Slashdot Mirror


MS Passport and... Visa

HeUnique writes "Well, people have seen it coming. According to this story Microsoft is extending the Passport authentication system to process credit card payments (currently: Visa and MasterCard) through a deal with Arcot Systems. Of course, with the ever-changing privacy terms that some companies keep changing without notifying their users - it won't take long until they'll take your credit card info for 'verification' and who knows what they'll do with it.. sigh.." In a nutshell: "Microsoft and Arcot plan to offer, later this fall, a service that will let banks require computer users to type in their Passport username and password to authenticate Visa or MasterCard credit cards." Take the word "require" in that sentence with a grain of salt, I guess. Favorite quote: "People will start trusting the system now that it's linked to credit cards." Sure.

14 of 431 comments

  1. It's HOW they tell us... by acroyear · · Score: 5, Informative
    Of course, with the ever-changing privacy terms that some companies keep changing without notifying their users - it won't take long until they'll take your credit card info for 'verification' and who knows what they'll do with it.

    No, they do inform us of changes, as they are often required to do so by laws of various states... Trouble is, they're allowed to change them and tell us later, by 4th class snail mail, taking 2-3 weeks to get to us, by which time it's too late to re-file a complaint or a protest before they've already sold our info off.

    --
    "But remember, most lynch mobs aren't this nice." (H.Simpson)
    -- Joe
  2. Time for a new CC vendor? by Beautyon · · Score: 5, Informative

    Many companies have their own branded credit cards. I wonder how many people here carry VISA / Mastercard / Amex?

    If anyone doesn't like what these companies are doing, there is always an alternative.

    People use credit cards because the massive lapses in security are never properly publicised and also, whenever someone steals from their card, they get the money refunded.

    Basically, they have nothing to lose, and like I said, if they want privacy, there are many ways to achieve this, PrivateBuy being just one.

    --
    ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
  3. Re:What's next ? eBay ? by chicagothad · · Score: 5, Informative

    Ummmm.... Ebay is making money:

    Yahoo! Financials on Ebay

  4. Not a big risk to your credit card.. by RailGunner · · Score: 4, Informative
    This is really not a big threat to your credit cards. If anything, the more people that are duped into using this service will actually help you out by lowering the mathematical odds that it's your card number that's stolen.

    Seriously, you have a bigger risk of getting your credit card number stolen when you pay for your dinner at a restaurant with it than by submitting it to a website using SSL. Not only does the waiter/waitress handle your card, but in a lot of places they'll swipe it in a magnetic card reader that sends it unencrypted over a phone line, or worse, they'll use a POS system that stores the entire swipe data in an unencrypted text file on their local server's hard drive... which will later send it out over a phone line unencrypted.

    Microsoft is evil, but they aren't stupid. If they screw this up the class action lawsuit that will result would likely put them out of business. Wait, maybe we should all sign up, and get Johnnie Cochran on retainer, before Microsoft hires him and we lose to the Chewbacca defense ;)

  5. Re:Hmmm, Passport and credit card? by Jobe_br · · Score: 4, Informative

    The book recently reviewed on Slashdot, Translucent Databases, does a good job of explaining how databases can be designed to provide these types of services (credit card authorization, central storage of information, etc.) in such a way that compromising the database does not provide the cracker with any information. Furthermore, an administrator or executive can glean no more information from the database than can a cracker, yet the database serves its purpose, while protecting the information it contains.

    I went and ordered the book after reading the review here on Slashdot and I must say that the methods discussed are quite interesting and I'm very likely to start incorporating them into my database designs as I go forward. In some respects, the book isn't laid out/designed very well for "flow", but it does contain very good information and it challenges the reader to think about the material in new ways.

    If you're worried about securing data against everyone except for the people/applications that need to access it, check out this book.

    Cheers.

  6. Re:Let he who is without sin by silicon_synapse · · Score: 2, Informative

    That bug only affected users of the cvs version of slashcode, not the official release. The bug was also promptly fixed in cvs. People use the cvs version at their own risk.

  7. Learn how it works first, bitch later. by friday2k · · Score: 5, Informative

    This is known as 3D Secure or verified by Visa. Just because MS is offering the client piece (and this is what they do) they do not have access to all your personal information.

    Here is how it works: When you choose to pay through 3D Secure you enter your credit card # at the merchant, the merchant talks to his acquirer, the acquirer figures out whether the Issuer who gave you your credit card is enrolled in 3D Secure (by talking to the so-called Visa directory) and then they redirect you to the Issuer of your credit card. Now the Issuer (and last time I checked MS is NOT an Issuer) will have to identify you. This is where Passport comes into play. Passport does the auth piece for you (Kerberos in Passport's case if I am not mistaken) and sends the ticket to the Issuer. The Issuer compares whether the auth piece and the CC number match and generates a response token for the merchant.

    This response token gets transmitted back to the merchant (by the means of standard passport auth I suppose), the merchant takes this response token and sends it to his merchant acquirer. The merchant acquirer now sends it through the Visa Directory back to the Issuer and the Issuer compares whether this is a replay or whether this is a valid token. If it was a valid token the transaction is authorized.

    So, bottom line is, Passport is the authentication piece. Whether you trust MS Passport or not is one thing, but they do not get access to your CC data. And by hijacking a passport you still cannot go shopping on behalf of the account owner. Check your facts guys.
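
The issuer side of the flow described in the comment above, as an added example that is not part of the original comment or thread: a simplified Python model, not the actual 3-D Secure message formats. The `Issuer` class, the HMAC token layout, and the sample identities, merchant name and card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Toy issuer (assumed design): checks that the authenticated identity
    matches the card, then issues and later verifies a one-time token."""

    def __init__(self, enrolled):
        self._key = secrets.token_bytes(32)  # MAC key known only to the issuer
        self._enrolled = enrolled            # card number -> enrolled identity
        self._pending = set()                # nonces of tokens not yet redeemed

    def _mac(self, nonce, card, merchant, cents):
        msg = "|".join([nonce, card, merchant, str(cents)]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, identity, card, merchant, cents):
        """Cardholder step: `identity` is what the authentication service
        vouched for. Returns a token, or None if it does not match the card."""
        if self._enrolled.get(card) != identity:
            return None
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce + "." + self._mac(nonce, card, merchant, cents)

    def authorize(self, token, card, merchant, cents):
        """Acquirer step: accept a token once, and only for the transaction
        (card, merchant, amount) it was issued for."""
        nonce, _, mac = token.partition(".")
        if nonce not in self._pending:
            return "rejected: unknown or replayed token"
        expected = self._mac(nonce, card, merchant, cents)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "rejected: token does not match transaction"
        self._pending.discard(nonce)         # one-time use
        return "authorized"


def demo():
    card = "4111111111111111"                # constructed sample card number
    issuer = Issuer({card: "alice@example.test"})
    # An identity that is not enrolled for this card gets no token.
    denied = issuer.authenticate("other@example.test", card, "shop-1", 2500)
    token = issuer.authenticate("alice@example.test", card, "shop-1", 2500)
    return [denied,
            issuer.authorize(token, card, "shop-1", 9900),  # amount altered
            issuer.authorize(token, card, "shop-1", 2500),  # first use
            issuer.authorize(token, card, "shop-1", 2500)]  # replay
```

Calling `demo()` returns the four outcomes in order: no token for the mismatched identity, a rejection for the altered amount, one authorization, and a rejection of the replayed token.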

  8. passwords no longer CaSeSeNsItIve by emptybody · · Score: 5, Informative

    I discovered recently that hotmail and, in fact, all passport sites are no longer case sensitive when it comes to passwords.

    This rather bothers me.
    It used to be that I had to use the proper case to login. Somewhere along the way, Microsoft did something to change my password (which I had assumed was stored encrypted) to make it case insensitive.

    --
    comment directly in my journal
    1. Re:passwords no longer CaSeSeNsItIve by jakob_grimm · · Score: 2, Informative

      I think this story has something to do with this.

      --

      "No prints can come from fingers / If machines become our hands." -- Jack Johnson

  9. Re:hmm by fermion · · Score: 2, Informative
    I am not sure how anyone, with a straight face, can say that a real web business would have to be insane to limit its clientele to Passport account holders only. Web businesses have and will continue to limit their customers to those MS finds acceptable. For instance such businesses require IE by using random IE standards. They were able to justify such laziness by saying the user can always go and download IE for free, although, as has been mentioned, downloading IE is only free if your time, bandwidth, and computer, are worthless. The same brainlessness will hold for Passport.

    There are currently few Passport accounts because no one really needs them. The Passport accounts that do exist were likely ones forced onto users. This is how it has been, and this is how it will be. The day will come when using Windows will require a Passport account, getting support will require a Passport account, and downloading p0rn will require a Passport account. MS will bundle Passport connectivity into FrontPage, and developers will use the connectivity as mindlessly as they use other MS profit centers. It will appear free to all areas of end users, and therefore it will be used. We will again be in the same situation as we are with IE, where getting the 3% of customers who refuse to conform requires more effort than it is worth.

    Furthermore, one would think that users would not like credit card information linked directly to a password, and have that password be the only thing needed to use the credit card. However, there are examples to the contrary of vendors doing exactly this.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  10. Re:Who needs credit cards anyway? by Anonymous Coward · · Score: 1, Informative

    > I have never in my life been in a situation, where I needed a credit card.

    Let us be clear that the issue here is about the card, not the line of credit at the end. My check card (which draws right from my checking account) would be just as insecure in a Microsoft Wallet as your credit card with a line of credit at the end.

    > Credit cards are, IMHO, incredibly stupid beyond the first month (since you have to pay the bill anyway, you might as well pay right away with cash).

    That is an arguable point, but the advantages to credit aren't in the ability to use it, they're in the ability to get more credit for important things. If you use a credit card first and use it responsibly, then you can qualify later for a home loan with a lower interest rate.

  11. Re:What's next ? eBay ? by Patrick+Lewis · · Score: 2, Informative
    You are confusing owner's equity with market capitalization. In order to buy Ebay, at the current market price, Microsoft would need to pay $16 billion, not $1.5 billion.

    Ballpark definitions:
    Owner's Equity: Money contributed by the owners + the sum of all historical net profit - the sum of all historical dividends.
    Market Capitalization: Market price * shares outstanding.

    Still within MSFT's purchasing power (what isn't), but at least they couldn't just pay for it out of cash.

    --
    "If I am such a genius, how come that I am drunk and lost in the desert with a bullet in my ass?" --Otto (Malcom ITM)
  12. Re:Not so simple by Rude+Turnip · · Score: 3, Informative

    "That saves you from YOUR bank stiffing you, but doesn't save you from the assholes who own the ATM machine stiffing you."

    Yes, it does! My bank charges no ATM fees of their own and they reimburse up to $8 per month in other banks' ATM fees. I only use an ATM a couple times a month and never run up more than $3 in fees, but it's nice to know that I have lots of breathing room.

  13. Careful, my friend by Catbeller · · Score: 3, Informative

    A guy named Keith Henson responded to a thread joking about firing Tom Cruise missiles at a Scientology compound in California.

    He was convicted of making terror threats and had to flee the country before he was sent to prison!

    Hell, in CANADA the psychos sicced anti-terrorist police on him. And he is still trying to claim political refugee status so the Canadians don't deport him back to the U.S. to serve his sentence for adding to a joke.

    So, careful: perhaps not in this instance, but in future ones, we are not allowed to speak, or joke, if the target is big enough and rich enough and fanatical enough.