Slashdot Mirror
MS Passport and... Visa
HeUnique writes "Well, people have seen it coming. According to this story Microsoft is extending the Passport authentication system to process Credit card payment (currently: Visa and MasterCard) through a deal with Arcot Systems. Of course, with the ever-changing privacy terms that some companies keep changing without notifying their user - it won't take much long until they'll take your credit cards info for 'verification' and who knows what they'll do with it.. sigh.."
In a nutshell: "Microsoft and Arcot plan to offer, later this fall, a service that will let banks require computer users to type in their Passport username and password to authenticate Visa or MasterCard credit cards." Take the word "require" in that sentence with a grain of salt, I guess. Favorite quote: "People will start trusting the system now that it's linked to credit cards."
Sure.
Quote: "It's good for Microsoft because up until now, no one stood behind the authenticity of the (Passport) identities. You can register as easily as 'Donald Duck' as you can with your real name," Litan said. "Now (Passport users) are linked to credit card companies. There is going to be a bank or credit card issuer standing behind the identity."
So... how, again, does this magically insure that the credit card isn't stolen?
I'm really wondering when MS is going to buy a large content provider and force Passport upon us. eBay, or Amazon. They're both in the red, so should be purchaseable for a giant like MS.
I've really wondered many times why MS doesn't drop it's dollar weight on passport.. Compared to the XBox, they've invested practically nothing in passport !
When will I end this grieving ? When will my future begin ?
According to research firm Gartner, the service has about 14 million registered users.
<sigh> I have to wonder if they're including the hotmail users in this number, since signing up for passport and hotmail are linked. If so, this number is hugely overinflated...the number of people actively using passport is way smaller. Too bad, companies may read this and decide it's a great way to reach a large audience.
--trb
Any bank which requires me to have a Passport account won't get my business. The one thing about capitalism is that you -can- force unwanted business to end, simply by going to their competitors.
... the other difference is that they're a monopoly.
Of course, people are going to say that we don't want the RIAA/MPAA/??AA/etc but as a matter of fact, general society does, and we -do- still support them (by seeing movies, buying cds, etc)
OTOH, no bank has a monopoly. As soon as Passport gets picked again, and credit cards numbers are out, people won't use it, and will demand a different method. (Note: viruses on desktop computers don't matter to people, because the general public doesn't store crucial data on their home computers) --
As soon as people start demanding non-Passport methods of authentication, banks -will- provide.
In Denmark some of the major telecompanies have just released a method where you can pay with your mobile number. In this case you register your credit card to your mobile phone. When you want to do a purchase, you type in the mobile number (more easy to remember), and the system verifies it by sending a SMS to you phone that you'll need to verify by typing in a pin-code.
Now this is a very secure way of doing business. Of cause no system is 100% secure. But in the same manner as the passport solution, you still need to register your credit card to a database, connected online, that can be contacted by the merchants. Sound similar to me.
Of cause you still have the additional security of the SMS and the pin code and Microsoft don't have the best reputation when it comes to securing their systems. But it still gives time for thought.
-:) Oh no - not again.
www.rednebula.com
Arcot Systems and Arcot Press Release. For those interested.
(Score:5, Not Funny)
You can do NOTHING on Yahoo's auction site unless you give Yahoo a credit card to "verify your identity". One of the many reasons eBay has complete domination of Yahoo Auctions in America is this fact. Privacy isn't even the biggest issue.... It's the fact that few will stake their credit card on a company who has proven that they will change EULAs in midstream. Remember when Yahoo bought GeoCities, then claimed various ownership rights to all of the content?
What REALLY pisses me off about this? International commerce. It is impossible for me to directly by goods from auctions.yahoo.co.jp (Jahoo Auctions Japan). Yahoo's Wallets are localized, and if I don't have a credit card or account to a Japanese bank, I can't use that yahoo auctions website. I can't even ask a question to the seller! To that website, no member can live outside of Japan....
Online shops cannot afford to require anything from their customers. The point in running a shop is selling; selling means to make buying as easy as possible. This is especially true on the Net where the customer can even remain sitting in her chair while leaving the shop and entering the competitor's. So how is this going to work? Successful online shops already know the rules and won't even try to require anything from the customers. Those who try will notice soon.
After all, digital signatures (as a legal concept) and all those esoteric digital payment schemes didn't take off; online shops just don't need them. They are even willing to take some risk if this helps them to gain new customers.
Waiting for their next smart idea ...
http://erichsieht.wordpress.com/category/english/
I trust my VISA (and credit card companies in general), because they tend to work in my interest and take care of me when I have bonafide problems with unauthorized usage and such. I have zero trust in Microsoft
I used to work for the second largest Visa issuer. We tracked every thing a cardholder did. We knew your spending habits and what you liked to buy. We knew when you were on vacation and when you fooled around on your wife. We sold this information to advertisers and gave it to other ventures within our corporation. Sometimes we'd even turn it over to the Secret Service. Every cardholder had an agreement similar to a EULA. We changed it all the time, raising rates and fees to our benefit. By using the card you were bound to the agreement.
Essentially we did the same thing you say Microsoft does, and maybe even a little more, yet you trust Visa over Microsoft. Interesting.
'Same speed C but faster'
- I will not be charged for the change.
- I will see an interest rate increase of 0.59% (not an issue because I pay off in full every month).
