Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Hotmail to add more security features


Hotmail has recently announced that it is going to be releasing more security features to its web interface over the next few weeks.

Microsoft is adding what Harp dubbed "proofs" to Hotmail to secure accounts against hijacking, or let users more easily recover control if their account has been snatched by criminals. Among those proofs will be one that links a specific computer to a user's account.

"You'll be able to set your computer as a proof," said Harp, referring to the link between a PC and an account.

Google tracks log-ins and warns Gmail users of suspicious patterns, such as an attempt to log-in from a foreign country, or multiple failed log-in attempts.

"We think we've done it a little better than Gmail," argued Walter Harp, Hotmail’s director of product management. "My mom's not going to get it if Gmail told her she had tried to log in from a different IP address."

I concur with what Harp is saying. For most users, being told that they have logged in from a different IP address is like being addressed in a foreign language. This may be difficult to believe, but most people are not fluent in geek-speak. The ordinary user cannot make the mental connection between an IP address and the physical location where they are. It's like when I go to Wikipedia and it tells me how to pronounce a word but uses crazy syntax and characters that I cannot read, and thus the pronunciation guide is of no help to me whatsoever.

Of course, one of the advantages of web mail is that you can log in from anywhere. When I'm traveling, I find it useful to log in and check my mail whether I'm hunting down spammers, or being hunted down by spammers, in China or Peru. Of course, I would expect that there are certain flags in place that allow the user to say "Yes, it's okay, I'm traveling so don't worry about this one."

In any case, the theory behind this is to allow the user to detect deviations from normal patterns of behavior. If you normally log in from Las Vegas and some phisher steals your credentials and logs in from… oh, let's say Latvia, that is clearly an anomaly. You will probably want to be notified and immediately reset your credentials. Sometimes, security is all about detecting divergences from established baseline behavioral patterns.
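The baseline idea above, together with the "I'm traveling" flag and a notice worded in places rather than IP addresses, as an added example that is not Hotmail's or Gmail's code. The login history, account names, the `min_seen` threshold and the message wording are assumptions, and resolving an IP address to a place is assumed to happen upstream.

```python
from collections import Counter, defaultdict

# Constructed login history: (account, country, city). Resolving an IP address
# to a place is assumed to happen upstream and is not shown here.
HISTORY = [
    ("alice", "United States", "Las Vegas"),
    ("alice", "United States", "Las Vegas"),
    ("alice", "United States", "Reno"),
    ("alice", "Canada", "Vancouver"),      # seen once: not yet part of the baseline
    ("bob", "Australia", "Sydney"),
]


def build_baseline(history, min_seen=2):
    """Map each account to the countries it logged in from at least min_seen times."""
    counts = defaultdict(Counter)
    for account, country, _city in history:
        counts[account][country] += 1
    return {a: {c for c, n in seen.items() if n >= min_seen}
            for a, seen in counts.items()}


def assess_login(baseline, account, country, city, travel_ok=()):
    """Return (verdict, plain-language message) for one new login."""
    usual = baseline.get(account, set())
    if not usual:
        return "no-baseline", ""           # too little history to judge
    if country in usual:
        return "normal", ""
    if country in travel_ok:               # the user said "I'm traveling"
        return "expected-travel", ""
    places = " or ".join(sorted(usual))
    return "anomaly", (f"Someone signed in to your account from {city}, {country}. "
                       f"You usually sign in from {places}. "
                       "If this wasn't you, reset your password now.")


BASELINE = build_baseline(HISTORY)
```

An account with too little history gets `no-baseline` rather than an alert, so a new user is not warned about every login.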

The article continues:

"Your mobile phone will be an additional proof," said Harp, explaining that if a user loses control of his or her account -- and thus has no way to reset the password to regain access -- Hotmail will notify the user by phone, then send a new password to that phone. "We'll do that if either a human or malware gets into your account," Harp said.

Phones play another role in Hotmail's enhanced security: Users can request that Microsoft send a one-time password to their phones via SMS. Harp envisioned this being used by people logging in at public places, such as Internet cafes, libraries or unprotected Wi-Fi hotspots. The feature came out of conversations with focus groups in less-developed countries, where more people connect to the Internet at cafes.

"The general idea is that you'd use this to be particularly cautious at a public computer, which for all you know may be infected with keylogging malware," said Harp.

I particularly like the idea of using SMS phone verification. The idea behind this is that while a user might have several different email accounts that are easily stolen, most people only have one mobile phone at a time that they are actively using. While some people do have more, a person will guard their phone because it is expensive to get it replaced. In addition, people bond themselves fairly tightly to their phone numbers because it is a pain to get everyone to update their contact information for you. So, if you get locked out of your account, you can still get your password reset by following a process and have your password resent to your actual identity – your phone, which you physically carry on you or whose physical location you know. Unless the intruder has stolen your phone as well, you can quickly regain access to your account and kick the intruder out.

Using mobile phones to authenticate is also an interesting idea. I can see how useful this would be, in that sitting down at an untrusted location (such as an Internet cafe in the developing world) might fill you with some trepidation because a keystroke logger could steal your information. Instead, you use your own trusted device to log in to your account. Realistically, I wonder about the efficacy of this feature. If you're going to log in with your phone when you're traveling, especially abroad, you need a phone that connects to the local cell phone network. Given the diversity of cell phone carriers worldwide (GPRS, GSM, CDMA2000, DoCoMo, UMTS, etc.) and given how quasi-interoperable they are (read: not particularly), will the average web mail user really care to use their cell phone to log in? Or will they not be thinking security and just log in anyhow?

I like the idea, not sure about the rate of uptake.


Hotmail will also include a new feature tagged "Trusted Sender," which visually identifies legitimate mail from about 100 senders, mostly financial institutions like banks, that are commonly spoofed by identity thieves.

This is another idea that I like. It's an idea that I think has been long outstanding. Domains that are commonly spoofed – like PayPal, eBay, Facebook, Citibank, HSBC, Chase, etc. – should have some sort of trusted validation flagged in email so the user knows who they are communicating with. This is one of the most useful features of sender authentication.

The drawback is that there are a lot of institutions out there, particularly banks in Europe (you know who you are… actually, you probably don't) that don't have identity records set up (i.e., SPF, SenderID or DKIM). This trusted sender feature won't have any effect on them and so they will still probably have some problems with phishing attempts. Still, this is a good step in the right direction.

The downside is that it remains to be seen whether or not users will actually learn to recognize their Trusted Senders and become suspicious when a communication that comes from such an institution is Untrusted (i.e., shorthand for determining the message is a spoof). My prediction is that initially people won't notice at all but over time, things will change and uptake will start to pick up.
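One way a trusted-sender decision can be built on sender authentication, as an added example that is not Hotmail's implementation. The sender list, the `.example` domains, the use of an `Authentication-Results` header stamped by the receiving server and the simplified domain-alignment rule are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical trusted-sender list (constructed domains, not the real list).
TRUSTED_SENDERS = {"paypal.example", "bigbank.example"}


def parse_auth_results(header):
    """Yield (method, result, properties) for each clause after the authserv-id."""
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=([^\s;]+)", clause))
            yield m.group(1).lower(), m.group(2).lower(), props


def aligned(identity, from_domain):
    """Simplified alignment: authenticated domain is the From domain or a subdomain."""
    domain = identity.rpartition("@")[2].lower()
    return domain == from_domain or domain.endswith("." + from_domain)


def classify(raw_message):
    """Return 'trusted', 'untrusted' or 'unmarked' for one message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in TRUSTED_SENDERS:
        return "unmarked"      # no badge either way, e.g. a bank with no SPF/DKIM records
    # Assumes this header was added by the receiving server, not supplied by the sender.
    for method, result, props in parse_auth_results(msg.get("Authentication-Results", "")):
        identity = {"dkim": props.get("header.d"), "spf": props.get("smtp.mailfrom")}.get(method)
        if result == "pass" and identity and aligned(identity, from_domain):
            return "trusted"
    return "untrusted"         # claims a trusted brand but nothing authenticated as that brand


def sample(from_header, auth):
    """Build a constructed test message."""
    return (f"Authentication-Results: mx.receiver.example; {auth}\n"
            f"From: {from_header}\nSubject: Your account\n\nPlease review.\n")


GENUINE = sample("PayPal <service@paypal.example>",
                 "spf=pass smtp.mailfrom=bounce@mail.paypal.example; dkim=pass header.d=paypal.example")
SPOOFED = sample("PayPal <service@paypal.example>",   # SPF passes, but for an unrelated domain
                 "spf=pass smtp.mailfrom=bulk.mailer.example; dkim=none")
LOOKALIKE = sample("PayPal <service@paypa1.example>",
                   "spf=pass smtp.mailfrom=paypa1.example; dkim=pass header.d=paypa1.example")
```

The look-alike domain comes out `unmarked` rather than `untrusted`, which is the case where the user has to notice that the badge is missing.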

Comments
  • Multiple phone numbers to allow at least 1 overseas mobile would save a lot of grief when I am travelling and my phone provider has no signal due to poor arrangements with other phone companies, i.e. I use a local phone SIM overseas that works everywhere and doesn't cost an arm and a leg. My Aussie provider Telstra has poor service, massive charges and no signal outside major towns when travelling.
