I changed all of them in no time, except for the MSN account. At first, I changed my password with no problems at all. When I tried to change the security questions, problems started to appear, revealing a behavior that I didn't expect.
After I entered the new questions and before saving, the session timed out and I was asked to sign in again. I forgot my new password, so I tried to reset it again. I didn't want to reset it by using the alternative email, as it is my stolen account and I wasn't sure if it was safe yet to use it for this (I didn't want to risk revealing another password).
I chose to use the traditional way: security questions and location information. I needed to enter them a few times, as I had forgotten them. After a few tries, I was blocked from trying anymore. Until now, everything seemed natural.
I was upset and really needed access to this account, so I tried IE (I was on Firefox before). The surprise was that I wasn't blocked from trying to answer the questions, and I was able to remember the right answers and successfully changed my password.
All this made me think: how was I able to enter the answers on IE while I was blocked on Firefox? I tried Firefox after using IE and I was still blocked on it!!
The only explanation I could figure out was that MSN depends on the history and cookies saved in the browser to check whether I am blocked or not.
I was confused and didn't want to make false conclusions, so I deleted the history and cookies in Firefox and gave it another try. Well... guess what, I am not blocked anymore!!
I thought it may be normal, and that it is only me who doesn't know that, so I tried to do the same on my Yahoo! account. To my surprise, I was blocked for about 24 hours from trying on all the browsers I tried, even after I deleted the history and cookies on them. The same message always appeared:
Clearly, this is a design issue in MSN. I don't have a lot of experience in the security field, and I have these questions that I can't find an answer to, or my answers seem illogical:
- Is it acceptable to base something important, like verifying the identity of an account's owner, on things that anyone can change with a few simple lines of code?
- Is it an issue that was missed along the road, or is it supposed to be like this?
- If it is supposed to be like this, why don't other account providers do the same, especially since it would be easier and would reduce the load on the server?
- If it is supposed to be like this, how can MSN prevent thieves from trying thousands of times until they get the right answers and eventually steal the account?
- If it is a major issue (or bug), I don't think I am the first to discover it. Why hasn't it been solved until now, especially since MSN is one of the oldest account providers?
If you can help answer any of the above questions or give any clarification on this point, feel free to comment below.
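As an added illustration (not code from the post, nor from MSN or Yahoo!), here are the two lockout designs the post contrasts, reduced to a few lines of Python: a failure counter stored in a cookie the client holds, beside one keyed by account on the server with an expiry. The account name, the answer and the attempt limit are constructed assumptions.

```python
import time

MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 24 * 3600                # the roughly 24-hour block seen on Yahoo!
SECRET_ANSWERS = {"alice": "fluffy"}       # constructed sample: hypothetical account

class CookieLockout:
    """Flawed form from the post: the failure counter is a cookie the client holds,
    so a fresh browser or a cleared cookie starts again from zero."""
    def check(self, cookie, user, answer):  # returns (accepted, new_cookie)
        failures = int(cookie.get("failures", 0))
        if failures >= MAX_ATTEMPTS:
            return False, cookie            # blocked, but only in this browser
        if SECRET_ANSWERS.get(user) == answer:
            return True, {}
        return False, {"failures": failures + 1}

class ServerLockout:
    """Hardened form: the counter is keyed by account on the server, with an expiry."""
    def __init__(self, now=time.time):
        self.now, self.state = now, {}      # state: user -> (failures, locked_until)
    def check(self, user, answer):
        failures, locked_until = self.state.get(user, (0, 0.0))
        if self.now() < locked_until:
            return False                    # locked: reject before even comparing
        if SECRET_ANSWERS.get(user) == answer:
            self.state.pop(user, None)
            return True
        failures += 1
        if failures >= MAX_ATTEMPTS:
            self.state[user] = (0, self.now() + LOCKOUT_SECONDS)
        else:
            self.state[user] = (failures, locked_until)
        return False

def demo():
    """Replay the post: exhaust the attempts, then 'switch browser' (drop state)."""
    cookie_based, cookie = CookieLockout(), {}
    for _ in range(MAX_ATTEMPTS):
        _, cookie = cookie_based.check(cookie, "alice", "wrong")
    same_browser = cookie_based.check(cookie, "alice", "fluffy")[0]  # still blocked
    fresh_browser = cookie_based.check({}, "alice", "fluffy")[0]     # no cookie: accepted
    clock = [1_000_000.0]                   # fake clock so the replay can skip 24 h
    server_based = ServerLockout(now=lambda: clock[0])
    for _ in range(MAX_ATTEMPTS):
        server_based.check("alice", "wrong")
    any_browser = server_based.check("alice", "fluffy")  # right answer, still rejected
    clock[0] += LOCKOUT_SECONDS + 1
    after_expiry = server_based.check("alice", "fluffy")
    return same_browser, fresh_browser, any_browser, after_expiry
```

The comments below raise the follow-on problem of a purely per-account server lock, that anyone can trigger it against someone else's account; the usual mitigation is an out-of-band unlock link to the owner, or limits that also consider the requesting source.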
All I can say is, Microsoft sucks at security... That's another clue added to the long list of MS sins :D

Last summer my sister's Hotmail account and her friend's were stolen; I tried to help them but it was too late.
Answers:
1- No, it's not acceptable.
2- I don't know, but it's been like this for a long time.
3- Others are more secure :D
4- It doesn't, and the stolen accounts of my sister and her friend are the clue.
5- That's a mystery, but maybe the MSN Hotmail design is too complicated to edit and fix.
I totally agree with you. Others are more secure. I only use it to follow college emails and regular stuff.

I don't think the design is that complicated. There must be solutions that can be done without the need to rebuild their database from scratch.
Well... No doubt, I hate MS... and that's non-negotiable... But out of justice, I have to tell you that...
I was discussing this with Mahmoud Said from eSpace, and he raised a point...
If your account is blocked after a number of trials, I could block your account or any other account by trying many times...
However, as a suggestion to handle this, you could block it and send an activation link to the owner, or depend on the IP or something...

Good point Amr :)

This would be a better solution.