Keylogging taken seriously: Security upgrades in the new Hotmail

Microsoft Hotmail has a new feature: Out of Band Authentication via cell phone SMS Text. They call it ‘single-use codes’:

    • Single-use codes
    • This new security feature is designed to further protect you when you sign in from a public computer, such as those found in internet cafés, airports, and coffee shops. When you request a single-use code, the code is sent via SMS to the phone number associated with your Windows Live ID. It acts as a one-time substitute for your password. By using a single-use code, you won't have to type your password into a public computer, thereby helping to prevent it from being stolen by key loggers and the like.


I’m all in favor of this new version of authentication. The key issue to note is that while this will defeat keylogging, a successful ZeuS Trojan browser injection will trick the user into giving up the one-time key. This out-of-band authentication compromise tactic was recently discussed by a research group working with APWG 2010 Thought Leader Dr. Laura Mather’s company Silvertail Systems.

The threat is blunted with efforts like this and I applaud this type of security integration to get us past passwords. Maybe Terry Zink or some other hotshots over at MSFT will shake down with the low down on how measurably adopted and effective this is.
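The property a single-use code depends on, shown as an added sketch that is not Microsoft's implementation: the server accepts a code once and only within a short window, so a value recorded by a key logger is worthless afterwards. The class name, the 8-digit format and the 300-second lifetime are assumptions, since the announcement gives none of them.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime; the announcement does not state one


class SingleUseCodes:
    """In-memory issuer/verifier for SMS single-use sign-in codes (hypothetical)."""

    def __init__(self, ttl=CODE_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # account -> (code, expires_at)

    def issue(self, account):
        """Create a fresh code; the caller sends it by SMS to the registered phone."""
        code = f"{secrets.randbelow(10**8):08d}"  # CSPRNG, not random.randint
        self._pending[account] = (code, self._clock() + self._ttl)
        return code

    def redeem(self, account, submitted):
        """Accept a code at most once, and only before it expires."""
        # pop() burns the code on ANY attempt, so neither a replay nor a
        # second guess after a wrong one can succeed.
        entry = self._pending.pop(account, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(code.encode(), submitted.encode())


def demo():
    now = [0.0]  # constructed clock so expiry can be shown without sleeping
    svc = SingleUseCodes(clock=lambda: now[0])
    code = svc.issue("user@example.com")
    first = svc.redeem("user@example.com", code)   # typed on the public PC
    replay = svc.redeem("user@example.com", code)  # logged value reused later
    stale = svc.issue("user@example.com")
    now[0] += CODE_TTL_SECONDS + 1
    expired = svc.redeem("user@example.com", stale)
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

The verifier only knows that the first submission was correct, not who made it, which is why a code the user is tricked into handing over before it is redeemed still works.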

What’s your view? Do you think we’ll get around passwords constantly being compromised through the use of further SMS text-based authentication?

Securing Our eCity Contributing Writer

Author , ESET

  • Jonathan Leigh

    Another way of retrieving access to your account…. and they think this is more secure? Sure this will protect you from keylogging, but what about GSM man in the middle attacks? This pretty much gives you a really easy way to keep setting up for a cell phone based attack and keep clicking the single-use code to send to someone’s cell phone. If you can intercept that anywhere when it leaves the cell network, then you have a very easy way to retrieve a password for a user’s hotmail account. Not all cell phones have the best encryption standards as well. In my opinion this is a security hole if anything and a terrible idea. If you want to beat keylogging there is a very simple way to do it: use the on-screen accessibility keyboard!

    • Charles Jeter


      I’m going to challenge you to turn your objection and the problem you present with the proposed solution into finding a BETTER solution and presenting it somewhere. Criminology is fairly basic – thieves no matter the skill level will use the easiest method to get to their goal safely and get your money (and mine!). It’s sort of like how a river might wind across a meadow, choosing the easiest pathway possible.

      Here’s what I figure: MiTM attacks within a network are a concern and I’ve recently blogged about security concerns within the wireless world. The math behind your attack is that first, I would have to know that the person not only has a hotmail or dot-live account, but also second, that they had signed up for the second factor authentication. After gaining that information I would have to third, be fast enough to use that password to gain access. That’s not as easily scalable as the keylogging attacks are, therefore the solution still hardens the target and offers an increased level of protection. Therefore, I could still use Randy’s poorly protected Cypriot barside laptop to get to my email, as long as I remembered not to use any in-band authentication.

      Running that gauntlet is certainly do-able but the catch is that it would make sense only if there were a single high value target. For example, I could maybe see some spooky dotmil types doing this out of an RC-135 off some other nation’s coast to find Osama more than I would see the average profit driven malware authoring programmer or cybercrime syndicate decision maker using it to hack into every single hotmail and dot-live account. Here’s the strength of your point: The tipping point towards your scenario crests as the adoption of second factor authentication or out-of-band authentication as it’s talked about here, becomes more commonplace.

      In this example, ZeuS banking trojans, which I’m very concerned about, were discussed using the out of band compromise and widening the user perception gap with a little social engineering, still leverage the PC.

      You present some great well-thought analysis, but problems without solutions are merely objections. You’re smart enough to present another alternative for us all to use and I look forward to reading it!! :) :)


  • Randy Abrams

    Everything comes with some degree of risk. Managing that risk is what security is about.

Copyright © 2017 ESET, All Rights Reserved.