Jagex Account Guardian
The Jagex Account Guardian (JAG) is an account security feature that provides enhanced security by blocking unknown devices from accessing your account. It was first mentioned on 29 August 2012 and released on 11 September 2012. Jagex has not disclosed how the system works, but it seems to use modern device-recognition technologies to authenticate a user's login. This includes a combination of the user's MAC address, their IP address, an encrypted security token saved on the user's system, and possibly other means which remain unknown. Its primary aim is to protect against phishing and hijacking; additionally, it discourages account sharing.
A player may choose the device(s) to which they wish to grant access to the account. Unknown devices need to pass email and security checks before access is permitted. If a player plays from multiple locations, they can add new devices at any time and can have as many as they'd like. Devices can be given access on a temporary or permanent basis.
With the introduction of JAG, the recovery question feature was removed and replaced with a permanent recovery question system within JAG. The questions may not be customised; the pre-set questions aim at answers that only the real owner of the account would provide. Answers may not contain capital letters. The question choices are:
- Secondary email address for J.A.G / account security
- Where was your first vacation / holiday?
- In what city or town did your mother and father meet?
- What was your favorite place to visit as a child?
- What is the last name of your favourite teacher?
- Who was your first best friend – first name?
- What is your favourite sports team?
- What is the first book you remember reading?
- What was the first video game you bought?
- What was the first music album you bought?
- What is your mother's middle name?
- What is your oldest cousin's first name?
Flaws and concerns
In the event that a hijacker is able to obtain a player's questions and answers (whether by keylogging, social engineering, or some other means), he or she will have permanent access to that player's JAG settings, notwithstanding a changed password. It is strongly advised that one should never give out ANY information whatsoever; doing so opens up more doors for the hijacker.
Aside from JAG recovery questions, a hijacker may gain full access to the account through the Customer Support Center on the forums. This alternative method requires them to present to the customer support team as much information pertaining to the account as possible in the hope of claiming ownership of the account, so it is very important to keep all information online completely undisclosed.
The fact that recovery questions cannot be changed once they are set presents some other issues with the JAG system. This would be rare, since the questions are very personal and their answers hard to forget, but a player who forgets the answers to their questions will be locked out of the JAG security system, and possibly their account. Such players may attempt to log in and remember or properly guess their answers; however, only 3 tries are permitted every 24 hours, after which the account is locked for 24 hours to all non-permanent access.
Jagex's official response to these two concerns is to remind players to choose security questions they will not forget, and to keep their login details secure.
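A minimal model of the limit described above (3 tries per 24 hours, then a 24-hour lock on non-permanent access), added here as an example; it is not Jagex's code, whose workings are undisclosed. The rolling window, the salted-hash storage and all names (RecoveryGate, try_answer, device_allowed) are assumptions.

```python
import hashlib
import hmac

WINDOW = 24 * 3600     # seconds; the page's "every 24 hours"
MAX_TRIES = 3          # the page's "only 3 tries"
LOCKOUT = 24 * 3600    # the page's 24-hour lock


def _digest(answer: str, salt: bytes) -> bytes:
    # Answers may not contain capital letters (per the page), so the input is
    # lowercased before hashing. Salted PBKDF2 storage is an assumption.
    normalised = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


class RecoveryGate:
    """Hypothetical model of the recovery-answer check; not Jagex's implementation."""

    def __init__(self, answer: str, salt: bytes, permanent_devices):
        self.salt = salt
        self.stored = _digest(answer, salt)
        self.permanent = set(permanent_devices)
        self.failures = []          # timestamps of recent wrong answers
        self.locked_until = 0.0

    def device_allowed(self, device_id: str, now: float) -> bool:
        # The lock applies only to non-permanent access.
        return device_id in self.permanent or now >= self.locked_until

    def try_answer(self, answer: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"         # even a correct answer is refused
        # Constant-time comparison avoids leaking how much of the digest matched.
        if hmac.compare_digest(_digest(answer, self.salt), self.stored):
            self.failures.clear()
            return "ok"
        # Keep only failures inside the rolling window, then record this one.
        self.failures = [t for t in self.failures if now - t < WINDOW] + [now]
        if len(self.failures) >= MAX_TRIES:
            self.locked_until = now + LOCKOUT
            self.failures.clear()
            return "locked"
        return "wrong"
```

Timestamps are passed in explicitly so the policy can be exercised without waiting on a real clock.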
On the official FAQ page for the Jagex Account Guardian, Jagex stated that their method of identifying devices is top-secret. This is a case of security through obscurity.
Tips
- Use a mixture of letters, numbers AND symbols in your password. Since the system does not normally allow symbols, yet a password can contain them, there is only one way to achieve this:
  - Make a failed attempt to log in on the RuneScape website by purposely typing your password incorrectly.
  - Click the Forgot Password? link and you will be redirected to the Account Recovery page. Enter your login name in the box and click Submit.
  - On the next page, you will be prompted for the recovery e-mail linked to the Jagex account. Proceed by entering the e-mail address registered to the account and click the link in the e-mail you will receive from Jagex.
  - On the next screen, you will be prompted with the new password and confirm password boxes. Input the desired password and click Submit.
  - Congratulations, you have set a password with symbols!
- Avoid giving out your Facebook, Twitter, or any other social media username as this contains an endless amount of information that a hijacker will use — even if your privacy settings hide everything.
- Avoid giving out an e-mail address or Skype username (as it may contain your e-mail address). Doing so will allow the hijacker to link as many pieces of information together as possible to begin collecting vital information pertaining to your Jagex account.
External links
- What is Jagex Account Guardian? (en) (webpage). RuneScape Wiki. (Archived from the original on 2012-11-05.)