Microsoft Hotmail gets account theft protection

reghakr

In a posting on the Windows Team blog, Microsoft has announced two new functions aimed at enabling Hotmail users to recover their accounts should they be taken over by criminals. Previously, an attacker who had obtained a user's password via phishing, a trojan or unencrypted Wi-Fi could lock the user out of their account simply by changing the password. Unless the actual user had entered an alternative e-mail address for a password reset and had remembered the security question, there was no way of reclaiming the account.

Microsoft has now introduced the ability to have a password reset code sent via SMS, allowing users to regain control of their accounts. This does, however, require the user to have entered their mobile number prior to having their account taken over. The SMS message contains a code which can be entered on the Microsoft web site to reset the account's password.
Microsoft has also introduced a "Trusted PC" function which links a specific PC to the Hotmail account, allowing it to be used to reset the password without requiring the actual password. These functions are also useful for the absent-minded.

To prevent the bad guys from simply changing these new options, they can only be changed in combination with the other options. To change the mobile phone number, for example, the user has to give their consent through one of the other options (email, Trusted PC or security question). Microsoft has also announced that the entire Hotmail session will in future be SSL encrypted – previously it was only the login process which was SSL protected.

Source: http://www.h-online.com/security/news/item/Microsoft-Hotmail-gets-account-theft-protection-1097726.html
 

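The rule the quoted article describes, that a recovery option can only be changed after consent through one of the other options, sketched as an added example (not Microsoft's code and not part of the original post). The option identifiers, function names and the handling of an account with no other option on file are assumptions.

```python
from dataclasses import dataclass, field

# Recovery options named in the article; the identifiers themselves are assumed.
OPTIONS = {"email", "sms", "trusted_pc", "security_question"}

@dataclass
class Account:
    enrolled: dict = field(default_factory=dict)  # option -> value on file

def may_change(account, target, proofs):
    """Return (allowed, reason) for changing recovery option `target`.

    `proofs` is the set of options the requester has just passed a
    challenge on. The account password is deliberately not a proof.
    """
    if target not in OPTIONS:
        return False, "unknown option"
    # Only proofs for options actually on file count, and never the option
    # being changed: the article requires consent through one of the others.
    valid = {p for p in proofs if p in account.enrolled and p != target}
    if valid:
        return True, "confirmed via " + sorted(valid)[0]
    if not (set(account.enrolled) - {target}):
        # Assumption: with no other option on file, refuse rather than fall
        # back to the password. The article does not describe this case.
        return False, "no other option enrolled"
    return False, "needs proof from another option"

def change_option(account, target, new_value, proofs):
    allowed, reason = may_change(account, target, proofs)
    if allowed:
        account.enrolled[target] = new_value
    return allowed, reason

def demo():
    # Constructed sample account and requests.
    acct = Account({"email": "backup@example.test", "sms": "+1-555-0100"})
    results = [
        change_option(acct, "sms", "+1-555-0199", set()),           # password only
        change_option(acct, "sms", "+1-555-0199", {"sms"}),         # proof from the option itself
        change_option(acct, "sms", "+1-555-0199", {"trusted_pc"}),  # option not on file
        change_option(acct, "sms", "+1-555-0199", {"email"}),       # proof from another option
    ]
    return results, acct.enrolled["sms"]

if __name__ == "__main__":
    for result in demo()[0]:
        print(result)
```

Someone holding only the stolen password fails the first three requests, so the owner's recovery routes stay intact.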
Hi Reghakr, that sounds great - but I've faced an entirely different situation that could potentially be the 'next big thing' in 'free email account abuse'.
Imagine this: My Hotmail account had been around for a few years, and hence the address was fairly much in the public realm. Then one day out of the blue I tried to log in and got the notice, "too many failed attempts to log-in - please try later".
Hmm~ well, interesting, because I was at work and hadn't attempted to log in at all. I hadn't lost or forgotten my password. I waited the 24 hours MSN support suggested, to no avail. Still locked out.
My guess - some script kiddie has probably tried to hack the account to gain access. OR some loser neighbor has acquired my email address and, while they eat tea, attempts to enter random passwords just to keep the account locked.

So... that means anyone who knows my email address can simply just attempt to log in and lock my damn account (and keep it locked :mad:). I would prefer to have my account hacked and have them send mail on my behalf than to have some random have me locked out indefinitely.
Oh BTW, going through the security option to change the password works, but the account still persists to be locked.
This would easily be scripted to harvest accounts and attempt logins NOT to gain access but to REDUCE access.
 


I've never heard of something like that before. Frankly I don't think that the person responsible is trying to prevent you from using your account (that serves no purpose to them); rather, I think what you are seeing is a side effect of someone earnestly trying to gain control of the account. Hackers don't try to gain control of email addresses to prevent you from using them, they want control so that they can use them for spam, viruses, or even illegal activity.
 
