Security upgrades in the new Hotmail

We were excited to share with you last week a preview of the brand new Hotmail, available starting later this summer. To follow up, we wanted to share a little more detail around some of the security investments we’ve made in the new Hotmail.

Security remains the number one concern of people who use email and a top priority for all Microsoft development efforts, products, and services – Hotmail included.

Among the several security enhancements we made in the new Hotmail, here are a few in particular that we’d like to call out.

Account recovery

The new security platform elements we've built up around Hotmail now enable you to use your cell phone or other items as proof of account ownership. For example, if you lose your password, or, worse, if your account gets compromised, we can now send you an account recapture code via SMS to regain access to your account.

Single-use codes

This new security feature is designed to further protect you when you sign in from a public computer, such as those found in internet cafés, airports, and coffee shops. When you request a single-use code, the code is sent via SMS to the phone number associated with your Windows Live ID. It acts as a one-time substitute for your password. By using a single-use code, you won't have to type your password into a public computer, thereby helping to prevent it from being stolen by keyloggers and the like.

(Screenshots: "Request a single-use code…" and "…then use the code to sign in to Hotmail")
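The two sections above (account recovery codes and single-use sign-in codes) both rest on the same server-side mechanism: a random code delivered out of band, stored only as a keyed hash, valid for a short window, accepted exactly once, and abandoned after a few wrong guesses. The following is an added illustration of that mechanism, not Hotmail's own code; the ten-minute lifetime, the five-attempt limit, the eight-digit code length, the server-side HMAC key and the stub SMS channel are all assumptions made for the example.

```python
"""Single-use code issuer/verifier (added example; assumptions noted inline)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumption: a code lives ten minutes
MAX_ATTEMPTS = 5             # assumption: five wrong guesses void the code
SERVER_KEY = secrets.token_bytes(32)  # assumption: server-held key, never sent to clients


class SingleUseCodeService:
    """Issues codes over an out-of-band channel and redeems each one at most once."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone_number, text); the SMS gateway
        self._clock = clock         # injectable for testing expiry
        self._pending = {}          # account -> {"hash", "expires", "attempts"}

    def request_code(self, account, phone_number):
        # Cryptographically random and unrelated to the password, so a logged
        # code reveals nothing about the credential it stands in for.
        code = f"{secrets.randbelow(10**8):08d}"
        # Only a keyed hash is stored: a leaked table is useless without SERVER_KEY.
        self._pending[account] = {
            "hash": self._hash(account, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Your single-use sign-in code is {code}")

    def redeem_code(self, account, submitted):
        """Return True once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]          # expired: discard, force a fresh request
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]          # too many guesses: void the code
            return False
        if hmac.compare_digest(entry["hash"], self._hash(account, submitted)):
            del self._pending[account]          # consumed: single use
            return True
        return False

    @staticmethod
    def _hash(account, code):
        # Binding the account into the hash stops a code issued for one account
        # from being replayed against another.
        return hmac.new(SERVER_KEY, f"{account}:{code}".encode(), hashlib.sha256).hexdigest()


def simulate():
    """Exercise the service with a stub SMS channel and a controllable clock."""
    outbox = []                      # constructed stand-in for the phone
    now = [1_000_000.0]
    svc = SingleUseCodeService(send_sms=lambda phone, text: outbox.append(text),
                               clock=lambda: now[0])
    account, phone = "alice@example.com", "+15555550100"   # constructed sample values
    results = {}

    svc.request_code(account, phone)
    code = outbox[-1].split()[-1]    # the "phone" reads the code back off the SMS
    wrong = "00000000" if code != "00000000" else "00000001"
    results["wrong_code"] = svc.redeem_code(account, wrong)
    results["first_use"] = svc.redeem_code(account, code)
    results["replay"] = svc.redeem_code(account, code)      # same code a second time

    svc.request_code(account, phone)                        # second code, left to expire
    code2 = outbox[-1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = svc.redeem_code(account, code2)

    svc.request_code(account, phone)                        # third code, guessed at
    code3 = outbox[-1].split()[-1]
    wrong3 = "12345678" if code3 != "12345678" else "87654321"
    for _ in range(MAX_ATTEMPTS):
        svc.redeem_code(account, wrong3)
    results["after_lockout"] = svc.redeem_code(account, code3)
    return results


if __name__ == "__main__":
    print(simulate())
```

The design point worth noticing is that every failure path deletes the pending entry rather than leaving it for a later try, and that the code is checked with a constant-time comparison against a keyed hash; none of this addresses a stolen or borrowed phone, which, as the comments below discuss, is a physical-access problem the feature was not built to solve.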

Full-session SSL

In addition to providing SSL encryption at login for all accounts, the new Hotmail will soon support the option to maintain SSL encryption between you and our servers during your entire Hotmail session.

Trusted senders

Hotmail will help you to visually identify trusted senders in your inbox, particularly banks and other institutions commonly used for phishing scams. We put safety logos next to only those senders that we recognize as legitimate so that you can more easily spot malicious imitators.
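The post does not say how Hotmail decides that a sender is "recognized as legitimate", so the following is an added illustration of one defensible decision rule, not Hotmail's code. It assumes a curated allowlist of institution domains, and it assumes the receiving mail server records its own SPF/DKIM verdicts in an Authentication-Results header (RFC 8601 syntax, simplified parsing). The logo is shown only when the From domain is allowlisted and the server's own verdict vouches for exactly that domain; the allowlist alone would let a spoofed From address earn the logo, and a passing verdict alone would let a lookalike domain earn it.

```python
"""Safety-logo decision for trusted senders (added example; assumptions noted inline)."""
import re
from email.utils import parseaddr

# Assumption: curated allowlist of exact domains and the logo asset each earns.
SAFETY_LOGOS = {
    "bank.example": "logo-bank.png",
    "payments.example": "logo-payments.png",
}

# Assumption: the identifier our own mail server writes into Authentication-Results.
OUR_AUTHSERV_ID = "mx.mail.example"

# Matches e.g. "spf=pass smtp.mailfrom=bank.example" or "dkim=pass header.d=bank.example".
_RESULT_RE = re.compile(r"\b(spf|dkim)=(\w+)(?:\s+[\w.]+=([\w.-]+))?")


def parse_auth_results(header_value, expected_authserv=OUR_AUTHSERV_ID):
    """Return [(method, result, domain)] from an Authentication-Results header.

    Anyone can add such a header to a message they send, so only a header
    stamped with our own authserv-id is trusted; any other is ignored.
    """
    authserv, _, body = header_value.partition(";")
    if authserv.strip().split()[:1] != [expected_authserv]:
        return []
    found = []
    for clause in body.split(";"):
        m = _RESULT_RE.search(clause)
        if m:
            found.append((m.group(1), m.group(2).lower(), (m.group(3) or "").lower()))
    return found


def safety_logo_for(from_header, auth_results_header):
    """Return the logo file to display beside the sender, or None."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    logo = SAFETY_LOGOS.get(domain)
    if logo is None:
        return None      # unknown sender: never decorate, lookalikes included
    for _method, result, auth_domain in parse_auth_results(auth_results_header):
        # Alignment: the verified domain must be the very domain the user sees.
        if result == "pass" and auth_domain == domain:
            return logo
    return None


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    print(safety_logo_for("Example Bank <alerts@bank.example>",
                          "mx.mail.example; spf=pass smtp.mailfrom=bank.example; "
                          "dkim=pass header.d=bank.example"))
    print(safety_logo_for("Example Bank <alerts@bank.example>",
                          "mx.mail.example; spf=pass smtp.mailfrom=attacker.example; dkim=none"))
```

Because the logo is rendered by the mail client outside the message body, a counterfeit logo pasted into a phishing message (the concern raised in the comments) never passes through this function at all; that separation is what makes the indicator worth anything.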

John Scarrow
General Manager - Safety Services

22 Comments
  • bRonCOde
    24 Posts

    @ryan burkhardt Now that the Hotmail roll out has started, can you give more details about which deltasync clients will support full session SSL (WLM wave3, WLM wave4, Outlook connector, others?) and how to configure it.

  • @langware - Single-use code is proving to be a valuable tool in providing people confidence when they are on the go. There are several things we can do to improve on this, including providing codes via email that someone can get before their trip and stick in their wallet, for example. We felt the SMS version of this would get more usage as people don't have to plan ahead for their single-use code needs. That said, there is no security reason for not doing this, and it will be on our list to investigate in Wave 5.

  • @rotodendo:  SSL will be opt-in. We will continue to support POP.

  • langware
    154 Posts

    I see that single-use signon passwords have been implemented. Nice! However, what about those users who do not have SMS enabled on their cell phone. Why not offer another option where a user can request that several single-use passwords be sent to their email address .... or some other alternative for users who do not have SMS on their cell phones.

  • Nice, I like this because I have Office installed on 3 computers and have now bought a new computer, so I could not previously get Office programs, I had to use OpenOffice which is extremely annoying in the compatibility department.

  • Will full-session SSL enabled by default? With ActiveSync coming, will POP still be supported?

  • Nater
    147 Posts

    Quoting:  ***@nater sorry to hear you don't love deltasync as much as we do. you are correct in that deltasync, like imap, is not a push protocol. we have built a very scalable push infrastructure with messenger and do use that to provide a push experience for desktop clients where customers are using messenger. the data shows that this is a large percentage of our userbase. ***  It's not cool to run Windows Live Messenger 24/7 when you have literally 0 Messenger Contacts in it.  IMAP would have been decent enough, as long as it didn't require us users to completely change the way we work in our email clients the way Google Mail does.  What made it impossible to take the code Live Messenger uses to check for mail and putting it in Live Mail?

  • langware
    154 Posts

    The single-use code is a good idea .... but remember that many of your customers are not advanced users and may not have (or use) cell phones with SMS .... yes, I know that seems far fetched, but you do need to consider those users when designing your security enhancements.

    Full session SSL and trusted senders are also good ideas.

    However, there is much more that Microsoft could do to address account hijackings (and the resulting effects such as: accounts being used to send spam, accounts locked because of the spam sent from them, passwords reset, archived emails being deleted, contacts being deleted, etc.). The number one issue that is currently resulting in the Hotmail forum of the Windows Live Solution Center being overwhelmed by posts is account hijackings.

    The security enhancements described above are a good first step. Please consider some of the following:

    1. An option that allows users to specify a default IP address. If an attempt to sign on to Hotmail does not originate from the user's default IP address, then the user's secret question(s) must be successfully answered before the sign on is accepted. Yes, I know that dynamic IP addresses change, but this option would go a long way toward preventing hijackers from using ones account (the default IP address could be updated by the user when it changes, and disabled if/when one will legitimately be using a different computer).

    2. An option to warn the user if there was more than one computer currently signed on to the account (possibly indicating that a spammer was in the process of hijacking the account). In addition, a table showing the last 10 sign-on attempts to the user's account could be optionally displayed showing the IP address and date/time of each sign-on. This could be used to warn the user to immediately change their password and secret question (if the user observes that someone else is accessing their account).

    3. Insert a warning (telling the recipient not to respond) into every phishing message that claims to be from Microsoft and asks for the recipient's Hotmail password. These phishing messages are a scam and only result in user's accounts being hijacked (if the user responds to the official-looking message). The trusted sender option might make this suggestion moot as long as the phishing messages do not also contain a counterfeit "safety logo".

    In addition to the security upgrades described in the above blog, additional significant and definitive actions are needed to stop the current epidemic of account hijackings.

  • Bob
    7 Posts

    Hello, I am still on the current Hotmail version. I just noticed for me, the "attach" button is the plain attach button. I used to have the ability to attach multiple photos all at once. Any advice? Thanks, and I really look forward to the new Hotmail and Live Essentials package. I've been a Hotmail user since about 1997.

  • @bRonCOde "...the new Hotmail will soon support the option to maintain SSL encryption between you and our servers..." you'll get more details when we are closer to release on client compatibility.

  • One important point to make with regards to account security is the importance of physical security or unauthorized access of your devices. A couple of points have been made concerning loaning your phone to someone else or having it stolen. These are important issues, and in the case where someone has control of your device, computer or cell, your ability to be compromised is increased dramatically. Single-use Code was specifically designed to address the mainstream concerns of accessing your account from a non-trusted PC and having your credentials key-logged. Gaining access to your SMS device dramatically increases the difficulty of such an exploit. Single-use Code was not designed to protect against the case of a stolen or a loaned device. There is an interesting article on Wikipedia that discusses the unique challenges with "Physical Access": en.wikipedia.org/.../Physical_access. Although this article talks more specifically about computer access, the principles still apply.

    Here is a specific clip that points out the challenge here:

    Michael Meyers' Network+ Certification All-in-One Exam Guide notes that "the best network software security measures can be rendered useless if you fail to physically protect your systems."

  • bRonCOde
    24 Posts

    @ryan burkhardt Does your SSL response apply to wave3 live mail on XP (which can't be upgraded to wave4)? Can you point to or give directions for configuring full-session ssl in the clients?

  • @bRonCOde we expect to allow users to have the option to use clients without ssl if they choose, or otherwise lock down deltasync client access until the end to end communication supports ssl.

    @nater sorry to hear you don't love deltasync as much as we do. you are correct in that deltasync, like imap, is not a push protocol. we have built a very scalable push infrastructure with messenger and do use that to provide a push experience for desktop clients where customers are using messenger. the data shows that this is a large percentage of our userbase. you can always adjust your client's sync schedule to be more aggressive than the defaults if you want a near push experience.

    cheers,

    ryan - hotmail protocols

  • WP7Geek
    6 Posts

    What if my cellphone is stolen and someone uses the Single-use code feature to access my hotmail account?

  • BenT
    7 Posts

    John, sorry for this off-topic post, but I can view the video on this blog. However, when I try to view it in Windows Live Email, it says I need the Silverlight plug-in even though I already have it installed.

  • SMS is one of the worst ways of password recovery. So if, for example, one of our acquaintances knows our birthday and is using our mobile, he gets to recover our password. Thank you for the top level of security you are bringing. Foolproof. Sir/Ma'am, I must say, you people are living geniuses.

  • 7flavor
    352 Posts

    Can single-use codes be generated in Hotmail on a home PC and used remotely? What if I don't want to give my mobile number to receive the single use code by SMS? Also, please add the single most feature people are asking for in Hotmail. IMAP and Secure IMAP.

  • Guys,

    I have been using hotmail since 1995; this is my primary email account and I always want it to be safe, secure and protected.

    Have seen lots of cool stuff which i really wanted.......

    New hotmail seems to be amazing...........the single-use code feature is amazing guys, now I don't need to enter my password in internet cafes, airports etc. I feel I will be more secure now.......

    I can't wait anymore to use new hotmail..........

    Please avail it soon.....................

    All the best.

  • Nater
    147 Posts

    ActiveSync is a Mobile Sync protocol.  It's not for Desktop Clients.  Obviously DeltaSync is for Desktop and ActiveSync is for mobile. --  DeltaSync is pure crap, though.  Windows Live Mail does not get mail pushed to it unless Windows Live Messenger is running with it (When Messenger says there is a message, it causes Windows Live Mail to Sync and get it), so basically you have to set WLM to start Messenger whenever you start mail, if you want it to get mail pushed to it.  That's a pretty ridiculous requirement, especially for those of us who never use the messenger client, anyways.  I haven't tried to see if the Outlook Connector works that way.  I just know the Connector doesn't support Push Email in Outlook 2007 or 2003, making it fundamentally useless unless you seriously use Windows Live Contacts/Calendar to manage Contacts/Calendar.  Even then, Windows Live Mail/Essentials is better suited for working with Windows Live Services than Outlook (which is biased towards Exchange, which I use and adore :P).

  • bRonCOde
    24 Posts

    1) Will DeltaSync clients be able to use full session ssl, specifically:

    a) Windows Live Mail wave3 (XP)?

    b) Windows Live Mail wave4?

    c) Outlook Connector?

    d) Others, if any?

    2) Will Exchange ActiveSync clients be able to use full session ssl?

    3) Are there any desktop windows mail clients that speak Exchange ActiveSync?

  • brianm76
    61 Posts

    @BoInTheMix I don't think they normally do public beta releases. The Windows Live and Hotmail teams are really excited for the upcoming release, but a year + without updates on both fronts and then all the changes at one time will be overwhelming for some and irrelevant to many others. There is thinking things through, then there is overthinking and showing up to the game way too late. I am disappointed that you continue to tout the features of the new hotmail update and the Windows Live updates yet there has been no release yet. By the time you finally release it many people just won't care :(

  • I can't wait! I would like to know when we get the beta?