Microsoft is tackling the growing issue of Hotmail account hijacking. Microsoft has introduced new security controls designed to help users better protect Hotmail passwords and recover compromised accounts more easily.
With somewhere around 360 million active Hotmail accounts, Microsoft’s Web-based e-mail service is actually the leading Web-mail platform–running in a virtual tie with Yahoo Mail and well ahead of Google’s Gmail. Being Microsoft and hosting a pool of 360 million potential victims paints a pretty big bull’s-eye on Hotmail and makes it an attractive target for attackers.
Account hijacking is a pervasive and growing trend for Web-based e-mail services like Hotmail. Compromised and hijacked accounts are sometimes hard to detect, and even harder to recover because an attacker might change key information which locks the legitimate owner out of their own account and makes it extremely difficult to recover.
A blog post on Inside Windows Live states, “The fastest way to get your account back, whether it was locked or you simply forgot your password, is to reset the password using account proofs. Proofs are like spare keys. If you set them up in advance, you can later use them to prove you are the legitimate account owner,” adding, “Up until now, we’ve offered two proofs, an alternate email address and a personal question paired with a secret answer.”
The problem with these proofs–which are relatively standard across various applications and Web services–is that alternate e-mail addresses are trivial to discover, and secret answers like your mother’s maiden name or the city where you went to high school can also be found and pose a decreasing challenge for attackers to circumvent.
Microsoft is introducing two new proofs that rely on physical possession of a device rather than on personal trivia questions. Users can now designate a “Trusted PC”, which is granted supreme authority to reset the Hotmail account as long as the action is performed from the designated machine. Alternatively, Hotmail users can add a cell phone number, to which Hotmail can send a text message containing a secret reset code.
As an added level of protection, Microsoft requires that Hotmail members use an existing proof in order to add or change a proof. The Inside Windows Live blog post explains, “For example, if your account was already set up with an alternate email proof and you wanted to add a cell phone number as well, you would need to use the alternate email address to do it. This means that even if a hijacker steals your password, they can’t lock you out of your account or create backdoors for themselves. You will always be able to get your account back and kick the hijackers out.”
An attacker may be able to compromise a person’s personal information and password via a phishing attack, or through malware of some sort, in order to hijack the Hotmail account, but odds are good that the attacker won’t also have access to the individual’s PC and/or mobile phone. The new controls will make it much easier for users to protect and recover their Hotmail accounts.
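The proof-gated rule described above can be modelled in a few lines. This is an added illustration, not Microsoft's implementation: the `Account` class, the one-time-code flow and all sample values are assumptions made for the example.

```python
import hashlib, hmac, secrets

class ProofRequired(Exception): pass

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password, proofs):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _kdf(password, self.salt)
        self.proofs, self._pending = dict(proofs), {}  # proofs on file; outstanding codes

    def login(self, password):
        return hmac.compare_digest(self.pw_hash, _kdf(password, self.salt))

    def send_challenge(self, kind):
        # The code goes out of band to the proof itself; only its holder sees it.
        if kind not in self.proofs:
            raise ProofRequired(f"no {kind} proof on file")
        self._pending[kind] = secrets.token_hex(4)
        return self._pending[kind]

    def _check(self, kind, code):
        expected = self._pending.pop(kind, None)  # single use, even on failure
        if expected is None or not hmac.compare_digest(expected, code):
            raise ProofRequired(f"{kind} challenge failed")

    def add_proof(self, password, via, code, new_kind, new_value):
        # A valid password is necessary but not sufficient to change proofs.
        if not self.login(password):
            raise ProofRequired("bad password")
        self._check(via, code)
        self.proofs[new_kind] = new_value

    def reset_password(self, via, code, new_password):
        self._check(via, code)
        self.pw_hash = _kdf(new_password, self.salt)

def demo():
    acct = Account("hunter2", {"alt_email": "owner@example.org"})  # constructed values
    acct.send_challenge("alt_email")  # hijacker triggers it but never sees the code
    blocked = False
    try:
        acct.add_proof("hunter2", "alt_email", "not-the-code", "sms", "+1-555-0100")
    except ProofRequired:
        blocked = True
    code = acct.send_challenge("alt_email")  # owner reads the code from their mailbox
    acct.reset_password("alt_email", code, "new-passphrase")
    return blocked, sorted(acct.proofs), acct.login("hunter2")
```

`demo()` shows the stolen password failing to register a new proof, then the owner resetting the password through the existing proof so the stolen one no longer logs in.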
Gmail offers ‘off switch’ for conversation view
If you were one of the apparently thousands of people who hated the fact that Gmail grouped together an email with all the responses to that email, today you get your wish. Google has made what they call Conversation View an option that you can turn on and off.
That means that instead of having one email in your inbox that includes all 16 messages from your colleagues about the monthly budget, you can now have 16 separate emails scattered throughout your inbox. (As with other Gmail changes, like Priority Inbox, this one will be rolled out over the next few days, so you may not see the option to turn off threading immediately.)
Now, of course choice is almost always a good thing and there’s no reason that people who like unthreaded conversations shouldn’t have that option. I’ll just never understand why they want it – and why it’s a big enough deal to spawn complaint forums that go on for pages and pages.
From what I can tell from reading through the complaints on the Gmail forum, people don’t like conversation view because they like to keep their inbox tidy and the threaded approach doesn’t let them kill off individual emails in a conversation. In other words, they want to keep their boss’s original email about the monthly budget, but not Joe’s harangue about people using too many pencils.
I like having a clean inbox, too, but I think the Conversation View haters are off-base. The threaded approach makes it much easier to keep track of the twists and turns of one topic. By default, you only see the messages you haven’t read yet; the previous messages are collapsed. But if the most recent message mentions Joe’s point about pencils, you can easily expand the previous messages to find it. Compare that with the unthreaded approach, in which you have to get out of the email you’re reading, search for messages from Joe and find the one that talks about pencils. Much more of a pain.
Another common argument from the anti-Conversation View crowd is that all those messages they can’t kill are making their inbox too bulky. Come on people: A basic Gmail account now provides 7.5 GB of storage. Unless your threaded conversations include lots of people attaching high-def video files, those individual messages you can’t kill aren’t making a dent in your overall storage.
I’m not saying you shouldn’t have the option to turn off Conversation View – I’m just saying you shouldn’t exercise it.