Microsoft said it is delivering security changes to Hotmail users this week, including new user identity proofs and detection capabilities meant to thwart account hijacking.
Microsoft has begun rolling out new security features for Hotmail users today, centered around preventing and detecting account compromises. The changes, which Microsoft first discussed with eWEEK in May, will take about a week to roll out to all users, Dan Lewis, senior product manager for Windows Live Hotmail, told eWEEK. Once they arrive, the changes will include both new proofs for user authentication and detection capabilities meant to identify hijacked accounts.
In the area of proofs, users will be able to add a "Trusted PC" to associate with their Hotmail account. If an account is compromised, all a victim needs to do to reclaim his or her account is to log in from a trusted

Cell phones can be used as proofs as well, with Microsoft sending a code via SMS message to allow users to reset their passwords.
"Account proofs are like a spare key to your account," Lewis said. "If you set them up in advance, in the unlikely event that you forget your password or someone hijacks your account, you can use them to 'prove' that you are the rightful owner and kick out the hijacker."
Rather than allowing users to add or remove proofs with just their password, Hotmail requires users to validate an existing proof before changing them once they are set up. With this protection in place, even if attackers steal a user's password, they can't lock the user out or create backdoors for themselves, Lewis said.
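The policy described above, that a password alone is not enough to add or remove a proof once one exists, and that a validated proof lets the owner take the account back, is simple to model. The following is an added illustration written for this page, not Microsoft's code; the `Account` class, its method names and the SMS stand-in are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    """Toy model of a mail account with 'account proofs' (recovery factors).

    Hypothetical illustration, not Microsoft's implementation.
    """
    password: str
    trusted_pcs: set = field(default_factory=set)     # device identifiers
    phone: Optional[str] = None                        # SMS target
    sessions: set = field(default_factory=set)         # active session tokens
    _pending_sms: Optional[str] = None                 # one-shot code awaiting use

    def login(self, password: str) -> Optional[str]:
        """Password login; returns a session token or None."""
        if not hmac.compare_digest(password, self.password):
            return None
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def has_proofs(self) -> bool:
        return bool(self.trusted_pcs or self.phone)

    def send_sms_code(self) -> Optional[str]:
        """Constructed stand-in for the SMS gateway: returns the code it would send."""
        if self.phone is None:
            return None
        self._pending_sms = f"{secrets.randbelow(10**6):06d}"
        return self._pending_sms

    def validate_proof(self, *, pc_id: Optional[str] = None,
                       sms_code: Optional[str] = None) -> bool:
        """True if the caller presents a trusted PC or the outstanding SMS code."""
        if pc_id is not None and pc_id in self.trusted_pcs:
            return True
        expected, self._pending_sms = self._pending_sms, None   # code is single-use
        return (expected is not None and sms_code is not None
                and hmac.compare_digest(expected, sms_code))

    def change_proofs(self, password: str, *, add_pc: Optional[str] = None,
                      remove_pc: Optional[str] = None, new_phone: Optional[str] = None,
                      pc_id: Optional[str] = None, sms_code: Optional[str] = None) -> bool:
        """Password suffices only until the first proof exists; afterwards an
        existing proof must be validated, so a stolen password alone cannot
        add a backdoor proof or strip the owner's proofs."""
        if not hmac.compare_digest(password, self.password):
            return False
        if self.has_proofs() and not self.validate_proof(pc_id=pc_id, sms_code=sms_code):
            return False
        if add_pc is not None:
            self.trusted_pcs.add(add_pc)
        if remove_pc is not None:
            self.trusted_pcs.discard(remove_pc)
        if new_phone is not None:
            self.phone = new_phone
        return True

    def reclaim(self, new_password: str, *, pc_id: Optional[str] = None,
                sms_code: Optional[str] = None) -> bool:
        """Owner proves control with a proof, sets a new password, and every
        existing session (the hijacker's included) is revoked."""
        if not self.validate_proof(pc_id=pc_id, sms_code=sms_code):
            return False
        self.password = new_password
        self.sessions.clear()
        return True
```

The key check is the second `if` in `change_proofs`: the very first proof can be added with the password alone, but every later change requires an existing proof, which is what stops a password thief from enrolling their own "trusted PC".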
To protect against account hijacking, Microsoft has added heuristic-based capabilities to detect things such as changes in log-in behavior, spam being sent from the account or other suspicious activity. When a compromised account is discovered, it is blocked to prevent further abuse, and vacation auto-reply messages and linked accounts are suspended.
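The detection and containment flow just described, as an added example that is not part of the original article: a few heuristics over a constructed per-account event log (a change in log-in country and a burst of near-identical outbound mail), followed by the response the article names. Event fields, thresholds and the `AccountState` shape are all assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Thresholds are illustrative assumptions, not values from the article.
BASELINE_LOGINS = 3            # earliest logins define the account's "normal" countries
GEO_WINDOW_SECONDS = 3600      # two countries inside this window is suspicious
SEND_WINDOW_SECONDS = 3600
MAX_RECIPIENTS_PER_WINDOW = 100
MAX_SAME_SUBJECT = 3

# Constructed sample event log for one account (not real data); ts = epoch seconds.
EVENTS = [
    {"ts": 1000, "type": "login", "country": "US"},
    {"ts": 2000, "type": "login", "country": "US"},
    {"ts": 3000, "type": "login", "country": "US"},
    {"ts": 3600, "type": "login", "country": "NG"},      # different country 10 min later
    {"ts": 3610, "type": "send", "recipients": 45, "subject": "Cheap pharma!!!"},
    {"ts": 3620, "type": "send", "recipients": 50, "subject": "Cheap pharma!!!"},
    {"ts": 3630, "type": "send", "recipients": 48, "subject": "Cheap pharma!!!"},
]


@dataclass
class AccountState:
    blocked: bool = False
    auto_reply_enabled: bool = True
    linked_accounts: dict = field(default_factory=dict)   # name -> "active" | "suspended"


def login_signals(logins):
    """Change-in-log-in-behaviour heuristics: unseen country, or rapid country change."""
    reasons = set()
    baseline = {e["country"] for e in logins[:BASELINE_LOGINS]}
    for i in range(BASELINE_LOGINS, len(logins)):
        cur, prev = logins[i], logins[i - 1]
        if cur["country"] not in baseline:
            reasons.add("login_from_new_country")
        if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= GEO_WINDOW_SECONDS:
            reasons.add("rapid_country_change")
    return reasons


def send_signals(sends):
    """Outbound-spam heuristics: recipient volume in a sliding window, repeated subject."""
    reasons = set()
    window, total = [], 0
    for e in sends:
        window.append(e)
        total += e["recipients"]
        while e["ts"] - window[0]["ts"] > SEND_WINDOW_SECONDS:
            total -= window.pop(0)["recipients"]
        if total > MAX_RECIPIENTS_PER_WINDOW:
            reasons.add("bulk_outbound_mail")
    subjects = Counter(e["subject"] for e in sends)
    if subjects and subjects.most_common(1)[0][1] >= MAX_SAME_SUBJECT:
        reasons.add("repeated_subject")
    return reasons


def detect(events):
    """Return the set of reasons the account looks compromised (empty set = clean)."""
    events = sorted(events, key=lambda e: e["ts"])
    logins = [e for e in events if e["type"] == "login"]
    sends = [e for e in events if e["type"] == "send"]
    return login_signals(logins) | send_signals(sends)


def respond(state, reasons):
    """Containment as the article describes it: block the account, suspend
    the vacation auto-reply and any linked accounts. No-op when clean."""
    if not reasons:
        return state
    state.blocked = True
    state.auto_reply_enabled = False
    for name in state.linked_accounts:
        state.linked_accounts[name] = "suspended"
    return state


if __name__ == "__main__":
    found = detect(EVENTS)
    print(sorted(found))
    print(respond(AccountState(linked_accounts={"work": "active"}), found))
```

Each heuristic is deliberately separate so a triage analyst can see which signal fired; in practice the response would also notify the owner so they can reclaim the account with a proof.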
"Traditionally spammers created new accounts from which to send spam, but as we cracked down on this abuse, they resorted to hijacking and exploiting accounts of legitimate users," Lewis said. "Now, we are identifying these co-owned accounts, and acting to block the hijacker from committing abuse, and we are working with the rightful owners to help them reclaim the account."
The company also has plans to add SSL (Secure Sockets Layer) protection for a full Hotmail session in the near future,

Earlier this year, Google put HTTPS on by default for Gmail and added an alert to warn users of suspicious activity involving their accounts.