Slashdot Mirror
Microsoft Launches Passport
Microsoft today "launched" Passport. Passport is an on-line wallet service, meaning that all your billing and other information is stored centrally with Microsoft, so that you don't have to retype it every time. Passport was used by a few Microsoft sites before, but with today's announcement, an additional fifty or sixty sites have adopted the technology. While my initial concerns were about privacy, they were mostly (but not completely) covered by the aforelinked press release. A news.com article cites a research analyst as saying that one day, Microsoft may wish to take a percentage of the profits, and go for a monopoly on e-wallets. Certainly is a lot to speculate on here...
I think it would be fair to say that I'd trust Microsoft to secure my data if I made a credit card purchase over the phone, where there's no implicit connection with the outside world. I might even trust them if I made a purchase via the Internet, and it was a one-time thing, because they would (at least theoretically) simply pass the number straight to their processor, without actually saving it on their servers.
But I don't trust Microsoft to take my credit card number and selectively make it available to others, in the mould of Microsoft Passport. That seems like a far riskier proposition than trusting them for a single order.
D
----
I worked in the test department next to the passport people, and for various reasons I actually got a rundown in how it worked at one point.
Basically, it's to keep your credit card number from EVER crossing the ether using a public/private key challenge system to log a transaction. The site you visit bills Passport, Passport bills your credit card, and the number never goes anywhere. Since each transaction is logged seperately using a different ID, you can review your transactions online (theoretically) and make certain that they were all transactions that you ordered.
Me? I'll avoid it like the plague. This is MS, after all.
Oh, and I only tested software there. Don't blame me - they didn't listen to me when I found the bugs, so it ain't my fault. ^_^
InThane
5) Creates another company which has detailed records of your spending profile complete with name, address, phone number, etc. Hooray for "targeted marketing".
4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?
3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!
2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!
1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.
I've seen this coming a mile away from the beginning of the browser wars and the rumbles about microsoft owned websites. The obvious hope is that by having control of the desktop operating system they have control of the browser. By having control of the browser they have control of the sites initially visited by the user (an exceedingly large percentage of people don't change their startup page). By having control of the sites initially visited, and leveraging this "e-wallet" they also make money from every purchase.
Ah well, such is life in corporate America.
Novell made an announcement about digitalme (http://www.digitalme.com) about a week before the Microsoft announcement. Digitalme seems similar, except it's not demanding your billing information, and it's designed to let you control what parts of yourself you want to share with whom. And it's using their directory services to do it. I have no idea what Microsoft's backend is. Overall, Novell's concept seems less creepy.
Novell's also talking about freely releasing some of the digitalme tools--of course, you'll need Novell stuff to do it, but it's a start...
-- Of course I'm paranoid. I'm a sysadmin.
Ok, so I forgot to read one line of the previous post. :) Here's some info on Amex's "Wallet"
But remember, it isn't a matter of "trusting them with a single order". If you make a single order, they have your credit card information. This is no different from if you signed up for "Microsoft Passport". They could just as easily make your card number available to others in either case.
...and it was a one-time thing, because they would (at least theoretically) simply pass the number straight to their processor, without actually saving it on their servers.
...where there's no implicit connection with the outside world.
Perhaps the misunderstanding comes here:
In actuality, the card authorizers, accounting departments, etc. all require audit trails for everything, including card numbers. The last retailer I worked for kept this information for at least a month in the "live" system and essentially forever in their backups. They weren't unusual.
They have to save this data for the simple reason that if you contest the purchase, they have to be able to show what actually occurred. Not to mention the plethora of systems problems that might require the retailer to go to original data simply to get paid.
(Of course, the marketting department often gets its greedy little mitts on the data, but that is a different story.)
It is actually much easier to intercept a phone conversation then to install a packet sniffer. It takes only a few dollars worth of equipment from radio shack. (And lest you think that this is rare, the people two houses from me down got a $900 phone bill last month caused by two kids who did exactly that.) Also, in a phone conversation, you are essentially giving your card number to someone who likely makes around $6/hr.
