PS Blog - Account Security

Quick find code: 294-295-395-66107508

Mod Poerkie

Welcome to the second in a series of four blogs from the Jagex Support Team. In our first, we detailed plans to upgrade our systems. This blog is about Account Security and will examine:

  • What we're working on now:
    • Strengthening passwords
    • Breached password usage warnings
  • Coming soon:
    • Email notifications and validations for account behaviour changes
    • Authenticator checks on the website
    • Investigating if we should implement an authenticator delay
  • And in the future:
    • Additional account security systems
    • Increasing account recovery security

    Account security is a challenge for all businesses on the internet. The number of websites to which people submit personal data, and the frequency of efforts to access this data, means that breaches are happening ever more frequently.


    It's therefore no surprise that improving account security comes with some major challenges. But we are nonetheless committed to overcoming them, although we must also be realistic - these changes will take time.


    Here's a detailed look at the various challenges with account security and how we're going to solve them.


    Better Passwords


    Our first priority is to strengthen passwords, and work is already underway.


    We’re updating our systems to allow more complex passwords to be set, and adding user guides that help users create them. We're also looking into how we can support password managers.


    Work with a third-party provider is underway to implement a system which searches the internet for breached password data. That way we can warn you if you’re using a password that might not be safe, or even stop you from choosing an insecure password in the first place.


    We really need your help on this, as these new systems will only benefit you if you choose to use them. In general, when it comes to password security, the essential things to remember are:


  • Never use the same password for your RuneScape/Old School account as you do for your email

  • If you are in any way concerned about your account safety, then set a new password immediately

  • Use a different password for every service you use online

    Email Notifications and Security


    Once password security is improved, our focus will shift to email notification.


    One of the quickest ways you can confirm you’re the owner of an account is by using the email address registered to it. This is a very common security method you have likely seen on other sites.


    We're going to start sending email notifications to your email address if we see strange changes in account behaviour, and in some circumstances we will require authorisation from that email address to login.


    However, the risk of using emails for security is that we don’t know if your personal email address is secure. And if the login details for your email are the same as your RuneScape/Old School account, then you’ve made it twice as easy for someone to find all the details they need.


    Essentially, the more secure your email address is, the more secure your RuneScape account is. If your email provider has extra security features like 2-factor authentication, then please use them (here are the links for Google, Yahoo and Outlook).


    Ultimately, these problems mean that in the long-run we want to move away from email and toward improved 2-factor authentication.


    2-Factor Authenticators


    One of the most secure things you likely own is a smart phone. Some have biometrics built in, most have additional password security and importantly people are generally very protective of them.


    We therefore want to use the security of your phone more to keep your RuneScape/Old School account safe, and the way to do that is 2-factor authentication (2FA) apps.


    Do note that we already offer 2FA and it is currently used by about 50% of active players. If you haven't already done so, then please set up 2FA as soon as possible! Our aim is for all of our players to use an authenticator and for it to apply to the game and website logins.


    One feature often requested by players is authenticator delays. There are several ways we could do this, such as delaying change requests or temporarily limiting trades. We haven’t ruled anything out just yet, but are mindful that there is a big risk of players getting locked out of their accounts or enduring restrictions if their phones are lost in the interim.


    We must also support users who need to change authenticator because they've lost access to their phone. These change requests already happen more times a day than Player Support could handle if they had to check everyone individually.


    Our preferred option, therefore, is additional account security systems.


    Additional Security and Account Takeovers


    We’re looking into additional security checks using the same type of technology used to tackle payment fraud. This system will allow us to react to new threats in real time, create different security models for different states of a RuneScape account (e.g. active player, dormant account, not email registered, authenticator supported etc...), and respond sufficiently fast to avoid the blocks that an authenticator delay could create.


    We believe this data-driven account security method is our best chance to tackle account takeover. It can work for all accounts and for all players. However:


  • If for whatever reason you can’t use 2FA, this will be your backup to protect your account. As a result, though, it will take a few seconds to run checks every time you login so users might encounter a slight delay.

  • This system will check millions of logins every day, and it would be wrong of us to assume it will get it right every time. Striking the right balance between brevity and security (in other words, letting the right users in and keeping the illegitimate users out, all without creating too much of a delay) will be a process, and we're unlikely to get it right straight away. We will be doing extensive testing before going live to perfect this, but please be patient with us. We are looking at how you’ll be able to contact us and resolve the situation ASAP if you do get incorrectly blocked.

  • If all goes to plan then this should all just happen without you ever seeing it or having to worry about it - unless you’re trying to steal someone’s account, of course. For that reason we won't be regularly updating players on progress.

  • The build and setup is going to take some time. This is a key priority for Jagex so it will be ready as soon as possible - current estimates point to a rollout in the first half of 2020. Despite the challenges, we think the benefits are worth overcoming the issues.

    Recovery Abuse


    One of the biggest challenges we face when reviewing account recovery attempts is identifying if the request has been submitted by the account owner.


    Our focus for the next year is on stopping the hijackers before they even get to an account, but regardless we need to improve how we process account recovery attempts. This may mean that appeal information requirements become stricter. It’s going to take some time to find that right balance between safety and swiftly getting players back into the game. At the moment we don’t feel we have it quite right, so work will continue on this.


    And from the team


    We understand how important account security is to you all, just as it is for us - we hear everything you're saying. And while we can't fix it overnight, we won't stop until things get better. We'll keep you posted on our progress but please keep talking to us, please keep sharing your concerns and please keep offering your suggestions. We're committed to doing everything we can.

    Thanks

    The Player Support Team

    Continue the discussion on Reddit, Discord or on this forum thread. Community Manager! @JagexPoerkie

    25-Jun-2019 13:54:46 - Last edited on 25-Jun-2019 14:05:17 by Mod Poerkie
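The breached-password warning described in the post above, as an added illustration that is not Jagex's code: the client hashes the candidate password with SHA-1, sends only the first five hex characters to the lookup service (the k-anonymity scheme used by the Pwned Passwords range API), and matches the returned suffixes locally, so the service never sees the full hash. The breach corpus, counts and minimum length are constructed for the example.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for a breach corpus. A real deployment queries a
# breached-password service instead of holding plaintexts in memory.
BREACHED_PASSWORDS: Dict[str, int] = {
    "password1": 2_400_000,
    "runescape123": 1_500,
    "Tr0ub4dor&3": 3,
}

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_lookup(prefix5: str) -> Dict[str, int]:
    """Server side of a k-anonymity range query: given the first five hex
    characters of a SHA-1, return every matching hash suffix with its count.
    The server cannot tell which of the returned suffixes the client wanted."""
    matches = {}
    for pw, count in BREACHED_PASSWORDS.items():
        digest = _sha1_hex(pw)
        if digest[:5] == prefix5:
            matches[digest[5:]] = count
    return matches

def breach_count(password: str) -> int:
    """Client side: only the five-character prefix leaves the client; the
    remaining 35 characters are compared against the returned suffixes locally."""
    digest = _sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)

def evaluate_password(password: str, min_len: int = 12) -> Tuple[bool, str]:
    """Password-setting policy: a minimum length (spaces allowed, so long
    passphrases work) and a hard block on anything seen in a breach."""
    if len(password) < min_len:
        return False, f"too short: use at least {min_len} characters"
    seen = breach_count(password)
    if seen:
        return False, f"seen {seen} times in known breaches; choose another"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("password1", "runescape123", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate))
```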

    Matmano9
    Sep Gold Premier Club Member 2015

    Words cannot describe the happiness I have to see Jagex working on this.

    I made a thread a while ago regarding this, unsure if it had an impact at all as to why you guys are finally deciding to focus on it. But I am just happy to see you guys are starting to consider it as an important thing to change.

    My Thread

    Will be following this closely. :-)
    I like to help people. Feel free to ask for advice/help. :-)

    My clan - Astral Turtles 2 year Runefester
    Need support? Account help
    Discord - Matmano9#0001

    25-Jun-2019 14:11:03 - Last edited on 25-Jun-2019 14:16:06 by Matmano9

    Sofa Hero
    Jun Member 2019

    I use protonmail.com. When I set up my 2FA, they gave me a list of 16 codes. I was to save these codes in the event I lost my phone. The cool thing is, each of these codes can only be used once. If I lose my phone I can get into my email with one of these codes, changing my 2FA or whatever I feel needs done.

    25-Jun-2019 14:13:52

    Matmano9
    Sep Gold Premier Club Member 2015

    Sofa Hero said:
    I use protonmail.com. When I set up my 2FA, they gave me a list of 16 codes. I was to save these codes in the event I lost my phone. The cool thing is, each of these codes can only be used once. If I lose my phone I can get into my email with one of these codes, changing my 2FA or whatever I feel needs done.


    This is good, but ensure the codes are kept safe. A hard copy would be best, AKA on paper in a safe.
    I like to help people. Feel free to ask for advice/help. :-)

    My clan - Astral Turtles 2 year Runefester
    Need support? Account help
    Discord - Matmano9#0001

    25-Jun-2019 14:17:17

    A Vitalis
    Mar Gold Premier Club Member 2015

    2FA/Authenticator is nice and all, but it shouldn't be mandatory. Not everyone owns a smartphone, and I refuse to use Chrome for anything other than downloading a browser that's a little more transparent about what it does with your data. I hope we're not seeing a push towards it being mandatory to play at all.
    The truth is you're the weak, and I'm the tyranny of evil men. But I'm tryin'. I'm tryin' real hard to be the shepherd.

    25-Jun-2019 19:47:27 - Last edited on 25-Jun-2019 19:48:46 by A Vitalis

    WIK i
    Jul Gold Premier Club Member 2018

    Hey Mod Poerkie, I have a question: what about accounts that got hacked and perm banned? I mean, I had an account, cast bob, that got hacked, and one day I recovered it back but it was perm banned. Would you help it out? I think that account got perm banned for no reason. Sorry for my English :/ Please help me out?

    25-Jun-2019 20:04:16

    Tom of Kent
    Jul Gold Premier Club Member 2009

    I'm all for increased security.

    About account recovery: I've two accounts, both are over 10 years old and I have no idea about any of the specifics. I doubt if I could satisfy the current standard to reclaim hijacked accounts, let alone increased security there.

    Please come up with a way to assure that I can recover a hijacked account without needing to know how and where I created the account.

    25-Jun-2019 22:36:13

    Mr Rey Ray
    May Gold Premier Club Member 2016

    Yes I couldn't agree more, this is a step in the right direction.

    I'm glad you're going to push players to use authentication as that is such a great way to keep your account secure. Two minutes to set up an authentication on Email+Runescape can save you being hijacked.

    I am pleased this will be coming to us in 2020.

    Will be amazing to see when this is rolled out :)


    Make sure, fellow Scapers, to use Authenticator and set a bank PIN in game.
    | Leader of IVY Click here for Account Help | An International Pvm/ Skilling Clan |
    Guest in our Clan Chat for an Invite

    25-Jun-2019 22:53:04

    Dreamweaver
    Aug Member 2003

    Excellent news! Passwords (or better, pass-phrases: please allow spaces in the new implementation!) have needed some love for a long time, so this is truly great. I appreciate that these changes will take time and testing to implement, but thank you for communicating what is happening.

    I did notice that there's an implementation bug with 2FA as it currently stands. These codes are supposed to be strictly single-use, but I can log into the account using an authenticator code, and then use the same code to unlock my bank in-game (assuming it's still valid timewise). Ideally, the in-game code request should not accept the same token number as the first game login. Hopefully that will be caught with the improvements that are underway.

    A note for the player who is skeptical about Google (and from a privacy perspective I heartily appreciate that view): you don't have to use Google Authenticator. Any trustworthy authenticator app will work because the underlying protocol is a standard. Personally I use Authy because I like how it can be protected by a PIN and/or fingerprint on my phone too. Authy offers a desktop app also, for people without a phone, or who choose not to use a mobile app for whatever reason. And Authy is certainly not the only player in town. There are options out there!

    Research what works well for you and your situation, but *DO* use two-factor authentication. It is the single most effective way of securing your account beyond a long unique password/pass-phrase.

    Thanks again!

    Dreamweaver

    26-Jun-2019 05:36:53
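Dreamweaver's observation above (one authenticator code accepted for the game login and then again for the bank PIN) is exactly the case RFC 6238 section 5.2 rules out: a verifier must not accept a code that has already been used successfully. The block below is an added illustration, not Jagex's code: it implements HOTP/TOTP with the standard library and a verifier that records the last consumed time step per account, so the same code cannot unlock a second action. The secret, account name and timestamps are constructed; the HOTP test vector is the one from RFC 4226.

```python
import hashlib
import hmac
import struct
from typing import Dict

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, now // step, digits)

class TotpVerifier:
    """Accepts a given code once per account. After a successful check the time
    step is recorded as consumed, so presenting the same code again (e.g. for a
    second action inside the same 30-second window) is rejected."""

    def __init__(self, step: int = 30, window: int = 1) -> None:
        self.step = step
        self.window = window                 # tolerate +/- one step of clock drift
        self.last_step: Dict[str, int] = {}  # account -> highest consumed step

    def verify(self, account: str, secret: bytes, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if not hmac.compare_digest(hotp(secret, candidate), code):
                continue
            # Replay guard: a step at or below the last consumed one is burnt.
            if candidate <= self.last_step.get(account, -1):
                return False
            self.last_step[account] = candidate
            return True
        return False

if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # real secrets come from the enrolment QR code
    verifier = TotpVerifier()
    t = 1_561_466_400                        # constructed timestamp
    code = totp(secret, t)
    print("game login:", verifier.verify("player", secret, code, t))                  # True
    print("bank unlock, same code:", verifier.verify("player", secret, code, t + 5))  # False
```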
