All a hacker needs is your password to get your RS account


flimsy

Hi first I'd like to introduce myself.. (see sig)

 

I've been playing runescape now for around about a year... and I have had quite a lot of fun, made some good friends *waves to potato, mut & lulu* both young & old, and a few enemies.. especially when I was mining :XD:

 

 

 

Anyway recently (very) my account was stolen... and no this topic is not going to be a MOAN-MY ACCOUNT WAS HACKED topic.. ok maybe a tiny bit (I need to vent), but on the whole it will be suggestions on how Jagex could perhaps improve things security wise.

 

 

 

I know how easily the slimeball stole my account. Now first don't get me wrong, my computer is locked up tighter than a drum, up-to-date AV, firewall, regular scans.. and yet somehow the slimeball managed to get my password... that is all he needed to get my rs account, despite the fact that I had recovery questions set. All the slimeball needed to do was log in with my password to change the Q & A for Account Recovery and set a new password and voila.. my account was now his. He didn't even need to give any of my previous answers to change them, that is how simple it is... and makes it more difficult for me to get my account back... Why?? simple because my answers don't match the new ones that the slimeball set!!

 

 

 

Yup.. it's true, that is all they need in order to gain complete control of your Runescape account... and all the precious items you have collected.

 

 

 

Even if you have recoveries set and a Bank-PIN.. they only need your password to be able to change them.

 

 

 

This is what I discovered during the process of trying to recover my own account...

 

 

 

First let's change your recoveries, the hacker can just go to the "set recovery questions" link on the main page, login using your password which he has somehow managed to get a hold of, and change/delete the Q & A's right there and then... there is no safeguard except another input box for the existing password (y'know the same one he logged in with).

 

 

 

Second let's change your password, well.. I don't know about you guys, but I have found that the "change your password" link on the main page wasn't working properly the last couple of days, after I login (in order to change my password) I end up at a nice runescape page telling me that the password server is down (it's working properly now though... scratch that.. "error processing" comes up now for us)... so how would the hacker be able to change your password?? Well one way is for him to continually bombard the password server using the "change your password" link until it finally gives in, and lets him continue on to change the password, changing the password from this link is the swiftest way for them to get your account. Another way is to go through the "Recover a lost password" link on the main page. Well seeing as how they have already changed/deleted your recoveries all they have to do is use whatever they had put in as answers, use your stolen password as a previous password, input their chosen password... and boom... bye-bye goes your baby...

 

 

 

Well now the hacker has your account, well and truly in his hands... but what about the content of your bank... it'll be safe right? You have a Bank-PIN... there's no way he can get into your bank right?... WRONG!! Now you're wondering What?! But how? how can he get his grimy hands on your precious *insert most valuable item here*?? Easy he only needs to claim he has forgotten your Bank-PIN and then wait up to 7 days and then he can get at all your gear... and this depends on whether you set a 3 or 7 day waiting period for changing Bank-PINs.

 

 

 

Basically guys we only get 3 days within which to reclaim our accounts with most of our items back safely... anything we are wearing/holding will be gone even if we do manage to get our accounts back within 3 days, but at least in all likelihood your banked items will be safe... unfortunately if you set it to 3 day change over, or didn't set a Bank-PIN and aren't able to recover your account within those 3 days... then wave bye-bye to your gear as well.

 

 

 

After losing all your gear... would you feel it would be worth it to get your account back?

 

 

 

So what can we do to combat this seemingly simple method of account theft??

 

A simple remedy:

 

At the set recovery questions page, where an account already has set questions, have the user answer all of the previously set questions correctly (perhaps in random order) before permitting a change, with a waiting period before the new answers took effect...

 

 

 

This would benefit all users because, first it will make things more difficult for the slimeball in that he would have to obtain the correct answers in the first place...

 

 

 

Second once the account owner discovers his password has changed he will invariably attempt an account recovery and with the waiting period on the recovery change he will be more likely to submit the correct answers...

 

 

 

Third it will alert the account owner for sure of a keylogger on their system if they try to log in & find their password has changed, then go to account recovery to find their recoveries have changed.

 

 

 

At this point perhaps recording the ips of any users trying to initiate an account recovery request and comparing them to the account's ip history would be of value to the account owner. Of course if there aren't any questions set then... :ohnoes:

 

 

 

Additional queries like how many *random item* do you have in your bank? wouldn't go astray either (on change recoveries page). In fact I would think it essential as the slimeball will have to be able to access the account's bank first in order to know how many of that *random item* are in there... and that's the only good thing I have to say about the security for Runescape is: at least the bank pin security is good... that is until the slimeball decides to change your bank-pin.. to him it's only a couple of days waiting.

 

 

 

What about the account recovery process itself... that needs improvement for sure.. Well firstly I think that if account recovery is being processed then it should cause the account in question to get locked, I would think that, using account recovery should alert somebody that something is being taken back???! Ok.. so I can see this won't work, not right off the bat, after all can you imagine 10,000 users submitting account recovery requests to gain zezima's account?? or misuse from a person instigating an account recovery just to lock an account for spite... hmm...

 

 

 

But surely an account which is being contested should be locked in some form at the soonest? Perhaps instead of a complete account lock... a bank lock which comes into effect at the first account recovery request... one which will prevent the slimeball from attempting to change the bank-pin until the account has been claimed properly.. that sounds a lot better, although personally I would prefer the complete lockdown...

 

 

 

With the safeguards I'm suggesting in mind, imagine this scenario... the slimeball has changed the account password, he has to wait for the bank pin to change in order to be able to change the recoveries we had set... and then he will still have to wait further before his new recoveries take effect... in that time an account recovery is initiated which will freeze all pending recovery changes and PIN changes, allowing time for the owner to prove their account is theirs, without fear of losing all their bank items.

 

 

 

So what else could be done?... I don't want to see my account being used when I'm not the one using it (I saw my account log in briefly today on another world... I know she's being used... possibly abused... needless to say I'm not happy)....

If we suspect that someone other than the original owner has access to an account then we will lock the account to ensure that none of the items on the account are stolen and it is not used to break the Rules of Conduct
Well... that obviously didn't happen with my account... I wouldn't be able to see her log on if it was locked.

 

 

 

How about as an aid to reclaiming a stolen account having an "I saw my friend's stolen account being used by someone other than my friend" button. I mean after all who are the first ppl you tell that your account is gone?? your friends on your friendslist of course!! And because they are located all over the world and are on at all times of the day or night, the more likely it is to find your missing account... and report what world they saw them on.. and thus an ip is recorded.

 

 

 

I also think that it may be beneficial if Jagex have a rethink about their email policy, Maybe just sending out the first (and only) email & Message box memo (after creating an account) contain the account creation details which are pertinent.. you know in a similar way to how many website hosts send an email so you know your details for accessing ftp etc... except a Jagex email be a one-off, and contain the name, password, server you logged into, date created, and an all important first ip... along with a friendly note to tell the user to keep all this info in a nice safe place just in case they need it.

I am back!! Totally stony-broke... but I am back!!

Link to comment
Share on other sites
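
The safeguards proposed in the post above, modelled as an added example (not part of the original post and not Jagex's code): changing recovery answers needs the password plus every existing answer, the change is queued for a waiting period, and opening a recovery request freezes queued changes. The class and method names, the 7-day delay and the sample answers are assumptions.

```python
import hashlib
import hmac
import os

DAY = 86400  # seconds


def _digest(salt, secret):
    # Passwords and answers are stored only as salted PBKDF2 digests.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class Account:  # hypothetical model, not the game's real account system
    def __init__(self, password, answers, delay_days=7):
        self.salt = os.urandom(16)
        self.pw = _digest(self.salt, password)
        self.answers = [_digest(self.salt, a) for a in answers]
        self.delay = delay_days * DAY
        self.pending = None   # (new answer digests, time they take effect)
        self.frozen = False   # set once a recovery request is open

    def _pw_ok(self, password):
        return hmac.compare_digest(self.pw, _digest(self.salt, password))

    def _apply_due(self, now):
        # A queued change takes effect only after the delay and only if not frozen.
        if self.pending and not self.frozen and now >= self.pending[1]:
            self.answers, self.pending = self.pending[0], None

    def answers_ok(self, answers, now):
        """Check answers against the set in force at time `now`."""
        self._apply_due(now)
        if not self.answers or len(answers) != len(self.answers):
            return False
        results = [hmac.compare_digest(s, _digest(self.salt, a))
                   for s, a in zip(self.answers, answers)]
        return all(results)

    def change_password_only(self, password, new_answers):
        """Behaviour the post describes: the password alone replaces the answers at once."""
        if not self._pw_ok(password):
            return False
        self.answers = [_digest(self.salt, a) for a in new_answers]
        return True

    def request_change(self, password, old_answers, new_answers, now):
        """Proposed flow: password plus every existing answer; the change is only queued."""
        if self.frozen:
            return "frozen"
        if not self._pw_ok(password):
            return "denied"
        if self.answers and not self.answers_ok(old_answers, now):
            return "denied"
        self.pending = ([_digest(self.salt, a) for a in new_answers], now + self.delay)
        return "pending"

    def open_recovery(self, answers, now):
        """Recovery request: freezes queued changes first, then checks the answers in force."""
        self._apply_due(now)
        self.frozen = True
        return self.answers_ok(answers, now)


def demo():
    owner = ["first pet: rex", "street: elm"]   # constructed sample answers
    thief = ["x", "y"]                          # constructed sample answers

    legacy = Account("hunter2", owner)
    took_over = legacy.change_password_only("hunter2", thief)
    owner_locked_out = not legacy.answers_ok(owner, now=0)

    acct = Account("hunter2", owner)
    pw_only = acct.request_change("hunter2", [], thief, now=0)
    # Worst case: the old answers were captured along with the password.
    with_answers = acct.request_change("hunter2", owner, thief, now=0)
    recovered = acct.open_recovery(owner, now=2 * DAY)   # owner reacts on day 2
    return {
        "legacy_takeover": took_over and owner_locked_out,
        "password_only": pw_only,
        "with_old_answers": with_answers,
        "owner_recovers_day_2": recovered,
        "thief_answers_live_day_8": acct.answers_ok(thief, now=8 * DAY),
        "owner_answers_live_day_8": acct.answers_ok(owner, now=8 * DAY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If no recovery request is opened before the delay runs out, the queued answers do take effect, so the waiting period buys the owner time rather than preventing the change outright.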

1.look it not Jagex's fault otherwise every1s account would have been hacked.
Nowhere in the first post did I say it was Jagex's fault. The fault lies squarely at the hacker's feet. However as you can see it is very simple for a hacker to get full control of someone's rs account once they have the account password... and unfortunately that is where Jagex's security measures fall flat... very flat. Hence the suggestions I made for improvement of their current security measures.

 

2. u just joined to spam
Oh really... and this coming from the king of 1 liners?? I signed up in December 2005, it's now August 2006... including this reply I have made a total of 3 posts. If I wanted to spam the boards I would be... YOU. My topic I feel is a valid one, and it is up to the forum mods whether it is spam.

 

 

 

it takes a few days for your recoveries to change go appeal now! before you lose your account forever!
Thank you for your concern.. I am still sending in recovery requests... but alas I feel it may already be too late to get back my account, too late at least to save my bank items... and in that case I don't think I would want to have her back... unless the thief has a heart and at the very least leaves me with my picks, ores and natures... I can start again if I had at least those... but I highly, highly doubt it.

 

 

 

Anyway back to the topic at hand... what do you guys actually think about the proposed security ideas... using the scenario I gave as a guide??

I am back!! Totally stony-broke... but I am back!!

Link to comment
Share on other sites

You know, a lot of this can be solved pretty easily - Instead of logging in with your character's name, you must log in using a user name.

 

 

 

Ok, this won't stop everything, of course, but here's what it does do: It takes away half the information a hacker needs in order to hack your account.

 

 

 

The next layer of security: The system already records your last IP sign-in. If you log in using a different computer, and the IP doesn't match (of course), you must answer a special question that you have set up for this purpose - not your account recovery question.

 

 

 

(If you have a dynamic IP, or typically log in at different computers, you can note this in your account so it doesn't do this - but it's your risk.)

 

 

 

- Sligo

I know that you believe you understand what you think I said, but, I am not sure you realize that what you heard is not what I meant.

Link to comment
Share on other sites

Flimsy, you're absolutely ridiculous.

 

 

 

You say it's Jagex's fault or the hacker's fault? How can this be? How did they know your password? YOU did something, YOU told someone, or someone that you've told told someone -.- Your password just doesn't get out just like that. A hacker can't hack your account based on brute force - they just can't keep trying passwords non stop. That'll take more than a lifetime for a simple crummy 5 character password.

 

 

 

Now, Jagex has done enough to prevent hackers. They have set a bank pin feature, and they do not give the passwords away easily on recovery questions. From what you have experienced, they are refusing to give you the account because you simply do not have the right recovery questions.

 

 

 

Now you blame it on Jagex. The fault lies in yourself. You either told someone your recovery questions or they know you well enough to guess it. So don't go blaming Jagex for the recoveries - that's a feature there to help you. If you chose poor recovery questions - it's your problem since you have been informed when you set them.

 

 

 

Go find the correct information before jumping to conclusions. To change the recovery, you need substantial information. You actually need to know all of the person's recoveries to do so. So the person who stole your account knew your recovery/knows you well enough and screwed you over by changing your recoveries.

"All the slimeball needed to do was log in with my password to change the Q & A for Account Recovery" This is such crap. You can't change recovery questions with just a password. Go try it for god sake before you make a fool out of yourself!

 

 

 

And I agree with Sworddude198

 

 

 

1.look it not Jagex's fault otherwise every1s account would have been hacked.

 

2. u just joined to spam

 

 

 

That's true. Sending in a whole bunch of silly recoveries to spam them ain't going to help you. They don't have an unlimited supply of people to read silly and useless requests. They actually have serious people who actually KNOW their stuff, who are trying to get their accounts back too.

 

 

 

You know... they probably just put a filter on - if they repeatedly decline your request - they're trying to tell you to screw off in nice terms :)

 

 

 

To what I understand, the recovery questions have already been changed by the hacker - at least that's what you're implying. I don't think there's much you can do - honestly - except for wait for the "slimeball" to use your account and talk with him on runescape and kindly beg for your account back. In short, don't call them a slimeball.

 

 

 

My recovery questions are very unique and they're not about me. My questions are unique and no one knows the right answer. My account has always been fine. I have recovered my account numerous times for the reassurance and I am glad how in-depth Jagex looks before giving your account away.

 

 

 

 

 

Let me ask you

 

 

 

"and then he will still have to wait further before his new recoveries take effect"

 

 

 

what if someone actually knew your recovery questions? And you wanted to change them before they get your account. Would YOU want to wait?

 

 

 

In conclusion, I think your ideas are rather silly... Jagex aren't computer illiterate and they're doing an awesome job right now, as far as trying to return the right accounts to the right owners. Your account is only as safe as you make it. -.-

Link to comment
Share on other sites

Prismaric, did you even bother to read even part of his post? I know it's a lot to read. But if you want to give some kind of lengthy answer to claim you are right, you should read it.

 

 

 

The hacker changed his recovery questions. Secondly, telling other people isn't the only way hackers get passwords.

 

 

 

Now, flimsy isn't even here to complain about being hacked. He's here to suggest an idea to make RS more secure. And I personally think these ideas are very good. Unlike you who just wants to use this topic as an opportunity to troll. If you don't have anything constructive to say, then just don't say anything.

Link to comment
Share on other sites

The hacker changed his recovery questions. Secondly, telling other people isn't the only way hackers get passwords.

 

 

 

Oh really, how else could the hacker get the password... I mean.. you didn't download anything, did you? :o

Link to comment
Share on other sites

First @ Tetsuya.. thank you.. and you are right I'm not here to moan about my account simply to highlight a fault that I believe to exist with the current security measures... and I am a she not a he.

 

 

 

@ sligo.. I like that idea... actually I like any idea which goes to further protecting our RS accounts.

 

 

 

@ xKhAoZx.. No-one would purposely download a keylogger, and the only things we do download are not in any way RS related. I regularly update & scan, check system process at all times... and whenever my AV sends up a warning I hunt out the culprit & kill it, but then I am not the only user here. And besides... how is not really the point of this topic. Prior to setting up my recovery questions we had detected some sort of trojan but that was removed immediately... and although this is most likely how my password was taken, it certainly isn't the only way. Prior to me actually seeing my account login I thought it was a glitch with the system, as we found several of the links on the mainsite weren't working properly. I go to login and find that I can't "Invalid username or password". Just to be safe we went to secure the kids' accounts by changing their passwords. As I mentioned in my first post the change password link wasn't working properly "password server is down" and I wasn't prepared to sit there clicking on the link in order to change them, as someone on the official forum had been advised to do. We attempt to post a bug-report about this and found we couldn't.. we ended up at a blank page with "Mod:Bugtracker V4" written on it. We attempt to go through other links which involve ticketing (including billing) and end up at a blank page with "Mod:ticketing" on it. And as this had followed closely on the heels of an update I simply thought it was just a glitch and Jagex will sort it... although I'm surprised there weren't more reports in these or the official forums about website problems. I updated my AV & manually scanned.. found nothing. I used my daughter's account to notify about the problem with report-a-bug on the website feedback forum (as she was still on member account) only to get the topic closed and told to post it in tech support... which we do... then it quickly gets buried by all the other topics.
But after seeing how quickly our topic got buried on the official forums, I'm not at all surprised that I couldn't find any topics regarding problems with the website. Prior to actually seeing my account log in without me... I thought/hoped my changed password was related to all the problems I was experiencing with the main site, and not the actions of a slimeball.

 

 

 

@ Prismaric

 

You say it's Jagex's fault or the hacker's fault? How can this be? How did they know your password? YOU did something, YOU told someone, or someone that you've told told someone -.- Your password just doesn't get out just like that. A hacker can't hack your account based on brute force - they just can't keep trying passwords non stop. That'll take more than a lifetime for a simple crummy 5 character password.
I lay the blame at the hacker's feet, not at Jagex, NO I didn't tell anyone my password, & NO I didn't do anything in order for my password to get stolen... let alone my recovery answers. The only people who would even have an inkling as to what they are, are my kids.. and they certainly don't want to lose their RS gravy-train.

 

Now, Jagex has done enough to prevent hackers. They have set a bank pin feature, and they do not give the passwords away easily on recovery questions. From what you have experienced, they are refusing to give you the account because you simply do not have the right recovery questions.

 

 

 

Now you blame it on Jagex. The fault lies in yourself. You either told someone your recovery questions or they know you well enough to guess it. So don't go blaming Jagex for the recoveries - that's a feature there to help you. If you chose poor recovery questions - it's your problem since you have been informed when you set them.

I didn't say they give the password away on recovery questions.. I said
"the hacker just can go to the "set recovery questions" link on the main page, login using your password which he has somehow managed to get a hold of, and change/delete the Q & A's right there and then... there is no safeguard except another input box for the existing password (y'know the same one he logged in with)"
NO.. I didn't give my password out.. NO.. no-one knows my recoveries. I know the feature is there to help us... but it IS flawed. When I began the account recovery process for my own account, the processing of my 2nd request was delayed by it still being the weekend in England (track recovery remained pending for more than 24h)... When my account recovery request was declined I went to submit again only to find.... MY RECOVERY QUESTIONS WERE REMOVED!! and no-one except myself knows the answers to the questions I had written myself.

 

Go find the correct information before jumping to conclusions. To change the recovery, you need substantial information. You actually need to know all of the person's recoveries to do so. So the person who stole your account knew your recovery/knows you well enough and screwed you over by changing your recoveries.
Far be it for me to want to post something as inflammatory as this without some form of proof. But this was the only conclusion I could come to, when testing how/why theories. When I attempted to change the recoveries on my daughter's account... I was not faced with the questions that she used where I had to answer them... NO... instead I was faced with this
Use this form to change or set your recovery questions.

 

 

 

If you have not set any recovery questions on this account, we recommend that you do so immediately.

 

 

 

If you do not wish to set new recovery questions at this time, click the logout link in the top right.

 

 

 

The answers to your recovery questions can be used to set a new password on your account, so please make sure that you set these to sensible values that no-one else will be able to work out or guess.

 

 

 

If you don't like the default questions that we have suggested, then please enter your own questions to answer (just delete the ones that are there.)

& 5 new questions with the option to change them. If you get something different, then I must be playing a different game. To be truthful though my tests were inconclusive 1. I don't really intend to change my daughter's recoveries 2. For some reason the site won't let me anyway "error processing request".. and FYI I get the same "error processing request" if I used her questions & answers. But... simply going by the fact that I wasn't given the option to answer any previously set questions is what leads me to believe that all a hacker would need to do is SET NEW RECOVERIES..

 

... and a quote from the knowledgebase itself:

To change your recovery answers please either go to the main RuneScape website and click on the 'Set new recovery answers' link in the Account Management section of the menu down the left side of the screen or click here

 

 

 

You will then need to log in entering your username and password.

 

 

 

A page will then load which will allow you to set new recovery questions by confirming your current password and then entering the new questions and answers. Remember that your recovery questions should have answers which are difficult to guess, will not change often and you will not forget.

 

 

 

Once you have entered all the necessary information click the 'Submit Questions & Answers' button at the bottom of the page and your new recovery questions will then be changed.

"All the slimeball needed to do was log in with my password to change the Q & A for Account Recovery" This is such crap. You can't change recovery questions with just a password. Go try it for god sake before you make a fool out of yourself!
I suggest you go try it yourself as well..

 

The process is go to Account Management>Set new recovery questions link

 

login with password

 

input password in current password box, change recovery questions, change recovery answers

 

submit. After that I don't know what happens... but I assume it will do exactly the same thing which occurs when you first set up recovery questions on an account via this link.

 

And I agree with Sworddude198

 

 

 

 

 

1.look it not Jagex's fault otherwise every1s account would have been hacked.

 

2. u just joined to spam

same reply.. except for #2 you I don't believe to be a spammer.

 

That's true. Sending in a whole bunch of silly recoveries to spam them ain't going to help you. They don't have an unlimited supply of people to read silly and useless requests. They actually have serious people who actually KNOW their stuff, who are trying to get their accounts back too.

 

 

 

You know... they probably just put a filter on - if they repeatedly decline your request - they're trying to tell you to screw off in nice terms :)

To date I have sent in 11 requests.. 8 of which have been declined despite giving them info like, Bank-PIN, subscription PINs, account creation time, IP info, subscription dates, method of payment etc...
To what I understand, the recovery questions have already been changed by the hacker - at least that's what you're implying. I don't think there's much you can do - honestly - except for wait for the "slimeball" to use your account and talk with him on runescape and kindly beg for your account back. In short, don't call them a slimeball.
at last some understanding.. By the time my 2nd recovery request had been declined, my recovery questions had been removed. And I know there is not much else I can do except continue to send in requests or wait to see if my account will log in again, and unfortunately the slimeball (pun intended) wasn't on long enough (when I saw my account log in) for me to beg for my account back (simply enough time for him to turn off friendslist) and that has been the last instance I saw of me.. and rather than calling the account thief a slimeball what should I call him??... I know what I would like to call him and it isn't anywhere near as tame as "slimeball". The account itself I don't care about... the content of my bank I don't care about... my name though... my name... I just want my name... he can keep the account and the levels she has.. I just want my name... and seeing as I can't have my name back... then I want my account back so I can keep my name.

 

My recovery questions are very unique and they're not about me. My questions are unique and no one knows the right answer. My account has always been fine. I have recovered my account numerous times for the reassurance and I am glad how in-depth Jagex looks before giving your account away.
Well my questions & answers were unique as well, questions were ones I wrote myself, not the pre-selected ones available. Answers were only known by me, and up until last weekend I would've agreed with you... I thought my account was safe too. Unfortunately for me this has not proven to be the case.

 

Let me ask you

 

 

 

"and then he will still have to wait further before his new recoveries take effect"

 

 

 

what if someone actually knew your recovery questions? And you wanted to change them before they get your account. Would YOU want to wait?

From my understanding (what I've read on the forums) when you change your recoveries you already have to wait for new recoveries to take effect. And also if you read the scenario you would see why waiting is beneficial
With the safeguards I'm suggesting in mind, imagine this scenario... the slimeball has changed the account password, he has to wait for the bank pin to change in order to be able to change the recoveries we had set... and then he will still have to wait further before his new recoveries take effect... in that time an account recovery is initiated which will freeze all pending recovery changes and PIN changes, allowing time for the owner to prove their account is theirs, without fear of losing all their bank items.

 

In conclusion, I think your ideas are rather silly... Jagex aren't computer illiterate and they're doing an awesome job right now, as far as trying to return the right accounts to the right owners. Your account is only as safe as you make it. -.-
If you think my ideas for improving the security of our RS accounts are silly and if you are satisfied with your current account protection then Good On Ya. I however am not. My stolen account was my most levelled account but she certainly isn't the only account we have, and I would like to see our other accounts better protected.

 

But gee, nice account 90 SMITHING! 92 MINING! can make rune scimmies I believe -.- Just checked high scores a second ago - The "slimeball" is probably having some fun - or having a nice laugh or two
Well he's not having fun or my stats would've moved by now. He certainly struck gold though and would've had a good laugh as I was holding 880k in my inventory when I logged out last. It was late when I last played and I had inadvertently pulled out all my cash... and because of this I was going to put her back on subscription the following morning because I couldn't put the cash back in!! #-o But that is irrelevant to the topic at hand.

I am back!! Totally stony-broke... but I am back!!

Link to comment
Share on other sites

You know, a lot of this can be solved pretty easily - Instead of logging in with your character's name, you must log in using a user name.

 

 

 

Ok, this won't stop everything, of course, but here's what it does do: It takes away half the information a hacker needs in order to hack your account.

 

 

 

The next layer of security: The system already records your last IP sign-in. If you log in using a different computer, and the IP doesn't match (of course), you must answer a special question that you have set up for this purpose - not your account recovery question.

 

 

 

(If you have a dynamic IP, or typically log in at different computers, you can note this in your account so it doesn't do this - but it's your risk.)

 

 

 

- Sligo

 

 

 

Sligo, you're a genius! Did you just think of this?

Link to comment
Share on other sites

Actually, no. I've suggested these before.

 

 

 

Unfortunately, changing the way you log in to RS would be very difficult for Jagex to accomplish. If they were to ask, I could suggest to them a way to do it, but it wouldn't necessarily be easy to do.

 

 

 

- Sligo

I know that you believe you understand what you think I said, but, I am not sure you realize that what you heard is not what I meant.

Link to comment
Share on other sites

Unfortunately (I read everything) your post only applies to f2pers. Members can easily get their accounts back by entering their billing info into the account recovery page. Thus Zezima will never be hacked cuz he takes very good care of his account security I'm sure. Also Jagex doesn't care enough about f2per accounts to care if they are stolen or not

thxs vibro for the sig ^_^.

Link to comment
Share on other sites

Sheesh I read maybe half of what you said and I wanted to point out it is possible to cancel recovery questions already set, choose the third option on the recover an account thing and get all the answers right and you're owned. Also, I call bull crap on all of this. I've been in cahoots with the underground autoing community, I've seen keyloggers be placed in files and the person was banned. I've seen client code editing be done, you do realize that a person can edit the java files of the Runescape.jar and have it send your password to an email address? It's not possible to HACK on runescape. GET IT THROUGH YOUR HEAD PEOPLE.

 

 

 

You googled rs hax or something when downloading a file and got a very hard to find/undetectable keylogger. They have them if you didn't know. Also since I am not going to read the rest of what you wrote I'd like to ask what AV you use, Firewall and what programs you've downloaded within the past week. Ten to 1, I'd spot the problem right there. Jagex's security is fine, your end wasn't upkept.


Sheesh I read maybe half of what you said and I wanted to point out it is possible to cancel recovery questions already set, choose the third option on the recover an account thing and get all the answers right and you're owned. Also, I call bull crap on all of this. I've been in cahoots with the underground autoing community, I've seen keyloggers be placed in files and the person was banned. I've seen client code editing be done, you do realize that a person can edit the java files of the Runescape.jar and have it send your password to an email address? It's not possible to HACK on runescape. GET IT THROUGH YOUR HEAD PEOPLE.

 

 

 

You googled rs hax or something when downloading a file and got a very hard to find/undetectable keylogger. They have them if you didn't know. Also since I am not going to read the rest of what you wrote I'd like to ask what AV you use, Firewall and what programs you've downloaded within the past week. Ten to 1, I'd spot the problem right there. Jagex's security is fine, your end wasn't upkept.

Unlike you I am not part of any underground autoing community, nor am I an advocate of cheating in any way shape or form. Runescape to me is just a game that I play not a way of life. I have Nortons Internet Security & AV which constantly gets updated. Files I download buddy are not RS related, and for the most part aren't programs.. I do have other interests than this!!.. The simple fact that you or anyone else has the audacity to come in here and claim that I would readily download a hack for Runescape is just stupid. You don't know me! As for your "cancel recovery questions" you so readily pointed out to me... it WILL NOT WORK if you don't know what the slimeball has changed your password to!! And whether my security is up to scratch is not the point of this thread... next time I suggest you do read before you post! And again if you are happy the way things are then... Good On Ya.
Unfortunately (I read everything) your post only applies to f2pers. Members can easily get their accounts back by entering their billing info into the account recovery page. Thus Zezima will never be hacked cuz he takes very good care of his account security I'm sure. Also Jagex doesn't care enough about f2per accounts to care if they are stolen or not.
While what you say is probably true.. how swiftly Jagex currently deals with account recovery with f2p/p2p is really not the point. It still doesn't negate the purpose of this topic which is twofold:

 

1. it highlights how easily a hacker can take complete control of your account with just your password.

 

2. proposal of ways to make your accounts more secure, whether it is f2p/p2p... and as a result more likely for them to be returned to their rightful owners with most of their items intact.

 

 

 

I have been thinking more about the bank-pin feature of the game.. there is a minor problem with that aspect of security... and yet at the same time it is currently the best security measure we have for our accounts... albeit still flawed.

 

 

 

A hacker can claim that he has forgotten your Bank-Pin in order to get a new one installed.

 

Now imagine that you have had your Bank-PIN on your account for the past 9 months (Bank PINs introduced Sept-2005)... you are a regular player... on everyday if even for a short while... constantly using your Bank-PIN to access your Banked items.

 

Now imagine that your account has been stolen... and the thief doesn't know your Bank-PIN (unless you've been really careless, and in that case he only needs to "change Bank-PIN"), he goes to the bank accesses your bank and at the PIN screen clicks "I don't know it".. he then has to wait 3 - 7 days (depends on your settings) before he is able to set a new one, and once he gets the new Bank-PIN he then has access to your items.

 

 

 

The problem is.. that there seems to be no check in place to protect users who have had their Bank-PINs for a long time.. and then along comes a slimeball who clicks "I don't know it". There also is no way for you to stop a Bank-PIN change without having access to your account.

 

 

 

Now seeing as I personally feel that this Bank-PIN feature is the best part of RS security, I would like to see it used as part of the recovery process itself.. eg: on account recovery page have a button which will bring up the Bank-PIN screen overlay (without ability to access items of course), or even on the page itself a mini version of the Bank keypad where the real user (who knows the Bank-PIN) can input the numbers.. if the PIN is correct it will stop any current changes being applied to the Bank-PIN, an IP is recorded to compare to account history and the account locked until true ownership of account can be established, especially in the case of an "I don't know it" claim, this could perhaps make the process of account recovery quicker? This will also aid if you have been careless with your Bank-PIN in that it will stop any attempt to change your Bank-PIN.

 

 

 

I would like to see more ideas for improving account security submitted please. Also post if you have constructive statements regarding improving RS account security... Or if you just wanna post saying YES to a safer account. I don't want any posts which state the obvious "Keep your password safe at all times" or "Use a decent AV & Firewall"... or posts which assume that I have done something in order to bring my current predicament upon myself.. it is irrelevant. If you feel that Jagex's security is fine then say so, without condemning this topic.. but do read the first post and keep to the topic at hand. This is not a thread about recovering your RS account. It is about finding ways of improving the protection for your RS account in the event your account gets stolen.

I am back!! Totally stony-broke... but I am back!!


You can cancel your current recoveries without the password if you knew anything. You go to recover my account or whatever and then select the third option, answer your recoveries right and your recoveries you currently have SET are GONE. I know what I'm talking about. Also, I said I "was" with the autoing community before, READ MY WHOLE POST THOROUGHLY before commenting on what I said (a bit hypocritical on my part I admit). I pretty much was pointing out things you said that were wrong if you didn't notice.

 

 

 

Also, when you talk about the autoers, at least understand that when you auto, you can have a life outside RS and still "nolife" the game (I didn't start this, you brought it on yourself with that comment). Most autoers use their accounts to make money in real life so to some (mostly kids under 16) it is a job for them to do it. Okay, so maybe you didn't download "rs hax"- that was an example :P. But, I was trying to get a point across- no one gets hacked out of the blue. Want me to go to one of the communities I used to be in, ask them and then screenshot every response (editing out names and four letter adjectives of course) for proof?

 

 

 

Also, your security ties into this somehow otherwise you wouldn't have been KEYLOGGED(seeing as how it isn't possible to hack in runescape). Your topic is completely flawed because a "hacker" cannot simply hack your account. IMPOSSIBLE. To do that they would have to hack jagex's servers and get their password database and then even if they did do it, they wouldn't hack you(yes, hack is the correct term now)- they'd hack Zezima and Cursed You before even thinking about anyone else's(generally any high lvl with cash is a target).

 

 

 

How many [developmentally delayed]s can wait 3-7 days before they get their account back? Impossible to wait that long/Jagex having a problem with recovering your account for that long.

 

 

 

OKAY, now I'm done picking apart your post and eating it to now dribbling on about how Jagex can make our accounts more secure. The bank pin on the recovery screen is a good idea (don't they already have this? or is this a real life bank pin?). I really can't think of anything that they could do because it is for the user to make sure they're protected.


Also, your security ties into this somehow otherwise you wouldn't have been KEYLOGGED(seeing as how it isn't possible to hack in runescape). Your topic is completely flawed because a "hacker" cannot simply hack your account. IMPOSSIBLE. To do that they would have to hack jagex's servers and get their password database and then even if they did do it, they wouldn't hack you(yes, hack is the correct term now)- they'd hack Zezima and Cursed You before even thinking about anyone else's(generally any high lvl with cash is a target).
Quite frankly if it is possible to hack into government department computers or high level business computers then it will be possible to hack into Jagex.. but that isn't the point at all. And as hockpeeps pointed out earlier... Zezima & Cursed You accounts will be the least likely to be attacked because they would have taken the most care with their account security... and they will have the most recorded histories in the game from which to get them back even if they were taken.
You can cancel your current recoveries without the password if you knew anything. You go to recover my account or whatever and then select the third option, answer your recoveries right and your recoveries you currently have SET are GONE.
How does this disprove my point? If anything it should tell you that a change indeed needs to be made! My recoveries were changed... and not by ME!! And because I followed the knowledgebase information which told me to use the 2nd option if someone changed my password & recoveries.
If we have not locked your account then use the 'Recover a lost password' link or click here.

 

 

 

You will then need to supply your login name, email address and the type of query it is. Scroll down on the drop down menu to either 'Someone else has changed my password' or 'Someone else has changed my recovery questions' depending on which applies, if both apply then use 'Someone else has changed my password'.

 

 

 

Please then follow all of the on-screen instructions filling in as much information as possible.

 

 

 

If you do not know or cannot remember all your account information, please try and provide the earliest information you have for each of the categories requested. This will ensure that your request is dealt with as quickly as possible. We can only issue a new password to an account once we are satisfied that it will be returned to the correct owner.

 

 

 

To recover your account using the recovery questions, simply send in as many of them as you can. If you enter enough and the recovery answers you enter are correct and they have not been changed by a hijacker then you will be able to recover your account immediately without having to wait for the password support request to be processed.

And how did he change my recoveries?? In the same way as I had set them... either using my own password to change them before he changed it, or changing the password before he changed my recoveries! Either way account gone... My Q & A gone!
To change your recovery answers please either go to the main RuneScape website and click on the 'Set new recovery answers' link in the Account Management section of the menu down the left side of the screen or click here

 

 

 

You will then need to log in entering your username and password.

 

 

 

A page will then load which will allow you to set new recovery questions by confirming your current password and then entering the new questions and answers. Remember that your recovery questions should have answers which are difficult to guess, will not change often and you will not forget.

 

 

 

Once you have entered all the necessary information click the 'Submit Questions & Answers' button at the bottom of the page and your new recovery questions will then be changed.

 

Okay, so maybe you didn't download "rs hax"- that was an example :P. But, I was trying to get a point across- no one gets hacked out of the blue.
Fine you made your point... but it is NOT the point of this thread.
How many * can wait 3-7 days before they get their account back? Impossible to wait that long/Jagex having a problem with recovering your account for that long.
Then explain for me why many people who do lose their accounts can wait for weeks for their accounts to come back to them, both f2p & p2p alike... granted more likely f2p?? and just as many (probably more) never get them back (or simply because they get tired of being denied)... and these are people who have played years longer than my family has.

 

 

 

Now I feel the need to explain something to you. My account which was stolen is actually my second acc which I created on RS. I created her after my daughter made her character which bears her RL name. Wai bears my RL name and so was the only character I wanted to develop.. my other, well, basically she is a low lvl character that I got tired of watching die over & over & over again.. her lifespan was maybe a month. So when I created Wai I did so with a plan, which was to get her to level 10 without dying once =). Time went on our Mains continued to develop. When Bank-PINs were introduced... I installed one. Security stronghold came along... I set up Q & A on all our accounts (previously didn't set any, and I sooo wanted the boots). I was like you, and thought that was enough security to have, along with my AV & Firewall. Not so... no matter how my account password was stolen.. the fact remains that once my password was gone, my account was gone. The account protection measures are insufficient. My recourse for recovering my account is insufficient.

 

 

 

Not all of us have ever been involved in online gaming communities before... let alone years... and not all of us have ever encountered a situation where an online persona would literally require protection. Nor would I ever have considered that there were people actually willing to steal a game character?? A made up person?? PIXELS!! And for what??? A few more pixels?? This is not a dig at anyone, it just comes as a shock to me.

 

 

 

I originally found out about RS through a site I regularly use, where a woman was talking about this free online RPG game that she has played with her kids. This is why I joined RS... To play alongside my kids... and being a big fan of old RPGs

 

 

 

Now when I found that I couldn't login onto my stolen account, the first thing I did was updated AV & scanned... nothing. So I go to do a recovery request... instant denial... fine.. go back try again... with more info in little box... again instant denial... ok, send for tracker ID recovery request for more thorough comparison with playing history... denied.

 

 

 

Started to panic a little bit... so went to change passwords on the kids accounts just to be safe... found we couldn't ("password server is down"). Went to report-a-bug about "password server is down" found we couldn't do that either (white page with "Mod:Bugtracker_V4" written on it)... In fact many of the links which require ticketing were not working for us (white page with "Mod:Ticketing" written on it). Sent in 2nd recovery request... again denied. Went to send in 3rd recovery request only to discover that my Questions were no longer showing up!! Filled it in anyway and sent... again denied... and it has been like that ever since. They asked for subscription PINs, IP info, Account creation info... I gave all the info I could to the best of my recollection... I even gave them Account Bank-PIN, method of payment, subscription dates, character description, game Bank content, friends names on friendslist, quest info... and yet here I am, still not myself... and I'm not holding my breath to get her back... but I will continue to send in new recovery requests at every denial.

 

 

 

Posts on official forums QF 29-30-325-27185935 & QF 25-26-736-28541286 illustrating the behaviour we are currently experiencing when we attempt to change the passwords on my kids existing accounts. "error processing request".

 

 

 

We also get "error processing request" when attempting to "set new recoveries" on a new account I created to test the how/whys with.

 

 

 

We also get "error processing request" when attempting to change the existing recoveries on my kids accounts via the "set new recoveries" link.

 

 

 

Considering as how only a month ago we could access these pages properly definitely makes me think that something is going on somewhere... but... I'm not the only one experiencing them. Up until the time when I actually saw my stolen account login on RS, I thought it was a glitch associated with the others I have just mentioned, and because it followed closely on the heels of an update (4 were added after stronghold update)... already 2 account recovery denials & still I wasn't too worried... but then I saw my name light up briefly on my friendslist and my heart fell... confirmed account stolen. 3rd account recovery... questions which had previously shown up were gone. I am annoyed at how easily my account was gone, and I'm obviously disappointed that I still haven't been able to reclaim my account. But all of this is irrelevant to the purpose of this topic.

OKAY, now I'm done picking apart your post and eating it to now dribbling on about how Jagex can make our accounts more secure. The bank pin on the recovery screen is a good idea (don't they already have this? or is this a real life bank pin?). I really can't think of anything that they could do because it is for the user to make sure they're protected.
Thanks for at least thinking that the Bank-PIN screen on with recovery is a good idea.. no they don't already have this... The PINs which they currently request on the recovery screen are for RL cc, pay-by-phone & pay-by-sms transactions. It is the actual Bank-PIN keypad I would like to see as part of the recover account page... It is to me the best form of protection that Jagex has on our accounts (mouse control vs keyboard). And unless someone saw you mouse in your Bank-PIN whilst you played RS, or you told someone... then this in my view, will aid in protecting your account more, and of course swiften account recovery. And we all know it is up to the user to make sure their accounts are protected... But if Jagex truly felt that way, they wouldn't have felt the need to install the Bank-PIN or have Recovery Q & A protections in the first place... and don't get me wrong... I am glad that they do have them... but it could be more effective.

 

 

 

And hehe SNAP!! I just found a post on official forums in which they want to see the Bank-PIN used to aid in account protection/recovery too QF 24-25-793-28549925

 

This idea I like in particular.

 

Well anyway, I suggest it asking for your bank PIN as well as your pass when changing your recovery questions or pass, and if they go to get the bank PIN changed, that the usual 7 day wait still be in effect before you can change your PIN and get into the change pass/recovery questions areas.

 

And another topic of interest QF 24-25-208-28660704

 

 

 

An Update: A week too late but at least I got my account back! Woohoo

I am back!! Totally stony-broke... but I am back!!
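
The proposals made in this thread (bank PIN required alongside the password to change recovery questions, the waiting period on a PIN reset, and the owner cancelling a pending reset from the recovery page with the existing PIN) can be modelled as below. This is an added example, not Jagex's code and not part of any post; the `Account` class, its method names and the sample credentials are all assumptions constructed for illustration.

```python
import hashlib, hmac, os

PIN_RESET_DELAY = 7 * 86400  # seconds; the thread mentions a 3-7 day wait


def _digest(secret, salt):  # salted slow hash; nothing is stored in the clear
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class Account:  # hypothetical model; all names are assumptions
    def __init__(self, password, pin, recoveries):
        self._salt = os.urandom(16)
        self._pw = _digest(password, self._salt)
        self._pin = _digest(pin, self._salt)
        self.recoveries = dict(recoveries)
        self.locked, self.pin_reset_due = False, None  # due: when a reset matures

    def _ok(self, stored, supplied):
        return hmac.compare_digest(stored, _digest(supplied, self._salt))

    def change_recoveries_password_only(self, password, new):
        # Behaviour described in the thread: the password is the only gate.
        if self.locked or not self._ok(self._pw, password):
            return False
        self.recoveries = dict(new)
        return True

    def change_recoveries(self, password, pin, new):
        # Proposed: password AND bank PIN, refused while a PIN reset is pending.
        both = self._ok(self._pw, password) and self._ok(self._pin, pin)
        if self.locked or self.pin_reset_due is not None or not both:
            return False
        self.recoveries = dict(new)
        return True

    def request_pin_reset(self, password, now):
        # "I don't know it": only starts the waiting period.
        if self.locked or not self._ok(self._pw, password):
            return False
        self.pin_reset_due = now + PIN_RESET_DELAY
        return True

    def complete_pin_reset(self, password, new_pin, now):
        matured = self.pin_reset_due is not None and now >= self.pin_reset_due
        if self.locked or not matured or not self._ok(self._pw, password):
            return False
        self._pin, self.pin_reset_due = _digest(new_pin, self._salt), None
        return True

    def cancel_pin_reset(self, old_pin):
        # Recovery-page keypad, no login: the existing PIN cancels and locks.
        if not self._ok(self._pin, old_pin):
            return False
        self.pin_reset_due, self.locked = None, True
        return True


def takeover_scenario():  # constructed: intruder has the password, not the PIN
    pw, own, bad = "constructed-pw", {"first pet": "rex"}, {"q": "x"}
    old, new = Account(pw, "4071", own), Account(pw, "4071", own)
    return {
        "old_flow_changed": old.change_recoveries_password_only(pw, bad),
        "new_flow_changed": new.change_recoveries(pw, "0000", bad),
        "reset_started": new.request_pin_reset(pw, now=0),
        "reset_day_3": new.complete_pin_reset(pw, "0000", now=3 * 86400),
        "owner_cancelled": new.cancel_pin_reset("4071"),
        "reset_day_8": new.complete_pin_reset(pw, "0000", now=8 * 86400),
        "owner_answers_kept": new.recoveries == own,
    }
```

A short PIN accepted without a login needs attempt limiting on the keypad endpoint, which this sketch leaves out.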
