5 Tips to Keep Your Account Secure

Hey everyone,


I wanted to share some account security tips specifically related to OSRS that I feel are important for any serious scaper to follow. It always hurts me a little bit on the inside when a clannie posts about their account getting hijacked and losing countless hours of progress on their account, especially if it could have been preventable. I’ll admit, there are plenty of awesome guides on the internet that are tens of times better than anything I could write or explain. I just want to list the few most important tips I feel that everyone should consider to implement if you haven’t already for keeping your OSRS account secure, and in turn, keep the baddies away.




Tip 1: Use a unique email address for your OSRS account that is only associated with your OSRS account. 


Your email address linked to your OSRS account IS your lifeline. Meaning, if someone hijacks your email, they will have access to your OSRS account in game. It doesn’t even matter if you have Two-Factor Authentication on your OSRS account, as the hijacker can instantly disable it if they have access to your email, reset your password, and then login your account in-game. 


When I say to use a unique email address for your OSRS account, I mean you shouldn’t sign up to any fansite or social media sites with it. Database leaks occur more often than they should, and when they do, your email address as well as other sensitive info such as your age, phone number, name, passwords, etc may have been leaked. I know it can be annoying to create/keep up with many email accounts, but it really is important to do this to keep your account secure. You can check to see if your email has been breached/leaked via haveibeenpwned.com. If it has, time to make a new email!






Tip 2: Use Two-Factor Authentication on both your email and OSRS accounts. 


Not utilizing 2FA for your email account associated with OSRS is probably the biggest mistake people make related to account security. As I said before, if your OSRS email is compromised, then expect your account’s next login location to be from somewhere other than your home, as it doesn’t even matter if you have 2FA on your OSRS account. It’s best practice to have 2FA on both your email and OSRS account, because even if someone knows any of your passwords, they still won’t be able to login your account. With 2FA on both your email and OSRS account, the only way I could think of someone hijacking your account is via recovering your account.





Tip 3: Use unique passwords for both your email account associated with OSRS as well as your actual OSRS account.


Meaning, they should not be the same as the other, and they should not be passwords you have used in the past. Remember when I mentioned database leaks? Well, if your info is leaked, and you use the same password for every single site that you use… well then, now someone can easily gain access to all of those sites, *especially* if you don’t have 2FA activated.
 





Tip 4: Use a bank pin, and when you log out, always bank all your items.


I know most people use a bank PIN, but there are some people that just can’t seem to be bothered with the extra time it takes to enter it. That’s understandable I guess, but if you use Runelite, you can use the Bank plugin and activate the keyboard bankpin to make it take less than a second to enter your pin. You’ll also get 8 free bank spaces for having a pin, as well as 8 for using 2FA, so I really see no reason not to. Another thing I feel strongly about is to always bank all of your items, especially valuable ones every time you log out. This is because if someone hijacks your account (and assuming you are not ratted/keylogged), then they’ll have to wait out the time you set to cancel your pin before they can take anything. So hypothetically speaking, if someone were to manage to recover your account (which automatically removes your authenticator as of now), all of your goodies should be safe, assuming you get access to it before your pin is removed.




Tip 5: Know what social engineering is and how to avoid it.

Social engineering is a way hijackers gain information about you and your account to ultimately hijack it. Let me give you an example: Let’s say you are in a Facebook group called OSRS Memes for Spoonfed Teens. You recently got a valuable drop (say, a Hydra’s claw) on around 80KC, and you decide to share it with them. That’s great and all, but you left your display name on the picture: now everyone in that group knows your real life name, your display name, and potentially your email address and phone number associated with Facebook, if you’ve chosen to have that info displayed to the public. To make things worse, you’ve decided to reuse that email for many sites, and although you’re using a unique email now for your OSRS account, it was once set as your previous email linked to your OSRS account. And on top of all this, your email address was a victim of a database breach that includes old password information that you had previously used on your OSRS account. All of a sudden, a hijacker can use this information to make a fairly compelling account recovery attempt on your account (hypothetically speaking, they could even guess your ISP information from your IRL location you have listed on FB, and include that in the recovery attempt). It’s pretty scary and spooky to think about, but this does happen sadly. It's okay to share your drops and achievemnts with your friends, I do this all the time in fact, just be wary of what sites you post it on and if it's possible that sensitive info could be traced back oo you. Overall though, if you follow the tips I listed above, and are smart about internet security 99.999% of the time you shouldn’t have to worry about any of this happening to you.



Note I didn’t mention other tools such as keyloggers or a RAT that hijackers can use to gain access to your account. I figure most people have general knowledge of what those are - but in general, just make sure you don’t download shady stuff, don’t click links sent to you from people you don’t know, and consider having an antivirus on your system, and you should be okay.

I hope if you’ve been hijacked in the past, and if you haven’t implemented any of these steps, that you may consider it. It sucks that we have to, but in this day and age, it’s just the reality of what needs to be done to be safe. Let me know if you have any questions, or have anything to add. Stay happy, stay safe, and happy gains to all! 

Great tips, Tinnitus! Thank you for compiling those and sharing them here.

The only other additions I have fall under the "clicking on links" which you mentioned.

Whether in-game, via e-mail, or on social media sites do not click on links even if they appear to be from Jagex. These various phishing methods include:


In-Game

- Being contacted via in-game private messaging by players representing themselves to be Jagex employees. They usually offer the chance to become a player moderator because they claim they've noticed you acting helpful and mature. They then direct you to a particular site in order to supposedly sign up to be a player moderator.

- In-game spam chat directing players to a link for a YouTube or Twitch stream.

- Being contacted via in-game private message by another player directing you to a site other than the official RuneScape site. Do not go to that site. Only put your login and password into the official RuneScape site that you have clicked on yourself, not using links provided by another player.


E-mail

- Receiving an e-mail that appears to be from Jagex which may include such topics as receiving free membership, having a particular offense on your account, or resetting your password (when you didn't request a password reset). Do not click on any links in the email but go directly to the Jagex website if you need to contact them or reset your password.


Social Media Sites

- When visiting YouTube or Twitch streams, do not enter your RuneScape name/password into any links provided during the streams.

- On sites such as Facebook even if it appears to be a Jagex page, do not follow any links or enter your RSN/password. These pages are made to look like Jagex pages and may offer such things as free membership. Any Jagex sponsored events such as those offering free membership will be advertised on the Jagex website and will make clear the procedures to be followed to obtain the benefits being offered.

Cheers for the info, Spirit! Matched my format quite nicely, so it's a nice extension of the things I listed. I wager many people that are hijacked were victims of phishing, so that's great info to add. Thanks for spending the time to add that. I hope some clannies that may not be aware of the things we listed on here come across this and give it a read. Getting hijacked is truly one of the worst things I can think one when it comes to online gaming.

For older accounts;

For the love of baby jesus don't have your ingame name be your login name.

King_Axolotl wrote:For older accounts;

For the love of baby jesus don't have your ingame name be your login name.

Good point. Your login name is very valuable (relating to account security and recovery) and currently has no way to be changed. It's a great idea for it to be different than your display name so you aren't publicly displaying it. For those of you who created your account after 2012ish and use a login email, make sure that your registered email is different than your login email as well.