Security Improvements

Quick find code: 185-186-154-66064365

Salubrious

This thread is created with the intent to encourage Jagex to utilise some simple methods that would greatly harm the hijacking community.

Please read the thread before posting and keep feedback constructive. If you have an entirely separate idea, please create a separate thread for it. This is to keep this on topic. Thank you.


If you don't want to read the thread properly, but want to know what it is about, see the summary, here.

Contents:

Post 2 - Pin additions - click here
- Post 3 - Pin additions - Advantages and Disadvantages
-- Post 4 - Pin additions - frequently asked questions

Post 5 - Content ID - click here
- Post 6 - Content ID - Advantages and Disadvantages
-- Post 7 - Content ID - frequently asked questions

Post 8 - Set the 7 day pin option as default || Block proxies on account creation and recovery.

+ Post 9 - Ways to promote PIN usage

+ Post 10 - Too long, did not read (SUMMARY)
__.,;'*
,.__
salubrious

force log account
|
account security

15-Nov-2014 23:56:17 - Last edited on 29-Apr-2015 20:25:54 by Salubrious

Salubrious

What?
I'd like to see a PIN required once per login session before we enter the wilderness, red portal or drop/stake items.
This could be toggleable, for example, anything above 1m or 2m in carried wealth requires you enter a PIN.
I have heard of a grave rework (in fact, removal, discussion from HLF) so I'm not going to suggest stuff for that here.

Why?
Hijackers can drop items and kill accounts to retrieve the wealth the victim's account has in their inventory and on their worn equipment.

Requiring a PIN before entering the wilderness, red/purp dangerous portal, or dropping 'high value' items would greatly restrict what hijackers can do.
Phishers would be given an awful lot of grief, and malicious individuals who recover accounts could be significantly delayed in reaching the victim's items. This means that the victim has time to recover their account back, should all else fail.

How?
Wilderness Entry Methods that require a PIN for this to work:
+ Wilderness wall
+ Edgeville dungeon
+ Daemonheim
+ Ardougne lever
+ Edgeville lever
+ Dareeyak Teleport (ancients)
+ Carrallangar Teleport (ancients)
+ Annakarl Teleport (ancients)
+ Ghorrock Teleport (ancients)
+ Ice Plateau Teleport (lunars)
+ Tele Group Ice Plateau (lunars)
+ Wilderness Volcano (lodestone)
+ Entering via death plateau
+ Entering via ice path (god wars)
+ Entering via ghorroks snowball
+ Waka canoe
+ Corporeal beast cave
+ Lava titan option
+ Chaos tunnels

High value items currently give a warning before you can drop them. They don't have a PIN though.
Please add a PIN to this.

Staking items already in your inventory does not need a PIN.
Please add a PIN to this.

The red portal currently offers a warning.
Please add a PIN, because the red portal acts the same as the wilderness.

15-Nov-2014 23:56:29 - Last edited on 02-Dec-2015 11:03:11 by Salubrious

Salubrious

Advantages of PIN additions:
+ Would stop hijackers being able to transfer victims' items immediately, giving the victim time to recover their account.
+ Gives the hijacking and customer support teams extra time to handle large numbers of hijackings on the occasion they occur.
+ Protects a user's items during support 'deadzones', such as very late night to early morning and on weekends.
+ Reduces luring somewhat, giving users who have just worldhopped a little bit of a warning.


Disadvantages of PIN additions:
- Does not protect against hijacked sessions such as when a victim's computer has a backdoor or RAT, because they may already be logged in.
- May take time to implement and test because of the variety of ways users can enter the wilderness.
- Thresholds for the value you can take into the wilderness may be unreliable if you have untradable items such as minigame hybrid armour, which has a high value but no actual monetary worth. This may mean you have issues taking it into the wilderness.

15-Nov-2014 23:56:35 - Last edited on 16-Nov-2014 03:13:04 by Salubrious

Salubrious

Pin additions FAQ

Question: Will this intervene with my warbands session?

Answer: No. You can toggle a threshold for when you receive the warnings - assuming you don't take more than 1m or 2m to warbands, it probably wouldn't affect you even if you didn't toggle it!


Question: I PK in the red portal a lot - will this be annoying for me?

Answer: It won't be, unless you world hop a lot. The PIN is entered once per game session. You can however set a threshold of how much you can carry before the PIN is required, for example, you could set the threshold to 2m gp value, and as long as your carried items amount to less than 2m, the PIN will not disturb you.


Question:

Answer:


Question:

Answer:


Question:

Answer:

15-Nov-2014 23:56:42 - Last edited on 16-Nov-2014 03:01:27 by Salubrious

Salubrious

In addition to this, I would like to suggest that Jagex begin to expand how they use the YouTube content ID feature. Correct use of this tool could automatically remove the majority of malicious videos, such as those phishing giveaways and fake gold generator downloads.

What is Content ID?

Content ID is something YouTube use to detect copyrighted content. Jagex are currently a member of the Content ID program. When you upload a Jagex related YouTube video, they hold the rights to game content of theirs that is shown, alongside the brand identity itself. Content ID gives them the option to copyright claim content.


Jagex never copyright claim content that doesn't breach their game rules - if you follow the rules in your video, they aren't going to claim it. If it is a video containing botting software or something, they will likely claim it because it breaches their rules and they don't want it there.
Now, what if they added these obvious giveaway videos to it?
So, they start claiming these videos automatically on upload. RIP phishers. They start off a new one, Jagex can just claim it and use it as a sample to kill all the identical phishing videos.


Why?

It will stop phishers and malware spreaders being able to upload their scammy rubbish.


How?

If management or the copyright team get on it and contact YouTube about it, it could easily be done.

15-Nov-2014 23:56:48 - Last edited on 16-Nov-2014 02:14:03 by Salubrious

Salubrious

Advantages of Content ID:
+ Automatically removes content Jagex have defined as unwanted, such as malicious videos advertising a virus you download which claims to give you in game benefits.
+ Could be used to combat phishing if the same videos are used regularly - it could automatically terminate instances of that video, saving accounts and support time.
+ Requires a relatively low amount of work on the Jagex end, as they are already registered for Content ID.


Disadvantages of Content ID:
- Requires a staff member to dedicate time to updating it consistently every few days.
- Some takedowns may be disputed, so the staff member may need to review them.

15-Nov-2014 23:56:55 - Last edited on 22-Mar-2015 03:22:09 by Salubrious

Salubrious

Content ID FAQs

Question: Would this hurt me? I am a videomaker.

Answer: No, it won't affect you, unless you upload dodgy content like gold generators. Jagex currently have this system in place - it automatically detects all RuneScape videos. They release them from copyright though, because they like people making videos. It is free advertising for them. They can however refine their detection criteria or add more, or add entirely new things, which would catch gold generators and phishing giveaways and the like.


Question: I'm worried that my content will be claimed by this system.

Answer: It is unlikely that it will be claimed unless it matches the malicious content they are targeting. You would however have the option to appeal any takedowns done by the Content ID system. These appeals are sent to the person who took down your content, or the copyright owner of said claimed content. If it is false, they will lift it, and the video will be restored, and your account standing not affected.


Question:

Answer:


Question:

Answer:


Question:

Answer:

15-Nov-2014 23:57:02 - Last edited on 16-Nov-2014 03:04:16 by Salubrious

Salubrious

The 7-day PIN option should be the default option, instead of 3 days.

This is because the time when an account is most vulnerable is during a holiday. The owner won't be able to always get back on their account in a 3 day period. 7 days gives them significantly more time.

If the owner is logging in regularly, enough to notice a 3 day pin issue, then they probably would have secured quickly. The cases where they don't notice, that 7 day pin can make the difference between them losing their bank and quitting, and coming back from holiday just in time, and playing safely after scanning and changing details.

----------------------------------------------------------------------------------------------


Block the use of proxies on account creation and when recovering.
Blocking proxies on account creation would decrease the amount of accounts made by goldfarmers and hijackers. Of course, proxies are added all the time, but blocking known ones will limit what ones they can use, and will, in the end, pay off and make it far easier to find them in the future.
Blocking account recovery over recognised proxies would reduce hijacking too - someone who is recovering their account should not need to use a proxy - if they are the real owner there is no point hiding their IP. Hijackers often use proxies for account hijacking and recovery.
Doing this would limit the hijackers' and goldfarmers' options.

If a proxy is spotted/recognised, it could be added to a list of 'auto deny' IPs. This would not affect normal players because they wouldn't be using proxies and it is often hosted servers specifically which are used to run proxies or virtual machines, which would be used by hijackers in the first place. Normal internet providers would not be affected. Recognised VM servers that are rented by them as proxies, however, may be blocked.

15-Nov-2014 23:57:09 - Last edited on 22-Mar-2015 03:21:25 by Salubrious
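
An added illustration, not part of the original post and not Jagex code: an 'auto deny' list applied only to account creation and recovery, leaving ordinary logins untouched. The network ranges are constructed from documentation-only address space, and the action and function names are hypothetical.

```python
import ipaddress

# Constructed deny list (documentation-only ranges, not real proxy hosts).
AUTO_DENY = [ipaddress.ip_network(n) for n in
             ("198.51.100.0/24", "203.0.113.7/32", "2001:db8:bad::/48")]

# Only the two actions named in the post are gated; logins are not.
GATED_ACTIONS = {"create_account", "recover_account"}

def normalise(ip_text):
    """Parse the source address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so a listed IPv4 host is matched however the connection reports it."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_denied(ip_text):
    ip = normalise(ip_text)
    return any(ip.version == net.version and ip in net for net in AUTO_DENY)

def allow(action, ip_text):
    """Return True when the request may proceed."""
    if action not in GATED_ACTIONS:
        return True
    try:
        return not is_denied(ip_text)
    except ValueError:
        # Unparseable source address: fail closed for gated actions.
        return False
```
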

Salubrious

Not everyone uses their PIN. If they did, a lot of hijacking would be stopped or delayed, likely in time for it to be stopped. Regardless, even those who do, due to the reasons outlined above like the wilderness not being PIN protected, are still at risk.

7 day pins are optional, and can be toggled to 3 days. Obviously, the 7 day pin provides way more protection and is the most effective.

With the above additions, it would be good to promote PIN usage to more people.

Ways to promote getting a PIN

+ A free preset slot

+ Extra bank space

+ An extra spin per day or on the weekends

+ An item from Solomon's

+ An override

+ A little bit of weekly bonus experience or a small lamp that can be claimed from the stronghold of security once per week

+ A hybrid cape - this would probably appeal most to F2P players, but would be a great incentive for them to get a PIN.


If the PIN is disabled by the player after obtaining whatever benefit it is, the item/benefit would become unusable. It would become usable again when the player has an active PIN.

15-Nov-2014 23:57:17 - Last edited on 16-Nov-2014 03:09:26 by Salubrious

Salubrious

Too long did not read (summary)


+ Add bank pins to the wilderness, dangerous purple portal, red portal, item staking, and item dropping. It will stop hijackers stealing your worn items even when you have a PIN. Without this, the PIN required when trading is useless. (PIN needs to be entered just once per login session. World hopping is a different login session.)

+ Make the default PIN option 7 days, instead of 3.

+ Use Content ID to remove hijacking spam videos from YouTube, which will reduce hijacking and give everyone an easier time, apart from the hijackers who will cry.

+ Disable account creation and recovery when using a recognised proxy.

----------------------------------------------------------------------------------------------


Other notable hijacker hindering ideas include...

+ Increase the time block between incorrect bank pin attempts to stop bruteforcing of bank pins by hijackers
OR
...
+ Automatically lock an account after a large number of incorrect PIN entries.

15-Nov-2014 23:57:24 - Last edited on 11-Jan-2016 23:17:31 by Salubrious
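
An added example, not part of the original thread and not Jagex code: a once-per-session PIN gate with a carried-wealth threshold, as proposed in post 2, combined with both the escalating time block and the lockout listed in the summary. The PIN, action names, delay and failure limit are constructed assumptions, and it goes slightly beyond the posts by skipping untradeable items when totalling carried wealth.

```python
import hmac
from dataclasses import dataclass

RISKY = {"enter_wilderness", "enter_red_portal", "drop_item", "stake_item"}
BASE_DELAY_S = 15   # assumed wait after the first wrong PIN, doubles each time
MAX_FAILURES = 5    # assumed number of wrong PINs before the account locks

@dataclass
class AccountState:
    pin: str                        # constructed; store a salted hash in practice
    threshold_gp: int = 2_000_000   # player-chosen threshold from the post
    session_verified: bool = False  # per login session
    failures: int = 0               # per account, survives relogs
    retry_at: float = 0.0
    locked: bool = False

def new_session(acct):
    """Login or world hop: PIN must be entered again, counters persist."""
    acct.session_verified = False

def carried_wealth(items):
    """items: (name, gp_value, tradeable). Untradeables are skipped (assumption)."""
    return sum(value for _, value, tradeable in items if tradeable)

def needs_pin(acct, action, items):
    return (action in RISKY and not acct.session_verified
            and carried_wealth(items) >= acct.threshold_gp)

def submit_pin(acct, guess, now):
    if acct.locked:
        return "locked"
    if now < acct.retry_at:
        return "wait"               # guess is ignored during the time block
    if hmac.compare_digest(guess.encode(), acct.pin.encode()):
        acct.session_verified, acct.failures = True, 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True          # needs support or recovery to unlock
        return "locked"
    acct.retry_at = now + BASE_DELAY_S * 2 ** (acct.failures - 1)
    return "wrong"
```
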
