The Safety Dance - Internet Security
There's been a lot of talk about computer safety lately. I thought I'd take the opportunity to explain a few pointers that might help you out in your online adventures. This would apply to the majority of RuneScape players; whether you're a skiller, a monster hunter, a PKer, a merchant, a clanner, or a bot.
Hacking is often pretty damaging to a player. It happened enough in the past, but it has been happening a lot more lately. Keyloggers aren't the main way someone can have their account stolen anymore. Even those with completely secure computers can have their accounts compromised. The addition of email registration for RuneScape accounts has made recovering accounts much easier, for you and for them. If your email gets compromised, your RuneScape account can be compromised too. To most, it would seem common sense to keep their accounts secure. What happens if there are circumstances beyond your control? For example, with what happened here? Essentially, there was an exploit with Microsoft's password reset page that allowed you to change the password of any email account instantly to what you chose it to be. That's a pretty big hole.
That's why most recommend setting up two-step verification with providers such as Gmail. In exchange for being handcuffed to your phone all day long (texting already does this, so I suppose this adds a straitjacket), you get a very secure account, as even if someone knew your password, they would need your phone to access the account. A good thing to keep in mind.
With the recent compromises and database dumps of DI forums, RuneHQ, Tip.it and Zybez, millions of passwords, emails, IPs and login information were released to the general public. Many were hacked within a few days (it takes a while to turn the MD5 gibberish into actual words). Major fansites are very secure despite what happened. However, that does not make it an excuse to use the same password for everything. Use a different password for RuneScape than you do for Joe's fansite or even Zybez. The best passwords you can make can be made using a random password generator. Try to keep them at least 8 characters or longer. If you have a password that is generated using a random password generator, there are no words that can be looked up in a dictionary. This, in addition to the length, increases the amount of time it takes for the password to be cracked. If you feel you can't remember them all, keep them in a secure location in the back of an old bus pass and store them somewhere.
Remember that all of this can be rendered useless if you give your password to a friend. Never give your password to anyone for any purpose. Even if they are a trustworthy person, their computer can be keylogged or they can fall victim to a phishing scam. Either way can lead to the loss of your account.
There are other methods as well. The term "social engineering" gets thrown around a lot. What does it mean exactly? In terms of computing, it is where your accounts can become compromised based on your real life information. With sites such as Facebook and Myspace, it has become incredibly simple to find pictures and information about people that can be used for account recovery. A great way to counter this is to change your RuneScape recovery questions to complete gibberish. This way, if you have 'where was your first vacation?' as a question, it won't be 'Italy', it will be 'vecru6r6p' instead, so no one can figure it out through your Facebook. A good tool to use is a random password generator, similar to what was mentioned previously. Make sure you write them all down and put them somewhere safe. Otherwise it'll only hinder you if you really lose your account.
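Here is what a random password generator does for both the per-site passwords and the gibberish recovery answers described above. This is an added example, not code from the original article; the site names, the 12-character default and the 62-symbol alphabet are assumptions chosen for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, no dictionary words
MIN_LENGTH = 8  # the article's minimum; longer is better


def random_secret(length=12, alphabet=ALPHABET):
    """Draw each character from the OS CSPRNG (secrets), not random.random()."""
    if length < MIN_LENGTH:
        raise ValueError("use at least %d characters" % MIN_LENGTH)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of guessing work for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def build_sheet(sites, recovery_questions, length=12):
    """One distinct password per site and one gibberish answer per question."""
    used = set()

    def fresh():
        value = random_secret(length)
        while value in used:  # never hand out the same secret twice
            value = random_secret(length)
        used.add(value)
        return value

    return {
        "passwords": {site: fresh() for site in sites},
        "recovery": {question: fresh() for question in recovery_questions},
    }


if __name__ == "__main__":
    # Constructed sample input: site names and a question in the article's style.
    sheet = build_sheet(["RuneScape", "Zybez", "Joe's fansite"],
                        ["Where was your first vacation?"])
    for section, entries in sheet.items():
        for label, value in entries.items():
            print("%-10s %-32s %s" % (section, label, value))
    print("8 chars: %.1f bits, 12 chars: %.1f bits"
          % (entropy_bits(8), entropy_bits(12)))
```

Each extra character adds about 6 bits, so a 12-character secret takes roughly 16 million times more guesses than an 8-character one from the same alphabet.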
By no means does this replace the need for up-to-date anti-virus software. There are still threats around that you have probably never heard of. For example, you might click on a website and they might ask you to run Java. Do you trust it? If no, then you probably should not allow it to. This is an example of what's called a "Java driveby". Once you allow it to run, it can install malware onto your system. It's just that quick. If your antivirus protection is up-to-date then you should be able to detect it easily. However, do not just depend on your antivirus software. Be smart with what you click too. Yes, that means not downloading coolsmilies.exe from thisisalegitsite.com. Remember: the best defence is not having to use it.
Regular scanning with anti-virus software is a must. Even though you may believe that you have not clicked on any funny links, perhaps a popup came up and you didn't notice it. Remember to do a full system scan at least once every week or week and a half. Smart or quick scans are quicker, but they don't scan your whole computer. They just scan the most likely locations for malicious software to be. To be less invasive, perhaps set your computer to scan while you sleep or are going out. Keeping your computer on for one night a week for a virus scan isn't going to harm it any.
What about phishing? Phishing is where a user is tricked into giving away their login information to a website pretending to be legitimate. In many cases, players may not even know their account is compromised until it's too late.
The most popular place these are found is in emails. With Jagex granting the ability to link your email account with your Jagex account, it took an already large problem and made it exponentially larger (imagine the size of the Earth being the original problem and the sun being the new problem). So we're screwed, huh? Fortunately, most of them are fairly predictable. If they claim your account was banned, hacked, received a black mark, or thrown into hell like the Squeal of Fortune should be, then it's most likely a scam email. Personally, as a general rule, I never click on any RuneScape related email. The odd exceptions are, of course, confirmation emails and when I am recovering my account. After all, anything important such as Player Mod nominations, black mark increases, mutes, bans, or replies will be sent to your Jagex inbox.
If you feel paranoid and want to check if you're on a phishing site, check the URL at the top before you enter anything in. Don't ever trust a site by its content. Often people are very creative with their sites to make them seem legitimate. However, the URL would be different. For example, secure.runescape.kom instead of secure.runescape.com. In most modern browsers you can see the link as you hover your mouse over it. Remember: if it's stinky, no clicky.
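The URL check above can be made mechanical: compare the exact host against the one you trust and ignore everything else on the page. This is an added example, not part of the original article; the allowlist holds only the article's secure.runescape.com, and the other URLs are constructed samples on reserved example domains.

```python
from urllib.parse import urlsplit

# Assumption: the only host you ever type your password into (from the article).
TRUSTED_HOSTS = {"secure.runescape.com"}


def check_login_url(url):
    """Return (ok, reason) for a URL you are about to enter a password on."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False, "URL does not parse"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username is not None or parts.password is not None:
        # Anything before '@' is a login name, not the site being visited.
        return False, "text before '@' is not the site; real host is " + host
    if host in TRUSTED_HOSTS:
        return True, "exact match for " + host
    for trusted in TRUSTED_HOSTS:
        if trusted in host:
            # The trusted name is only a prefix or label of some other domain.
            return False, "trusted name appears inside another host: " + host
    return False, "unknown host: " + host


# Constructed sample links, including the article's .kom lookalike.
SAMPLES = [
    "https://secure.runescape.com/login",
    "https://secure.runescape.kom/login",
    "http://secure.runescape.com/login",
    "https://secure.runescape.com.account-check.example/login",
    "https://secure.runescape.com@login.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_login_url(link)
        print("%-5s %-58s %s" % ("OK" if ok else "STOP", link, reason))
```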
It may seem like common sense, but to many it isn't.
Microsoft Security Essentials
Random Password Generator