Microsoft Hotmail Security Enhancements Coming

Microsoft said it is delivering security changes to Hotmail users this week, including new user identity proofs and detection capabilities meant to thwart account hijacking.

Microsoft has begun rolling out new security features for Hotmail users today centered around preventing and detecting account compromises.

The changes, which Microsoft first discussed with eWEEK in May, will take about a week to roll out to all users, Dan Lewis, senior product manager for Windows Live Hotmail, told eWEEK. Once they arrive, the changes will include both new proofs for user authentication as well as detection capabilities meant to identify hijacked accounts.

In the area of proofs, users will be able to register a "Trusted PC" and associate it with their Hotmail account. If the account is compromised, the victim reclaims it simply by logging in from that trusted machine, which serves as evidence of ownership that the hijacker cannot supply.

Cell phones can be used as proofs as well: Microsoft sends a one-time code via SMS that lets the user reset the password.

"Account proofs are like a spare key to your account," Lewis said. "If you set them up in advance, in the unlikely event that you forget your password or someone hijacks your account, you can use them to 'prove' that you are the rightful owner and kick out the hijacker."

Rather than allowing users to add or remove proofs with just their password, Hotmail requires users to validate an existing proof before changing them once any proof is set up. With this protection in place, even attackers who steal a user's password can neither lock the user out nor create backdoors for themselves, Lewis said.
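The following is an added example, not Microsoft's code, that models the proof policy described above: a password alone can register the first proof, but once any proof exists, adding or removing one requires a session that has validated an existing proof, and a registered proof can reset the password and end every session. The class and function names, the plaintext password comparison and the scenario values are assumptions for the model only.

```python
"""Model of the account-proof policy described above (added example, not
Microsoft's code). Names, the plaintext password check and the scenario
values are assumptions for the model only."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Proof:
    kind: str   # "trusted_pc" or "phone"
    value: str  # device identifier or phone number


@dataclass
class Session:
    token: str = field(default_factory=lambda: secrets.token_hex(8))
    # Set only after the user demonstrates possession of a registered proof
    # (entering an SMS code, or signing in from the trusted PC).
    validated_proof: Optional[Proof] = None


class Account:
    def __init__(self, user: str, password: str):
        self.user = user
        self._password = password            # a real service stores a hash
        self.proofs: set[Proof] = set()
        self.sessions: dict[str, Session] = {}

    def login(self, password: str) -> Optional[Session]:
        if not hmac.compare_digest(password, self._password):
            return None
        s = Session()
        self.sessions[s.token] = s
        return s

    def validate_proof(self, session: Session, proof: Proof) -> bool:
        """Simulated proof challenge: succeeds only for a registered proof."""
        if session.token in self.sessions and proof in self.proofs:
            session.validated_proof = proof
            return True
        return False

    def change_proofs(self, session: Session, add: Optional[Proof] = None,
                      remove: Optional[Proof] = None) -> bool:
        if session.token not in self.sessions:
            return False
        # The password alone suffices only to set up the very first proof;
        # afterwards the session must have validated one of the current proofs.
        if self.proofs and session.validated_proof not in self.proofs:
            return False
        if remove is not None:
            if remove not in self.proofs:
                return False
            self.proofs.discard(remove)
        if add is not None:
            self.proofs.add(add)
        return True

    def reclaim(self, proof: Proof, new_password: str) -> bool:
        """Recovery path: a registered proof (trusted PC login, SMS code)
        resets the password and ends every session, including a hijacker's."""
        if proof not in self.proofs:
            return False
        self._password = new_password
        self.sessions.clear()
        return True


def hijack_scenario() -> dict:
    """Owner sets up a trusted PC, an attacker with the stolen password tries
    to add a phone proof and remove the trusted PC, then the owner reclaims."""
    acct = Account("alice", "hunter2")
    owner = acct.login("hunter2")
    trusted = Proof("trusted_pc", "device-1")
    first = acct.change_proofs(owner, add=trusted)      # bootstrap, password only
    thief = acct.login("hunter2")                       # attacker knows the password
    backdoor = acct.change_proofs(thief, add=Proof("phone", "+15550100"))
    lockout = acct.change_proofs(thief, remove=trusted)
    acct.validate_proof(owner, trusted)                 # owner proves the trusted PC
    second = acct.change_proofs(owner, add=Proof("phone", "+15550199"))
    reclaimed = acct.reclaim(trusted, "new-pass")
    return {
        "first_proof": first, "attacker_backdoor": backdoor,
        "attacker_lockout": lockout, "second_proof": second,
        "reclaimed": reclaimed,
        "thief_session_alive": thief.token in acct.sessions,
        "old_password_works": acct.login("hunter2") is not None,
        "proofs": len(acct.proofs),
    }


if __name__ == "__main__":
    print(hijack_scenario())
```

The key line is the guard in `change_proofs`: a session that authenticated by password only has `validated_proof` set to `None`, which is never in the proof set, so the stolen-password session fails both the add and the remove while the owner's validated session succeeds.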

To protect against account hijacking by spammers, Microsoft has added heuristics that detect changes in log-in behavior, spam being sent from the account and other suspicious activity. When a compromised account is discovered, it is blocked to prevent further abuse, and its vacation auto-reply messages and linked accounts are suspended.
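As an added example of the kind of heuristics described above (not Microsoft's detection system), the block below runs two checks over a constructed login/send log: a login from a country the account has never used, shortly after a login from a known country, and a burst of outbound mail whose recipient count is far above a normal mailbox. A flagged account gets the response the article describes: outbound mail blocked, the vacation auto-reply and linked accounts suspended. The log format, thresholds, sample lines and function names are assumptions.

```python
"""Heuristic hijack detection over a constructed log (added example, not
Microsoft's code). Log format, thresholds and sample lines are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; not real Hotmail data.
SAMPLE_LOG = [
    "2010-06-30T08:00:00 login user=alice country=US ip=203.0.113.5",
    "2010-06-30T08:05:00 send user=alice rcpts=2",
    "2010-06-30T09:10:00 login user=bob country=GB ip=198.51.100.20",
    "2010-06-30T09:12:00 send user=bob rcpts=1",
    "2010-06-30T10:30:00 login user=alice country=RO ip=192.0.2.77",
    "2010-06-30T10:31:00 send user=alice rcpts=48",
    "2010-06-30T10:33:00 send user=alice rcpts=52",
    "2010-06-30T10:36:00 send user=alice rcpts=50",
]

LINE = re.compile(
    r"^(\S+) (login|send) user=(\S+)(?: country=(\S+))?(?: ip=\S+)?(?: rcpts=(\d+))?$"
)
NEW_COUNTRY_WINDOW = timedelta(hours=3)   # assumed: new country this soon after a known one
SEND_WINDOW = timedelta(minutes=10)       # assumed: sliding window for outbound volume
SEND_BURST_RCPTS = 100                    # assumed: recipients per window that trip the alarm


def analyze(lines) -> dict[str, list[str]]:
    """Return {user: sorted list of alert names} for every flagged account."""
    last_login: dict[str, tuple[datetime, str]] = {}
    known_countries: defaultdict[str, set[str]] = defaultdict(set)
    recent_sends: defaultdict[str, list[tuple[datetime, int]]] = defaultdict(list)
    alerts: defaultdict[str, set[str]] = defaultdict(set)

    for line in lines:
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.fromisoformat(m.group(1))
        kind, user = m.group(2), m.group(3)

        if kind == "login":
            country = m.group(4)
            prev = last_login.get(user)
            # Change in log-in behavior: a country never seen for this
            # account, shortly after a login from a different, known one.
            if (prev is not None and country not in known_countries[user]
                    and prev[1] != country and ts - prev[0] <= NEW_COUNTRY_WINDOW):
                alerts[user].add("login_from_new_country")
            known_countries[user].add(country)
            last_login[user] = (ts, country)
        else:
            rcpts = int(m.group(5))
            window = [(t, r) for t, r in recent_sends[user] if ts - t <= SEND_WINDOW]
            window.append((ts, rcpts))
            recent_sends[user] = window
            # Spam being sent from the account: recipient volume in the
            # window exceeds anything a personal mailbox normally produces.
            if sum(r for _, r in window) >= SEND_BURST_RCPTS:
                alerts[user].add("send_burst")

    return {user: sorted(names) for user, names in alerts.items()}


def respond(user: str, alerts: dict[str, list[str]],
            linked: dict[str, list[str]]) -> list[str]:
    """Containment actions for a flagged account, as described in the article."""
    if user not in alerts:
        return []
    actions = ["block_outbound_mail", "suspend_vacation_autoreply"]
    actions += [f"suspend_linked:{acct}" for acct in linked.get(user, [])]
    return actions


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    print(found)
    print(respond("alice", found, {"alice": ["alice-work"]}))
```

Both signals are deliberately cheap to compute from per-account state, which is what makes them usable at mailbox-provider scale; in practice the thresholds would be tuned against the account's own history rather than fixed constants as here.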

"Traditionally spammers created new accounts from which to send spam, but as we cracked down on this abuse, they resorted to hijacking and exploiting accounts of legitimate users," Lewis said. "Now, we are identifying these co-owned accounts, and acting to block the hijacker from committing abuse, and we are working with the rightful owners to help them reclaim the account."

The company also has plans to add SSL (Secure Sockets Layer) protection for a full Hotmail session in the near future, he added.

Earlier this year, Google put HTTPS on by default for Gmail and added an alert to warn users of suspicious activity involving their accounts.