Hotmail lets down its over 350 million users when it comes to security, by not giving them an easy way to tell if their account has been accessed by unauthorised third parties.
With hacks of web mail accounts being worryingly common, you would imagine that any popular online email service would give its users a way to check if their account has recently been accessed from somewhere unusual, or at a time when you weren’t surfing, or from a device that you don’t own.
Google and Yahoo, both arch-rivals of Hotmail, have just such a system.
But where is it on Microsoft’s Hotmail service? Sadly, it doesn’t appear to exist.
Oh dear.
If you’re a Yahoo user, here’s how you can check when your account was last accessed – and from what IP address.
Click through to account settings, and choose “View your recent sign-in activity”:
You will be presented with a list of recent login times. If you wish to see the IP addresses, they are also available via a drop-down option:
With Google Gmail it’s even simpler. At the bottom of your inbox you’ll find a link telling you when your account was last accessed.
Google shouldn’t feel too smug though. Although the company has provided many features designed to stop your Gmail account from being hacked, I notice that at least 18 months ago it was being rather more vocal about telling users the last IP address that accessed their accounts.
Today, Google tells you on the main Gmail page what time your account was last accessed, but you have to click deeper to view the history of which IP address your account was accessed from.
I wonder what drove Google to give less prominence to the “last account activity” information? Could it be that they felt it raised too many questions from non-technical concerned users (“What’s an IP address?”)? To their credit, they do have a detailed help page explaining the feature.
Quibbles aside, well done to Yahoo and Gmail for at least making the option available for those web email users who wish to keep an eye on who is accessing their account.
Sadly, if you’re a Hotmail user you aren’t even given the option to check for yourself.
That’s a poor show by Microsoft, the makers of Hotmail.
Contacts in law enforcement tell me that Hotmail *does* store the activity information, and it can be extracted from them (with proper legal paperwork) if a criminal investigation is taking place... but that’s not much consolation for a battered wife who’s petrified that her partner is secretly reading her email. Or someone who is worried that they might have been hacked.
Microsoft seems to have put lots of effort into rebranding Hotmail as “Outlook” recently – it’s a shame it didn’t also take the opportunity to introduce this fairly simple-to-implement security feature at the same time.
I refuse to use or check my Hotmail/MSN accounts. I hate any account that decides to monitor my typing and "suggest" shit while I am typing as links. If you are reading my e-mails or set up a "helper" like that then I have no privacy and you are worse than the government on "spying". How then would I trust you not to sell or leak my information to the highest bidder….
Hotmail is really lacking this feature and needs to step up and do something about it. This one day I thought I was hacked because some of my messages were missing. It could have been me who removed those, but I wasn’t 100% sure.
As this article points out there’s no way of checking your login activity details such as the login times, device or location.. on the web interface.
I called Microsoft, used their forum etc etc but no one was eligible to provide me that form of “personal information” ….
This is one of the reasons why I replaced Hotmail with Gmail.
I'm a Yahoo user, but I think a point against them is their lack of support for SSL. I'd love to see this fixed.
A stranger who lives in another state, and who has been harassing and stalking me online, recently used brute force to crack my Hotmail password. He deleted everything in my account. I realized what he did less than a week after the fact. I phoned Microsoft to find out how I could retrieve the emails, but the Microsoft rep told me that I am out of luck. (Years ago he had also secretly installed keylogger spyware on my computer via infected emails. Now I understand the value of updating my antivirus program every day and scanning all email attachments and links before clicking on them!) I wish I could get the FBI on this SOB.
Going forward, I never use Hotmail for emails that I think will be of importance or personal interest. I am appalled that Microsoft is so lax regarding Hotmail’s security. Likewise, I am appalled that state and federal laws are so lax regarding internet crimes. Very poor show by Microsoft (and the feds), indeed!
Graham, what you wrote in your post is indeed correct. However, it's a bit unfair toward Microsoft and seems to incorrectly imply that Yahoo! Mail is more secure. It's not, at least with regard to one very important factor.
With Hotmail, Microsoft gives you full HTTPS access to your e-mail. That's a major security advantage over Yahoo! Mail.
With Yahoo! Mail, you cannot access your mail through HTTPS in a browser. All of your e-mails, no matter how private or sensitive, are sent in the clear—in plain, unencrypted text—through the Internet to your browser.
Anyone who values privacy and security knows that having all your e-mail sent without HTTPS is a really bad thing—especially if you check your mail from public Wi-Fi hotspots, or if you live in a country where you have no expectation of privacy and must assume that any unencrypted communications may be intercepted.
AOL is another example of a major webmail service where your e-mail isn't sent over HTTPS. (However, a very well-placed source tells me that AOL Alto will finally support "full SSL." I'm still waiting on my invite so I haven't personally verified this yet.)
Email has never been regarded as a secure communications channel. If you have information that is sensitive enough that you feel you need HTTPS, you should reexamine the contents of your email.
You are kidding with your answer right?
There are multiple levels that a person can employ to secure the contents of their email.
People in general get complacent and comfortable and keep using the same password year after year after year. People also become ignorant by not enabling security controls that protect them. People in general are ignorant and don't get educated to learn how to protect themselves.