One of the advantages of e-Commerce is that fewer people see your card number. In fact, if all goes correctly, no human being will actually see it. Contrast that to real world purchases, where we often hand our cards to low-paid teenagers without thought. (Most of whom are honest, but it only takes one with a head for numbers...)
The cake is a pie
Now an e-mail attachment can spend all your money. I truly feel sorry for the people who are going to get burned, burned, burned by this.
But hey, I'm sure Truste will assure us that everything is A-OK. And if we do get robbed, they'll be quick to assure is that it won't happen again.
p.s. -- I wouldn't even sign up for this if someone other than Micorsoft were doing it. So you can imagine how I feel about having someone so security unconscious as them managing it.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
Hey you!
Yeah, you there, the guy using the mouse as a foot
pedal!
Do you hate having to type in a shipping address
every time you order on the Internet? Or worse,
are you having trouble remembering your own
address?
NO PROBLEM! Microsoft is here to help! We'll take
care of all those pesky details for you. Our new
Passport software is your ticket to a stress-free
junk-filled life. The next version will even wax
and declaw your cat for you!
How much would you pay for this amazing piece
of ultra-modern technology? $50? $100? $1000?
Well, hold on to your hat! Microsoft are giving
away Passport for absolutely nothing!
That's right! In exchange for a complete personal
profile, including address information, and credit
history, which as we all know is worth absolutely
nothing to anybody, Microsoft will give you
Passport, a passport, if you will, to a future
of black velvet elvis paintings at knockdown
prices.
Worried about security? Don't be. Your most
private personal details will be stored in
the most secure form known to science, a
"hard disk". This revolutionary device encodes
information using the science of magneticism
in a form far too small for the human eye to
read. If a hacker were to gain access to this
"hard disk", he or she would never be able
to read the information it contained, even with
a high-powered magnifying glass!
Just remember, Big Brother is watching you, and
he cares!
[Insert standard EULA and disclaimers here, in
really small writing so the suckers won't bother
reading it, haha! - BG3]
K.
-
-- Proud descendant of semi-nomadic cattle-herders.
Of course no \. readers are gonna trust MS with this inane idea! Most everyone here rails against MS at every chance they get, and mostly with good reason.
The issue is, how to get the word out to all those happily blind folks who think the 'integration' MS offers is the best thing since cheese coming in indivually wrapped slices. Most every MS supporter out there likes the MS products cause they're easy to use and everyone else uses them- and they support such with the same vehemence the anti-MS crowd voices.
So, do we pray that an Open Source model of such a thing is quickly offered as an alternative? I doubt that would work as speed is not a common OS trait, and more people would be less likely to trust such a thing in today's mindset.
So who will be the alternative? Would a banking coalition be a better alternative? At least they've historically protected accounts, mostly.
Or perhaps the issue is to point out to people that simply putting your CC#'s in a pswd protected tect file on your HD, then open it, copy it, paste it, into an order site is just as quick as 'assport.
I mean, sheesh, I'm all for saving time, but it takes, what?, 3 minutes to fill out an order form online?
I would NEVER use such a service provided by ANY company which has shown such blatant disregard for the consumer as MS. Of course, 75% of the population is unaware of these tactics. So 'assport will be the default until someone cracks it and folks loose big money.
Perhaps they can apply for FDIC?
Kinda like Moe, but just a little more Kool
Microsoft teams up with some of the bigger e-Commerce sites, Amazon.com, eBay, Reel.com, whomever, and says, "We'll give you a bunch of co-marketing dollars to start using Microsoft Passport." Of course, the sites go for it because they just want to make money.
"Everyone" is already using Microsoft Internet Explorer because it's part of Windows and "everyone uses Windows." Next time an MSIE user goes to one of those sites, a new AciveX component will download and they'll get a little message, "Try Microsoft Passport - we'll handle your billing for you! You'll never have to enter your billing information again!"
The average user isn't going to have any idea what's going on - they only know that they like Amazon.com's "One-Click Shopping" option and if they can get ALL websites to act like that, even better! Clickety-click and their data goes straight to Microsoft.
