
Jagex Account Guardian


Mercifull


Not being able to come up with your own questions is baffling, considering that the current password recovery system allows this in the first place.

 

Indeed and this is what Jagex had to say when I emailed them about it:

 

Hey Matt,

You should also bear in mind that JAG is just one tool and there are other security measures players can make use of such as the bank pin and email recovery questions.

Ultimately we need the players to play their part too and keep their computers secure and their personal information secret. If a player chose easy to guess answers a hijacker would still need to obtain their password to log into their account. JAG isn’t meant to be a replacement for players using common sense.

We’ve tried to choose a selection of questions so players can judge themselves which ones would be most difficult to answer. For example I know most people I play games with online wouldn’t be able to find out where my parents met!

It’s also completely up to the player what answers they put, they don’t have to be true. As long as you remember the answers to each question you can put whatever you like.

Although we hope most players will make use of JAG it is completely optional and whether or not you use it is at your own discretion.

Kind Regards,

Mod Alena


Should have posted yesterday, knew it would be an overhaul to their existing system, not what the rest of the world is doing (you can tell because they gave it a cute name).

 

I am a bit leery of this system though. On the face it's pretty good, especially if your IP is slow to change. Since you are only asked for the questions when using a new device or IP, a keylogger would have to wait until this happens, or be waiting on that new device for you. This should give your AV ample time to figure out things aren't on the up and up, and tell you what's going on (and hopefully deal with it). Needless to say, you should ideally be running full scans with an up to date (and appropriate) program every time you are going to need to enter those questions.

 

My issue is the security gained by never being able to change the answers. The best way to use these questions is as 5 additional (very high quality) passwords, that should be total gibberish. Since you will hopefully almost never be using any of them, you will have to record them someplace, or use something painfully obvious so that you will actually be able to remember them (if you can remember a password that you never use, it means that password is a piece of garbage and the gods of computer security should strike you down where you stand). For me, this would be my blackberry which can store passwords as encrypted files, that in turn need their own password to decrypt so that they can be viewed. But then I would be relying on my phone to be a perfect device that will never break (and because I don't want all of my eggs in one basket, I keep my RS pass only in my head). But that puts me one hardware fault, or one wet phone, from having a very limited period of time left to use my account.

 

I'll have to think about this.

 

There are a lot of applications you can use to encrypt passwords/notes/files on your computer. A good example is 1Password.

 


We’ve tried to choose a selection of questions so players can judge themselves which ones would be most difficult to answer. For example I know most people I play games with online wouldn’t be able to find out where my parents met!

 

The funny thing about that is that it's probably not too hard. If your parents are into social media at all, all the person has to do is find your parents on Facebook/whatever (usually easy), and odds are the parent might say where they met their husband/wife.


It's more difficult to social engineer something if they have no way to get a relationship with you, but it can be done. For example, a jealous friend could hack pretty easily (so let's hope we all have good friends) because they might be able to get into conversations. And some of those questions can take time to get someone to answer but you can direct conversation to make it happen.

 

A 2-step verification is best, but at least for now use a password safe program that encrypts files, and store the key on a flash drive (plus a simple to remember password). Then never leave the flash drive hanging around, and use entropy generating tools from the password program to create random entries for recovery questions.

 

Done. That will pretty much stop anyone from hacking you unless you get key-logged while typing in recovery questions.


I think it's just ingrained in me to never store passwords on my hard drive. If I keep a second copy, it will be on a flash drive, not my hard disk (flash drives having the advantage of being disconnected, capable of surviving the washing machine, and lasting longer).

Still, if these are going to be permanent, I would like to be able to regenerate my answers from scratch if I have to. A cipher where neither the plain text nor key are known presents an almost infinite number of possible answers I might have typed in (actually, knowing one or the other doesn't really help you, though the plain text would give you length).


Ultimately we need the players to play their part too and keep their computers secure and their personal information secret. If a player chose easy to guess answers a hijacker would still need to obtain their password to log into their account. JAG isn’t meant to be a replacement for players using common sense.

We’ve tried to choose a selection of questions so players can judge themselves which ones would be most difficult to answer. For example I know most people I play games with online wouldn’t be able to find out where my parents met!

 

Jagex is not doing this to take a stand against stricter privacy. They're doing it because it's expensive to do otherwise. When they say it in that way, as if companies everywhere haven't acknowledged the prevalence of identity theft or phishing or whatever...That really pisses me right off. If that's the direction they've seriously gone why are they allowing accounts to be linked to Facebook? The left hand really needs to start talking to the right before they start coming up with these bullshit excuses.

 

I'm just flabbergasted/gobsmacked/baffled/whatever word you want to put in here to express my deep annoyance and frustration with this company.

 

charliebrown_augh.avi


I think it's just ingrained in me to never store passwords on my hard drive. If I keep a second copy, it will be on a flash drive, not my hard disk (flash drives having the advantage of being disconnected, capable of surviving the washing machine, and lasting longer).

Still, if these are going to be permanent, I would like to be able to regenerate my answers from scratch if I have to. A cipher where neither the plain text nor key are known presents an almost infinite number of possible answers I might have typed in (actually, knowing one or the other doesn't really help you, though the plain text would give you length).

Well, your best bet for password copies is something like KeePass or LastPass, which employs various methods to make sure that only you would be able to access that information.


Once I set JAG and those 'permanent' recovery questions, if I were to undo it by taking off JAG, can recovery questions be changed again? (In other words, is it fully reversible?)

I think it's just ingrained in me to never store passwords on my hard drive. If I keep a second copy, it will be on a flash drive, not my hard disk (flash drives having the advantage of being disconnected, capable of surviving the washing machine, and lasting longer).

Still, if these are going to be permanent, I would like to be able to regenerate my answers from scratch if I have to. A cipher where neither the plain text nor key are known presents an almost infinite number of possible answers I might have typed in (actually, knowing one or the other doesn't really help you, though the plain text would give you length).

 

You probably could store the 1Password data on a flash drive. I know you can store it in Dropbox, which allows you to sync your passwords across multiple computers/phones/etc. It's still encrypted and still requires a "master password" to gain access.


Once I set JAG and those 'permanent' recovery questions, if I were to undo it by taking off JAG, can recovery questions be changed again? (In other words, is it fully reversible?)

They can't be changed.

 

 

 

 

Good news, the bug has been squashed. No need to worry about dynamic IP-s any more.

We found a bug in the code. We think we've fixed it, so if you can try logging in to the game again hopefully you shouldn't be asked to register a new device if your IP address has changed.

 

Please let us know if there are any further problems with being asked to register devices multiple times.

 

Thanks everyone for your help in finding this bug.


1. Are your parents' middle names, your oldest cousin's name, the place where your parents met really on FaceBook? Because I've never seen things like that on FaceBook before.

 

2. Can any of you even get hold of my FaceBook profile?

 

I don't see the big issue here. :?


People actually put legit information as recovery answers?

 

Interesting.

 

Mhmm. Just use passwords from the Random.org Password Generator and use those as answers to Recov Qs.


1. Are your parents' middle names, your oldest cousin's name, the place where your parents met really on FaceBook? Because I've never seen things like that on FaceBook before.

 

2. Can any of you even get hold of my FaceBook profile?

 

I don't see the big issue here. :?

It's not just about what's stored in your cookie cutter profile. It's about the things you've posted *somewhere* at *some point* on your Facebook wall. Somewhere, at some point, maybe your mom commented on a photo saying, "Oh wow, that reminds me of the time I met my husband in Prague!" Or if someone can find you, they can probably find your family quite easily. They can scan through them, figure out who your cousins are, and then note down the ages until they find the oldest.

 

This isn't the case with all people, obviously. But for many, it is. There are a lot of people who don't have "Private" Facebook accounts. There are a lot of people who blindly accept every friend request. There are a lot of people who don't think about what they're saying online, or what their family is saying. There are a lot of people who have their recovery answers out there for the world to see, and don't even realize it.


People actually put legit information as recovery answers?

 

Interesting.

This, pretty much. Even if you had trouble remembering 20-digit bogus answers (random password generator), writing them down in your diary/notebook/whatever is probably a fair bit more secure unless your particular hacker has access to your bedroom. In which case you probably have other things to worry about.



Which is why my IRL Facebook account and my Runescape FB account don't mix. Not that I'd post "real" answers anyways.

 

If you want to use Facebook with your Runescape account, why not simply set up a dummy Facebook account for your Runescape character? :unsure:



I'm not talking about people who use Facebook for RuneScape things. I just mean people wanting to hack your RuneScape account but they need answers to your recovery questions. So they do a lot of research to find your REAL Facebook account. This 'research' can include googling, figuring out your e-mail address, finding out what school you went to, finding that school's Facebook page and then finding people in connection with that school and picking you out of it. And then stalking your Facebook page to farm it for information.

 

People get DOXed all the time. That's one of the biggest ways people steal RuneScape accounts. A large part of that process is just doing online research to farm personal information, and part of that often leads back to Facebook, other social media sites, other online profiles, or any articles that may have included you that can now be found online. It doesn't matter if you 'officially' link those accounts to RuneScape or not. People are still capable of finding them. Of course it helps a lot if you use the same username, e-mail address, avatar, etc. But a lot of people do.

 

I mean, I personally don't use real answers for my recoveries, but I think it's safe to assume that most people in the RuneScape population do. And that leaves them vulnerable.


Which is why my IRL Facebook account and my Runescape FB account don't mix. Not that I'd post "real" answers anyways.

 

If you want to use Facebook with your Runescape account, why not simply set up a dummy Facebook account for your Runescape character? :unsure:

I did this. I've deleted the account, but that's another story.


Yes, but they need your password first, AND THEN access your e-mail account before they can even get to those questions.

 

Either way I'm just stating that this implementation is a very smart move by Jagex and several other companies (e.g Steam owner, Valve) and definitely will cut down the hacking cases of a lot of active accounts. Of course, while it isn't foolproof (as you've proved me) it's still an excellent preventive measure in the case big forums get hacked into again.

 

People actually put legit information as recovery answers?

 

Interesting.

 

Yeah good recoveries involve answers like:

 

Where did your parents meet?

 

Salty69verizon101elephant4frogs23

 

How do you know what question goes to what answer without leaving it down somewhere?



You can note them down somewhere with a simple note

eg Meet.

Then run that text through a cipher, then store the cipher and the output in two separate password protected files, preferably on usb pens or w/e hidden away.

 

Would take a good few minutes to go through and get your answers back if needed but pwnage protection as someone would need ur rs pass, ur email pass, plus the 2 usb pens, plus the cipher software to decode plus the 2 passwords for the files to even have a chance of getting into ur account.


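One way to get gibberish recovery answers that can still be regenerated from scratch, as the posts above ask for. This is an added example, not code from any poster or from Jagex, and it swaps the unspecified cipher for PBKDF2 plus HMAC-SHA256; the master passphrase, account name, label notes and round count are all assumptions.

```python
import hashlib
import hmac
import math
import string

# 62 symbols, safe to type into any answer box.
ALPHABET = string.ascii_letters + string.digits
# Assumption: a round count chosen for illustration; tune it to your hardware.
PBKDF2_ROUNDS = 600_000


def _stretch(master: str, account: str, rounds: int) -> bytes:
    """Turn the memorised master passphrase into a 32-byte key (deliberately slow)."""
    salt = ("recovery-answers:" + account.strip().lower()).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, rounds)


def _stream(key: bytes, label: str):
    """Yield an endless keyed byte stream that is unique to one label."""
    counter = 0
    while True:
        msg = label.encode("utf-8") + b"\x00" + counter.to_bytes(4, "big")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1


def derive_answer(master: str, account: str, label: str,
                  length: int = 24, rounds: int = PBKDF2_ROUNDS) -> str:
    """Derive the answer for one question from a short note such as 'Meet'.

    The same inputs always give the same answer, so nothing but the label
    needs to be written down; the answer itself is never stored.
    """
    if not master or not label.strip():
        raise ValueError("master passphrase and label must be non-empty")
    if length < 1:
        raise ValueError("length must be at least 1")
    key = _stretch(master, account, rounds)
    # Rejection sampling: discard bytes >= 248 so every symbol is equally likely.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    for byte in _stream(key, label.strip().lower()):
        if byte < limit:
            out.append(ALPHABET[byte % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


def entropy_bits(length: int) -> float:
    """Upper bound on answer entropy, assuming a strong master passphrase."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    master = "constructed master passphrase for the demo"
    account = "example_player"
    for note in ("Meet", "Cousin", "Middle name"):
        print(f"{note:12s} -> {derive_answer(master, account, note)}")
    print(f"about {entropy_bits(24):.0f} bits per 24-character answer")
```

The master passphrase becomes the single secret: anyone who learns it and can guess the labels can regenerate every answer, so it has to be as strong as the answers it protects.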
Either way I'm just stating that this implementation is a very smart move by Jagex and several other companies (e.g Steam owner, Valve) and definitely will cut down the hacking cases of a lot of active accounts. Of course, while it isn't foolproof (as you've proved me) it's still an excellent preventive measure in the case big forums get hacked into again.

While it will cut down on the cases, most people on here are disappointed because this isn't the best security measure to implement (e.g. two step is a lot more foolproof). Also, I haven't heard of anybody losing their RS account because of a big forum hack yet in Runescape.


Either way I'm just stating that this implementation is a very smart move by Jagex and several other companies (e.g Steam owner, Valve) and definitely will cut down the hacking cases of a lot of active accounts. Of course, while it isn't foolproof (as you've proved me) it's still an excellent preventive measure in the case big forums get hacked into again.

While it will cut down on the cases, most people on here are disappointed because this isn't the best security measure to implement (e.g. two step is a lot more foolproof). Also, I haven't heard of anybody losing their RS account because of a big forum hack yet in Runescape.

 

That's because you were inactive around the time Tip.it was hacked last year. There were a lot of older accounts that (stupidly, IMO) had their emails tied to their runescape account/same password/etc. And because their recovery system was still pretty bad then, it didn't take much to hijack another account.

 


1. Are your parents' middle names, your oldest cousin's name, the place where your parents met really on Facebook? Because I've never seen things like that on Facebook before.

2. Can any of you even get hold of my Facebook profile?

 

I don't see the big issue here. :?

It's not just about what's stored in your cookie cutter profile. It's about the things you've posted *somewhere* at *some point* on your Facebook wall. Somewhere, at some point, maybe your mom commented on a photo saying, "Oh wow, that reminds me of the time I met my husband in Prague!" Or if someone can find you, they can probably find your family quite easily. They can scan through them, figure out who your cousins are, and then note down the ages until they find the oldest.

 

This isn't the case with all people, obviously. But for many, it is. There are a lot of people who don't have "Private" Facebook accounts. There are a lot of people who blindly accept every friend request. There are a lot of people who don't think about what they're saying online, or what their family is saying. There are a lot of people who have their recovery answers out there for the world to see, and don't even realize it.

 

Which is why my IRL Facebook account and my Runescape FB account don't mix. Not that I'd post "real" answers anyways.

 

If you want to use Facebook with your Runescape account, why not simply set up a dummy Facebook account for your Runescape character? :unsure:

 

I'm not talking about people who use Facebook for RuneScape things. I just mean people wanting to hack your RuneScape account but they need answers to your recovery questions. So they do a lot of research to find your REAL Facebook account. This 'research' can include googling, figuring out your e-mail address, finding out what school you went to, finding that school's Facebook page and then finding people in connection with that school and picking you out of it. And then stalking your Facebook page to farm it for information.

 

People get DOXed all the time. That's one of the biggest ways people steal RuneScape accounts. A large part of that process is just doing online research to farm personal information, and part of that often leads back to Facebook, other social media sites, other online profiles, or any articles that may have included you that can now be found online. It doesn't matter if you 'officially' link those accounts to RuneScape or not. People are still capable of finding them. Of course it helps a lot if you use the same username, e-mail address, avatar, etc. But a lot of people do.

 

I mean, I personally don't use real answers for my recoveries, but I think it's safe to assume that most people in the RuneScape population do. And that leaves them vulnerable.

 

Just to add, this may seem far-fetched to some of you. But it happens all the time, even for RuneScape. I've even read on other forums of hackers going to the extent of actually going to a person's school and getting on the school's internet to attempt to recover an account, in hopes the similar IP or w/e will pass Jagex tests. It's kinda scary to see the amount of information and the lengths people go to to recover accounts.

But yes, this may add some security, I am not disputing that. However, imo, there are way too many loopholes and it all primarily relies on the user to not get keylogged, to use intelligent responses to the JAG questions, and to use two-step verification on their email. And let's be honest, how often will that be....

This whole system appears to me to simply be a way for Jagex to reduce liability. Someone referenced this a few pages back I believe. In this age, RuneScape is increasingly tied to our real life info, Facebook being one example. Remember when SoF came out, if your account was hijacked the hacker could use your credit/debit card to buy max spins (now not possible), another example. This system was a very cheap and very easy way Jagex could say "well....if they used JAG......"


Either way I'm just stating that this implementation is a very smart move by Jagex and several other companies (e.g. Steam owner, Valve) and definitely will cut down the hacking cases of a lot of active accounts. Of course, while it isn't foolproof (as you've proved to me) it's still an excellent preventive measure in the case big forums get hacked into again.

While it will cut down on the cases, most people on here are disappointed because this isn't the best security measure to implement (e.g. two step is a lot more foolproof). Also, I haven't heard of anybody losing their RS account because of a big forum hack yet in Runescape.

 

Then you must clearly have been inactive during the time when Tip.It, Zybez, Runehead, Draynor and RuneHQ were all hacked and/or defaced.
