The Jagex Account Guardian (JAG) was an account security feature that provided enhanced security by blocking unknown devices from accessing your account. It was first mentioned on 29 August 2012 and released on 11 September 2012. Although it was supposedly discontinued on 15 May 2017, it still seems to work on accounts that have it enabled. Jagex stated that the way the system works would remain undisclosed, but it seemed to use modern device-recognition technologies to authenticate a user's login. This included a combination of the user's MAC address, their IP address, an encrypted security token saved on the user's system, and possibly other means which remain unknown. Its primary aim was to protect against phishing and hijacking; additionally, it discouraged account sharing. It has since been replaced by the RuneScape Authenticator.
A player could choose the device(s) that they wished to grant access to the account. Unknown devices needed to pass email and security checks before access was permitted. If a player played from multiple locations, they could add new devices at any time and could have as many as they liked. Devices could be given access on a temporary or permanent basis.
With the introduction of JAG, the recovery question feature was removed and replaced with a permanent recovery question system within JAG. The questions provided could not be customised; the pre-set questions were therefore aimed at answers that only the real owner of the account would provide. Answers could not contain capital letters. The question choices included:
- Secondary email address for J.A.G / account security
- Where was your first vacation / holiday?
- In what city or town did your mother and father meet?
- What was your favourite place to visit as a child?
- What is the last name of your favourite teacher?
- Who was your first best friend – first name?
- What is your favourite sports team?
- What is the first book you remember reading?
- What was the first video game you bought?
- What was the first music album you bought?
- What is your mother's middle name?
- What is your oldest cousin's first name?
Flaws and concerns
In the event that a hijacker was able to obtain a player's questions and answers (whether by keylogging, social engineering, or some other means), he or she would have permanent access to that player's JAG settings, notwithstanding a changed password. It is strongly advised that one should never give out ANY information whatsoever; doing so opens up more doors for the hijacker.
Aside from JAG recovery questions, a hijacker may gain full access to the account through the Customer Support Centre on the forums. This alternative method requires them to present the customer support team with as much information as possible pertaining to the account in the hope of claiming ownership of it, so it is very important to keep all information online completely undisclosed.
The fact that recovery questions could not be changed once they were set presented some other issues with the JAG system. This would be rare, since the questions were very personal and the answers hard to forget, but a player who forgot the answers to their questions would be locked out of the JAG security system, and possibly their account. Such players could attempt to log in and remember or correctly guess their answers; however, only 3 tries were permitted every 24 hours, after which the account was locked for 24 hours to all non-permanent access.
Jagex's official response to these two concerns was to remind players to choose security questions they would not forget, and to keep their login details secure.
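The lockout rule described above (3 tries every 24 hours, then a 24-hour lock on non-permanent access) can be modelled as follows. This is an added example, not Jagex's code: the class, function and parameter names are hypothetical, the sample answer is constructed, and it assumes a permanently trusted device is never challenged.

```python
import hmac
import math
from dataclasses import dataclass, field

MAX_TRIES = 3            # from the article: 3 tries every 24 hours
DAY = 24 * 60 * 60       # window and lock length, in seconds


@dataclass
class RecoveryGate:
    """Hypothetical model of the rule in the text, not Jagex's code."""
    answer: str                                    # constructed sample answer
    failures: list = field(default_factory=list)   # times of recent wrong guesses
    locked_until: float = 0.0

    def attempt(self, guess: str, now: float, permanent_device: bool = False) -> str:
        # Assumption: a permanently trusted device is not challenged,
        # so the lock never affects it.
        if permanent_device:
            return "allowed"
        if now < self.locked_until:
            return "locked"
        # Forget wrong guesses that fell out of the 24-hour window.
        self.failures = [t for t in self.failures if now - t < DAY]
        # Answers had no capital letters, so normalise case before comparing;
        # compare_digest avoids leaking the match position through timing.
        supplied = guess.strip().lower().encode()
        if hmac.compare_digest(supplied, self.answer.encode()):
            self.failures.clear()
            return "allowed"
        self.failures.append(now)
        if len(self.failures) >= MAX_TRIES:
            self.locked_until = now + DAY
            self.failures.clear()
        return "denied"


def days_to_exhaust(candidate_answers: int) -> int:
    """Upper bound on how long the throttle protects an answer drawn from a
    small set (e.g. a sports team): 3 guesses are possible per 24 hours."""
    return math.ceil(candidate_answers / MAX_TRIES)
```

While the lock is active, even the correct answer from a non-permanent device is refused, which is the lock-out concern raised above.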
On the official FAQ page for the Jagex Account Guardian, Jagex stated that their method of identifying devices is top-secret. This is a case of security through obscurity.
Players who identified themselves as under 13 would not have the ability to use J.A.G., and would receive this message upon trying to, although it was open for a short period of time after its release.
- Use a mixture of letters and numbers in your password as it will strengthen your password, making it more difficult for it to be cracked.
- Avoid giving out your Facebook, Twitter, or any other social media username, as these contain an endless amount of information that a hijacker will use, even if your privacy settings hide everything.
- Avoid giving out an e-mail address or Skype username (as it may contain your e-mail address). Doing so will allow the hijacker to link as many pieces of information together as possible to begin collecting vital information pertaining to your Jagex account.