Slashdot Mirror
MS Passport and... Visa
HeUnique writes "Well, people have seen it coming. According to this story Microsoft is extending the Passport authentication system to process Credit card payment (currently: Visa and MasterCard) through a deal with Arcot Systems. Of course, with the ever-changing privacy terms that some companies keep changing without notifying their user - it won't take much long until they'll take your credit cards info for 'verification' and who knows what they'll do with it.. sigh.."
In a nutshell: "Microsoft and Arcot plan to offer, later this fall, a service that will let banks require computer users to type in their Passport username and password to authenticate Visa or MasterCard credit cards." Take the word "require" in that sentence with a grain of salt, I guess. Favorite quote: "People will start trusting the system now that it's linked to credit cards."
Sure.
No, they do inform us of changes, as they are often required to do so by laws of various states...Trouble is, they're allowed to change them and tell us later, by 4th class snail mail, taking 2-3 weeks to get to us, by which time its too late to re-file a complaint or a protest before they've already sold our info off.
"But remember, most lynch mobs aren't this nice." (H.Simpson)
-- Joe
Of course, any real web business would have to be insane to limit its clientele to Passport account holders only. Note how Microsoft has 14 million registered users of Passport (how many just for MS Messenger?). Now note how many people on the net - approximately 400 million? So do you see Amazon saying that only 3% of the net can buy their books? Nope, didn't think so.
Linux Redhat: $59
AOL Account: $20 a month
Contribution to OSS fund: $1000
Charging it to Bill Gates Credit Card: Priceless
There are some rights money can't buy.
For everything else, there's Microsoft Passport.
Favorite quote: "People will start trusting the system now that it's linked to credit cards." Sure.
Before we start railing MS about bugs, let he who is without sin cast the first stone.
Anywho, its not the hacking to get the password I'm worried about. Most people don't know how to make a good password, and most are easily guessable.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
I'm really wondering when MS is going to buy a large content provider and force Passport upon us. eBay, or Amazon. They're both in the red, so should be purchaseable for a giant like MS.
I've really wondered many times why MS doesn't drop it's dollar weight on passport.. Compared to the XBox, they've invested practically nothing in passport !
When will I end this grieving ? When will my future begin ?
Many companies have their own branded credit cards. I wonder how many people here carry VISA / Mastercard / Amex?
If anyone doesnt like what these companies are doing, there is always an alternative.
People use credit cards because the massive lapses in security are never properly publicised and also, whenever someone steals from their card, they get the money refunded.
Basically, they have nothing to loose, and like I said, if they want privacy, there are many ways to achieve this, PrivateBuy being just one.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
According to research firm Gartner, the service has about 14 million registered users.
<sigh> I have to wonder if they're including the hotmail users in this number, since signing up for passport and hotmail are linked. If so, this number is hugely overinflated...the number of people actively using passport is way smaller. Too bad, companies may read this and decide it's a great way to reach a large audience.
--trb
Any bank which requires me to have a Passport account won't get my business. The one thing about capitalism is that you -can- force unwanted business to end, simply by going to their competitors.
... the other difference is that they're a monopoly.
Of course, people are going to say that we don't want the RIAA/MPAA/??AA/etc but as a matter of fact, general society does, and we -do- still support them (by seeing movies, buying cds, etc)
OTOH, no bank has a monopoly. As soon as Passport gets picked again, and credit cards numbers are out, people won't use it, and will demand a different method. (Note: viruses on desktop computers don't matter to people, because the general public doesn't store crucial data on their home computers) --
As soon as people start demanding non-Passport methods of authentication, banks -will- provide.
This Windows XP (tm) installation does not match the hardware profile recorded at activation. Press "OK" to charge credit card on file with Passport $199.99 for new Windows XP (tm) lisence. Press "Cancel" to remove the unauthorised copy of Windows XP (tm) from your system.
Ñ'
Why in God's name would I trust a company that changed its privacy policy overnight, much to the chagrin of millions of people worldwide (Hotmail.com)? Why would I trust a company that surreptitiously modified the EULA of their _media player_ to include consent to modify the DRM / OS it runs on?
