It is really frustrating that there is news everywhere about Old School Runescape Accounts getting hacked. I don’t know what Jagex is doing, or maybe the hackers of OSRS Accounts are just too good. Either way, this has to stop.
Suggestion on How to Protect Old School Runescape Accounts
A frustrated OSRS player whose account got hacked has an interesting post suggesting how to protect OSRS Accounts:
I beg you to read the entire post, and spread it around as much as possible. This is an extremely flawed system that needs to be corrected, ASAP.
My account was recently hijacked via the broken account recovery system, and thanks to lovely Jagex, the hackers got away with over 2.3b worth in osrs items and money. And my account could possibly be linked to RWT now. How is this even possible? Why didn’t my authenticator stop this? The only way I should be able to get hacked is if someone literally steals my phone irl. So unless this is fixed (or Jagex can compensate me for 2b gp), I don’t plan to ever come back to RuneScape, after being a loyal member for nearly 10 years. Why would I continue playing to rebuild my bank and spend loads of time doing it, if the same thing can just happen again?
(user: Love Seven)
Let’s go over the entire recovery information and see what the hackers could have possibly known, and what is impossible for them to know.
- Recovery Questions: Impossible (0/5)
- Payment email: Impossible
- Postal or zip code: Impossible
- Payment type: Guessable (multiple choice)
- Duration: Guessable (multiple choice)
- Transaction ID: Impossible
- If credit card, last 4 digits: Impossible
- Setup Date: Unlikely, but possible
- Previous Passwords: Impossible
- Login with FaceBook: Impossible (I don’t even have a FaceBook account)
- Account Creation Date: Unlikely, but possible
- Creation Location: Possible
- Internet Service Provider (Creation and Most Recent): Impossible
- Moved House?: Guessable (50/50 – yes/no)
- If yes, When?: Impossible
So out of the 15 criteria, someone could possibly find out only 40% of the information by extensive research across all social media platforms and digging through months and years of posts, videos, etc.
Yet, despite knowing LESS THAN HALF of the information required, Jagex still handed over possession of my account on a silver platter. Just like that. Disabled my authenticator, and changed the registered email.
So here are the suggestions:
- If a person is unable to provide at least 70% of the recovery information, the recovery should be denied.
- If they can provide at least 70%, they must provide the authenticator code if it is enabled.
- If they can’t provide the authenticator code, or don’t have it enabled, send an email to the registered email on the account that their account is attempting to be recovered, and a confirmation link to proceed with the recovery.
- If the link is not accessed within 12 hours, the recovery attempt is denied.
This is a post by 7MakesMeHappy and he makes a lot of sense. Why doesn’t Jagex do this? This is a great suggestion and there will be a way for players who got hacked to recover their Runescape 2007 accounts from the hacker.
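The four suggested rules can be written as a single decision function. This is an added sketch, not Jagex's code or code from the quoted post; the `RecoveryRequest` record, its field names and the `decide` function are hypothetical, and only the 70% threshold and the 12-hour link lifetime come from the suggestions above.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

LINK_TTL = timedelta(hours=12)  # from the post: link must be used within 12 hours

class Decision(Enum):
    DENY = "deny"
    APPROVE = "approve"
    PENDING_EMAIL = "pending_email"  # waiting on the confirmation link

@dataclass
class RecoveryRequest:  # hypothetical record, constructed for this sketch
    correct_answers: int
    total_answers: int
    authenticator_enabled: bool
    submitted_code: Optional[str] = None
    expected_code: Optional[str] = None  # current code, computed server-side
    link_sent_at: Optional[datetime] = None
    link_clicked_at: Optional[datetime] = None

def decide(req: RecoveryRequest, now: datetime) -> Decision:
    # Rule 1: at least 70% of the answers must be correct.
    # Integer arithmetic avoids float rounding exactly at the boundary.
    if req.total_answers <= 0 or req.correct_answers * 10 < req.total_answers * 7:
        return Decision.DENY
    # Rule 2: a valid authenticator code completes the recovery.
    if (req.authenticator_enabled and req.submitted_code and req.expected_code
            and hmac.compare_digest(req.submitted_code, req.expected_code)):
        return Decision.APPROVE
    # Rule 3: no valid code (or no authenticator) means a confirmation link
    # goes to the registered email; answers alone never transfer the account.
    if req.link_sent_at is None:
        return Decision.PENDING_EMAIL
    deadline = req.link_sent_at + LINK_TTL
    if req.link_clicked_at is not None:
        return Decision.APPROVE if req.link_clicked_at <= deadline else Decision.DENY
    # Rule 4: a link left unclicked for more than 12 hours denies the attempt.
    return Decision.DENY if now > deadline else Decision.PENDING_EMAIL
```

Under these rules, the 40% of answers described in the post would be denied at the first check, before the authenticator or the registered email is ever touched.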