MS Passport and... Visa
HeUnique writes "Well, people have seen it coming. According to this story Microsoft is extending the Passport authentication system to process credit card payments (currently: Visa and MasterCard) through a deal with Arcot Systems. Of course, with the ever-changing privacy terms that some companies keep changing without notifying their users, it won't take much longer until they take your credit card info for 'verification' and who knows what they'll do with it.. sigh.."
In a nutshell: "Microsoft and Arcot plan to offer, later this fall, a service that will let banks require computer users to type in their Passport username and password to authenticate Visa or MasterCard credit cards." Take the word "require" in that sentence with a grain of salt, I guess. Favorite quote: "People will start trusting the system now that it's linked to credit cards."
Sure.
Isn't it about time to call up Tyler Durden to take out the credit card buildings, thus destroying credit card debt for America.... WAIT, we've got Microsoft, the next best thing: Tyler uses explosives and MS uses security holes!!
"All I can tell the "lesser of two evils" folks is that if they keep voting for evil, they'll keep getting evil."-Lp.org
No, they do inform us of changes, as they are often required to do so by laws of various states...Trouble is, they're allowed to change them and tell us later, by 4th class snail mail, taking 2-3 weeks to get to us, by which time it's too late to file a complaint or a protest before they've already sold our info off.
"But remember, most lynch mobs aren't this nice." (H.Simpson)
-- Joe
Of course, any real web business would have to be insane to limit its clientele to Passport account holders only. Note how Microsoft has 14 million registered users of Passport (how many just for MS Messenger?). Now note how many people on the net - approximately 400 million? So do you see Amazon saying that only 3% of the net can buy their books? Nope, didn't think so.
....If you had to use a Microsoft Passport to buy ad-free pages on Slashdot....
Linux Redhat: $59
AOL Account: $20 a month
Contribution to OSS fund: $1000
Charging it to Bill Gates Credit Card: Priceless
There are some rights money can't buy.
For everything else, there's Microsoft Passport.
Favorite quote: "People will start trusting the system now that it's linked to credit cards." Sure.
Before we start railing at MS about bugs, let him who is without sin cast the first stone.
Anywho, it's not the hacking to get the password I'm worried about. Most people don't know how to make a good password, and most are easily guessable.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
I'm really wondering when MS is going to buy a large content provider and force Passport upon us. eBay, or Amazon. They're both in the red, so should be purchasable for a giant like MS.
I've really wondered many times why MS doesn't drop its dollar weight on Passport.. Compared to the Xbox, they've invested practically nothing in Passport!
When will I end this grieving ? When will my future begin ?
Many companies have their own branded credit cards. I wonder how many people here carry VISA / Mastercard / Amex?
If anyone doesn't like what these companies are doing, there is always an alternative.
People use credit cards because the massive lapses in security are never properly publicised and also, whenever someone steals from their card, they get the money refunded.
Basically, they have nothing to lose, and like I said, if they want privacy, there are many ways to achieve this, PrivateBuy being just one.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
According to research firm Gartner, the service has about 14 million registered users.
<sigh> I have to wonder if they're including the hotmail users in this number, since signing up for passport and hotmail are linked. If so, this number is hugely overinflated...the number of people actively using passport is way smaller. Too bad, companies may read this and decide it's a great way to reach a large audience.
--trb
Any bank which requires me to have a Passport account won't get my business. The one thing about capitalism is that you -can- force unwanted business to end, simply by going to their competitors.
... the other difference is that they're a monopoly.
Of course, people are going to say that we don't want the RIAA/MPAA/??AA/etc but as a matter of fact, general society does, and we -do- still support them (by seeing movies, buying cds, etc)
OTOH, no bank has a monopoly. As soon as Passport gets picked again, and credit card numbers are out, people won't use it, and will demand a different method. (Note: viruses on desktop computers don't matter to people, because the general public doesn't store crucial data on their home computers)
As soon as people start demanding non-Passport methods of authentication, banks -will- provide.
This Windows XP (tm) installation does not match the hardware profile recorded at activation. Press "OK" to charge the credit card on file with Passport $199.99 for a new Windows XP (tm) license. Press "Cancel" to remove the unauthorised copy of Windows XP (tm) from your system.
The fact of the matter is that merchants aren't going to want to put any hurdles between the customer and buying something. They won't require passport because it's just one more thing that MIGHT cause a consumer to go elsewhere. Many may offer passport, and there may be some sort of incentives attached to this, but they won't require it.
If most sites started requiring passport for some reason (credit card processor mandate?), I'd find myself showing up at physical stores once again.
This sig has been temporarily disconnected or is no longer in service
Why in God's name would I trust a company that changed its privacy policy overnight, much to the chagrin of millions of people worldwide (Hotmail.com)? Why would I trust a company that surreptitiously modified the EULA of their _media player_ to include consent to modify the DRM / OS it runs on?
I trust my VISA (and credit card companies in general), because they tend to work in my interest and take care of me when I have bona fide problems with unauthorized usage and such. I have zero trust in Microsoft, a company that has systematically undermined my digital rights on a regular basis without apparent consideration of what I want. It may be "good for business", but it's not good for me.
That being said, I plan on reformatting my Win2k boxes at home this weekend and uninstalling the Media Player. I'll also be removing the "Automatic Updates" feature they added to their "Windows Update" site recently -- I don't trust them not to modify my preferences there, either.
11 Then I saw another beast which rose out of the earth; it had two horns like a lamb and it spoke like a dragon.
12 It exercises all the authority of the first beast in its presence, and makes the earth and its inhabitants worship the first beast, whose mortal wound was healed.
13 It works great signs, even making fire come down from heaven to earth in the sight of men;
14 and by the signs which it is allowed to work in the presence of the beast, it deceives those who dwell on earth, bidding them make an image for the beast which was wounded by the sword and yet lived;
15 and it was allowed to give breath to the image of the beast so that the image of the beast should even speak, and to cause those who would not worship the image of the beast to be slain.
16 Also it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead,
17 so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name.
18 This calls for wisdom: let him who has understanding reckon the number of the beast, for it is a human number, its number is six hundred and sixty-six.
Sounds like a marriage between Microsoft and Visa to me. In order to order, you have to bear the mark of the beast.
Strange women lying in ponds distributing swords is no basis for a system of government.
In Denmark some of the major telecom companies have just released a method where you can pay with your mobile number. In this case you register your credit card to your mobile phone. When you want to make a purchase, you type in the mobile number (easier to remember), and the system verifies it by sending an SMS to your phone that you'll need to verify by typing in a PIN code.
Now this is a very secure way of doing business. Of course no system is 100% secure. But in the same manner as the Passport solution, you still need to register your credit card to a database, connected online, that can be contacted by the merchants. Sounds similar to me.
Of course you still have the additional security of the SMS and the PIN code, and Microsoft doesn't have the best reputation when it comes to securing their systems. But it still gives time for thought.
-:) Oh no - not again.
www.rednebula.com
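The pay-by-mobile-number flow the comment describes (register a card against a phone number, type the number at the merchant, receive a one-time PIN by SMS, type it back), as an added example that is not part of the original post and not the Danish operators' system. The SMS gateway is a stub that records what it would have sent; the expiry, single-use and attempt-limit rules are my assumptions about a sane deployment, not something the comment states.

```python
"""Pay-by-mobile-number flow with an out-of-band SMS PIN.

Added illustration, not the operators' code. The SMS gateway is a stub that
records what it would have sent; TTL, single use and the attempt limit are
assumed sensible defaults, not facts from the comment.
"""
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed: how long a PIN stays valid
MAX_ATTEMPTS = 3        # assumed: wrong guesses before the purchase is cancelled


class SmsGateway:
    """Stub: a real gateway hands the text to the mobile operator."""

    def __init__(self):
        self.outbox = []  # (msisdn, text) pairs, so the demo can read the PIN back

    def send(self, msisdn, text):
        self.outbox.append((msisdn, text))


class MobilePay:
    def __init__(self, sms, clock=time.time):
        self._sms = sms
        self._clock = clock          # injectable so expiry can be tested
        self._cards = {}             # msisdn -> card reference held by the service
        self._pending = {}           # msisdn -> [pin, expires_at, wrong_attempts]

    def register(self, msisdn, card_ref):
        # As the comment notes, the card still lives in an online database;
        # here it is a reference, but that database is the thing to protect.
        self._cards[msisdn] = card_ref

    def start_purchase(self, msisdn, amount):
        """Merchant submits the phone number; the PIN goes out of band."""
        if msisdn not in self._cards:
            return False
        pin = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never sequential
        self._pending[msisdn] = [pin, self._clock() + OTP_TTL_SECONDS, 0]
        self._sms.send(msisdn, f"Confirm payment of {amount}: PIN {pin}")
        return True

    def confirm(self, msisdn, pin):
        """Buyer types the PIN back. Returns a short outcome string."""
        entry = self._pending.get(msisdn)
        if entry is None:
            return "no pending purchase"
        expected, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[msisdn]
            return "expired"
        if not hmac.compare_digest(expected, pin):
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[msisdn]
                return "locked"
            return "wrong pin"
        del self._pending[msisdn]   # single use: the same PIN cannot confirm twice
        return f"charged {self._cards[msisdn]}"


def _pin_from(sms):
    """What the phone's owner reads off the screen (demo helper)."""
    return sms.outbox[-1][1].rsplit("PIN ", 1)[1]


def _wrong(pin):
    """A guess that is guaranteed not to equal the real PIN."""
    return pin[:-1] + str((int(pin[-1]) + 1) % 10)


def demo():
    now = [1_000_000.0]                      # fake clock, seconds
    sms = SmsGateway()
    svc = MobilePay(sms, clock=lambda: now[0])
    number = "+4512345678"                   # constructed demo data
    svc.register(number, "card-ref-7f3a")
    out = {"unknown_number": svc.start_purchase("+4500000000", "1.00 DKK")}

    svc.start_purchase(number, "249.00 DKK")
    pin = _pin_from(sms)
    out["wrong"] = svc.confirm(number, _wrong(pin))
    out["right"] = svc.confirm(number, pin)
    out["replay"] = svc.confirm(number, pin)

    svc.start_purchase(number, "10.00 DKK")
    now[0] += OTP_TTL_SECONDS + 1            # buyer waited too long
    out["expired"] = svc.confirm(number, _pin_from(sms))

    svc.start_purchase(number, "10.00 DKK")
    pin = _pin_from(sms)
    for _ in range(MAX_ATTEMPTS):
        out["locked"] = svc.confirm(number, _wrong(pin))
    out["after_lock"] = svc.confirm(number, pin)  # real PIN no longer helps
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} {result}")
```

The PIN is compared in constant time, used once, expires, and a handful of wrong guesses cancels the purchase; without the attempt limit a six-digit PIN is guessable by a script. The comment's caveat still stands: the phone-to-card mapping is a database reachable by merchants, and an attacker who controls the phone number (SIM swap or number porting) receives the PIN.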
I would take this larger, and not want to put all of my info into a single cookie jar regardless of platform/os/political affiliation/whatever. It just gives too much power to the people running the jar.
The fallout of a major security breach is too nasty to think about.
DOS is dead, and no one cares...
If there's a Bourne Shell, I'll see you there
You can do NOTHING on Yahoo's auction site unless you give Yahoo a credit card to "verify your identity". One of the many reasons eBay has complete domination of Yahoo Auctions in America is this fact. Privacy isn't even the biggest issue.... It's the fact that few will stake their credit card on a company who has proven that they will change EULAs in midstream. Remember when Yahoo bought GeoCities, then claimed various ownership rights to all of the content?
What REALLY pisses me off about this? International commerce. It is impossible for me to directly buy goods from auctions.yahoo.co.jp (Yahoo Auctions Japan). Yahoo's Wallets are localized, and if I don't have a credit card or account with a Japanese bank, I can't use that Yahoo Auctions website. I can't even ask a question to the seller! To that website, no member can live outside of Japan....
I'll happily take my business elsewhere. Simple as that.
This needs to be modded up, seriously. Why? Because this is how the unwashed masses think, and MS knows it. But here is what you are not seeing - you may or may not see this "service" as useful, but you should have a CHOICE of whether or not to use it. MS can roll out any service they wish, as long as they don't force people to use it. Get it? They are cutting deals that FORCE you to give up your information to something that has proven to be insecure. I should have the right to decline that service. If you find it useful and more convenient, go right ahead and use it. Maybe you will be one of the lucky ones who doesn't get nailed to the wall when (not if) someone cracks in and steals passports. I can guarantee it won't happen to me, because I won't get a passport account. I'll quit shopping online and get rid of my credit cards before it comes to that.
My beliefs do not require that you agree with them.
What happens to your "choice" when all the banks use Passport? There aren't as many banks as there used to be and an oligopoly is nearly as effective as a monopoly. The RIAA wouldn't be an issue if there were viable music labels that didn't participate in it. An oligopoly can be ad hoc as well without any organizational structure -- I dare say we all object to crazy ATM fees (weren't ATMs supposed to save the banks money?) but we all end up paying them.
I am not a number! I am a man! And don't you
...that I think I've ever heard of.
I play Asheron's Call (only published by MS, not made by them, BTW.) They changed over their auth system about 8 months ago from the old kludgy Zone auth system to Passport, and it's been downhill ever since. Each game account requires a separate Passport account, and most of the people who are big into the game have at LEAST two accounts (I have 3, myself). There are some inflationary numbers on how many are using Passport for you.
Furthermore, there was a recent rash of folks getting their accounts hacked because folks don't understand password security, and had their Passport e-mail address listed in YaBB and UBB boards centered on the game, used the same password for those boards as they do for their Passport account, and an exploit was discovered allowing folks to actually retrieve that info from those BB packages. If this idea is similar to the concept of the MS Wallet - which I haven't heard anything out of in a while - it's going to be an utter and complete disaster. Credit card fraud will reach new all-time highs, banks will start to go under, cows will fall out of clear blue skies, chaos and destruction will reign, et al.
BUT.
Here's the trick. If it is NOT like Wallet, and your CC info is NOT stored within Passport, then what they're effectively doing is adding a password check to your credit card for online transactions. At least one company is already doing this (witness the "I am Emmit Smith" ads) and it's an incredibly good idea. You register your Passport account with the bank who provided your Credit Card, and in return, your card number becomes totally useless without a password for the purposes of online transactions.
I really don't think that it's such a hot idea to be using PASSPORT for this, but the concept, if the card number isn't stored online BY the password system, is a VERY good one.
Fortunately for me, my credit card is through Digital Federal Credit Union, and I don't think they're too likely to implement it without warning.
You thought that this sig was what you think that I thought you wanted me to think. I think.
Seriously, you have a bigger risk of getting your credit card number stolen when you pay for your dinner at a restaurant with it than by submitting it to a website using SSL. Not only does the waiter/waitress handle your card, but in a lot of places they'll swipe it in a magnetic card reader that sends it unencrypted over a phone line, or worse, they'll use a POS system that stores the entire swipe data in an unencrypted text file on their local server's hard drive... which will later send it out over a phone line unencrypted.
Microsoft is evil, but they aren't stupid. If they screw this up the class action lawsuit that will result would likely put them out of business. Wait, maybe we should all sign up, and get Johnnie Cochran on retainer, before Microsoft hires him and we lose to the Chewbacca defense ;)
Online shops cannot afford to require anything from their customers. The point in running a shop is selling; selling means to make buying as easy as possible. This is especially true on the Net where the customer can even remain sitting in her chair while leaving the shop and entering the competitor's. So how is this going to work? Successful online shops already know the rules and won't even try to require anything from the customers. Those who try will notice soon.
After all, digital signatures (as a legal concept) and all those esoteric digital payment schemes didn't take off; online shops just don't need them. They are even willing to take some risk if this helps them to gain new customers.
Waiting for their next smart idea ...
http://erichsieht.wordpress.com/category/english/
The book recently reviewed on Slashdot, Translucent Databases, does a good job of explaining how databases can be designed to provide these types of services (credit card authorization, central storage of information, etc.) in such a way that compromising the database does not provide the cracker with any information. Furthermore, an administrator or executive can glean no more information from the database than can a cracker, yet the database serves its purpose, while protecting the information it contains.
I went and ordered the book after reading the review here on Slashdot and I must say that the methods discussed are quite interesting and I'm very likely to start incorporating them into my database designs as I go forward. In some respects, the book isn't laid out/designed very well for "flow", but it does contain very good information and it challenges the reader to think about the material in new ways.
If you're worried about securing data against everyone except for the people/applications that need to access it, check out this book.
Cheers.
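An added example of the idea the comment above is recommending (a store that can recognise a card without letting an administrator or a thief with a dump read it). This is not code from the book, the poster, or any payment system; the book's own constructions differ, and the keyed-hash scheme below is my rendering of the principle. The first half shows why a bare hash of a card number is not enough: with the BIN and the last four digits known, only six digits are unknown and the Luhn check digit rules out nine in ten of those.

```python
"""Translucent storage of a card number: verify without being able to read.

Added illustration, not the book's code. The naive hash is shown so the
attack it invites is concrete; the translucent store keys the hash with a
secret only the user supplies, which the database never holds.
"""
import hashlib
import hmac
import secrets

_DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)   # Luhn doubling table


def luhn_ok(pan):
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        total += _DOUBLE[d] if i % 2 else d
    return total % 10 == 0


def naive_record(pan):
    """The tempting 'hash it and we are safe' design: a bare SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def crack_naive(digest, bin6, last4):
    """Anyone with the dump, the card's BIN (first six digits, tied to brand
    and bank) and its last four (printed on every receipt) has six unknown
    digits, and Luhn rejects nine in ten candidates: about 10**5 hashes."""
    for middle in range(10**6):
        cand = f"{bin6}{middle:06d}{last4}"
        if luhn_ok(cand) and hashlib.sha256(cand.encode()).hexdigest() == digest:
            return cand
    return None


class TranslucentStore:
    """Rows hold (salt, HMAC(key, PAN)) where key is derived from a secret the
    user supplies at each use and the service never stores. The table reads
    the same to an admin and to a cracker, and neither can enumerate PANs
    against it without the user's secret."""

    def __init__(self):
        self.rows = {}   # user -> (salt, tag): the only thing on disk

    @staticmethod
    def _key(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

    @staticmethod
    def _tag(key, pan):
        return hmac.new(key, pan.encode(), hashlib.sha256).digest()

    def enroll(self, user, secret, pan):
        salt = secrets.token_bytes(16)
        self.rows[user] = (salt, self._tag(self._key(secret, salt), pan))

    def card_matches(self, user, secret, pan):
        """True only when this user, with this secret, presents the enrolled card."""
        salt, tag = self.rows[user]
        return hmac.compare_digest(tag, self._tag(self._key(secret, salt), pan))


def demo():
    pan = "4111111111111111"        # Visa test number; constructed demo data
    other = "4012888888881881"      # a second Visa test number
    out = {"cracked": crack_naive(naive_record(pan), pan[:6], pan[-4:])}
    store = TranslucentStore()
    store.enroll("alice", "correct horse battery staple", pan)
    out["match"] = store.card_matches("alice", "correct horse battery staple", pan)
    out["wrong_card"] = store.card_matches("alice", "correct horse battery staple", other)
    out["wrong_secret"] = store.card_matches("alice", "guess", pan)
    out["on_disk"] = {u: (s.hex(), t.hex()) for u, (s, t) in store.rows.items()}
    return out


if __name__ == "__main__":
    r = demo()
    print("naive hash cracked to:", r["cracked"])
    print("translucent row:", r["on_disk"])
    print("match / wrong card / wrong secret:", r["match"], r["wrong_card"], r["wrong_secret"])
```

Two caveats a practitioner should keep in mind. The store can only verify a card, never give the number back, so a service that has to charge the card still needs the number somewhere (in practice a token from the payment processor); and the protection is exactly as strong as the user's secret, since a weak password lets an attacker derive the key and run the same enumeration.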
Spoken like someone who's employer doesn't require them to pay all travel expenses out of their own pocket and then wait for reimbursement.
Or someone who lives in a small shack in the mountains and writes manifestos and sends explosive packages through the mail.
A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
- I will not be charged for the change.
- I will see an interest rate increase of 0.59% (not an issue because I pay off in full every month).
- The Smart Card reader has a USB port, and will work with Mac OS (yeah, right. We'll see. Didn't get a chance to ask about Linux because my boss wanted me and I had to hang up)
Whatever you do, if this story bothers you (obviously, it bothered me) make sure your bank understands that you do not want to support a convicted monopolist's attempt to extend its tentacles into the financial services arena.
Ease up. We should actually cheer and applaud. This move immediately makes it a valid target for EU data protection law and similar legislation everywhere. Before, it was questionable. Now it is fair game because it is a financial service and subject to a serious regulatory regime in most countries. By the time it gets to market its venomous teeth will be extracted and replaced with harmless prosthetics ;-)
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
This is known as 3D Secure or Verified by Visa. Just because MS is offering the client piece (and this is what they do) does not mean they have access to all your personal information.

Here is how it works: When you choose to pay through 3D Secure you enter your credit card # at the merchant, the merchant talks to his acquirer, the acquirer figures out whether the Issuer who gave you your credit card is enrolled in 3D Secure (by talking to the so-called Visa Directory) and then they redirect you to the Issuer of your credit card. Now the Issuer (and last time I checked MS is NOT an Issuer) will have to identify you. This is where Passport comes into play. Passport does the auth piece for you (Kerberos in Passport's case if I am not mistaken) and sends the ticket to the Issuer. The Issuer checks whether the auth piece and the CC number match and generates a response token for the merchant. This response token gets transmitted back to the merchant (by means of standard Passport auth, I suppose); the merchant takes this response token and sends it to his merchant acquirer. The merchant acquirer now sends it through the Visa Directory back to the Issuer, and the Issuer checks whether this is a replay or a valid token. If it was a valid token the transaction is authorized.

So, bottom line is, Passport is the authentication piece. Whether you trust MS Passport or not is one thing, but they do not get access to your CC data. And by hijacking a Passport you still cannot go shopping on behalf of the account owner. Check your facts, guys.
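The exchange the comment above lays out (merchant to acquirer to directory to issuer, Passport supplying only the login, the issuer signing a one-shot token that is later checked for forgery and replay), together with the earlier comment's point that a card number becomes useless online without the password, as an added example that is not part of either post and not Microsoft, Arcot or Visa code. Party names, the dict-shaped messages, the HMAC token and the PBKDF2 password store are all invented for the demo; the real protocol carries signed messages between acquirer, directory and issuer rather than Python objects.

```python
"""Simplified 3-D Secure style flow with an external authentication provider.

Added illustration, not vendor code. Message formats, keys and the way the
token is signed (issuer-private HMAC over PAN, amount and a nonce) are demo
assumptions; the real scheme uses its own signed message formats.
"""
import hashlib
import hmac
import secrets


class AuthProvider:
    """Stands in for Passport: checks a login and returns a ticket.
    It never sees the card number."""

    def __init__(self):
        self._users = {}  # username -> (salt, pbkdf2 digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        rec = self._users.get(user)
        if rec and hmac.compare_digest(rec[1], self._digest(password, rec[0])):
            return {"user": user}  # the "auth piece" handed to the issuer
        return None


class Issuer:
    """The cardholder's bank: knows which login owns which card, signs a
    one-shot response token, and later checks it for forgery and replay."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # issuer-private HMAC key
        self._cards = {}                     # PAN -> username
        self._redeemed = set()               # nonces already accepted

    def link(self, pan, user):
        self._cards[pan] = user

    def _mac(self, pan, amount, nonce):
        body = f"{pan}|{amount}|{nonce}".encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def authenticate(self, pan, ticket, amount):
        # Does the authenticated login actually own the card being used?
        if ticket is None or self._cards.get(pan) != ticket["user"]:
            return None
        nonce = secrets.token_hex(16)
        return {"pan": pan, "amount": amount, "nonce": nonce,
                "mac": self._mac(pan, amount, nonce)}

    def verify(self, token):
        expected = self._mac(token["pan"], token["amount"], token["nonce"])
        if not hmac.compare_digest(expected, token["mac"]):
            return False  # forged, or PAN/amount altered in transit
        if token["nonce"] in self._redeemed:
            return False  # replayed
        self._redeemed.add(token["nonce"])
        return True


class Directory:
    """Card-scheme directory: tells the acquirer which issuer is enrolled
    for a card, keyed on the leading six digits (BIN) of the PAN."""

    def __init__(self):
        self._issuers = {}

    def enroll(self, bin6, issuer):
        self._issuers[bin6] = issuer

    def lookup(self, pan):
        return self._issuers.get(pan[:6])


def checkout(directory, auth, pan, amount, user, password):
    """Merchant/acquirer side: PAN in, signed token (or a refusal) out."""
    issuer = directory.lookup(pan)          # acquirer consults the directory
    if issuer is None:
        return None, "issuer not enrolled"
    ticket = auth.login(user, password)     # cardholder is redirected to the issuer, who defers to Passport
    token = issuer.authenticate(pan, ticket, amount)
    return (token, "authenticated") if token else (None, "declined: authentication failed")


def settle(directory, token):
    """Merchant -> acquirer -> directory -> issuer, which validates the token."""
    issuer = directory.lookup(token["pan"])
    return "authorized" if issuer.verify(token) else "declined: forged or replayed token"


def demo():
    directory, auth, issuer = Directory(), AuthProvider(), Issuer()
    directory.enroll("411111", issuer)
    pan = "4111111111111111"  # Visa test number; constructed demo data
    auth.register("alice@example.com", "correct horse")
    auth.register("mallory@example.com", "pwned")
    issuer.link(pan, "alice@example.com")
    out = {}
    token, _ = checkout(directory, auth, pan, "19.99", "alice@example.com", "correct horse")
    out["good"] = settle(directory, token)
    out["replay"] = settle(directory, token)   # same token presented twice
    _, out["wrong_password"] = checkout(directory, auth, pan, "19.99", "alice@example.com", "guess")
    # Stolen card number plus the thief's own valid login: the card is not linked to it.
    _, out["stolen_pan"] = checkout(directory, auth, pan, "19.99", "mallory@example.com", "pwned")
    # Merchant raises the amount after the issuer signed the token.
    token2, _ = checkout(directory, auth, pan, "19.99", "alice@example.com", "correct horse")
    out["tampered"] = settle(directory, dict(token2, amount="1999.00"))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} {result}")
```

The split the comment insists on is visible in the code: `AuthProvider` holds only logins, `Issuer` alone holds the card-to-login mapping and the signing key, and the merchant sees a token it cannot forge or alter. What the demo also makes explicit is the limit of the "hijacked Passport is useless" claim: a hijacked login is useless without the card number, and a stolen card number is useless without the login, but an attacker holding both still passes.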
Great point. Though I haven't had time to read a book recently, let alone tack one to the end of my ever-growing to-read list (this is the time of year when I go through my technical manuals again).
It's nice to see that at least a -little- high-level thinking is going on here, and not just a kneejerk reaction to the M word. In the real world, I don't see MS taking that sort of risk.. granted, they could afford to settle out of court with everyone who puts their CC information into the system if it DID get cracked and wasn't translucent.. wink wink, nudge nudge..
The scary part isn't here yet, at least not all the way.
Passport is the string that ties it all together. You will need passport to conduct business, either as a buyer or seller. I'm sure there will be "merchant" (lack of a better word) accounts which costs a bundle for the seller and they must have them to collect.
But currently many people are safe. You are nagged to death to get a Passport or associate your Passport with Windows, but you can have a Passport without Windows. The day will come, however, when it is a must!
It truly scares me. I can see how three business steps, maybe two, could control the whole industry. And I'm not just talking about the "Desktop" market or even the computer market, I'm saying they could literally grab chunks of the Internet and put it in their own pockets.
Congress and the Justice Department need to jump on this and look into their plans before it's too late.
That is, if anyone is serious about our privacy or freedom.
Get your Unix fortune now!
I discovered recently that Hotmail and, in fact, all Passport sites are no longer case sensitive when it comes to passwords.
This rather bothers me.
It used to be that I had to use the proper case to log in. Somewhere along the way, Microsoft did something to change my password (which I had assumed was stored encrypted) to make it case insensitive.
Here's a part of what mine, Vancity, gave back to me:
If there are people like me there, they would be relieved to use a post like mine citing the previous security issues that Microsoft has had to the person who may decide that passport-only is a good idea.
Be preemptive. It's easier.
Here is my simple solution to MS' latest Passport move:
- Find what I want online, and then pick up the telephone and dial the toll-free number to order.
Problem solved. Passport dies a slow and embarrassing death.
I'm a 2000 man.
If you're set to 'always sign me into any passport site' then when you go to a passport site after having earlier checked your hotmail account, you find yourself automatically logged in, whether you actively wanted to use passport there or not. For a long time I visited no passport sites other than hotmail, and it never affected me. Now there are a couple I go to, and at first finding myself automatically logged in as whatever identity's email I happened to check last was really disconcerting. I have several hotmail accounts, but the whole passport thing is based on the assumption of one computer, one person, one identity. I feel like I should be able to be logged in at msdn.microsoft.com using my work/business hotmail account, while still reading email from one of my personal hotmail accounts. Can't do it. Even though they're separate sites, they completely identify you by your passport cookie, so you can only be one 'identity' to all of them. If passport verification starts popping up all over the place, other people will run into this issue too.
Any business that requires a passport login can be sure that it won't get any business from me...
But it will come to pass. M$ minions will tout their service as the best, most secure thing in the world since nobody can buy a friggin' thing because the server in Redmond has crashed after being cracked by the 11,111,111,111,111 script kiddie trying a new exploit.
It took me a moment to figure out that when you said, "11,111,111,111,111," you meant the number of script kiddies trying a new exploit. 111-1111111 used to work for Office 97 and NT4.0 OEM codes, so I wouldn't be surprised if it were some MSN administrator's password.
!#@%*)anks for hanging up the phone, dear.
This is the same company that owns Hotmail, that well known porn spamming, personal info relay service.
And you want to give them your CC number?
A guy named Keith Henson responded to a thread joking about firing Tom Cruise missiles at a Scientology compound in California.
He was convicted of making terror threats and had to flee the country before he was sent to prison!
Hell, in CANADA the psychos sicced anti-terrorist police on him. And he is still trying to claim political refugee status so the Canadians don't deport him back to the U.S. to serve his sentence for adding to a joke.
So, careful: perhaps not in this instance, but in future ones, we are not allowed to speak, or joke, if the target is big enough and rich enough and fanatical enough.