It's not about the security or technology -- it's all about how well you can market and making it easier for the sheep to follow the rest of the flock. Hence Microsoft's dominance.
-=-=-=-=-
-=-=-=-=-
My mom's going to kick you in the face!
If you work in the financial services industry like I do. It has been clear to me for a long time that Microsoft wants to skim the cream off of all the financial services industry. They want to cut into the business of MasterCard, Visa, etc. They want to cut into the general banking, mortgage, etc. business. In the future most financial transactions will be done at least partially online, and if we aren't careful, Microsoft will be getting a piece of every transaction.
What irks me is that management just doesn't see Microsoft as a competitor. We shouldn't be buying any of our competitor's products, because we are funding Microsoft to move into our own markets.
I'm afraid they won't see it until it is too late.
OK we seem to have a typical /. inferno going on here. Maybe a little pause for thought is called for?
...
I'm no m$ "believer", but I do use their stuff (as well as Solaris/Sybase/perl/java etc etc), and I guess I differ from some people here in that I don't automatically assume everything Bill touches is useless.
So what's with the Wallet? Well first off it clearly states that the wallet itself (and by extrapolation M$ and their retail partners) will not actually have anything to do with cash, credit or clearing. So the posts about getting Fed Res clearance are really a bit lost. All Wallet does is store your CC number(s) and delivery details in a central db. This info is supplied as required to the vendors, to enable them to perform a transaction. The transaction itself is still between the vendor and the CC company. (This is what I get from reading the press release - if anyone has any more practical info on how it works please let us know!).
Now lets evaluate
In theroy this is a great idea. The major security risks in online commerce are twofold - (a) Someone intercepts your details in transmission to the vendor, or, (b) the vendor acts dishonestly/carelessly. If the link from MS->Vendor was secured beyond the level usually used in a browser, then the risk from (a) is lowered dramatically. Also, as the novice user will be encouraged to only shop at "certified" stores, the risks from (b) will be reduced.
But of course we don't know what M$ plan implementation wise, and there are huge doubt's about their ability to secure a large system properly. To be fair, I think that in several cases (notably Hotmail) their security is no worse than anyone elses, they just get targetted more. This is not an excuse for not being proactive though! The questions I would ask are:
* How is the link from MS->Vendor secured?
And I want details!!
* Who will be liable in the event of dispute?
This is an important one, usually (here in the UK anyway) if you have a dispute with a vendor then legally the CC company is equally liable to pay you back. If they cannot prove you authorised the txn, then you cannot legally be billed for it. SO assuming the CC companies are on board with this one, they will have to sort out a good way that disputes can be settled quickly and in most cases in the favour of the client. I personally don't care that much if fraudulent txn's go against my card, provided I don't end up paying!!
* Are the CC companies 100% on board with this? Will we get them trying to wriggle out later saying they never approved this for payments and so denying liability?
* Can we have some kind of external audit of how the data is used. I'm not really worried about some kind of big brother m$ collecting info about which pr0n sites I subscribe to, rather that I would prefer they didn't send my home address to their marketing dept. In the UK there is law regarding this, which they would have to comply with, not sure about the legal situation elsewhere.
So assuming all these questions were answered to my satisfaction, I'd probably be fairly happy using the system. Implemented well it would be a positive boost to online security and convenience.
Adam.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
Well, the way it all works is simple. Microsoft bought MSN Hotmail because simply put there were 45 million accounts already in use.
The slapped a "Passport ID" inside the "dat" (user login file) file for every user already on hotmail.
Then, they made changes to the Hotmail DB lookup system so that it could be used in other implementations.
On all of these sites, they query the hotmail db's, they check the passport ID's, and boom, you're logged in.
Basicly this was a fairly good attempt, regardless of the implementor or who's pocket it came from, to start a centralized password database.
Believe it or not, the only thing that really needs to be feared from hotmail employees is when you piss them off. There are 45+ million different accounts. It's alot of effort to get into those machines to see such text. There's about 15 people who have access to it.
Microsoft may own Hotmail, but they have no direct footage to "look at the information" for their own needs.
