JagexInfinity

A daily figure is a bit tricky, but...

Zezima's account has received over 88,000 account recovery attempts! The number of fraudulent attempts has slowed down, but they still come through. Bonus stat: that account has also been reported over 2,300 times!

There's been loads of changes made, and we've also got the Old School version of the game you can play as well if you prefer the more retro feel and style of the game. For me, I'd take it slow, enjoy the game with the new NXT client, play through some of the new quests and I bet you'll get back into it in no time. :)

We're looking to reintroduce permanent ban appeals sometime in 2017, which will provide players who believe they were hijacked at the time of the offence to submit their account for review.

So it's something which we see a fair bit on reddit - and while it's on the list of requests for our web team to review, there are a few considerations...

1. From the data available to us, and from the accounts we review - having a delay on the removal of an authenticator wouldn't have actually prevented the hijacking. We'd also have to build a way for us to alert players within RuneScape that a request to remove the authenticator has been made, as the hijacker would have access to the registered e-mail, and would just delete any e-mails sent from us. There's also a reliance on the player who's been hijacked to log into game during the delay removal period to be notified there's been a request to remove the auth. We'd also need to look at how long the delay is, if it's opt in/out, etc

2. While we understand the request is to have it as an optional feature, from our experience lots of people might set up delays but when they need to actually remove a feature, get frustrated with waiting, and contact Jagex to speed up the removal. We see it a lot with bank PINs, and so we need to be conscious about that. It's definitely not a reason to not do it - but it does feature on our 'to think about list'. For context, in the real world, if you wanted to update something to do with your personal banking, provided you pass their security checks, they wouldn't put a delay on making those changes. There's already a way to prevent the authenticator disabled, and we want to focus on ensuring players are aware of that, which is by keeping their registered e-mail safe.

3. We want to offer new, convenient, easy ways for players to keep their accounts secure which will have the biggest impact - not just update existing features which we don't feel would change a whole lot. This is an ongoing discussion at senior management level - as there's are naturally lots of projects and priorities being worked on. The majority of accounts hijacked don't have an authenticator enabled in the first place. I imagine if a hijacker tries to access an account & recognises it's got an authenticator, they just move onto the next account, and don't try and breach the registered e-mail etc.

4. It isn't considered critical, as it's not a flaw in the system. By that I mean if people have a secure registered e-mail, good security awareness, don't share their accounts, etc then they won't need to have a delay on their authenticator to prevent unauthorised access. With that said - we want to offer as many options as possible which work for the community - and there are lots of internal discussions happening about new features etc.

So - it's on the list, we hear you loud and clear, but equally we want to make sure the team (when they can) works on the most impactful, advanced security features which will genuinely improve account security for everyone.

It's something we've been running on a trial basis for a few months now, specifically with Tech Support related issues. So far so good - but we're not yet in a position to roll out it across all contact types, but yes - it may well possibly be a thing very soon!