Microsoft Hotmail gets account theft protection
In a posting on the Windows Team blog, Microsoft has announced two new functions aimed at enabling Hotmail users to recover their accounts should they be taken over by criminals. Previously, an attacker who had obtained a user's password via phishing, a trojan or unencrypted Wi-Fi could lock the user out of their account simply by changing the password. Unless the actual user had entered an alternative e-mail address for a password reset and had remembered the security question, there was no way of reclaiming the account.
Microsoft has now introduced the ability to have a password reset code sent via SMS, allowing users to regain control of their accounts. This does, however, require the user to have entered their mobile number prior to having their account taken over. The SMS message contains a code which can be entered on the Microsoft web site to reset the account's password.
Microsoft has also introduced a "Trusted PC" function which links a specific PC to the Hotmail account, allowing it to be used to reset the password without requiring the actual password. These functions are also useful for the absent-minded.
To stop an attacker from simply changing these recovery options, any change to one of them must be confirmed through another. To change the mobile phone number, for example, the user has to give their consent through one of the other options (email, Trusted PC or security question). Microsoft has also announced that the entire Hotmail session will in future be SSL encrypted – previously it was only the login process which was SSL protected.
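The recovery policy described above, as an added toy model that is not Microsoft's code: a password alone can change the password (which is what lets a phished account be locked), but a registered recovery option can only be changed with proof through a different registered option, and an SMS reset code is single-use and expires. The 15-minute code lifetime, the six-digit code format and the way "consent" is modelled (presenting the secret registered for the other option) are assumptions made for the example.

```python
"""Toy model of account-recovery rules: password resets via SMS code, and
recovery options that can only be changed with proof through another option.
Added example; not Microsoft's implementation. Code lifetime, code format and
the consent model are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 15 * 60  # assumed lifetime of an SMS reset code


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class Account:
    def __init__(self, password: str, email: Optional[str] = None,
                 phone: Optional[str] = None, trusted_pc: Optional[str] = None,
                 security_answer: Optional[str] = None):
        self.password_hash = _h(password)
        # Registered recovery options; None means "not set up".
        self.options = {"email": email, "phone": phone,
                        "trusted_pc": trusted_pc, "security_question": security_answer}
        self._pending_sms = None  # (code_hash, expires_at) while a code is outstanding

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, _h(password))

    def change_password(self, old_password: str, new_password: str) -> bool:
        # Knowing the current password is enough to change it: this is exactly
        # what lets an attacker with a phished password lock the owner out.
        if not self.login(old_password):
            return False
        self.password_hash = _h(new_password)
        return True

    def request_sms_code(self, now: Optional[float] = None) -> Optional[str]:
        """Issue a one-time code to the registered phone. The code is returned so
        the SMS can be simulated here; only its hash is stored server-side."""
        if not self.options["phone"]:
            return None
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_sms = (_h(code), now + CODE_TTL_SECONDS)
        return code

    def reset_password_with_sms(self, code: str, new_password: str,
                                now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self._pending_sms is None:
            return False
        code_hash, expires_at = self._pending_sms
        self._pending_sms = None  # single use: consumed on any attempt, right or wrong
        if now > expires_at or not hmac.compare_digest(code_hash, _h(code)):
            return False
        self.password_hash = _h(new_password)
        return True

    def prove(self, option: str, value: str) -> bool:
        """Consent via an option = presenting the secret registered for it
        (assumption: a real service would e.g. send a code to the e-mail address)."""
        registered = self.options.get(option)
        return registered is not None and hmac.compare_digest(_h(registered), _h(value))

    def change_recovery_option(self, option: str, new_value: str,
                               proof_option: str, proof_value: str) -> bool:
        """Change one recovery option only with proof through a *different*
        registered option; the password alone never suffices."""
        if option not in self.options or proof_option == option:
            return False
        if not self.prove(proof_option, proof_value):
            return False
        self.options[option] = new_value
        return True


def scenario() -> dict:
    """Constructed walkthrough: attacker locks the owner out, owner recovers."""
    acct = Account("correct horse", email="owner@example.invalid",
                   phone="+15550100", security_answer="rover")
    r = {}
    # Attacker with a phished password changes it and tries to steal the phone slot.
    r["attacker_changed_password"] = acct.change_password("correct horse", "pwned")
    r["owner_locked_out"] = not acct.login("correct horse")
    r["attacker_self_vouch"] = acct.change_recovery_option(
        "phone", "+15550199", "phone", "+15550100")          # option can't vouch for itself
    r["attacker_guessed_answer"] = acct.change_recovery_option(
        "phone", "+15550199", "security_question", "fluffy")  # wrong answer
    r["phone_unchanged"] = acct.options["phone"] == "+15550100"
    # Owner recovers with an SMS code inside the lifetime window.
    code = acct.request_sms_code(now=1000.0)
    r["owner_recovered"] = acct.reset_password_with_sms(code, "new strong pw", now=1060.0)
    r["owner_login_after"] = acct.login("new strong pw")
    r["code_replayed"] = acct.reset_password_with_sms(code, "again", now=1061.0)
    # A code presented after expiry is rejected.
    late = acct.request_sms_code(now=2000.0)
    r["expired_reset"] = acct.reset_password_with_sms(late, "x", now=2000.0 + CODE_TTL_SECONDS + 1)
    # Owner legitimately changes the phone number by proving the security answer.
    r["owner_changed_phone"] = acct.change_recovery_option(
        "phone", "+15550177", "security_question", "rover")
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The two properties worth noting are in `change_recovery_option`: the proof option must differ from the option being changed, and the password is never accepted as proof, so an attacker holding only the password cannot move the reset channel to a phone or e-mail they control.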