Microsoft Touts Hotmail Security Adds; Users Complain of Account Hacks

Microsoft will beef up security in the revamped Windows Live Hotmail, including tying a user's account to a specific PC, a company executive said today.

Some Hotmail users whose accounts have been recently hacked say Microsoft's security improvements can't come too soon.

The updated Hotmail is slated to start rolling out June 15, and should reach all users within six weeks, said Walter Harp, Hotmail's director of product management.

Microsoft is adding what Harp dubbed "proofs" to Hotmail to secure accounts against hijacking, or let users more easily recover control if their account has been snatched by criminals. Among those proofs will be one that links a specific computer to a user's account.

"You'll be able to set your computer as a proof," said Harp, referring to the link between a PC and an account.

Other Web services, including Facebook and Google's Gmail, already offer similar ties to stymie account hijacking. Facebook, for example, recently added a setting that lets users approve the devices they use to log in; if an account is accessed from an unapproved device, the user is notified.

Google tracks log-ins and warns Gmail users of suspicious patterns, such as an attempt to log in from a foreign country, or multiple failed log-in attempts.

"We think we've done it a little better than Gmail," argued Harp. "My mom's not going to get it if Gmail told her she had tried to log in from a different IP address."

Although the PC-to-account link won't be offered as one of Hotmail's new identity proofs until later this year -- likely this fall, said Harp, when Microsoft again updates the service -- others will debut at the launch next month of what Microsoft has codenamed "Wave 4" of its Web e-mail service.

"Your mobile phone will be an additional proof," said Harp, explaining that if a user loses control of his or her account -- and thus has no way to reset the password to regain access -- Hotmail will notify the user by phone, then send a new password to that phone. "We'll do that if either a human or malware gets into your account," Harp said.

Phones play another role in Hotmail's enhanced security: Users can request that Microsoft send a one-time password to their phones via SMS. Harp envisioned this being used by people logging in at public places, such as Internet cafes, libraries or unprotected Wi-Fi hotspots. The feature came out of conversations with focus groups in less-developed countries, where more people connect to the Internet at cafes.

"The general idea is that you'd use this to be particularly cautious at a public computer, which for all you know may be infected with keylogging malware," said Harp.

Hotmail will also include a new feature tagged "Trusted Sender," which visually identifies legitimate mail from about 100 senders, mostly financial institutions like banks, that are commonly spoofed by identity thieves.

When asked to compare the new Hotmail security features with rivals such as Gmail and Yahoo Mail, Harp declined to go toe-to-toe with the competition. "The race isn't so much with the other [Web e-mail] services, but with the miscreants," he said.

Matt Rosoff, an analyst with Directions on Microsoft, disputed Harp's claim that rivals weren't at the root of Hotmail's changes. "Without the competition from Google['s Gmail], Microsoft would have much less incentive to improve Hotmail," said Rosoff.

But Harp did tout the fact that Hotmail has all of Microsoft behind it, including the company's security team. "We bring all of Microsoft's know-how, not just the Hotmail's team, to the table," said Harp.

As an example, Microsoft will offer the Internet Explorer 8 (IE8) "SmartScreen Filter" technology on its Windows Live properties. SmartScreen Filter is a combination anti-phishing and malware-blocking tool in IE8 that warns users when they try to reach a potentially dangerous URL.

Hotmail users running rival browsers, including Google's Chrome, Mozilla's Firefox, Apple's Safari and Opera Software's Opera, will receive that same protection later this year in a follow-on update to the June launch of Wave 4, said Harp. Other parts of Windows Live, including Messenger, Microsoft's instant messaging client, will have it immediately next month.

But some users wished Microsoft had stepped up its Hotmail security efforts earlier.

Although Microsoft today denied that there has been a recent uptick of Hotmail account hijackings, numerous users of the service have claimed that their inboxes have been hacked, and that their contacts have been purged.

Several users who used Twitter today to report that their Hotmail accounts had been hacked also wanted better security now.

"[Microsoft] to give Hotmail a make-over [is] too little too late if the number of times my account has been hacked is an indicator," tweeted James Milligan today, referring to a Wednesday story on The Daily Telegraph's Web site about Hotmail improvements.

"Hotmail adding a bunch of new features ... how about focusing on security from hackers? And more help for hacked accts?" tweeted Bill Robb Tuesday.

Robert McMillan of the IDG News Service contributed to this report.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
