Sep 28, 2010 08:26 GMT

Microsoft has introduced new features to Hotmail to make it easier for users to regain control of compromised accounts and prevent attackers from hijacking them in the first place.

Email accounts are among the most critical accounts Internet users have, especially since most people don't delete messages containing sensitive information, such as account passwords for other services, credit card statements and so on.

There are many ways in which an email account can fall into the hands of hackers. Phishing, computer trojans, Man-in-the-Middle (MitM) attacks on insecure wireless networks and brute force attempts are just some of them.

Another method is social engineering. Given enough time and research, a determined attacker can generally find out the information necessary to answer security questions and perform a password reset.

To counter this last type of attack, Microsoft has introduced two new "account proofs" to Hotmail.

"Proofs are like spare keys. If you set them up in advance, you can later use them to prove you are the legitimate account owner," John Scarrow, Microsoft's general manager for safety services, explains.

In addition to the traditional alternate email address and security question, users can now associate a trusted PC and a phone number with their account.

The trusted PC can be used to automatically prove the legitimacy of a user trying to perform a password recovery, while the mobile number will receive a secret code via SMS during the password reset process.

But these additional protections would be useless if attackers who gain unauthorized access to an account were able to change the phone number on record or add their own computer as a trusted PC.

To prevent this, making any modifications to the proofs requires access to at least one of them for confirmation.

"This means that even if a hijacker steals your password, they can’t lock you out of your account or create backdoors for themselves.

"You will always be able to get your account back and kick the hijackers out," Mr. Scarrow concludes.
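
The rule described above, that changing the proofs requires confirmation through one of the existing proofs, can be modelled in a few lines. This is an added illustration, not Microsoft's code: the `Account` class, the 7-digit code, the expiry time and the treatment of every proof as an inbox that receives a one-time code are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 600  # seconds a confirmation code stays valid (constructed value)


class Account:
    """Toy model: the password opens a session, but editing proofs needs an existing proof."""

    def __init__(self, password, proofs):
        self.password = password    # plaintext only to keep the model short
        self.proofs = dict(proofs)  # proof name -> inbox (list) that only its holder reads
        self._pending = {}          # proof name -> (code, expiry time)

    def _password_ok(self, password):
        return hmac.compare_digest(password.encode(), self.password.encode())

    def send_code(self, password, via, now=None):
        """Deliver a one-time code through the channel of an already registered proof."""
        now = time.time() if now is None else now
        if not self._password_ok(password) or via not in self.proofs:
            return False
        code = f"{secrets.randbelow(10**7):07d}"
        self._pending[via] = (code, now + CODE_TTL)
        self.proofs[via].append(code)  # stands in for the SMS or email delivery
        return True

    def _confirm(self, via, code, now):
        # pop() makes every issued code single-use, even when the guess is wrong
        stored, expiry = self._pending.pop(via, ("", 0.0))
        return bool(stored) and now <= expiry and hmac.compare_digest(stored.encode(), code.encode())

    def change_proof(self, password, via, code, name, inbox=None, now=None):
        """Add proof `name` (inbox given) or remove it (inbox None), confirmed through `via`."""
        now = time.time() if now is None else now
        if not self._password_ok(password) or not self._confirm(via, code, now):
            return False
        if inbox is None:
            return self.proofs.pop(name, None) is not None
        self.proofs[name] = inbox
        return True
```

In this model a hijacker who holds only the password can trigger a code but cannot read the inbox it lands in, so every attempt to add or remove a proof is refused.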