Hotmail enhances security

One of the most interesting features - which a Trend Micro senior threat researcher has picked up on - is the ability to report a friend's Hotmail account as potentially having been hacked.

Robert McArdle of Trend Micro says that the new feature is quite clever and a good move from Microsoft - the operator of Hotmail - towards securing the web mail facility.

This announcement, he said, comes hot on the tail of a publication of a report that shows that spammers are switching to using compromised accounts, instead of sending mail directly from bots.

"The idea behind the feature is that when an account becomes compromised, it is then often used to send spam to friends of the compromised user", he says in his latest security posting.

"This new system allows those friends to act as an early warning system, in addition to Hotmail's other account compromise detection", he adds, noting that Hotmail will even send notifications to Google's Gmail and Yahoo's email teams if they find out that accounts from those providers have been hacked.

The Trend Micro senior threat researcher goes on to say that he views as very positive that online mail providers are going down this path, and he expects others to follow.

"Most modern info-stealing malware will intercept all web passwords and send them back to the attacker, so unfortunately it does not make much difference if your password is `123456' or if it looks like a cat ran across your keyboard", he says.

McArdle adds that this also allows users to use a `single use code' to login when they are accessing the service from an untrusted machine.

"Earlier this year, I created a blog advising users to lie when filling out their password recovery questions. Password recovery questions can still be one of the weakest links in the security of webmail", he says,

"What will be interesting to see is how attackers respond to this move, especially if other providers copy Hotmail. It will force attackers to use a different approach to whom they spam from a compromised account", he adds.

Obviously, he notes, this is a game of cat-and-mouse, with the security industry gaining an upper hand for some time, before the balance flips back and forth between the two.

"But any technology that makes the life of cybercriminals more difficult, and directly cuts into their bottom line, is definitely a welcome one in my book", he concludes.

What’s Hot on Infosecurity Magazine?