- The Smard Card reader has a USB port, and will work with Mac OS (yeah, right. We'll see. Didn't get a chance to ask about Linux because my boss wanted me and I had to hang up)
Whatever you do, if this story bothers you (obviously, it bothered me) make sure your bank understands that you do not want to support a convicted monopolist's attempt to extend its tentacles into the financial services arena.Ease up. We should actuall chear and appload. This move immediately makes it a valid target for EU data protection law and similar legislations everywhere. Before it was questionanle. Now it is fair game because it is a financial service and subject to a serious regulatory regime in most countries. By the time it gets to market its venomous teeth will be extracted and replaced with harmless prostetics ;-)
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Even with no credit card risk, there's still plenty of wrong going on here. Microsoft has already been proven to have a monopoly in the desktop computer industry. This little scheme gives them a foot into the door of financial services. If we don't stand up and shout "NO!" now, they will become the de facto standard for on-line purchases. Do you really want to give them that much control over your life? Do you really not mind having Microsoft at the hub of everything you do?
Here's a part of what mine, Vancity, gave back to me:
If there are people like me there, they would be relieved to use a post like mine citing the previous security issues that Microsoft has had to the person who may decide that passport-only is a good idea.
Be preemptive. It's easier.
With a credit card, I can pay for an item or service and if I am dis satisfied with the repairs to my car or the item I bought will not work correctly, I can refuse to pay until satisfied. With cash you are screwed.
When I rent a car I get the insurance covered by the credit card saving about $14 a day.
When I purchace an item the warantee gets doubled up to 1 year extra. This has actually helped me get a tape deck repaired which failed 2 months out of warantee.
Lets say I have to pay for an item costing $5000, I have the cash, but why use it? It can earn another month or two interest while the charge floats on the credit card.
This credit card has no yearly fees.
As for paying cash for a hotel room, you will also have to front 1 nights stay ( in cash ) in addition to your total cost of the room, unless you don't mine the phone turned off for long distance calls, any mini bar locked, movies turned off, etc...
But then again the same people who pay cash for rooms most likely get the "day or hourly rate" and like to have cinder block walls, vibrating beds and mirrored ceilings.
If you're set to 'always sign me into any passport site' then when you go to a passport site after having earlier checked your hotmail account, you find yourself automatically logged in, whether you actively wanted to use passport there or not. For a long time I visited no passport sites other than hotmail, and it never affected me. Now there are a couple I go to, and at first finding myself automatically logged in as whatever identity's email I happened to check last was really disconcerting. I have several hotmail accounts, but the whole passport thing is based on the assumption of one computer, one person, one identity. I feel like I should be able to be logged in at msdn.microsoft.com using my work/business hotmail account, while still reading email from one of my personal hotmail accounts. Can't do it. Even though they're separate sites, they completely identify you by your passport cookie, so you can only be one 'identity' to all of them. If passport verification starts popping up all over the place, other people will run into this issue too.
Liability for CC fraud is not the responsibility of the card-holder. This is mandated by banking laws. It is the responsiblity of the card-issuer. However, the major CC companies shift the liability to the individual merchants as part of the merchant agreements that they must sign in order to accept CCs. The reason you never hear about major CC theft is individual merchants are generally too small to make a big stink. Besides, most of them either have insurance to cover this, or the big retailers all have a substantial fraud write-off built into the budget.
Another way of saying this is to say that credit cards are secure enough just as they are. Of the millions of credit card transactions processed every day, only the slightest fraction are fraudulent, and in those cases, the customer is taken care of appropriately practically every time. In other words, most of the time it's secure, and when it isn't, there's no real harm done.
One of the reasons it's secure is that there is a separate processing network with dedicated encryption hardware in place to handle all these transactions. Fraudulent transactions almost never originate from inside the network - they are entered into the system by a vendor. And since everything's encoded with the vendor ID, it can be tracked back to the originating site quickly. .5% of the transaction for off-line purchases, and 2-3% for on-line purchases). Still, there isn't an law on the books regulating every aspect of internet purchases.
Once Internet stores started accepting CC's for on-line purchases, CC fraud went through the roof because all you need is a few names and numbers. And since there's no way to "show" the store your card, with your name on it, the CC companies jacked up the merchant rates (something on the order of
But, a lot of the confidence in the current CC processing networks is in the fact that every aspect of the process is gonverned by laws, with strict penalties, and not by one company. You can argue that VISA and MC are an oligarchy, but they still have strict regulations to follow. MS has no regulations to follow here - and given their refusal to admit to any wrongdoing in the anti-trust case, even after an appeals court upheld the conviction, does not bode well for their handling this kind of sensitive data in a responsible or secure manner (Trustworthy Computing be damned).
Rule #1 in business:
Don't let ANYONE between you and your customers. If passport sucks and I am trying to buy a book from Amazon -- guess who gets blamed?
The majority of my income comes from online sales. A credit card charge is not valid without a legal signature. Nobody, as of yet, has found a way to legitimize internet trasnactions. Anybody who uses their credit card on the net can cancel their charge, after they receive their merchandise, and the merchant cannot contest this "chargeback". Because they don't have a signature. This is why 20%+ of online business is considered fraud, because valid customers who receive thier merchandise get their money back from your bank automatically.
With the government and VISA/MC dragging their feet and seemingly not even searching for a solution to this problem (well other than hassling online merchants as if it were their fault) we need some way to verify that the card goes with the user... perhaps passport is a step in the right direction.
I will get behind anything that allows me to contest, with the cardholder's bank, a fraudlant refund(chargeback) requested by somebody who received their merchandise.
This is the same company that owns Hotmail, that well known porn spamming, personal info relay service.
And you want to give them your CC number?