Citigroup, Sony, FBI affiliate Infraguard , Best Buy, Pbs and Nintendo have been hacked in the past few weeks alone. While all breaches may be varied in terms of scope and damages I think we should take a long hard look at the security of RuneScape due to the sheer frequency of the rising cybercrime.
It’s common knowledge in the computer world when creating a password to select a mixture of upper and lowercase characters, numbers and symbols to make a secure password. However, I find it worrisome that RuneScape does not distinguish the difference between upper and lower case characters. This eliminates 26 crucial characters from our passwords that realistically could provide exponential security to our accounts. As if this wasn't bad enough, the only characters allowed are A-Z and 0-9. This eliminates multiple symbols such as $ and { . These characters are essential to having a secure password.
When you have 36 characters at your disposal as Jagex allows us currently, that gives you 60.4 million combinations for a five character password. Add upper and lowercase characters and you now have 916 Million combinations at your disposal (it’s 380 Million with just Upper/Lower case letters with no numbers). Throw in common symbols (
These limitations wouldn’t as bad if Jagex didn’t recently make players more at risk by opening up a can of worms working with my least favorite website: the privacy scoundrels known as Facebook. We have an old mantra in security at my office – you are only as secure as your weakest link. While Facebook does allow for more secure passwords than RuneScape, I’m always critical of an idea to authenticate from another site with a separate account that is not controlled by the site I am logging into. How long will it be before fake RuneScape links/apps circulate through Facebook to scam young teens? How many people will get their profiles hijacked from watching fake videos of Osama Bin Laden's death or by trying to see who viewed their profile? I’ve seen numerous adults and university students have it happen to them, so I feel it’s a greater risk for Jagex to allow a login from one of the most often scrutinized websites when it comes to privacy.
I’d like to think Jagex has a decent recovery system in place, but I’ve seen numerous posts from people at “war” with their hackers for information and we’ve all heard stories of Chessy018 and other “sketchy” things that have happened. Here are a few comments that were posted right on the Tip.It Forum by people whose accounts were compromised:
"I never went on any malicious sites, told anyone anything, or clicked any weird emails. I do not have a bank PIN; I sure do now."
"I have always been focusing on keeping my account secure and i have said to other people that has been hacked that they should secure their account more. However i think i couldn't possible made my account more secure than it was. Yet is was "hacked"..."
"Funny thing is that the lock mechanism doesn't work. When i logged on it was locked, but the items i weared was still stolen, so I'm left with 28mil less wealth and not a single message of apology from jagex because their system is a failure. I want to be able to select which MAC/IP addresses i can connect from. That is the secureness."
One comment in particular stands out – but for all the wrong reasons:
“So I guess the "hacker" had guessed my password recovery answers. Admittedly, one of them could be found on my Wikipedia page, and two others weren't that hard to guess. I mean, just because I never explicitly told people what my favorite vacation spot was doesn't mean people couldn't deduce it from reading my blog, etc. Gotta love social engineering.”
Did the hackers really engineer all of his personal information? Were they using the same ISP? Hack his e-mail? We may never know, but we can still ask ourselves, "How did this happen?" Could people social engineer accounts from another country just by going off of public information? This has happened to Sarah Palin and Paris Hilton and both hackers were prosecuted. Does Jagex go after hackers? Do they care? They are too vague and secretive in this department. It should be reasonable to be able to set your account to access from a certain country or ISP to help prevent social engineering.
Not long ago Jagex mentioned a USB dongle to provide a secure login. It was largely lambasted by the community and even the Times writer Catherby_Curmudgeon seemed upset by the idea. Jagex needs to offer Two-Step Authentication - Yes it’s extra work and a pain, but we NEED IT. Besides, who wouldn’t want more security or Jagex's offer of extra bank space? Gmail has it and I gladly gave them my mobile as a back up number so I could get a special verification code sent to me by text every 30 days per computer. This ensures that only machines I sit down at and keep a cookie for my Gmail on will be allowed to access my account, regardless of whether or not you know my password.
This is my plea to Jagex: please make us more secure by either allowing us to use the characters we NEED for secure passwords or going forward with the dongle for peace of mind.
How do you feel about the security? Have you ever hid the fact you were hacked out of pride? Tell us YOUR feelings and stories.
Jagex, if you're out there and if you care, I'd love to interview someone from your company as a followup to this article - if you're willing.
