Friday, December 18, 2009

MSN: Bug or Dump

After I recovered my account from being stolen (full story here if you missed it), I changed the password and security questions of all my accounts (Yahoo!, MSN, Gmail).

I changed all of them in no time, except for the MSN account. At first, I changed my password with no problems at all. When I tried to change the security questions, problems started to appear, revealing a behavior that I didn't expect.

After I entered the new questions and before saving, the session timed out and I was asked to sign in again. I forgot my new password, so I tried to reset it again. I didn't want to reset it by using the alternative email, as it is my stolen account and I wasn't sure if it was safe yet to use it for this (I didn't want to risk revealing another password).

I chose to use the traditional way: security questions and location information. I needed to enter them a few times, as I had forgotten them. After a few trials, I was blocked from trying anymore. Up to this point, everything seemed natural.

I was upset and really needed to access this account, so I tried IE (I was on Firefox before). The surprise was that I wasn't blocked from trying to answer the questions, and I was able to remember the right answers and successfully changed my password.

All this made me think: how was I able to enter the answers on IE while I was blocked on Firefox? I tried Firefox after using IE and I was still blocked on it!
The only explanation I could come up with was that MSN depends on the history and cookies saved in the browser to check whether I am blocked or not.

I was confused and didn't want to draw false conclusions, so I deleted the history and cookies in Firefox and gave it another try. Well, guess what: I wasn't blocked anymore!

I thought it might be normal, and that I was simply the only one who didn't know it, so I tried the same on my Yahoo! account. To my surprise, I was blocked for about 24 hours on every browser I tried, even after I deleted the history and cookies on them. The same message always appeared:

It is clear now that this is a design issue in MSN. I don't have a lot of experience in the security field, and I have these questions that I can't find an answer to (or my answers seem illogical):
  • Is it acceptable to base something as important as verifying the identity of an account's owner on things that anyone can change with a few lines of code?
  • Is it an issue that was missed along the road, or is it supposed to be like this?
  • If it is supposed to be like this, why don't other account providers do the same, especially since it would be easier and would reduce the load on the server?
  • If it is supposed to be like this, how can MSN prevent thieves from trying thousands of times until they get the right answers and eventually steal the account?
  • If it is a major issue (or bug), I don't think I am the first to discover it. Why hasn't it been fixed yet, especially since MSN is one of the oldest account providers?
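To make the difference between the two behaviours concrete, here is an added example (my own illustration, not Microsoft's or Yahoo!'s code, and the MSN side is only what the post infers from the browser experiments). It models the security-question reset check two ways: a counter stored in the browser's cookie jar, which the server trusts, and a counter stored on the server and keyed by the account being reset. The attempt limit, lock duration, account name and the guess list are all assumptions for illustration.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5           # assumed: wrong answers allowed before the reset flow locks
LOCK_SECONDS = 24 * 3600   # assumed: lock duration (the post saw about 24h at Yahoo!)
COOKIE = "pwreset_attempts"


class CookieLockout:
    """Lockout counter kept in the browser's cookie jar (the MSN behaviour the post
    infers). The server trusts whatever count the client sends back to it."""

    def check_answer(self, cookies, answer, correct):
        """Returns (status, new_cookies); status is 'locked', 'ok' or 'wrong'."""
        attempts = int(cookies.get(COOKIE, "0"))
        if attempts >= MAX_ATTEMPTS:
            return "locked", cookies
        if answer == correct:
            return "ok", {**cookies, COOKIE: "0"}
        return "wrong", {**cookies, COOKIE: str(attempts + 1)}


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: float = 0.0


class ServerLockout:
    """Lockout counter kept on the server, keyed by the account under reset (the
    Yahoo! behaviour the post observed). Clearing the browser changes nothing."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the lock expiry can be tested
        self._state = {}

    def check_answer(self, account, answer, correct):
        st = self._state.setdefault(account, _AccountState())
        if self._now() < st.locked_until:
            return "locked"      # refuse before comparing anything
        if answer == correct:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = self._now() + LOCK_SECONDS
        return "wrong"


def attack_cookie_lockout(guesses, correct):
    """A thief works through a guess list; whenever the site says 'locked' he
    deletes his cookies and resends the same guess. Returns
    (found, answers_actually_compared)."""
    lock, cookies, compared = CookieLockout(), {}, 0
    for g in guesses:
        status, cookies = lock.check_answer(cookies, g, correct)
        if status == "locked":
            cookies = {}                                  # "delete history and cookies"
            status, cookies = lock.check_answer(cookies, g, correct)
        compared += 1
        if status == "ok":
            return True, compared
    return False, compared


def attack_server_lockout(guesses, correct, account="victim@example.com"):
    """The same thief against the server-side counter. Returns
    (found, answers_actually_compared)."""
    lock, compared = ServerLockout(), 0
    for g in guesses:
        status = lock.check_answer(account, g, correct)
        if status == "locked":
            break                                         # nothing the client does helps
        compared += 1
        if status == "ok":
            return True, compared
    return False, compared


# Constructed sample: a short wordlist a thief might try for "first pet's name".
GUESSES = ["max", "buddy", "bella", "charlie", "lucy",
           "molly", "daisy", "rocky", "whiskey", "jack"]
CORRECT = "rocky"

if __name__ == "__main__":
    print("cookie-based lockout:", attack_cookie_lockout(GUESSES, CORRECT))  # (True, 8)
    print("server-side lockout:", attack_server_lockout(GUESSES, CORRECT))  # (False, 5)
```

With the cookie-based counter the thief never runs out of attempts; with the server-side counter he is stopped at the fifth wrong answer for the whole lock period no matter which browser or machine he switches to. A real implementation would also throttle by source address and compare a hashed answer with a constant-time comparison, but the point the questions above raise is the one shown here: a limit the client can reset is not a limit.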


If you can help and answer any of the above questions or give any clarification on this point, feel free to comment below.

10 Simple Ways to Protect Your Account

An hour ago, my account was stolen. Someone got my password and added his email to my account information as owner. Thanks to Allah, I noticed it as soon as it happened and changed my password and security questions on all my accounts.


Maybe you are wondering how it happened. Well, one of my contacts (I know her in person) started a chat with me. The talk was very usual ("Hi", "how r u?", "fine", etc.); I learned later that it was actually the person who tried to steal my account. Then he asked me to check some link for him. I was busy talking to others and doing different things, so I didn't pay attention to the URL. I only noticed yahoo.com in it, so I thought it was a harmless link. It opened a sign-in page similar to the Yahoo! sign-in page, but of course with a different URL that I didn't notice.

Bottom line: I handed him my email address along with its password, just because I didn't pay enough attention.



As it is the first time I have gone through this, it made me realise a few things that most of us simply miss. So, here are a few tips:

Before your password is stolen:

  • Always change your password from time to time. Don't keep a password for more than two months at most.
  • Always check any URL you click on, especially if you got it in an email or something similar. No matter how busy you are, always check URLs.
  • Create a home email for your account. A home email (or alternative email) is an address you set so that you receive updates about your account through it. Set it to an address that is different from the main email.
  • Make sure you set security questions; they can be helpful in retrieving your password.
  • Don't keep sensitive information about you in your email, e.g. credit card numbers, paid accounts, social security numbers, etc.
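"Always check the URL" is easy to say; the link in the chat story above passed a glance because it contained yahoo.com somewhere in it. What matters is the host name the browser will actually connect to, and whether that host is the real domain or a subdomain of it. The following is an added example (my own, not from the original post) that pulls the real host out of a link and compares it against a trusted list; the list of trusted domains and every sample link, including the made-up attacker domains, are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed list of domains the reader actually trusts for sign-in.
TRUSTED_DOMAINS = ("yahoo.com", "live.com", "hotmail.com", "gmail.com")


def real_host(url):
    """Return the host the browser would connect to, lowercased, with any
    user@ part, port and trailing dot removed; None for non-http(s) links."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return (parts.hostname or "").rstrip(".").lower()


def is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the real host is a trusted domain or a subdomain of one.
    A trusted name appearing anywhere else in the link does not count."""
    host = real_host(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample links: only the first two really go to Yahoo!.
SAMPLE_LINKS = [
    "https://login.yahoo.com/config/login",
    "https://yahoo.com/",
    "http://yahoo.com.login-verify.example/",      # trusted name as a subdomain of an attacker host
    "http://evil.example/yahoo.com/login",         # trusted name only in the path
    "http://yahoo.com@evil.example/",              # trusted name in the user@ part
    "http://login-yahoo.com/",                     # lookalike registered domain
    "http://yahoo.com.example/?u=login.yahoo.com", # trusted name only in the query string
]


def triage(links):
    """Map each link to whether it is trusted."""
    return {u: is_trusted(u) for u in links}


if __name__ == "__main__":
    for url, ok in triage(SAMPLE_LINKS).items():
        print("OK     " if ok else "SUSPECT", real_host(url), "<-", url)
```

Note what the check deliberately does not do: it cannot tell a registered lookalike (login-yahoo.com, or a domain using confusable characters) from a typo, so it rejects anything that is not exactly the trusted domain or underneath it. A padlock icon only proves you are talking securely to whoever owns the host shown; it says nothing about whether that host is the one you meant.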
After your password is stolen:
Well, it depends on how fast you react to this. These simple steps only work if you reacted faster than the thief.

  • Change your password as soon as you can.
  • Remove the thief's account from your account information.
  • Change your security questions. Try to make the answers different from the old ones.
  • Change the password of every other account whose password you keep in the stolen account.
  • Change the password of any other accounts that share the same password as the stolen account (if there are any).

If you know other ways that help in protecting our accounts, please feel free to share them with us and post them in the comments below.