Yesterday Microsoft’s Dick Craddock posted a blog describing a new feature that was recently added to Hotmail. This feature allows users to easily report when they think a friend’s email account has been hacked. Overall this is quite a clever idea, and a good move from Microsoft towards better securing their Hotmail service. This announcement comes hot on the heels of a published report showing that spammers are switching to sending from compromised accounts instead of sending mail directly from bots.
The idea behind the feature is that when an account becomes compromised, it is then often used to send spam to friends of the compromised user. This new system allows those friends to act as an early warning system, in addition to Hotmail’s other account compromise detection. Hotmail will even send notifications to Google’s Gmail team and Yahoo!’s mail team if they find out that accounts from those providers have been hacked.
It’s very positive to see steps like this being added by online mail providers, and I would not be surprised to see other providers follow suit. Microsoft is also enhancing their weak password detection, to force users to use stronger passwords. This is also a good idea, helping to protect against attackers manually guessing a user’s password, but will be less effective at stopping account compromises from malware. Most modern info-stealing malware will intercept all web passwords and send them back to the attacker, so unfortunately it does not make much difference if your password is “123456” or if it looks like a cat ran across your keyboard.
While we are at it, here are some other neat webmail security features you may not have been aware of:
- Hotmail allows users to use a “Single use code” to log in when they are signing in from an untrusted machine (e.g. an Internet cafe, a public shared machine, your hacker friend’s laptop, etc.). There is a link just below the Sign in button on login.live.com.
- Google Gmail provides the option of using two-factor authentication, which requires you to have access to your phone in order to login. This means that an attacker would need to have physical access to your phone in addition to your account details in order to access the account.
- Earlier this year, I created a blog advising users to lie when filling out their password recovery questions. Password recovery questions can still be one of the weakest links in the security of webmail.
What will be interesting to see is how attackers respond to this move, especially if other providers copy Hotmail. It will force attackers to change their approach to whom they spam from a compromised account. Obviously this is a game of cat-and-mouse, with the security industry gaining the upper hand for some time before the balance flips back and forth between the two – but any technology that makes the lives of cybercriminals more difficult, and directly cuts into their bottom line, is definitely a welcome one in my book.