I trust my VISA (and credit card companies in general), because they tend to work in my interest and take care of me when I have bonafide problems with unauthorized usage and such. I have zero trust in Microsoft, a company that has systematically undermined my digital rights on a regular basis without apparent consideration of what I want. It may be "good for business", but it's not good for me.
That being said, I plan on reformatting my Win2k boxes at home this weekend and uninstalling the Media Player. I'll also be removing the "Automatic Updates" feature they added to their "Windows Update" site recently -- I don't trust them not to modify my preferences there, either.
In Denmark some of the major telecompanies have just released a method where you can pay with your mobile number. In this case you register your credit card to your mobile phone. When you want to do a purchase, you type in the mobile number (more easy to remember), and the system verifies it by sending a SMS to you phone that you'll need to verify by typing in a pin-code.
Now this is a very secure way of doing business. Of cause no system is 100% secure. But in the same manner as the passport solution, you still need to register your credit card to a database, connected online, that can be contacted by the merchants. Sound similar to me.
Of cause you still have the additional security of the SMS and the pin code and Microsoft don't have the best reputation when it comes to securing their systems. But it still gives time for thought.
-:) Oh no - not again.
www.rednebula.com
You can do NOTHING on Yahoo's auction site unless you give Yahoo a credit card to "verify your identity". One of the many reasons eBay has complete domination of Yahoo Auctions in America is this fact. Privacy isn't even the biggest issue.... It's the fact that few will stake their credit card on a company who has proven that they will change EULAs in midstream. Remember when Yahoo bought GeoCities, then claimed various ownership rights to all of the content?
What REALLY pisses me off about this? International commerce. It is impossible for me to directly by goods from auctions.yahoo.co.jp (Jahoo Auctions Japan). Yahoo's Wallets are localized, and if I don't have a credit card or account to a Japanese bank, I can't use that yahoo auctions website. I can't even ask a question to the seller! To that website, no member can live outside of Japan....
What happens to your "choice" when all the bank use Passport? There aren't as many banks as there used to be and an oligopoly is nearly as effective as a monopoly. The RIAA wouldn't be an issue if there were viable music labels that didn't participate in it. An oligopoly can be ad hoc as well without any organizational structure -- I dare say we all object to crazy ATM fees (weren't ATMs supposed to save the bank money?) but we all end up paying them.
I am not a number! I am a man! And don't you
Seriously, you have a bigger risk of getting your credit card number stolen when you pay for your dinner at a restaurant with it then by submitting it to a website using SSL. Not only does the waiter/waitress handle your card, but in a lot of places they'll swipe it in a magnetic card reader that sends it unencrytped over a phone line, or worse, they'll use a POS system that stores the entire swipe data in an unencrypted text file on their local server's hard drive... which will later send it out over a phone line unencrypted.
Microsoft is evil, but they aren't stupid. If they screw this up the class action lawsuit that will result would likely put them out of business. Wait, maybe we should all sign up, and get Johnnie Cochran on retainer, before Microsoft hires him and we lose to the Chewbacca defense ;)
Online shops cannot afford to require anything from their customers. The point in running a shop is selling; selling means to make buying as easy as possible. This is especially true on the Net where the customer can even remain sitting in her chair while leaving the shop and entering the competitor's. So how is this going to work? Successful online shops already know the rules and won't even try to require anything from the customers. Those who try will notice soon.
After all, digital signatures (as a legal concept) and all those esoteric digital payment schemes didn't take off; online shops just don't need them. They are even willing to take some risk if this helps them to gain new customers.
Waiting for their next smart idea ...
http://erichsieht.wordpress.com/category/english/
The book recently review on Slashdot, Translucent Databases does a good job of explaining how databases can be designed to provide these types of services (credit card authorization, central storage of information, etc.) in such a way that compromising the database does not provide the cracker with any information. Furthermore, an administrator or executive can glean no more information from the database than can a cracker, yet the database serves its purpose, while protecting the information it contains.
