11-July-2009 Jagex Security Key Response

Andrew clears up arguments about the upcoming security key.

[hide=Jagex Security Key Response]"Hi,

I've noticed the Jagex Security Key poll is causing some heated debate, so thought I'd better pop in and post some clarifications.

The first thing to bear in mind, (which we really should have mentioned in the poll), is we are NOT looking to make a profit from this key. The price is to cover the cost of buying the device and shipping it. In fact these devices aren't particularly cheap and if we do go ahead with this I expect we will probably LOSE money doing it. To be able to get it down to $10 we would almost certainly have to either heavily subsidize the cost of the key (i.e sell it at a loss), or buy in such huge bulk that we would end up with a large number we'd never sell (Still making a loss). So this really ISNT about making some quick money. The main reason for the poll is to see if there is enough interest to make it practical at all.

Now you're probably wondering why we would even consider doing this if we would be losing money. The reason is simple, we're in this for the long run, not for a quick buck, and therefore player satisfaction is extremely important to us. And a player who has had their account stolen (even though due to a keylogger/virus on their own computer) is generally not very satisified! We feel that the benefit of keeping our players safe outweighs the cost, and so we are willing to potentially take a bit of a hit on this.

Which brings us on to the 'bank space' incentive. Which is exactly that... an incentive.

The problem we face is the VAST majority of players don't actually believe they need extra security (until it is too late), and it seems very hard to convince them otherwise. I've been working on computer security for years, and the problem is people assume if they have an antivirus and a firewall and don't tell people their password they are bound to be safe. This ISNT true! It certainly makes you safer, and is a very good idea, but it sadly doesn't make you invulnerable. Even if you are very careful - believe it or not you can still end up with a keylogger on your computer. For starters all of the commonly used web-browsers are written in C++, and repeatedly suffer flaws where if you visit a malicious webpage, even without clicking on anything your computer can be compromised. I'm more up to speed on computer security than most, but I still use a bank pin on my account, and will still be using a Jagex Security key on my account. Because I don't suffer from the delusion that I'm somehow magically immune.

So the problem we face is we know lots of our players lose their passwords, we also know those very same players point blank refuse to believe anything bad could possible happen to them, and think they are secure (until it is too late), and therefore probably won't buy a security key. The evidence for this is clear, just look at our own forums and all the people saying "I'm secure, I don't need a key!". So we started wondering what we could do about that. If we can incentive people to buy a key some other way perhaps we can still protect their account. Of course even if the key does ultimately protect them, they will probably never even realize that it happened, and will probably go on thinking that they didn't need it, but at least their account is secure.

We chose extra bank space for the proposed incentive, because a) we already give extra bank space to members anyway, so this doesn't unbalance things further in any way B) it kind of makes sense that the people with the fullest banks are the ones with most to lose, so the ones who most need a key.

So this isn't about RWT (any more than the members game we already sell isn't about RWT), and it isn't about trying to make a quick profit. It really is simply about keeping our players accounts secure.

If we were in it for a quick buck we would just sell the bank space and forget the loss making key idea entirely (then we WOULD make lots of money), we're not going to do that, because that's not what this is about.[/hide]

Good news from Andy G. I like that they're being absolutely firm about not turning this into some sort of rl money for rs benefits.

I don't see why people were so upset about Jagex making money off of it in the first place. They're a company. So I don't really care if they make a loss or not. It's good to see that Jagex care about their players though.

And you can never been too secure with your computer :P

That's a big "up yours" to all the haters. Good job on his part, too.

What would happen if an F2P bought a keyÉ

I'd assume that they'd get the bank space too.

If I brought this key, how much Bank space would I get? [F2P]

great move on jagex. i can't wait to hear more about this key.

Woot, they care.

It's a well written response, but still, I don't think it's how Jagex should be proceeding. They run an online game that can be played anywhere on any computer, this Security Key is just too much, in my opinion.

This has to set a new record for "most RSOF threads owned in a single post"

Good job clearing that up :thumbup:

Other page posts by Andrew

[hide=]

one other things I want to mentioned, which was also accidentally missed out of the poll.

 

 

 

This isn't actually a USB device, it is just USB sized. It WILL work with Linux and Mac. It is a little device with a small LCD screen (like a calculator has) which displays a 6 digit number which changes every minute. If you buy the key, then then you have to type that number in (As well as your password) to login. Because the number continually changes, and because each number can only be used once it defeats keyloggers and other password stealer.

 

 

 

The key doesn't actually plugin to your computer, so it works with all operating systems, and can't be read by a virus because it isn't connected to your machine.

Well I feel actions speak louder than words.

 

 

 

So just look at our recent efforts to detangle members from the free game. We've been working very hard to make it so the one thing we do sell (members subscriptions) DOESNT give an unfair advantage against free users.

