Service Side Security

Quick find code: 74-75-360-66103332

Sethii
This post is in retaliation to a friend who got banned despite not logging in for months.
(Likely compromised; I will concede fault, as 2FA wasn't enabled. Everything will be addressed once the ban is lifted.)

This will be talking about flaws in the systems which I feel the service could have provided which would further prevent such things. While users are responsible for their account security, the service we are using is responsible for providing a secure platform and good support.

* We had no idea about this ban until she tried to log in. The only notification was in game. The point of notifications is so we can see them quickly; if one isn't logging in often, providing this notification in game isn't helpful. I do like the concept of in-game messages, as it can prevent phishing, but it would be nice to have an option to forward these to our email.

* Foreign location checks: this could've been avoided by doing what services like Blizzard, Netflix, or Google already do. On login from a new location, send an email to let the user know that the login credentials were used, and/or provide a link to authenticate the request. This would have been handy to immediately discover the potential breach, and is common.
This is helpful as said "hacker" most likely didn't change the password/email, because that would make her aware of the unauthorized access.

* Poor passwords: the password field is horrible:
** Passwords should allow symbols and have no 20-character limit.
** We should be able to paste into the client so it's more password-manager friendly. (Both myself and said friend use a simpler password that's easy to manually type because we can't generate and paste strings into the client; everywhere else, unique generated ~80-character passwords are used.)

* Banned accounts are not able to change their email address or enable 2FA which seems a bit annoying as after unauthorized access, we'd like to do these things.

31-May-2019 13:23:48 - Last edited on 31-May-2019 14:01:59 by Sethii
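The new-location check and email notification described in the second bullet above, as an added Python sketch that is not part of the original post or of Jagex's systems. It assumes a coarse location label per login, an in-memory outbox standing in for email delivery, and a one-time confirmation token that the registered email address receives; the account names and locations are constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class LoginMonitor:
    """Holds logins from unfamiliar locations until the account owner confirms
    them via a single-use token sent out-of-band (constructed illustration)."""
    known: dict = field(default_factory=dict)    # account -> set of seen locations
    pending: dict = field(default_factory=dict)  # token -> (account, location)
    outbox: list = field(default_factory=list)   # stand-in for the email queue

    def login(self, account: str, password_ok: bool, location: str) -> str:
        if not password_ok:
            return "denied"
        seen = self.known.setdefault(account, set())
        if location in seen:
            return "allowed"
        # Unfamiliar location: do not silently allow. Notify the registered
        # email (an in-game message alone is never seen by an absent owner)
        # and hold the session behind a single-use confirmation token.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (account, location)
        self.outbox.append({"account": account, "subject": "New login location",
                            "location": location, "token": token})
        return "challenge"

    def confirm(self, token: str) -> bool:
        """Owner clicked the emailed link: trust that location from now on."""
        entry = self.pending.pop(token, None)  # pop => token cannot be replayed
        if entry is None:
            return False
        account, location = entry
        self.known[account].add(location)
        return True


def demo():
    m = LoginMonitor()
    m.known["alice"] = {"GB"}                 # constructed: home location already trusted
    first = m.login("alice", True, "GB")      # known location -> allowed
    second = m.login("alice", True, "BR")     # new location -> challenge + email
    token = m.outbox[-1]["token"]
    ok = m.confirm(token)                     # owner confirms via emailed link
    replay = m.confirm(token)                 # same token again is rejected
    third = m.login("alice", True, "BR")      # location now trusted
    return first, second, ok, replay, third
```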

Thunder Jinx
The issue really is on your own side.
Many of us have never been hacked because good hackers go after things that actually make them money.

I know a few people who have had their accounts locked because they changed location on their VPN, so Jagex does do location checks and locks your account, and you can quickly unlock it through your registered email address.

You were not hacked because someone was able to brute force it. Perhaps you had one that was easy to guess because it was password123 or you were keylogged or fooled to log into a phony RuneScape site.

31-May-2019 14:09:03

Sethii
Regarding the second point, that's interesting and I wasn't aware that was a thing; however, clearly it isn't as good as it could be, once again following examples like Google, Blizzard, or Netflix.

Regarding the bottom point, I never said how I thought she got hacked, it may have been brute forced, guessed, keylogged, phished or anything else. I could only presume a type of brute force, or using credentials from a breach of another service. (As stated due to lack of copy/paste this is using a simpler password.)
Regardless of the above, no notification was provided and no lock was in place despite it being a different location.

This post is not to shift blame on Jagex, it's to say more can be done on their side to prevent this to protect all users. This isn't about her account specifically, but RuneScape globally.

31-May-2019 14:25:15