I went an ordered the book after reading the review here on slashdot and I must say that the methods discussed are quite interesting and I'm very likely to start incorporating them into my database designs as I go forward. In some respects, the book isn't laid out/designed very well for "flow", but it does contain very good information and it challenges the reader to think about the material in new ways.
If you're worried about securing data against everyone except for the people/applications that need to access it, check out this book.
Cheers.
Ease up. We should actuall chear and appload. This move immediately makes it a valid target for EU data protection law and similar legislations everywhere. Before it was questionanle. Now it is fair game because it is a financial service and subject to a serious regulatory regime in most countries. By the time it gets to market its venomous teeth will be extracted and replaced with harmless prostetics ;-)
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
This is known as 3D Secure or verified by Visa. Just because MS is offering the client piece (and this is what they do) they do not have access to all your personal information. Here is how it works: When you choose to pay through 3D Secure you enter your credit card # at the merchant, the merchant talks to his acquirer, the acquirer figures out whether the Issuer who gave you your credit card is enrolled in 3D Secure (by talking to the so-called Visa directory) and then they redirect you to the Issuer of your credit card. Now the Issuer (and last time I checked MS is NOT an Issuer) will have to identify you. This is where Passport comes into play. Passport does the auth piece for you (Kerberos in Passport's case if I am not mistaken) and sends the ticket to the Issuer. The Issuer compares whether the auth piece and the CC number match and generates a response token for the merchant. This response token gets transmitted back to the merchant (by the means of standard passport auth I suppose), the merchant takes this response token and sends it to his merchant acquirer. The merchant acquirer now sends it through the Visa Directory back to the Issuer and the Issuer compares whether this is a replay or whether this is a valid token. If it was a valid token the transaction is authorized. So, bottom line is, Passport is the authentication piece. Whether you trust MS Passport or not is one thing, but they do not get access to your CC data. And by hijacking a passport you still cannot go shopping on behalf of the account owner. Check your facts guys.
The scary part isn't here yet, at least not all the way.
Passport is the string that ties it all together. You will need passport to conduct business, either as a buyer or seller. I'm sure there will be "merchant" (lack of a better word) accounts which costs a bundle for the seller and they must have them to collect.
But currently many people are safe. You are nagged to death to get a passport or associate your passport with Windows but you can have a passport without Windows. The day will come however where you it is a must!
It truly scares me. I can see how three business steps, maybe two, could control the whole industry. And I'm not just talking about the "Desktop" market or even the computer market, I'm saying they could literally grab chunks of the Internet and put it in their own pockets.
Congress and the Justice Department need to jump on this and look into their plans before it's too late.
That is if anyone is serious about our or privacy or freedom.
Get your Unix fortune now!
I discovered recently that hotmail and, in fact, all passport sites are nolonger case sensitive when it comes to passwords.
This rather bothers me.
It used to be that I had to use the proper case to login. Somewhere along the way, microsoft did something to change my password (which I had assumed was stored encrypted) to make case insensitive.
comment directly in my journal
Here is my simple solution to MS' latest Passport move:
- Find what I want online, and then pick up the telephone and dial the toll-free number to order.
Problem solved. Passport dies a slow and embarassing death.I'm a 2000 man.
If you're set to 'always sign me into any passport site' then when you go to a passport site after having earlier checked your hotmail account, you find yourself automatically logged in, whether you actively wanted to use passport there or not. For a long time I visited no passport sites other than hotmail, and it never affected me. Now there are a couple I go to, and at first finding myself automatically logged in as whatever identity's email I happened to check last was really disconcerting. I have several hotmail accounts, but the whole passport thing is based on the assumption of one computer, one person, one identity. I feel like I should be able to be logged in at msdn.microsoft.com using my work/business hotmail account, while still reading email from one of my personal hotmail accounts. Can't do it. Even though they're separate sites, they completely identify you by your passport cookie, so you can only be one 'identity' to all of them. If passport verification starts popping up all over the place, other people will run into this issue too.