Hotmail security updates protect you from account hijackers

Not too long ago, account hijacking was an issue limited mostly to financial service websites. Now the practice has grown to threaten other web services like email, disrupting millions of accounts every year. When an email account is compromised by hijackers, it violates the privacy of the account owner, can harm those in their address book, and adds additional costs to the services fighting the abuse. This type of identity theft costs users and services billions of dollars every year.
Microsoft is addressing the problem on multiple fronts. Last week we purged hijackers from legitimate Hotmail accounts that had been identified as compromised, and earlier this month we used legal action to take down a range of domains used by hijackers known as the Waledac botnet. Today, we are releasing new features to safeguard everyone’s account from hijackers. These updates help you protect your password and, in the unlikely event that a hijacker gains access to your account, provide a more secure recovery path so you will always be able to get your account back and kick the hijackers out.

Safeguarding accounts from hijackers

Hotmail starts by helping you keep your password safe from hijackers. Because hijackers:
  • Use phishing schemes like fake “official” emails or websites that ask you to provide your password, Microsoft SmartScreen® technology filters over 5.5 billion spam emails per day and warns of suspicious emails and websites. Hotmail also helps you know an email is safe by adding a shield icon next to “trusted senders” we verify as legitimate.
  • Use key loggers and other types of malicious software (malware) to steal your password, Hotmail has introduced the “single use code,” a one-time password sent to your cell phone so that you don’t have to reveal your true password on public machines, risking its theft.
  • Attempt to intercept passwords on unsecure Wi-Fi networks (known as “man in the middle” attacks), we use SSL encryption to secure all connections at login. Later this fall, we will also provide the option to use SSL for the entire Hotmail session.
  • Try to guess your password by testing commonly used words, e.g., words in the dictionary, Hotmail protects your account by blocking login after multiple unsuccessful attempts. The number allowed depends on the reputation of the IP addresses being used.
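
The last bullet describes a login throttle whose failure budget varies with the reputation of the source IP. The following is an added example, not Hotmail's code, of how such a guard can be modelled: the reputation tiers, the per-tier limits and the lockout window are constructed assumptions, since the post gives no numbers.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed reputation tiers and attempt budgets. The post only says the
# allowed number of failures "depends on the reputation of the IP addresses";
# these particular tiers and numbers are assumptions for the example.
ATTEMPT_LIMITS = {"trusted": 10, "unknown": 5, "suspicious": 2}


@dataclass
class LoginGuard:
    """Counts failed logins per (account, source IP) and locks that pair
    once it exhausts the budget its IP reputation allows."""
    reputation: dict                       # ip -> tier name (constructed input)
    lockout_seconds: int = 900             # assumed lockout window
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)

    def limit_for(self, ip):
        # IPs with no reputation record fall into the "unknown" tier.
        return ATTEMPT_LIMITS[self.reputation.get(ip, "unknown")]

    def attempt(self, account, ip, password_ok, now):
        """Return "ok", "denied" or "locked" for one login attempt at time `now`
        (seconds). A correct password is still refused while the pair is locked,
        which is what stops a dictionary attack from eventually succeeding."""
        key = (account, ip)
        until = self.locked_until.get(key)
        if until is not None:
            if now < until:
                return "locked"
            # Lockout expired: forget it and start a fresh failure count.
            del self.locked_until[key]
            self.failures[key] = 0
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.limit_for(ip):
            self.locked_until[key] = now + self.lockout_seconds
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed sample traffic: a low-reputation address guessing, then the
    # owner logging in from a trusted address.
    guard = LoginGuard(reputation={"203.0.113.7": "suspicious",
                                   "198.51.100.5": "trusted"})
    for t, ip, ok in [(0, "203.0.113.7", False), (1, "203.0.113.7", False),
                      (2, "203.0.113.7", True), (3, "198.51.100.5", True)]:
        print(t, ip, guard.attempt("alice", ip, ok, t))
```

Keying the counter on the (account, IP) pair is a deliberate simplification: it keeps a guessing attempt from one address from locking the owner out at another, at the cost of giving an attacker who rotates addresses a fresh budget each time, which is exactly why the reputation of those addresses has to feed into the limit.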

Despite these precautions, account compromise can still happen. Today we are rolling out new features to detect the hijackers and help you to quickly and reliably take back your account.

Account recovery – kicking out the hijackers and keeping them out

Spammers traditionally created their own accounts, but as we’ve cracked down on this practice, they’ve resorted to hijacking and exploiting the accounts of legitimate users to send spam. With today’s release, we are taking a step forward by detecting compromised email accounts, meaning accounts that are in effect co-owned by the legitimate user and the hijacker. We detect them with high confidence using heuristics based on login and account activity, and stop the abuse by locking the hijacker out and closing back doors they may have set up, like using vacation auto reply messages to send spam. At the same time, we begin working with the rightful owner to reclaim the account, recognizing the urgency of the issue.

The fastest way to get your account back, whether it was locked or you simply forgot your password, is to reset the password using account proofs. Proofs are like spare keys. If you set them up in advance, you can later use them to prove you are the legitimate account owner. Up until now, we’ve offered two proofs, an alternate email address and a personal question paired with a secret answer. However, there were limitations to these. For example, only 25% of people with a secret question actually remembered their answer when needed.

Today, we are introducing two new kinds of proofs for account recovery.
  • “Trusted PC” is a unique new proof that lets you link your Hotmail account with one or more of your personal computers. Then, if you ever need to regain control of your account by resetting your password, you simply need to be using your computer and we will know you are the legitimate owner.
  • The second new proof option is your cell phone number, where Hotmail will send a secret code via SMS that can be used to reset your password and reclaim your account.
Additionally, today’s release is making account recovery more secure in Hotmail. Before you can add a new proof or change any existing ones, you will need to be able to access at least one existing proof. For example, if your account was already set up with an alternate email proof and you wanted to add a cell phone number as well, you would need to use the alternate email address to do it. This means that even if a hijacker steals your password, they can’t lock you out of your account or create backdoors for themselves. You will always be able to get your account back and kick the hijackers out.
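
The rule in the paragraph above is the part worth seeing in code: a proof can reset the password, but adding or changing a proof needs a challenge answered through an existing proof, so a stolen password alone cannot plant a back door. This is an added toy model, not Hotmail's implementation; the `Account` and `RecoveryService` names, the in-process return of the one-time code (a real service sends it to the alternate address or phone), and the assumption that the very first proof can be added without a challenge are all mine.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


class RecoveryError(Exception):
    """Raised when a recovery or proof-management step is not allowed."""


@dataclass
class Account:
    name: str
    password: str
    proofs: dict = field(default_factory=dict)   # kind -> value, e.g. {"alt_email": "..."}
    pending: dict = field(default_factory=dict)  # kind -> one-time code awaiting use
    sessions: set = field(default_factory=set)   # active session ids (constructed)
    auto_reply: Optional[str] = None             # vacation auto-reply text, if set


class RecoveryService:
    """Toy model of proof-based recovery (added example, not Hotmail's code)."""

    def issue_code(self, acct, kind):
        """Generate a one-time code for an existing proof. A real service would
        deliver it over that proof's channel (alternate email, SMS); here it is
        returned so the example can complete the round trip in one process."""
        if kind not in acct.proofs:
            raise RecoveryError(f"account has no {kind} proof")
        code = secrets.token_hex(4)
        acct.pending[kind] = code
        return code

    def _consume(self, acct, kind, code):
        # Single use: the pending code is removed whether or not it matches,
        # so a wrong guess cannot be retried against the same code.
        expected = acct.pending.pop(kind, None)
        if expected is None or not hmac.compare_digest(expected, code):
            raise RecoveryError("proof not verified")

    def reset_password(self, acct, kind, code, new_password):
        """Owner reclaims the account with a proof: new password, every existing
        session (including the hijacker's) is dropped, and the vacation
        auto-reply the post cites as a spam back door is cleared."""
        self._consume(acct, kind, code)
        acct.password = new_password
        acct.sessions.clear()
        acct.auto_reply = None
        acct.pending.clear()

    def set_proof(self, acct, new_kind, new_value, via_kind=None, code=None):
        """Add or change a proof. Once the account has any proof, this requires
        a code from an existing one, so a stolen password alone is not enough.
        Assumption: the very first proof may be added without a challenge."""
        if acct.proofs:
            if via_kind is None or code is None:
                raise RecoveryError("changing proofs requires access to an existing proof")
            self._consume(acct, via_kind, code)
        acct.proofs[new_kind] = new_value


if __name__ == "__main__":
    # Constructed scenario: the owner has an alternate-email proof; a hijacker
    # who knows the password tries to add their own phone as a proof.
    svc = RecoveryService()
    acct = Account("alice", "hunter2", proofs={"alt_email": "alice@example.net"})
    try:
        svc.set_proof(acct, "phone", "+15555550100")
    except RecoveryError as e:
        print("hijacker blocked:", e)
    code = svc.issue_code(acct, "alt_email")      # delivered out of band in reality
    svc.reset_password(acct, "alt_email", code, "correct horse battery staple")
    print("owner reclaimed account; proofs:", acct.proofs)
```

The model also shows why the "no proofs" case has to fall back to a support process: with an empty `proofs` dictionary there is nothing for `issue_code` to challenge, so nothing in the automated path can distinguish the owner from the hijacker.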
If your account has no proofs set up and you lose access, then to get it back you will need to work with our support team at www.windowslivehelp.com/accountrecovery.

Account security is more important than ever, and with this release Hotmail is making your email account more secure than ever.

John Scarrow
General Manager - Safety Services