But at the end of the day it is a free email account. I use such accounts based on their features and then apply them as I see fit.
I am using Hotmail and I have been warned 4 times that my account was compromised or someone has/is using my account. I do get this warning sometimes.
I changed my password and added some information/security to my account.
The only thing that I cannot do is to check the last time I was using or logged in to my account.
It would be great if this feature were added by MS.
My first inclination was to agree with you. But then I stopped to think…
…and found myself wondering, "If free mail hacks really are so common, is it an unquestionably good idea to put anyone who snarfs your webmail password just one click away from a geolocation history of your life?"
In your example (battered wife hiding from vengeful husband), this means that simply by guessing her webmail password, he can effortlessly get her webmail provider to tell him exactly where she's hanging out – or the route by which she's fleeing – even if she carefully avoids making mention of her location in the emails she sends whilst on the run.
So perhaps – I'm not sure yet, still deciding – Microsoft has it right to treat your geolocation history as something that is available, but shielded from hackers – and Yahoo/Google have it wrong. I can see why it makes spotting unauthorised logins more obvious – but do they need to be that obvious?
But then… (continuing the battered wife on-the-run scenario)… she wouldn't be able to see that her webmail had been accessed from another location (e.g. home) and would assume she's safe. If she could see her history, and suspects nasty-husband knows her password, she has the opportunity to change it… which she'd probably do anyway…
You can set Yahoo Email to use HTTPS, you just have to do so in the Options, scroll to bottom (Advanced Settings) little box at bottom below font settings.
Click and Save.
Cliff, that setting doesn't exist on my free Yahoo! e-mail account. For me there's nothing below the "Plain text font" selection under Advanced settings.
Perhaps that's a feature of Yahoo! Mail Plus, which costs $19.99 per year? If so, it's not mentioned on the Plus signup page for some reason.
However, paying for Yahoo! Mail Plus *does* get you POP and SMTP access over SSL.
Really though, SSL access to e-mail (whether HTTPS or POP) is so fundamentally important that it's extremely disappointing that *any* of the major e-mail services neglects to offer some form of encrypted access by default.
I work in the cybersecurity-for-activists-in-dangerous-countries field (both literally and figuratively). I have to agree with JoshMeister that the lack of full in-session SSL for connections to mail.yahoo.com is a huge, huge, huge problem–far bigger than not being able to see from where your account was last connected to (since few folks are going to pay requisite attention to the latter). Cliff's-Esport-Corner–can you post a shot of where you see the "turn on HTTPS" in the Yahoo Mail settings? On my Yahoo Mail, there's nothing underneath the font setting. The only way I know of to encrypt access to a user's Yahoo e-mail account is by paying the USD2/mo for Yahoo Plus and then using POP3/SMTP via a mail client.
Hotmail seems to store passwords in plaintext -.-
My password has 20 characters. When I want to sign in, Hotmail says that the maximum length is 16.
If I type in the first 16 characters of my password, I can log in.
Yes, we discussed this concern back in August:
http://nakedsecurity.sophos.com/2012/08/02/maximu…
All Microsoft systems appear to currently limit passwords to a maximum of 16 characters. Hmm..
Hotmail accounts are needed to use Microsoft Vault which some hospitals are using to allow patient access to individual medical records (the patient's own).
A little while ago, I had to notify my primary care MD that a false diagnosis had been posted along with an imaging report. She was able to notify the hospital unit of the wrong posting of a diagnosis on my hospital record visible via the hospital portal.
The separate physician info/billing portal showed no such diagnosis.
I have a yahoo.co.uk account but I don't see any of those options mentioned in this story! I also have a hotmail.co.uk account and again there are no security options available. At least, not as far as I can find even using the guide in this story nor the Yahoo Help page!
So what do I do to get these settings options and set them up for better security?
What was not mentioned in the steps for Yahoo shown in the article is that you have to be signed in to My Y and not just the mail service!
COME ON HOTMAIL – KEEP US SECURE OR WE MAY DECIDE TO TERMINATE THESE ACCOUNTS
I've had Hotmail (and more recently Hotmail Plus) for many years, and rarely had a problem. Change the password often.
If you want secure email, use Hushmail.com. Your recipients also have to have it for secure communications between you and them. Free limited accounts.
Thanks for the article, Graham.
Ah sorry to people that responded to my post, didn’t look back at the comments, just stumbled on this today with Google looking for something else.
Couple things, I am using Yahoo Email direct page, not the ! stuff.
They are actually a little different at times.
I can access it from Windows 7 laptop and my iMac running Lion.
There has been at least one major update to Yahoo email since I posted first comment, so things may have changed for others since then?
It may have been a Beta option when I first set it up, honestly can’t remember.
I have been using Yahoo email for a long time, think I started back in early or mid ’90s, so I might have been grandfathered on some things even though I am on a free account.
I don’t yet pay for any email accounts, if I do that it will be on my own server & etc, but that is probably still a few years off, unless something happens that makes it critical before then.
If anyone wants to ask me more questions or anything, they can reach me through my website.
Google will bring it up & my Twitter is there as well.
Don’t think I should post those links here without prior permission.
~Stay Safe
Cliff
http://www.microsoft.com/en-us/account/security/recentactivity.aspx