over 5 years ago - /u/JagexNav - Direct link

Originally posted by Special_Feeling

🦀 🦀 🦀 THE CRABS ARE GOING EXTINCT 🦀 🦀 🦀

Seriously thank you guys for the thought-out post on security. It sounds like Jagex is listening and making big steps in the right direction.

Edit: Downvoted for thanking the mods for giving us what we wanted, wild. I hope you all realize any company will take time to fix things....

Thank you. It is a first step of many steps and we will be keeping you guys and girls informed every step of the way.

over 5 years ago - /u/JagexJD - Direct link

Originally posted by jirinji

Work with a third-party provider is underway to implement a system which searches the internet for breached password data. That way we can warn you if you’re using a password that might not be safe

Does that mean you're storing passwords in plaintext?

We're not storing in plain text. We can't share the details, but all the required security procedures are in place.

over 5 years ago - /u/JagexGambit - Direct link

Originally posted by BoulderFalcon

With blizzard you legit send proof of your Driver's license/State ID to get into your account. Would this be realistic to implement, at least as an option?

You have to understand some items are billions of gp and take years to earn. When your past 4 years of effort are stolen from you it's heartbreaking. I would gladly risk being unable to play my account for a few days if it meant it were more secure.

Hey Boulder, any system requiring players to send in verification documents is unlikely. For data-handling reasons including data protection (e.g. GDPR compliance), we're leaning away from this sort of thing.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by DIYRunar

Bank PIN is useful mainly because Jagex never asks for it outside of the game. If a website or email asks for your PIN, you immediately know that it must be a scam. Jagex should emphasize that when setting a PIN because it's a good way of spotting phishing sites.

That's a great point, I'll see if we can build that into our advice/comms. Edit: We've updated the Bank PIN Support Article to include this specific tip, thanks again :)

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by Lostasomething

I have a main account however about two years ago my friend logged into it and it was locked and I'm unable to recover it. If I tweet a jmod would that help in recovering the account? I have picture evidence of the multiple names the account used but yeah recovering is quite difficult =(

Nope, to recover an account we need to verify you are the owner and we just can't do that over Twitter - when your requests are denied does that happen quite quickly or does it take a while to hear back from us? If you are being denied quickly it means that very little (or none) of the base information you are submitting matches up, if it takes longer it's actually quite good news, it just means you need to improve the info a bit - and we usually let you know the specific areas to improve to strengthen the next request

over 5 years ago - /u/Mod_Kelvin - Direct link

Originally posted by Lostasomething

I have a main account however about two years ago my friend logged into it and it was locked and I'm unable to recover it. If I tweet a jmod would that help in recovering the account? I have picture evidence of the multiple names the account used but yeah recovering is quite difficult =(

Unfortunately, tweeting a Jmod won't enable us to verify who you are, and verify that the info you provide is enough to prove you are the owner of the account - you can get info and advice here: https://support.runescape.com/hc/en-gb/articles/206666629-Denied-password-resets

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by G_N_3

Please consider a better version of Jagex Account Guardian, that was amazing tbh.

Thanks for your comment, I recall from the days of JAG that it was actually quite problematic, people forget their answers, typo the answers, use spam answers (jelly1, jelly2 etc.) or set answers that can be easily guessed or obtained through social engineering. At the same time, I also hear people (like yourself) saying it worked well ... as mentioned in the blog we are looking at account security overall so it's good to have that context and feedback and we will explore all options.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by [deleted]

[deleted]

Yes, that would be one element of allowing complex passwords to be set

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by Ali9666

Live support needs to be added. They didn't even mention it in this post. Also ip tracking would make it trivial to tell if someone is the actual owner.

You are right, but this blog is about account security. Live support is a massive undertaking and a complex process if we are to ensure people are not held waiting in long queues, and we need to consider what type of support can be offered through a live chat system where user verification is challenging. One approach is to look at answer bots that can guide people to help in a 'live' experience, but still offer a traditional contact route to a human support channel if needed. We haven't scoped this yet but it's certainly something we have in mind when considering all support options we might introduce in the future.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by iNicholasi

I have a suggestion for jagex support. You should make players set up a 2 factor authentication when players sign into the game. For Example if a player signs into the game there should be a notification stating that (please set up a 2 factor authentication before playing) and if the player removes the 2 factor authentication from their account they won't be able to play the game without having a 2 factor authentication on their account.

We'd certainly be interested to hear how we can encourage auth take up, if we can incentivise it or have some other creative solution that increases auth take up that would be great, and we'd be interested to hear your thoughts on how best to approach that.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by [deleted]

[deleted]

We can't share the details, but all the required security procedures are in place.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by Who_is_pancakez

What's the email address from a jagex email? I know people can modify what their email looks like, it's easy to spot the fakes, but I just honestly never open emails from anything jagex related because you guys used to say "we'll never email you"

This article has all our official contact emails and a few tips on how to spot phishing emails.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by ChaoMing

Do note that we already offer 2FA and it is currently used by about 50% of active players. If you haven't already done so, then please setup 2FA as soon as possible!

I'm curious how much of that "50% without 2FA" statistic are bots and how badly the number is skewed because of it.

I'll check that out - we've used the word 'active' so that usually means playing regularly over a set period, which wouldn't include bots as most are removed within their first session - I'll double check though. That said, even if it includes bots, it won't skew the figures that much, I would estimate single digits at most

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by naringsliv

Thank god for 2FA on the website "coming soon." My main support of authenticator delay was because there was no support for 2FA on the website (potentially explicitly against? I don't remember).

Considering you can access account settings (including change password and authentication -- I know these require interacting with an email), and through the website you can access subscription information, which is a recovery detail, this should have been a no-brainer when implementing 2FA.

Thanks for your response. Any subscription info you can obtain through account settings would be of very very little use in a recovery attempt (for example the password you used to actually access the account settings in the first place would carry more weight), but I don't wish to detract from your key point of support for auth on web log in - which you rightly identify as a necessary security measure.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by DuneHburst

Adding authentication to the website is a HUGE step forward in account security. All of these upcoming changes seem great. Keep up the good and hard work Jagex.

Thanks for your comments, I'll make sure the team working on web auth know their efforts are appreciated.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by [deleted]

[deleted]

There are no plans to charge for any additional security, we want accounts to be secure, there won't be a 'paid security feature'. In terms of smart phones, although you don't have one, many people do - 2fa really does make a lot of sense and is widely accepted as a 'norm' for online security. Our Auth is also available to people who don't have a smart phone, I'll admit it is a slightly more clunky set up than with a smart phone, but it does at least allow everyone access to the benefits of 2fa.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by BasicFail

I also think that re-introducing security questions could be a good thing. Granted, it isn't perfect, but does it have to be?

A lot of people seem to get hijacked through their email. Jagex doesn't ask anything other than having access to it. Jagex could ask to answer a security question before sending the email.
Many services still use recovery questions. There has to be a reason why. Most seem to use them in the way I described, but I could be wrong.

As for the previously mentioned problems, there has to be a way to mitigate most of that, right? Jagex could allow us to change them when our account has been in "good standing" for 12+ months. Or when Jagex determined that an account has been hijacked.

Just a thought...

All good points, feedback will really help us make informed decisions moving forwards so thanks for your comments.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by Sanctitty

What about a 60 days recovery master password that I can set? It would take 60 days for master password to set in place. Only time u enter it is to recover your account. It'll give legit account owners access to their account on demand. Warning u 60 days counting down on logon that it is gonna be placed in case u did get hijacked. It'll also take 60 days to remove it if u forgot the password with recoveries while giving u an ingame notification about it being removed. U can add this to different increment of time from 60 days to 90, 120 plus. Less than 60 is too easy for hackers to own the account.

Thanks for the feedback, my initial thought is that if people forget their current password, they would also forget their 'master password'- and in that scenario you would still need a route round it. Your feedback has been noted though, as we said in the blog 'we haven’t ruled anything out just yet' - so do keep the suggestions coming!

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by DroolingLiver

I just found an email from Sunday in my spam folder saying it changed my email address. I have an authenticator and a PIN on my bank account. I never check my spam. And yes it was from @a.runescape.
How the hell did this happen? I cancelled the email change but I still can't log in anymore?!?!

That sounds like a phishing email, the way you have described it is exactly like the first example we provide in our suspicious emails article. Please set a new password for your acc ASAP

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by Velluu

Allow us to scan our personal ID card / driver's license to our account info page (unable for us to see after it's uploaded). If we ever lose access to our account because of a forgotten password then ASK US TO SEND A PICTURE OF OUR ID CARD / DRIVER'S LICENSE. Don't let anyone recover accounts without it. Or allow us to authenticate ourselves with a real-life bank credentials.

People spend thousands of hours playing this game. To me my account is worth thousands of hours that I can't get back if it ever gets hacked (a BTW). Allow us to take this seriously.

Thanks for your feedback, we have discussed real life ID options and we are open to looking at all solutions. It does present a couple of significant challenges. Firstly obtaining, processing and storing that volume of personal data does have huge data privacy implications and secondly many of our users may not have ID they can provide. It's a sensible suggestion of course, and is used by other companies - but is certainly not a straightforward solution that would work for everyone all of the time.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by MelbCentralIsLeaking

Don't ignore my comment cause im 18 hrs late!

example scam email pic

RE: Sending players emails. I get one of these scam emails 3 times a week. I know it's a scam because
a) it doesn't use my player name
b) Jagex only contacts us thru the player inbox aside from password resets.
c) hovering over the link reveals it to be a phishing website.

You can also see the email address has been spoofed to be IDENTICAL to the jagex one.

If Jagex start sending emails to players which may include actions, how will anyone be able to tell what is and isn't fake anymore? And I'll admit, the first time I saw this one, I panicked and almost submitted my details.

That phishing email is widely known about, in fact it is the very first example we provide in our suspicious emails advice article.

You are spot on that not having a personalised greeting and the link pointing to a phishing site are clear giveaways that it is not from us, but I also accept we could do more to educate people about phishing so they are not deceived. It's also true that genuine notifications from us could be confused with phishing attempts, that isn't a reason to not do it, but it does also mean we need to carefully consider our messaging and raise awareness of how to spot phishing.

I'll make sure your feedback is included in our planning, thanks for taking the time and trouble to raise the point.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by taken_the_easy_way

So does this mean we will now have Case Sensitive passwords and passwords longer than 20 characters?

Jagex mods won’t see this but a suggestion. For every new login from a new IP or device maybe make us require the usual 2FA code and then like confirm it through email for example; if you get email saying “you attempted to log into a new IP(show location and device) if this is you please confirm by clicking this link” and if it’s not you just say you can ignore the email and secure your account. You only have to confirm the IP once and we can go into our account settings to remove any device/IP so we can 2FA/confirm by link in email again. The email authorizing link should also have a set time where it expires like in an hour or 24 hours.

Basically authorizing our login through email even with the 2FA code. So even if email is compromised they would still need the 2FA code (Google Auth and hopefully Phone Number SMS) as well as get notifications of login attempts. This should also lower phishing attempts as you know when to expect the email as you login to a new device/IP.

Process should be like this: Goes from typing username or email/password and clicking login, then you get email/SMS notification of a new login, then the login would need 2FA code, then when the 2FA code is entered correctly an email authorizing the login should be sent (in the client or website it should say waiting for confirmation after entering 2FA code). After you authorize and you have access to account you don’t have to do email authorizing unless you go on another IP or remove the IP/device from account settings.

Also I would love 6 digit Bank PINs since most smart phones nowadays require 6 numbers to unlock.

Thanks for the feedback, it does sound like you would introduce a lot of friction into the log in flow, especially as IP changes regularly, especially for VPN users. Your process does also rely on Auth set in the first place, which we know currently only covers about half of all accounts. That said, it's not my intention to dismiss your suggestion, in fact the complete opposite, it has been captured in our feedback - thanks!
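
The login flow proposed in the quoted post above (password, then 2FA code, then a one-time expiring e-mail link for each new device), as an added example that is not part of the thread and is not Jagex's implementation. The function names, `device_id` and the in-memory stores are hypothetical; a device identifier is used instead of the IP because, as the reply notes, IPs change regularly.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)  # server-side signing key (constructed for the demo)
LINK_TTL = 3600                   # link lifetime in seconds (the post suggests 1 h or 24 h)
trusted = set()                   # (account, device_id) pairs already confirmed
pending = {}                      # (account, device_id) -> nonce of the outstanding link

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue_link_token(account, device_id, now):
    """Token for the confirmation e-mail: binds account, device, nonce and expiry."""
    nonce = secrets.token_hex(16)
    pending[(account, device_id)] = nonce   # a newer link invalidates older ones
    body = json.dumps({"a": account, "d": device_id,
                       "n": nonce, "exp": now + LINK_TTL}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body).decode()

def confirm_link(token, now):
    """Check signature, expiry and single use, then remember the device."""
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:                      # malformed token or bad base64
        return False
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        return False                        # forged or altered link
    claims = json.loads(body)               # parsed only after the MAC verifies
    key = (claims["a"], claims["d"])
    if now > claims["exp"] or pending.get(key) != claims["n"]:
        return False                        # expired, already used, or superseded
    del pending[key]
    trusted.add(key)
    return True

def login(account, device_id, password_ok, totp_ok, now):
    """Returns (state, token); token is set only when an e-mail must be sent."""
    if not (password_ok and totp_ok):
        return "denied", None
    if (account, device_id) in trusted:
        return "ok", None
    return "pending_email_confirmation", issue_link_token(account, device_id, now)

def remove_device(account, device_id):
    """Account-settings action: forget a device and cancel any outstanding link."""
    trusted.discard((account, device_id))
    pending.pop((account, device_id), None)
```

The e-mail link is only issued after both the password and the 2FA code are accepted, so a compromised mailbox alone cannot approve a device.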

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by jenniferflowercat

What is being done about RWT, gold farming, and gold selling? The reason why people are getting hacked/scammed/recovered so often is because their in game items have real life value that can currently be relatively easily transferred or sold... Are there plans on making stricter rules/bans for people who buy gold from shady websites? I know of several people who have bought/sold gold in the past but never had any consequences to their accounts

We share your frustration, it's hard to see how we could be 'stricter' than permanent banning people though? RWT is a complex problem, what I can say is that although it is not directly related to this blog, our team do ban about 6 million accounts a year for this sort of rule breaking, and they are continually looking at ways to deal with RWT.

over 5 years ago - /u/Mod_Stevew - Direct link

Originally posted by KosmosxD

Isn't having email notifications about account changes just going to give phishing scammers a new base for getting people's information?

That is true, it's not a reason to not do it ... but it does appear under the 'cons' list for this approach.