Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passport's Pocket Picked

Posted by michael on from the department-of-insecurity dept.

emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?

13 of 327 comments (clear)

  1. Did anyone not see this coming? by chronos2266 · · Score: 4, Insightful

    I remember a year or two ago a person could send you an email and obtain your hotmail account. Hotmail is a gaping hole in the passport service.

    With passport, microsoft wishes to be the customs agent of the internet. However, with flaws like this they really are not going to turn many people over to their side.

    I'm sure more exploits will pop up in the future. Most of them will likely use hotmail in someway or another to enter.

    1. Re:Did anyone not see this coming? by Jason+Earl · · Score: 5, Insightful

      Hotmail is also the source of all of the passport accounts. Microsoft knows that Windows XP is not going to generate enough Passport accounts to entice web sites to start including Passport hooks. Hotmail, on the other hand, is very popular, and already has millions of users. Besides, if Microsoft can't design a secure Passport site, what is the chance that the bozos at your bank are going to be able to design a secure Passport site?

      In other words Hotmail is both the primary draw for Passport, and an important proof of concept. Unfortunately for Microsoft it is also a huge gaping pile of security holes.

  2. single point of failure by Pope · · Score: 4, Insightful

    MS seems to have Single Point of Failure problems in a lot of things: the Registry, any one?

    --
    It doesn't mean much now, it's built for the future.
  3. Re:What happens when someone steals the basket wit by MaxwellStreet · · Score: 5, Insightful

    Interestingly, this is exactly what will happen.

    Only the discoverer of the hole will be forced to announce it anonymously, and publish it only in dark little places where the lawyerly eyes of Microsoft won't find it. And unscrupulous eyes will.

    I can see it happening already. And Microsoft would not even hear of the hole until it's far, far too late. It will be a very, very dark day if information is compromised on this scale.

    The DMCA in this case would directly contribute to the destruction of the integrity of the Passport system.

    Simply put - if only outlaws find security holes, then only (genuine) outlaws will have access to them.

  4. What about PayPal etc.? by byronne · · Score: 4, Insightful

    Maybe I'm being stupid here, but what's the diff between Passport and PayPal, and why hasn't PayPal been a crack target?

    Also, I had no idea 165 MILLION people were already using Passport - I suppose my OS hasn't asked me enough times to sign up for it until I break under the strain...

    --
    "Look, Smithers! I'm Davy Crockett!"
  5. Passport liability by stox · · Score: 4, Insightful

    I haven't read the pasport user's agreement, but would I be incorrect in guessing that Microsoft takes no responsibility for the safety of one's personal data? We're sorry we ruined your life, but if you read the fine print you will see that we are not responsible for anything. When will Microsoft be held responsible for it's actions?

    --
    "To those who are overly cautious, everything is impossible. "
  6. Re:Burning Reichstag by Shotgun · · Score: 5, Insightful

    Good conspiracy theory, but I would have to say look at history in this case. MS is threatened. Sales revenue is in the toilet and the outlook for future sales is even bleaker. They have to come up with a strategy and implement it fast. What do they do?

    What they always have done. Rush a half-finished product out the door, and use whatever leverage they have to force it on whoever they can, while keeping the engineers busy in the back room with the bubblegum and duct-tape. Eventually, they'll get around to releasing a decent product.

    Course, I won't be buying it then either. 8*)

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  7. Another lesson to be learned from this by Paul+Boven · · Score: 4, Insightful

    This shows that your private information may not be in the best hands when entrusted to a company
    like Microsoft. But there are other 'takers'. Some even with the best of intentions.

    If any of them ever gets to be the one and only 'central repository', they will be subject to just this kind of attack as well. If you can't compromise the service, then hack into the user's desktop. As soon as enough people use it, it becomes a very attractive target. In a similar vein, there have been viruses that target the client end of home-banking software.

    Security is enhanced by redundancy, by having several distinct systems in place, preferably as dissimilar as possible. Monoculture and monopolies always form a fertile environment for viruses and other pests.

    I feel this makes the whole idea of a centralized service like Passport or any of it's competitors an extremely dangerous development.

  8. What about the other ways your CC # can be stolen? by nvrrobx · · Score: 3, Insightful

    People seem to be blowing this out of proportion, IMHO.

    How often do you hand your credit card to a server at a restauraunt? A store? Over the phone to pay for something? Are you forgetting that your credit card number can easily be stolen that way? Most receipts from purchases have your credit card number on them. Do you shred / burn them to stop someone from getting your CC #?

  9. Re:it isn't just about hotmail and passport wallet by FrankHaynes · · Score: 3, Insightful
    I would also like to note that Microsoft has been quite forthcoming with details and admitting the problems and fixing them. They are very good at being reactive. We will have to see how well this works going forward.


    As good as MS has been at reacting to problems, I think the fear here is that MS has not shown much interest in being PROactive in preventing such problems, particularly problems with such potential for ruining people's credit histories or bank accounts. If that is a legitimate fear, then it's a whopper!

    As you imply, this is the tip of the iceberg, if Passport is intended to be the be-all, end-all for .Net access to those services offered by MS and its agents.

    ---

    --
    slashdot: A failed experiment.
  10. Re:Burning Reichstag by GunFodder · · Score: 3, Insightful

    Never attribute to malice what could be explained by ignorance or stupidity. And Microsoft and the government have plenty of that to go around.

  11. No one knows, or cares by xtremex · · Score: 5, Insightful

    The typical user does NOT get this information.
    They are happily using their Hotmail accounts and have NO clue that these things exist. Sure, they might have it in PC World, or maybe the Technology section of the Times, but my MOTHER does not read these things. Only us geeks in the industry know ( we are a small percentage of the population).
    Microsoft will fix this to appease the security experts, but that's about it.
    As long as Joe Sixpack can stay happily ignorant, MS is happy. For example, one of my friends, a very intelligent Nuclear Physicist, just got suckered in to a CompUSA MegaPC w/ 1.2 GHZ, 1 GB RAM , DVD RAM and Windows XP for anout 5 Grand. He browses the web PERFECTLY fine on his 988 MHZ PC. He said the "pretty colors" of XP sold him. I told him of the security flaws and reasons for not going with XP (never mind the absolute non-necessity of the PC), and his response was "How come I haven't heard about these things you talk about?" I had no answer. That's how Microsoft stays in power. If we step outside the industry for a minute, we can see that Linux means nothing to most people, AOL IS the internet, and Windows IS a computer. How do we fix this? I don't know, but someone must.

    --
    If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
  12. Re:What about the other ways your CC # can be stol by Znork · · Score: 3, Insightful

    Yes, at the very least I tear out the code, rip it in half and throw away the pieces separately. Nor do I ever let my credit card out of my sight at a resturant. If I make purchases online or over the phone I have a separate minimum-limit ($500 limit) card that I charge to. And if Im really suspicious I create a one-time cc number with not more than the amount due available on it.

    You do realize that you can be held liable for whatever charges your card incurs if you do not follow this kind of practice, dont you? And you do realize what happens if you are held liable for a $10K shopping spree that someone went on with your credit card? You pay it, you pay it at once, or your credit rating is slashed, you default on your house mortgage as your bank suddenly wants their money back and their money back _now_, you wont be able to get a new loan and you'll have to sell pretty much everything you own.

    Im not kidding, I've seen that happen. I have a coworker who makes as much as I do, who can barely afford to eat lunch in the company resturant. Your life suddenly becomes a helluvalot more expensive once you're put on rapid payback on all your loans and the interest rates you're paying are doubled.