Hell, the FBI had a hard enough time.
Anyways..
-An ex hotmail internal veteran...
http://webfunds.org/webinstalldemo/ -- using DigiGold, a currency layered on top of a
'net currency that not only works but has worked for three years+, whether or not I've
been able to get much media coverage of that fact.
http://www.systemics.com/docs/ricardo/ has information on the underlying source, etc.
http://www.cryptix.org/ has information on strong java crypto (also open-source).
http://www.digigold.net/ (under construction) has more information on the currency.
http://www.e-gold.com a 100% metal-backed (gold, silver, platinum, or palladium)
currency.
http://www.FlyingRat.org a spam blocking service using small (or not so small) e-gold
payments.
Yes, I wish this stuff would get more notice than it has gotten. Yes, I'm sure some of
you will say this is "spam." (Get over it.)
JMR
Try e-gold - (contact me). I'm NOT e-
Next week, I'm gonna let Bill Gates and Steve Balmer perform open-heart surgery on me, too.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Ok, like I trust microsoft with billing information. I know someone who has personally had their credit card number mis-handled and charged three times by them. Also, I dont trust windows NT to handle this over-securly. This "passport" technology would be a good idea if someone like mastercard, or amex implemented it. IE: you have a public key for each retailer, encrypt your "passport" and send it to the retailer and they decrypt it with their private key and contact the "passport" site for more information on private lines. That would rock.
amex seems to be doing this with the "blue" card in some ways.
Sounds cool. But i want some real company about privacy that gets nastily audited for this, not microsoft.
-- dieman - Scott Dier
I can understand why someone would want to avoid having to type in their card #, address, etc over and over again, but -- call me clueless -- why would I want this info on a central server rather than my own machine?
The "obvious" approach seems to me, to have a standard format for querying billing info, similar to how cookies work, and then have the user's machine pop up a "Supply/Deny" question. Why aren't they doing this?
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
My current credit card company has very good anti-fraud policies. What's the point of adding a second layer of cost and complexity?
--
Yes, passport is the reason for the hotmail security hole.
When passport was first announced more than a year ago looking for early implementers, the serious hackers targetted it with an intensity unseen in recent years. Imagine a service with all the quality of a M$ product, the track record of M$ for lax security, holding thousands or millions of credit card numbers.
This is an infocriminals dream, because just one copy of this database could be exploited for billions of $$$ of bogus charges. There are organized crime groups around the world already set up to rip off the credit card companies with thousands of electronic scams. All they need is a valid credit card number, expiration date, and the holders name.
So when the hotmail hack was discovered, it was by a group probing every aspect of the passport service, and all the connections MICROS~1.OFT was making into other web sites.
Now there are hundreds of sites with an end point leading into passport. What do you want to bet that one of them has some other security problems because they run IIS, and some crackers will be able to get thru the encrypted tunnel back into the passport service. Not likely they will get more than a handful of CC numbers before the hole gets closed. Crackers tend to be immature kiddies looking for some attention, so they will blab about their exploits. The serious infocriminals will milk any hole for all it is worth, and not make any announcements to HNN or attrition.
Microsloth's only publicly acknowledged security aspect of passport is they are going to seed the database with 'tripwire' records, which will trigger anti-fraud measures when someone tries to use them with the CC companies (oh, and they use encryption).
There are rumours it will be built into the desktop of millenium, so it will always be a click away, with annoying warnings to those lusers who are not using it. I doubt this service will become widespread, since it is bound to get abused at some point. Public confidence will go down when the press has a field day when the system is cracked once, even if it doesn't lead to the loss of any CC records.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
This is not a new idea, and this is not a particularly dangerous idea, either. If you've bought more than once from Amazon, you've used a similar system.
Basically, Amazon saves your card number the first time you buy, so that when you come back, they can say "Charge card XXXX XXXX XXXX 1234?". The fact that you don't have to key the number is only a trivial advantage. The real advantage is that you don't have to send the number over the wire. Amazon knows what it is already, so they can simply charge the number they have, avoiding the need for sending the number where it could potentially be seen by evil criminal types.
