Cool like Redtunnel

Accounts Stolen: The Inside Story
« on: June 01, 2016, 13:19:13 »
Posted by /u/JagexInfinity on the /r/Runescape Reddit.

We want to address your concerns about RuneScape account security. Over the past few weeks we've continued to see the odd post reach the front page of this Reddit regarding our recovery system and how it is flawed. Today we want to clarify our approach to account security.

In this post we aim to set out:
  • Examples where people mask what has really happened combined with some references to support our view that compromised accounts often lead to hijacking
  • Provide information about how we approach account recovery
  • Provide an insight into the resources & efforts we place in ensuring account recovery is as effective as it can be
  • Share some tips you can use to sense check your own RuneScape account security
  • Commentary to show the huge impact strong account security can have on most hijackers
  • Invite your feedback and comments

Two sides to every story
Very often the picture that somebody paints regarding their account doesn’t accurately reflect the true situation. For context we’d like to give some examples of what you might read together with a more accurate interpretation.

What you might read, followed by a more accurate interpretation:

"My account was hacked by the awful recovery system"
-> Somebody else knew enough information about my account to recover it

"I have a really secure account"
-> I use the same password on multiple sites, haven't set up the Authenticator, don't have two-step e-mail, and I find the bank pin an unnecessary inconvenience

"It wasn't me that submitted the recovery request"
-> The person I used to share my account with submitted the recovery request

"All of my information is very secure"
-> I once gave my password to someone, they set an e-mail on my account for convenience and I persuaded them to apply some membership

"I'm very security conscious in relation to sharing my personal information"
-> My social media privacy settings are quite weak, lots of people I play RS with know my full name, where I live and I often speak to them on Skype

"It should be obvious that it is not me recovering my account, just check the IP address"
-> I've played my account in lots of different places and I sometimes use a VPN

"It's my account"
-> Somebody else made this account and gave it to me, so as far as I'm concerned it's my account. I can't say that to Jagex, though I do have a convincing backstory.

Here are some examples from Reddit where we've investigated an issue which initially looked like a Customer Support error. In reality these situations actually fell into the criteria shown above where account information was compromised.
Example 1:
Example 2:
Example 3:
Example 4:
Example 5:
Example 6:
Example 7:

Under the hood

In Customer Support we manually investigate a quarter of a million account recovery appeals a year.
These recovery appeals almost always fall into one of these three categories:
Category 1: Absolutely not the account owner contacting us - blatant attempt to hijack or steal another player's account
Category 2: Absolutely the owner contacting us - rock solid account history - happy to get them back in game
Category 3: Something similar to the examples we’ve given where information is compromised

People in category 1 obviously want to stay under the radar so you won’t hear much from them. The majority of people that fall into category 2 don't create posts on Reddit to shout about their seamless experience – they’re back in game ‘Scaping. This means that when people in category 3 post it massively sways public perception that their experience and personal story is reflective of our account recovery process.

We can understand how people may come to that conclusion. However, we wanted to take this opportunity to put the record straight and we hope that when you see future posts similar to the examples we’ve given, you might just consider that there are usually two sides to every story.

Just the facts

Just so that everyone is absolutely clear we are happy to provide the following statements:
  • All JMods who deal with account recovery requests go through three months of initial training.
  • There’s an ongoing in-house programme of refresher training.
  • Our internal quality checks mean that all support staff are randomly sampled to ensure consistency of decision making.
  • We will never give an account to someone based on a simple tweet or request to do so.
  • Our systems enable us to track historical activity on an account to help us determine ownership.
  • Information provided in an appeal is always cross referenced to factual information stored on our systems.
  • If in doubt we will always seek more information. We never give the benefit of the doubt if we are ever unsure.
  • We rate evidence provided to us based on its quality, for example providing credit card information is much stronger than knowing a skill level.
  • We do this as a job. We've seen every story out there, every cheating site template and we can spot hijackers, VPNs, false information and clearly 'doxd' information from a mile away.

A hijacker's nightmare

Now let's look at a situation where all of the above security advice has been followed, and a hijacker is attempting to access your account.
When the hijacker tries to log in using a password they found on a leaked database, it won’t work because you’ve used a unique password for your RuneScape account.

Even though your password is unique, they've managed to guess it, as it's your favourite sports team. Despite using the correct password, the Authenticator will trip and block the hijacker.

Undeterred, the hijacker decides they need to remove the Authenticator from your account. However, they need to validate that request from your registered e-mail, which is protected by two-factor authentication.

Frustrated at the barriers they’ve come up against, the hijacker resorts to sending you to a phishing website, to get as much information as they can about you to try and navigate some of your security. You don’t fall for this due to your security awareness, and the hijacker is left with no alternative but to contact Jagex and pretend to be you.
The good news is, because your social media profiles are secure and you don't share your private information, the hijacker is unable to put together a convincing recovery request.

All of the information that Jagex require can’t be provided. The JMod reviewing the appeal recognises the attempted hijacking, denies the request and passes the information captured in the request to a specialist team to pursue.

Let's talk

To summarise, we've got your back. We're not easily fooled and hundreds of thousands of players never experience any problem with account hijacking at all. When people are hijacked they've almost always indirectly allowed it in some way by not following common sense account security practices.

With that said we're open to any suggestions and feedback regarding account recovery. We've already seen suggestions there should be an optional delay on disabling the Authenticator - we'll have a think about that but it could potentially inconvenience a large number of people when just having a secure e-mail address means it wouldn't be necessary.

We'd love to hand this over to you now for your comments and feedback. We're genuinely interested to hear your views on account recovery.
Thanks for reading,

Nathan & Steve
(Mod Infinity & Mod SteveW)
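The layered defences the post walks through (a unique, salted password; an Authenticator code that trips even when the password is guessed; Authenticator removal that only completes with a token delivered to the registered e-mail) can be replayed in code. The following is an added Python illustration written for this thread, not Jagex's code or a description of their systems: the account model, the e-mail token flow and all sample data (the password "Lions2016", the TOTP secret, the timestamp) are constructed for the example.

```python
"""Defence-in-depth walkthrough of the hijack scenario described in the post.

Added illustration; not Jagex's code. Account data below is constructed.
"""
import hashlib
import hmac
import os
import secrets
import struct
from typing import List, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-account salt: a hash leaked from another
    # site cannot be replayed here, and a unique password defeats credential stuffing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP: HOTP (RFC 4226) over a 30-second time counter.
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class Account:
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret: Optional[bytes] = totp_secret  # None once the Authenticator is removed
        self.pending_removal_token: Optional[str] = None

    def login(self, password: str, code: Optional[str], now: int) -> str:
        # Layer 1: the password. Constant-time compare avoids timing leaks.
        if not hmac.compare_digest(hash_password(password, self.salt), self.pw_hash):
            return "denied: bad password"
        # Layer 2: the Authenticator trips even when the password was guessed.
        if self.totp_secret is not None:
            if code is None or not hmac.compare_digest(totp(self.totp_secret, now), code):
                return "denied: authenticator"
        return "ok"

    def request_authenticator_removal(self) -> str:
        # Removal is not applied here: a one-time token is sent to the registered
        # e-mail address, so the mailbox's own two-factor protection now stands in the way.
        self.pending_removal_token = secrets.token_urlsafe(32)
        return self.pending_removal_token  # in a real system, delivered only by e-mail

    def confirm_authenticator_removal(self, token: Optional[str]) -> bool:
        # Layer 3: only a party who can read the registered e-mail can finish the removal.
        if token is None or self.pending_removal_token is None:
            return False
        if not hmac.compare_digest(token, self.pending_removal_token):
            return False
        self.totp_secret = None
        self.pending_removal_token = None
        return True


def walkthrough() -> List[str]:
    """Replays the post's scenario and returns the outcome of each step."""
    acct = Account("Lions2016", b"constructed-secret-key")  # constructed sample account
    now = 1_700_000_000  # constructed timestamp
    results = []
    # Hijacker tries a password from a leaked database of another site.
    results.append(acct.login("hunter2", None, now))
    # Hijacker guesses the favourite-team password but holds no Authenticator device.
    results.append(acct.login("Lions2016", None, now))
    # Hijacker asks to remove the Authenticator but cannot read the registered e-mail.
    acct.request_authenticator_removal()
    removed = acct.confirm_authenticator_removal("guessed-token")
    results.append("removed" if removed else "denied: e-mail confirmation")
    # The real owner, holding the phone, logs in normally.
    results.append(acct.login("Lions2016", totp(acct.totp_secret, now), now))
    return results


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Each hijacker step fails at a different layer, which is the point of the scenario: no single control has to be perfect, and the e-mail-gated removal means a weak mailbox, not a weak Authenticator, is what the attacker ends up needing.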

Lego Brick

Re: Accounts Stolen: The Inside Story
« Reply #1 on: June 01, 2016, 17:11:51 »
As someone who has had someone hack my email via my secondary email address, hack my old twitter, my old facebook and email jagex from my account as well as trying to hack my paypal to get my card info, the account recovery system is pretty good imo. As long as you know some basic stuff about your account like first time you bought membership, old display names, old mute(s) etc you'll be fine.

ALSO WRITE DOWN YOUR BILLING REFERENCE NUMBERS FROM MEMBERSHIP/BONDS/SPINS ETC!! ALSO 2 STEP AUTHENTICATION ON EVERYTHING