 

 

 

Indeed about the only members benefit you CAN still use on a free world is in fact... extra bank space.. we can't really remove that particular one without horribly breaking everything, so again it's a logical choice for the incentive, as we already have it anyway.

 

 

 

When you look at all the potential revenue we have given up not selling items, and all the work we have been doing to make the free game more free, it seems very unfair to STILL try and claim we are just hypocrites who are in it for the money.

 

 

 

Of COURSE we aren't going to start selling items in the game or introducing our own form of RWT. If we wanted to do that we would a) have done it years ago, and B) we would do in a way which actually made us money! Not this!

The device is powered by a built in battery, which lasts about 5 years.

 

 

 

In terms of people losing their device, yes we would obviously need a system for that. Most simply people who lost it would just be able to buy a new one, and we would just send it out to their address (much like if you lose your credit card your bank sends you a new one).

 

 

 

If they didn't want to buy a new one we would need a mechanism where the old one could be canceled. The trick here would be verifying the legit owner was doing the canceling. There are number of possibilities, we could just mail a cancellation code to the owner (since each key can only be lost once we could built the potential cost of doing that into the initial price), or we could go with a time based reset mechanism (where you have to wait a couple of weeks if you lose it and don't want to buy a new one).

 

 

 

It's still at a very early stage and all the details aren't worked out. At the moment we are just trying to get an idea if there is any interest and if the idea is practical at all. But some banks have been using these things for a while now, so they are quite well proven that they do work.

Fair play to Andrew setting the record straight ASAP.

I personally didnt like to think that the security key was for a quick buck but in conjuction with the extra bank space it did look that way. C'mon though how many games companys are willing to spend money to ensure that there players accounts are becoming more secure at the players end?

:thumbup: Jagex

Reading Andrew's posts from other pages, it sounds like he is pretty discouraged about it. Sounds like they're losing money if they go through with it, just to protect our accounts. I hope they go through with it :?

Glad he cleared this up, but it still seems like they are selling bank space to me.

Frankly, I think they'd do better if they just spent the money they claim they are losing on hiring more costumer support members and maybe even bring back the option to send Jagex a message about an issue in game. O well I guess by doing this they will save time on account recovery requests. I think the amount of people who will buy it is dependant on the amount of bankspace they offer with it.

If I brought this key, how much Bank space would I get? [F2P]

I'm willing to guess a line to a line and a half. :?

That was the kindest middle finger to all the RSOF idiots I've ever seen haha.

Reading Andrew's posts from other pages, it sounds like he is pretty discouraged about it. Sounds like they're losing money if they go through with it, just to protect our accounts. I hope they go through with it :?

Stop fooling yourselves, I'm sure they expect to make money out of it, they lose first then gain:

Jagex probably saw that people who got hacked quit playing very often (and thus stop paying for members). Logical solution is to make sure people don't get hacked.

My example might not be the exact truth but I'm sure that it's close and that Jagex DOES make money out of it when looking at the bigger picture.

So these will probably be similar to these authenticators I'm guessing?

[hide=Blizzard Authenticator][/hide]

I'm thinking of a few flaws that could come out, even though i would probably get one.

Think about it. They need to MAKE SURE that they are sending these things TO THE PROPER PERSON, and there is NO CHANCE you can somehow get ahold of another's (By pretending to be them that is). Yea, you still need the correct pass with it, but whats stopping someone who already knows a person's pass, to order one, somehow get it, and then basically have 100% control. One thing that I could definitally see happen.

I see a problem with F2P as well. Think about it, Jagex has Member's billing info. They can probably get most right (See above) from that. F2P hasn't given jagex any info, being more prone to that.

Of course, if those are made not possible, then yea, this thing could be great.

I would buy fro 10$, but 10$ + shipping...and inflation in my country....oh god, would end up being around 50$

Dragons Might: If the person has the other person's account and they haven't tried to get it back they probably don't care. F2P can just give them their info. The one thing I will be pissed at Jagex for would be if they add these people to mailing lists. Otherwise, as long as people actually buy this and it turns into a useful feature for Runescape, this will be a bonus.

So these will probably be similar to these authenticators I'm guessing?

 

 

 

[hide=Blizzard Authenticator][/hide]

Yes, very similar to that.

My mother is an accountant, and to protect accounts she works with, her company uses authenticators like that. These aren't silly little bank PINs, these are security devices that are incredibly difficult to bypass unless you physically have it in your hand. I'm very happy that Jagex is truly concerned in keeping people's accounts safe.

The main thing that I'm interested in is the price.

I hope he scraps this whole idea which he probably will. I am glad good old Andrew came out and secured my confidence in the game I love.