They stole the rugs and dyed them. Truly the most evil thing they could do!
They stole the rugs and dyed them. Truly the most evil thing they could do!
when can we expect the Arceuus Spellbook teleports implemented into the Portal Nexus?
Not you again.
[removed]
Behave yourself mum.
You’re breathtaking
No, you're breathtaking!
I like me some wholesome OC.
Don't ignore my comment cause im 18 hrs late!
RE: Sending players emails .I get one of these scam emails 3 times a week. I know its a scam becausea) it doesn't use my player nameb) Jagex only contacts us thru the player inbox aside from password resets.c) hovering over the link reveals it to be a phishing website.
You can also see the email address has been spoofed to be IDENTICAL to the jagex one.
If Jagex start sending emails to players which may include actions, how will anyone be able to tell what is and isn't fake anymore? And I'll admit, the first time I saw this one, I panicked and almost submitted my details.
That phishing email is widely known about, in fact it is the very first example we provide in our suspicious emails advice article.
You are spot on that not having a personalised greeting and the link pointing to a phishing site are clear giveaways that it is not from us, but I also accept we could do more to educate people about phishing so they are not deceived. It's also true that genuine notifications from us could be confused with phishing attempts, that isn't a reason to not do it, but it does also mean we need to carefully consider our messaging and raise awareness of how to spot phishing.
I'll make sure you...
Read moreAllow us to scan our personal ID card / driver's license to our account info page (unable for us to see after it's uploaded). If we ever lose access to our account because of a forgotten password then ASK US TO SEND A PICTURE OF OUR ID CARD / DRIVER'S LICENSE. Don't let anyone recover accounts without it. Or allow us to authenticate ourselves with a real-life bank credentials.
People spend thousands of hours playing this game. To me my account is worth thousands of hours that I can't get back if it ever gets hacked (a BTW). Allow us to take this seriously.
Thanks for your feedback, we have discussed real life ID options and we are open to looking at all solutions. It does present a couple of significant challenges. Firstly obtaining, processing and storing that volume of personal data does have huge data privacy implications and secondly many of our users may not have ID they can provide. It's a sensible suggestion of course, and is used by other companies - but is certainly not a straight forward solution that would work for everyone all of the time.
I just found an email from sunday in my spam folder saying it changed my email address. I have an authenticator and a PIN on my bank account. I never check my spam. And yes it was from @a.runescape.
How the hell did this happen? I cancelled the email change but I still can't log in anymore?!?!
That sounds like a phishing email, the way you have described it is exactly like the first example we provide in our suspicious emails article. Please set a new password for your acc ASAP
What about a 60days recovery master password that i can set? It wiuld take 60days for master password to set in place. Only time u enter it is to recover your account. Itll give legit account owners access to their account on demand. Warning u 60days counting down on logon that it is gonna be placed incase u did get hijacked. Itll also take 60days to remove it if u forgot the password with recoveries while giving u an ingame notification about it being removed. U can add this to different increment of time from 60days to 90,120 plus. Less then 60 is too easy for hackers to own the account.
Thanks for the feedback, my initial thought is that if people forget their current password, they would also forget their 'master password'- and in that scenario you would still need a route round it. Your feedback has been noted though, as we said in the blog 'we haven’t ruled anything out just yet' - so do keep the suggestions coming!
I also think that re-introducing security questions could be a good thing. Granted, it isn't perfect, but does it have to be?
A lot of people seem to get hijacked through their email. Jagex doesn't ask anything other than having access to it. Jagex could ask to answer a security question before sending the email.
Many services still use recovery questions. There has to be a reason why. Most seem to use them in the way I described, but I could be wrong.As for the previously mentioned problems, there has to be a way to mitigate most of that, right? Jagex could allow us to change them when our account has been in "good standing" for 12+ months. Or when Jagex determined that an account has been hijacked.
Just a thought...
All good points, feedback will really help us make informed decisions moving forwards so thanks for your comments.
[deleted]
There are no plans to charge for any additional security, we want accounts to be secure, there won't be a 'paid security feature'. In terms of smart phones, although you don't have one, many people do - 2fa really does make a lot of sense and is widely accepted as a 'norm' for online security. Our Auth is also available to people who don't have a smart phone, I'll admit it is a slightly more clunky set up than with a smart phone, but it does at least allow everyone access to the benefits of 2fa.
Adding authentication to the website is a HUGE step forward in account security. All of these upcoming changes seem great. Keep up the good and hard work Jagex.
Thanks for your comments, I'll make sure the team working on web auth know their efforts are appreciated.
Thank god for 2FA on the website "coming soon." My main support of authenticator delay was because there was no support for 2FA on the website (potentially explicitly against? I don't remember).
Considering you can access account settings (including change password and authentication -- I know these require interacting with an email), and through the website you can access subscription information, which is a recovery detail, this should have been a no-brainer when implementing 2FA.
Thanks for your response. Any subscription info you can obtain through account settings would be of very very little use in a recovery attempt (for example the password you used to actually access the account settings in the first place would carry more weight), but I don't wish to detract from your key point of support for auth on web log in - which you rightly identify as a necessary security measure.
Do note that we already offer 2FA and it is currently used by about 50% of active players. If you haven't already done so, then please setup 2FA as soon as possible!
I'm curious how much of that "50% without 2FA" statistic are bots and how badly the number is skewed because of it.
I'll check that out - we've used the word 'active' so that usually means playing regularly over a set period, which wouldn't include bots as most are removed within their first session - I'll double check though. That said, even if it includes bots, it won't skew the figures that much, I would estimate single digits at most
What's the email address from a jagex email? I know people can modify what their email looks like, it's easy to spot the fakes, but I just honestly never open emails from anything jagex related because you guys used to say "we'll never email you"
This article has all our official contact emails and a few tips on how to spot phishing emails.
[deleted]
We can't share the details, but all the required security procedures are in place.
I have a suggestion for jagex support. You should make players set up a 2 factor authentication when players sign into the game. For Example if a player signs into the game there should be a notification stating that (please set up a 2 factor authentication before playing) and if the player removes the 2 factor authentication from their account they won't be able to play the game without having a 2 factor authentication on their account.
We'd certainly be interested to hear how we can encourage auth take up, if we can incentivise it or have some other creative solution that increases auth take up that would be great, and we'd be interested to hear your thoughts on how best to approach that.
Live support needs to be added. They didn't even mention it in this post. Also ip tracking would make it trivial to tell if someone is the actual owner.
You are right, but this blog is about account security. Live support is a massive undertaking and a complex process if we are to ensure people are not held waiting in long queues, and we need to consider what type of support can be offered through a live chat system where user verification is challenging. One approach is to look at answer bots that can guide people to help in a 'live' experience, but still offer a traditional contact route to a human support channel if needed. We haven't scoped this yet but it's certainly something we have in mind when considering all support options we might introduce in the future.
[deleted]
Yes, that would be one element of allowing complex passwords to be set