(An overblown danger, but that's another story...)
This is all a good thing. It is not even a matter of "trusting" Amazon more than you otherwise would, because simply to buy things, you've got to trust them with your number. They will have it, and they will be saving it for financial purposes for at least a month, regardless. If you don't trust them with this, you shouldn't buy from them. (Note that the same goes for any retailer, internet or physical!)
Now most people probably trust a company like Amazon at least in terms of finances. Amazon is not likely to go charging your card up randomally. Most people assume they will be fairly careful with your number. (They probably won't be as careful as you think, but that's another story.) They are a big, known company. Where the trouble comes in is with tiny little companies that no one has ever heard of. Do you trust them with your number? That officially looking site could just be one guy in a basement. Give him your number, and you give him the ability to charge thousands of dollars in your name.
So what to do? An obvious solution is to do what is being done above. You give your charge number to some large company that you know will not abscond with it, charging it to the limit. Then you tell the little podunk companies to charge the big company. Your liability goes down. Your charge number doesn't fly across the wire every time you make a purchase from a new company. These are good things. This is more secure then sending your card number directly to everyone you buy from.
The only question is whether or not you trust Microsoft to secure your data. This is the same question you should be asking were you to make a purchase from Microsoft over the wire (or over the phone), as the data is the same.
The cake is a pie
I have been wishing for something like this for at least the past two years. I am tired of having to remember usernames/passwords for every site I use. And having to supply billing/shipping address and CC information every time I make a purchase is a pain.
BUT, I am MORE than a little leary of Microsoft being in the position of providing a solution to this problem. I simply do not trust them with this type of information, and I don't trust them to provide a fail-safe mission critical service that MUST be up 24/7.
I think most of us would agree that in principle this is a good idea, just that this particular implementation might give the clueful user pause.
But, how hard is this to do? Could the OSS community develop a distributed, secure, web-based single-logon facility?
The components of such a system could be as follows.
1. A standard for user information. Another post already mention just such an open standard.
2. A 'logon server' which provides user information to client web sites at a user's request.
3. A standard, open, secure protocol with which a client web site interacts with a logon-server.
4. A user who registers with a 'logon server' and specifies the information they are willing to provide other client web-sites. The user also specifies a backup logon server which will mirror their information.
5. Client web sites which modify their logon procedure to gather user information from a user specified 'logon server'. No registration would be required on the part of the client web site.
Each 'logon server' could actually be many servers. It would be relatively easy to distribute the load as most of the activity would be of a read-only nature, making the replication of user data across servers fairly simple. User updates to their data are another issue, but they would be relatively infrequent.
How would anyone make money? Banner adds on the logon server's logon page perhaps. Re-selling consumer buying patterns would most likely be the biggest source of revenue. There is nothing wrong with this as long as nothing which could indentify you uniquely is revealed. I don't care if someone wants to know what the buying patterns of a 28yo white male in such and such an income bracket are.
It is important to note that the user would chose their single logon service, and could change/cancel at any time.
It would be an open standard, with all the code required to start a logon server available freely on the web. This would hopefully prohibit any one service from gaining a monopoly stranglehold on the market.
CrACkRZ WheEL oF fORtUne! v0.99.14.151
[Win2000 4.00.004 SP7]
[Click here to start]
Checking e-wallet status... Done.
Checking bank account status... Done.
Checking permissions...
One moment please...
How much money would you like to add to your e-wallet? NOTE: if sum > US$ 1,000,000 you could be in TROUBLE!
Enter sum and press [Enter]:99999
US$ 99,999 added to e-wallet account!
Thank you for using CrACkRZ WheEL oF fORtUne!
Bill "Hotmail God" Gates: would you like this man to take care of your money? Thanks, but no thanks.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Anyone from the Lopht, or Counterpane care to comment?
I found no matches searching in SecurityPortal
or SecurityFocus, so far. Nor in Google.
nor Altavista.
Is this the sort of thing I have to forbid
my mother from trying?
"This is where you will go today."
--
Is this sort of like what American Express has done with "Blue?"