Hotmail has recently announced that it will be rolling out more security features to its web interface over the next few weeks.
Microsoft is adding what
Harp dubbed "proofs" to Hotmail to secure accounts against
hijacking, or let users more easily recover control if their account has been
snatched by criminals. Among those proofs will be one that links a specific
computer to a user's account.
"You'll be able to
set your computer as a proof," said Harp, referring to the link between
a PC and an account.
Google tracks log-ins and warns Gmail users of suspicious patterns, such as an attempt to log in from a foreign country, or multiple failed log-in attempts.
"We think we've done
it a little better than Gmail," argued Walter Harp, Hotmail’s director
of product management. "My mom's not going to get it if Gmail told her
she had tried to log in from a different IP address."
I concur with Harp. Tell most users that they logged in from a different IP address and you might as well be speaking a foreign language. This may be hard to believe, but most people are not fluent in geek-speak. The ordinary user cannot make the mental connection between an IP address and a physical location. It's like when I look a word up on Wikipedia and it tells me how to pronounce it using notation and characters I cannot read, so the pronunciation guide is of no help to me whatsoever.
Of course, one of the advantages of web mail is that you can log in from anywhere. When I'm traveling I find it useful to log in and check my mail, whether I'm hunting down spammers or being hunted down by spammers, in China or Peru. So I would expect some flag to be in place that lets the user say "Yes, it's okay, I'm traveling, so don't worry about this one."
In any case, the theory behind this is to let the user detect deviations from their normal pattern of behavior. If you normally log in from Las Vegas and some phisher steals your credentials and logs in from… oh, let's say Latvia, that is clearly an anomaly. You will probably want to be notified so you can immediately reset your credentials. Sometimes security is all about detecting divergences from an established behavioral baseline.
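The Las Vegas/Latvia scenario above, together with the "I'm traveling" flag, as an added example in Python (my illustration, not Hotmail's or Gmail's code). The log format, the IP-to-country table and the per-user baselines are all constructed for the example; a real system would take them from its authentication log, a GeoIP database and the account's own history.

```python
"""Baseline-deviation checks over web-mail login records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup: address prefix -> country code.
# All three prefixes are documentation ranges; the cities are pretend.
GEOIP = {
    "198.51.100.": "US",   # "Las Vegas"
    "203.0.113.": "LV",    # "Latvia"
    "192.0.2.": "CN",      # "China"
}


def country_of(ip):
    """Country for an IP from the constructed table, '??' if unknown."""
    for prefix, cc in GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_line(line):
    """Parse 'YYYY-mm-ddTHH:MM:SS user=<u> ip=<ip> result=<ok|fail>' (constructed format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(lines, baseline, traveling=frozenset(), fail_limit=3, window=timedelta(minutes=10)):
    """Return (alerts, updated_baseline).

    baseline  : {user: set of countries the user has logged in from before}
    traveling : users who told us they are on a trip; a new country is not
                flagged for them, but it is still recorded.
    Alerts: a successful login from a country outside the user's baseline,
    and `fail_limit` failed attempts for one user inside `window`.
    """
    alerts = []
    fails = defaultdict(list)
    seen = {u: set(c) for u, c in baseline.items()}
    for rec in map(parse_line, lines):
        user, ip, ts = rec["user"], rec["ip"], rec["ts"]
        if rec["result"] == "fail":
            # keep only failures inside the sliding window, then add this one
            fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
            if len(fails[user]) == fail_limit:
                alerts.append((user, "brute-force", f"{fail_limit} failures within {window}"))
            continue
        cc = country_of(ip)
        known = seen.setdefault(user, set())
        if known and cc not in known and user not in traveling:
            alerts.append((user, "new-country", f"login from {cc} ({ip}); usual: {sorted(known)}"))
            # deliberately NOT learned: a flagged login must not teach the
            # baseline that the intruder's location is normal
            continue
        known.add(cc)
    return alerts, seen


# Constructed sample log: alice is hijacked from "Latvia", bob declared a trip
# to "China", carol's password is being guessed.
LOG = [
    "2009-11-20T09:00:00 user=alice ip=198.51.100.7 result=ok",
    "2009-11-20T09:05:00 user=alice ip=203.0.113.9 result=ok",
    "2009-11-20T10:00:00 user=bob ip=192.0.2.44 result=ok",
    "2009-11-20T11:00:00 user=carol ip=203.0.113.5 result=fail",
    "2009-11-20T11:01:00 user=carol ip=203.0.113.5 result=fail",
    "2009-11-20T11:02:00 user=carol ip=203.0.113.5 result=fail",
]
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def run_example():
    """Run the detector over the constructed log with bob marked as traveling."""
    return detect(LOG, BASELINE, traveling={"bob"})


if __name__ == "__main__":
    for user, kind, detail in run_example()[0]:
        print(f"{user}: {kind}: {detail}")
```

Two details matter here. A login that was flagged is not added to the user's baseline, otherwise the intruder's first login teaches the system that Latvia is normal; and the travel flag only suppresses the new-country alert, never the failed-attempt one, since a password-guessing run looks the same wherever the owner happens to be.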
The article continues:
"Your mobile phone
will be an additional proof," said Harp, explaining that if a user loses
control of his or her account -- and thus has no way to reset the password to
regain access -- Hotmail will notify the user by phone, then send a new
password to that phone. "We'll do that if either a human or malware gets
into your account," Harp said.
Phones play another role
in Hotmail's enhanced security: Users can request that Microsoft send a
one-time password to their phones via SMS. Harp envisioned this being used by
people logging in at public places, such as Internet cafes, libraries or
unprotected Wi-Fi hotspots. The feature came out of conversations with focus
groups in less-developed countries, where more people connect to the Internet
"The general idea is
that you'd use this to be particularly cautious at a public computer, which
for all you know may be infected with keylogging malware," said Harp.
I particularly like the idea of using SMS phone verification. The idea behind this is that while a user might have several different email accounts that are easily stolen, most people actively use only one mobile phone at a time. Some people do have more, but a person will guard their phone because it is expensive to replace. In addition, people bond fairly tightly to their phone numbers, because it is a pain to get everyone to update their contact information for you. So, if you get locked out of your account, you can still have your password reset by following a process that sends the new password to something tied to your actual identity: your phone, which you physically carry on you or whose physical location you know. Unless the intruder has stolen your phone as well, you can quickly regain access to your account and kick the intruder out.
Using mobile phones to authenticate is also an interesting idea. I can see how useful it would be: sitting down at an untrusted location (such as an Internet cafe in the developing world) might fill you with some trepidation because a keystroke logger could steal your password. Instead, a one-time password is delivered to your own trusted device, so whatever the keylogger captures is useless after that single login. Realistically, though, I wonder about the efficacy of this feature. If you're going to log in with a code sent to your phone when you're traveling, especially abroad, you need a phone that connects to the local cellular network. Given the diversity of cellular networks and technologies worldwide (GPRS, GSM, CDMA2000, DoCoMo, UMTS, etc.) and how quasi-interoperable they are (read: not particularly), will the average web mail user really bother to use their cell phone to log in? Or will they not be thinking about security and just log in anyhow?
I like the idea; I'm not sure about the rate of uptake.
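The SMS one-time password flow quoted from the article and discussed above, as an added example in Python; this is my illustration, not Hotmail's implementation. The pending-code store, the message wording, the six-digit length, the five-minute lifetime and the three-guess limit are all assumptions, and the SMS gateway is replaced by an in-memory outbox so the example runs offline.

```python
"""One-time password over SMS: issue, deliver, verify exactly once (added example)."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6      # assumption
OTP_TTL = 300       # seconds a code stays valid (assumption)
MAX_GUESSES = 3     # wrong guesses before the code is burned (assumption)


class OtpService:
    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms                   # callable(phone_number, text)
        self.now = now                             # injectable clock
        self.pending = {}                          # account -> {digest, expires, guesses}
        self.server_key = secrets.token_bytes(32)  # kept server-side, never in the store

    def _digest(self, account, code):
        # HMAC over account:code so a leaked pending store reveals no codes and a
        # code issued for one account cannot be replayed against another.
        return hmac.new(self.server_key, f"{account}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, account, phone):
        """Generate a fresh code, store only its digest, send the code by SMS."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[account] = {
            "digest": self._digest(account, code),
            "expires": self.now() + OTP_TTL,
            "guesses": 0,
        }
        # The SMS is the only place the clear-text code ever appears; do not log it.
        self.send_sms(phone, f"Your sign-in code is {code}. It works once and expires in {OTP_TTL // 60} minutes.")

    def verify(self, account, code):
        """Return 'ok', 'no-code', 'expired', 'wrong' or 'locked'."""
        entry = self.pending.get(account)
        if entry is None:
            return "no-code"
        if self.now() > entry["expires"]:
            del self.pending[account]
            return "expired"
        if hmac.compare_digest(entry["digest"], self._digest(account, code)):
            del self.pending[account]   # single use: a keylogged code replayed later fails
            return "ok"
        entry["guesses"] += 1
        if entry["guesses"] >= MAX_GUESSES:
            del self.pending[account]   # six digits only survive brute force with a guess limit
            return "locked"
        return "wrong"


def demo():
    """Walk through the public-computer scenario with a constructed SMS outbox."""
    account, phone = "alice@example.com", "+15555550100"   # constructed
    outbox = []
    clock = [1_000_000.0]
    svc = OtpService(send_sms=lambda num, text: outbox.append((num, text)), now=lambda: clock[0])

    svc.issue(account, phone)
    code = outbox[-1][1].split()[4].rstrip(".")   # what the user reads off the phone
    first = svc.verify(account, code)              # the user logs in: "ok"
    replay = svc.verify(account, code)             # the keylogger replays it: "no-code"

    svc.issue(account, phone)                      # a fresh code, left unused
    clock[0] += OTP_TTL + 1
    stale = svc.verify(account, outbox[-1][1].split()[4].rstrip("."))   # "expired"

    svc.issue(account, phone)
    guesses = [svc.verify(account, "not-a-code") for _ in range(MAX_GUESSES)]   # wrong, wrong, locked
    return first, replay, stale, guesses


if __name__ == "__main__":
    print(demo())
```

The store holds a keyed hash rather than the code, the code is deleted on its first successful use (the replay in `demo` gets "no-code"), and it both expires and burns after a few wrong guesses. None of this helps if the intruder also has the phone, as noted above: the code proves possession of the phone number and nothing more.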
Hotmail will also include
a new feature tagged "Trusted Sender," which visually identifies
legitimate mail from about 100 senders, mostly financial institutions like
banks, that are commonly spoofed by identity thieves.
This is another idea that I like, and one that I think is long overdue. Domains that are commonly spoofed (PayPal, eBay, Facebook, Citibank, HSBC, Chase, etc.) should have some sort of trusted validation flagged in the mail client so the user knows who they are actually communicating with. This is one of the most useful applications of sender authentication.
The drawback is that there are a lot of institutions out there, particularly banks in Europe (you know who you are… actually, you probably don't), that don't have sender identity records set up (i.e., SPF, Sender ID or DKIM). The Trusted Sender feature won't have any effect on them, so they will still probably have problems with phishing attempts. Still, this is a good step in the right
The downside is that it remains to be seen whether users will actually learn to recognize their Trusted Senders, and notice that when a message claiming to come from such an institution is not marked trusted, their suspicions should be raised (i.e., the badge becomes a shorthand for deciding that the message is a spoof). My prediction is that initially people won't notice at all, but over time things will change and uptake will start to pick up.
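What the "identity records" buy the Trusted Sender feature discussed above, as an added Python example (my illustration, not Microsoft's implementation). It evaluates the subset of SPF needed for the point (ip4/ip6, include, and the all qualifiers) against a constructed DNS table rather than live lookups, then decides what badge the mail client should show. The domains, addresses, records and the stand-in trusted-sender list are all made up for the example.

```python
"""Sender authentication feeding a 'Trusted Sender' badge (added example)."""
import ipaddress

# Constructed TXT records. realbank.example publishes SPF and delegates to a
# bulk mailer; oldbank.example has no record at all (the European-bank case).
DNS_TXT = {
    "realbank.example": "v=spf1 ip4:198.51.100.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:203.0.113.10 ~all",
    "oldbank.example": None,
}

# Stand-in for the ~100 commonly spoofed senders on the list.
TRUSTED_SENDERS = {"realbank.example", "oldbank.example"}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Lookup against the constructed table instead of DNS."""
    return DNS_TXT.get(domain)


def check_spf(domain, client_ip, depth=0):
    """Evaluate ip4/ip6/include/all for client_ip against domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Other mechanisms (a, mx, exists, redirect) are out of scope here.
    """
    if depth > 10:                       # SPF limits DNS-based mechanisms to 10
        return "permerror"
    rec = spf_record(domain)
    if rec is None or not rec.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # an IPv6 client never matches an ip4 network, and vice versa
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
        elif term.startswith("include:"):
            if check_spf(term[len("include:"):], client_ip, depth + 1) == "pass":
                return QUALIFIER[qual]
        elif term == "all":
            return QUALIFIER[qual]
    return "neutral"                     # record exhausted without a match


def badge(from_domain, client_ip):
    """Decide what the client renders next to a message from from_domain."""
    if from_domain not in TRUSTED_SENDERS:
        return "no-badge"                # ordinary mail, nothing to say
    result = check_spf(from_domain, client_ip)
    if result == "pass":
        return "trusted"
    if result in ("fail", "softfail"):
        return "spoof"                   # on the list and failed: warn the user
    return "unverifiable"                # on the list but no usable record


if __name__ == "__main__":
    for dom, ip in [("realbank.example", "198.51.100.20"),
                    ("realbank.example", "192.0.2.99"),
                    ("oldbank.example", "192.0.2.99")]:
        print(dom, ip, badge(dom, ip))
```

The third outcome, "unverifiable", is the European-bank case above: a listed domain with no SPF record can be neither confirmed nor condemned, so the badge simply never appears for it and its customers get no protection. Note also that SPF authenticates the envelope MAIL FROM domain, not the From header the user sees; a client that shows a badge must check the header domain against the authenticated one (the example takes the two to be the same), otherwise a phisher who passes SPF for his own domain still gets to spoof the display name.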