Microsoft is tackling the growing issue of Hotmail account hijacking. Microsoft has introduced new security controls designed to help users better protect Hotmail passwords and recover compromised accounts more easily.
With somewhere around 360 million active Hotmail accounts, Microsoft's Web-based e-mail service is actually the leading Web-mail platform--running in a virtual tie with Yahoo Mail and well ahead of Google's Gmail. Being Microsoft and hosting a pool of 360 million potential victims paints a pretty big bull's-eye on Hotmail and makes it an attractive target for attackers.
Account hijacking is a pervasive and growing trend for Web-based e-mail services like Hotmail. Compromised and hijacked accounts are sometimes hard to detect, and even harder to recover because an attacker might change key information which locks the legitimate owner out of their own account and makes it extremely difficult to recover.
A blog post on Inside Windows Live states, "The fastest way to get your account back, whether it was locked or you simply forgot your password, is to reset the password using account proofs. Proofs are like spare keys. If you set them up in advance, you can later use them to prove you are the legitimate account owner," adding, "Up until now, we've offered two proofs, an alternate email address and a personal question paired with a secret answer."
The problem with these proofs--which are relatively standard across various applications and Web services--is that alternate e-mail addresses are trivial to discover, and secret answers like your mother's maiden name or the city where you went to high school can also be found and pose a decreasing challenge for attackers to circumvent.
Microsoft is introducing two new proofs--proofs that rely on physical possession of a device as opposed to personal trivia questions. Microsoft will now let users designate a "Trusted PC", granting supreme authority to reset the Hotmail account as long as the action is done from the designated machine. Alternatively, Hotmail users can add a cell phone number which Hotmail can send a text message to with a secret reset code.
As an added level of protection, Microsoft requires that Hotmail members use an existing proof in order to add or change a proof. The Inside Windows Live blog post explains, "For example, if your account was already set up with an alternate email proof and you wanted to add a cell phone number as well, you would need to use the alternate email address to do it. This means that even if a hijacker steals your password, they can't lock you out of your account or create backdoors for themselves. You will always be able to get your account back and kick the hijackers out."
An attacker may be able to compromise a person's personal information and password via a phishing attack, or through malware or some sort in order to hijack the Hotmail account, but odds are good that the attacker won't also have access to the individual's PC and/or mobile phone. The new controls will make it much easier for user's to protect and recover their Hotmail accounts.