Jul 15, 2011 13:31 GMT  ·  By

Two new security features rolling out to Windows Live Hotmail are designed to make it harder for attackers to compromise accounts and to better identify identities that have already been hijacked. Hotmail users will be able to report suspicious behavior coming from an email address belonging to one of their friends, a common sign that the friend’s account has been hijacked.

In addition, Hotmail customers will be required to set strong passwords for their accounts, making it harder for cybercriminals to break in through brute-force “dictionary” attacks.

Spam is a telltale symptom of a hacked email account, and the new “My friend’s been hacked!” option under the “Mark as” menu is designed to let users report potential hijacks.

“Our compromise detection system is always working in the background to detect unusual behavior. When we detect bad behavior from an account (like an account that suddenly starts sending spam), we mark that account as compromised,” revealed Dick Craddock, Group Program Manager, Hotmail.

“When you report that your friend’s account has been compromised, Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked. It turns out that the report that comes from you can be one of the strongest “signals” to the detection engine, since you may be the first to notice the compromise.”

Windows Live Hotmail accounts that have been reported as hijacked are essentially blocked so that attackers can no longer leverage them to send more spam.

The real owner of a hijacked account that has been blocked will be able to recover the email address and get control back, Microsoft said.

The feature works not only with Hotmail accounts, but also with services from additional providers such as Google and Yahoo, Craddock said.

“We’ve had this feature turned on for only a few weeks, and we’ve already identified thousands of customers who have had their accounts hacked and helped those customers reclaim their accounts. And we’ve found it to be very effective and fast. Accounts that you report as compromised are typically returned to the rightful owner within a day,” he explained.

At the same time, Microsoft has worked to eliminate perhaps the main source of hijacked accounts: weak and common passwords.

The software giant will actually force users to set up strong passwords by blocking common phrases and words from being used in the first place.

Windows Live Hotmail users won’t be able to have ‘12345’ or ‘ilovecats’ as their account password, or to swap an existing password for one of the two examples above, or others like them.

“This new feature will be rolling out soon, and will prevent you from choosing a very common password when you sign up for an account or when you change your password. If you're already using a common password, you may, at some point in the future, be asked to change it to a stronger password,” Craddock added.
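As an added illustration of the kind of check described above (example code, not Microsoft’s implementation, whose word list and rules are not public), the following denylist check rejects common passwords and also the trivial variants users reach for when a plain word is refused; the word list and substitution table are constructed for the example:

```python
import re
import unicodedata

# Constructed sample denylist. A real deployment would load a much larger
# list of known-common passwords from a file rather than hard-coding it.
COMMON_PASSWORDS = {
    "123456", "12345", "password", "qwerty", "ilovecats", "letmein",
    "iloveyou", "abc123", "welcome", "monkey",
}

# Reverse the most common character substitutions so that "1l0vec@ts"
# is compared against the denylist as "ilovecats".
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Up to three trailing digits or symbols ("ilovecats1!") are the usual
# way users try to sneak a refused word past a policy.
_TRAILING_JUNK = re.compile(r"[\d\W_]{1,3}$")


def is_common_password(password: str, denylist=COMMON_PASSWORDS) -> bool:
    """Return True if the password, or a trivial variant of it, is on the denylist."""
    base = unicodedata.normalize("NFKC", password).strip().lower()
    stripped = _TRAILING_JUNK.sub("", base)
    # Check the raw form first so that all-digit entries like "12345" are
    # caught before the substitution table turns digits into letters.
    candidates = {base, stripped, base.translate(_LEET), stripped.translate(_LEET)}
    return any(candidate in denylist for candidate in candidates)


def check_new_password(password: str) -> str:
    """Decision a signup or password-change form would act on."""
    if is_common_password(password):
        return "rejected: too common"
    return "accepted"


if __name__ == "__main__":
    for sample in ["12345", "ilovecats", "ILoveCats1!", "1l0vec@ts", "Tr0ub4dor&3"]:
        print(f"{sample!r:16} -> {check_new_password(sample)}")
```

Only the first four samples are refused; the last one passes because no normalized variant of it appears in the list.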