Increasingly, it seems like you can’t read the news without seeing a headline about a security issue exposing customer account information for criminals to exploit.
As a guy who works every day to keep the Microsoft account system (formerly Windows Live ID) secure, each time I read something like this my heart goes out first to the people whose accounts are victimized by these criminals, and secondly to my colleagues at the compromised companies. Bad guys only have to be right once, defenders have to be right 100% of the time – and I’ve been impressed by the competence and dedication of my peers across the industry.
Of course, as has been extensively covered, these attacks shine a spotlight on the core issue – people reuse passwords between different websites. This highlights the longstanding security advice to use unique passwords, as criminals have become increasingly sophisticated about taking a list of usernames and passwords from one service and then “replaying” that list against other major account systems. When they find matching passwords they are able to spread their abuse beyond the original account system they attacked.
We don’t blog much about our security work – no need to give the bad guys more ideas on how to attack our customers. However, given the events of this week, we’ve had enough questions that I wanted to take the time to share at a high level how we protect our customers from these attacks, and re-emphasize what each of you can do to better protect yourself.
Many sources of leaked credentials
Let’s start with how we find out about these customers who are at risk.
We regularly get notified of lists of compromised external account info (email addresses and/or passwords from other networks) from different sources. They contact us so that we can make sure our customers are protected if they use the same password for their Microsoft account. Sometimes it’s one of the many worldwide law enforcement agencies who reaches out. Sometimes it’s an ISP. Sometimes it’s another company who runs an identity system. And occasionally lists are published on public websites for the world to see.
The amount of detail and fidelity of these lists of customers varies – often these are incomplete or encrypted lists that don’t put real customers at risk. But occasionally they are lists of complete usernames and passwords that are a real threat to our customers.
How we protect our customers
When we get a list, first, we check to see if it actually matches any accounts and passwords in our system. This is done in an automated and secure way so no human actually sees the account info of our customers.
You’d be surprised how often the lists – especially the publicly posted ones – are complete garbage with zero matches. But sometimes there are hits – on average, we see successful password matches of around 20% of matching usernames. A recent one only had 4.5% overlap. This is actually exciting because it means that, on average, 80% of our customers are following safe password practices, and this reflects a growing sophistication in our customers.
Next, we look to see if there is evidence of criminal activity, like sending spam. If we do see signs of criminal activity, we suspend the account and ask the rightful owner to go through account recovery to regain control. In other cases we simply ask the customer to change their password (before any harm can be done).
Occasionally we get information about a set of customers, but there isn’t enough account information to identify who has reused passwords and is therefore at risk. Then we have a judgment call – do we ask 100% of those customers to reset their passwords, even though only 20% are probably at risk? Or do we leave the 20% at risk to avoid inconveniencing the 80%?
Where there is a credible threat, the answer is simple – we err on the side of protecting customers. This is a drag for those of you who are very careful with your passwords, and I do apologize for that inconvenience, but I hope you forgive us for protecting your neighbor. It might be you some day.
If your account is ever on one of these lists, here’s what you will see when you next sign in to Hotmail, SkyDrive, Xbox or another Microsoft service with your Microsoft account. (You might also see something like this if you have a password that is too common).
When you see this, please pardon the inconvenience and take a moment to change your password to a new, unique password.
How you can protect yourself
Follow the simple steps below to better protect yourself from criminals looking to take advantage of you.
Also remember that we will never send you email asking for your password or other security or account information. Any email asking for this information is always a phishing scam designed to lure you into disclosing your password or other account information.
- Always choose strong, unique passwords. Here’s how.
- Add security proofs to your account, and check them regularly to ensure they are up to date. You can add a phone, email address, or trusted PC as a proof, and these are used to recover your account if you ever lose access. Here’s how.
- Be careful using your account in public places, and especially on shared PCs. Shared PCs like those in hotels and Internet cafes are notoriously insecure, and often have malicious software installed that will steal your password. If you have to use one, sign in with a single-use code instead of your normal password. Here’s how.
- Be careful sharing personal information – passwords, email addresses, physical addresses, credit card info – these pieces of info can all be used to attempt to access your account.
- Install protection against viruses, spyware, and malware on your computer, and keep it up to date. There are many excellent choices available, including Microsoft Security Essentials, which is free.
- Make sure your browser phishing filters are active. For IE, click the Tools icon on the toolbar, point to Safety, and then click Turn on SmartScreen Filter. For other browsers, check your help files for instructions.
- Ensure you are on the correct site before entering personal info. Beware of websites that seem too good to be true (offering amazing deals) and always check the address bar to ensure it’s the right URL.
As a final note, of course we have security systems that are constantly evolving to block unauthorized access to your account even if the attacker has your password. These systems reason about normal patterns of login, location, and other factors, and will block unauthorized access or at times will provide an additional identity challenge to make sure that you are really you. But criminals do sometimes get around these systems, so having good, strong, unique passwords and following our security tips is always a good idea.
Thanks for helping us keep you safe.
Eric Doerr
Group Program Manager – Microsoft account
More...