Slashdot Mirror
Microsoft Launches Passport
Microsoft today "launched" Passport. Passport is an on-line wallet service, meaning that all your billing and other information is stored centrally with Microsoft, so that you don't have to retype it every time. Passport was used by a few Microsoft sites before, but with today's announcement, an additional fifty or sixty sites have adopted the technology. While my initial concerns were about privacy, they were mostly (but not completely) covered by the aforelinked press release. A news.com article cites a research analyst as saying that one day, Microsoft may wish to take a percentage of the profits, and go for a monopoly on e-wallets. Certainly is a lot to speculate on here...
I worked in the test department next to the passport people, and for various reasons I actually got a rundown in how it worked at one point.
Basically, it's to keep your credit card number from EVER crossing the ether using a public/private key challenge system to log a transaction. The site you visit bills Passport, Passport bills your credit card, and the number never goes anywhere. Since each transaction is logged seperately using a different ID, you can review your transactions online (theoretically) and make certain that they were all transactions that you ordered.
Me? I'll avoid it like the plague. This is MS, after all.
Oh, and I only tested software there. Don't blame me - they didn't listen to me when I found the bugs, so it ain't my fault. ^_^
InThane
5) Creates another company which has detailed records of your spending profile complete with name, address, phone number, etc. Hooray for "targeted marketing".
4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?
3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!
2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!
1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.
I've seen this coming a mile away from the beginning of the browser wars and the rumbles about microsoft owned websites. The obvious hope is that by having control of the desktop operating system they have control of the browser. By having control of the browser they have control of the sites initially visited by the user (an exceedingly large percentage of people don't change their startup page). By having control of the sites initially visited, and leveraging this "e-wallet" they also make money from every purchase.
Ah well, such is life in corporate America.
Now an e-mail attachment can spend all your money. I truly feel sorry for the people who are going to get burned, burned, burned by this.
But hey, I'm sure Truste will assure us that everything is A-OK. And if we do get robbed, they'll be quick to assure is that it won't happen again.
p.s. -- I wouldn't even sign up for this if someone other than Micorsoft were doing it. So you can imagine how I feel about having someone so security unconscious as them managing it.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
Hey you!
Yeah, you there, the guy using the mouse as a foot
pedal!
Do you hate having to type in a shipping address
every time you order on the Internet? Or worse,
are you having trouble remembering your own
address?
NO PROBLEM! Microsoft is here to help! We'll take
care of all those pesky details for you. Our new
Passport software is your ticket to a stress-free
junk-filled life. The next version will even wax
and declaw your cat for you!
How much would you pay for this amazing piece
of ultra-modern technology? $50? $100? $1000?
Well, hold on to your hat! Microsoft are giving
away Passport for absolutely nothing!
That's right! In exchange for a complete personal
profile, including address information, and credit
history, which as we all know is worth absolutely
nothing to anybody, Microsoft will give you
Passport, a passport, if you will, to a future
of black velvet elvis paintings at knockdown
prices.
Worried about security? Don't be. Your most
private personal details will be stored in
the most secure form known to science, a
"hard disk". This revolutionary device encodes
information using the science of magneticism
in a form far too small for the human eye to
read. If a hacker were to gain access to this
"hard disk", he or she would never be able
to read the information it contained, even with
a high-powered magnifying glass!
Just remember, Big Brother is watching you, and
he cares!
[Insert standard EULA and disclaimers here, in
really small writing so the suckers won't bother
reading it, haha! - BG3]
K.
-
-- Proud descendant of semi-nomadic cattle-herders.
Microsoft teams up with some of the bigger e-Commerce sites, Amazon.com, eBay, Reel.com, whomever, and says, "We'll give you a bunch of co-marketing dollars to start using Microsoft Passport." Of course, the sites go for it because they just want to make money.
"Everyone" is already using Microsoft Internet Explorer because it's part of Windows and "everyone uses Windows." Next time an MSIE user goes to one of those sites, a new AciveX component will download and they'll get a little message, "Try Microsoft Passport - we'll handle your billing for you! You'll never have to enter your billing information again!"
The average user isn't going to have any idea what's going on - they only know that they like Amazon.com's "One-Click Shopping" option and if they can get ALL websites to act like that, even better! Clickety-click and their data goes straight to Microsoft.
It's not about the security or technology -- it's all about how well you can market and making it easier for the sheep to follow the rest of the flock. Hence Microsoft's dominance.
-=-=-=-=-
-=-=-=-=-
My mom's going to kick you in the face!
If you work in the financial services industry like I do. It has been clear to me for a long time that Microsoft wants to skim the cream off of all the financial services industry. They want to cut into the business of MasterCard, Visa, etc. They want to cut into the general banking, mortgage, etc. business. In the future most financial transactions will be done at least partially online, and if we aren't careful, Microsoft will be getting a piece of every transaction.
What irks me is that management just doesn't see Microsoft as a competitor. We shouldn't be buying any of our competitor's products, because we are funding Microsoft to move into our own markets.
I'm afraid they won't see it until it is too late.
OK we seem to have a typical /. inferno going on here. Maybe a little pause for thought is called for?
...
I'm no m$ "believer", but I do use their stuff (as well as Solaris/Sybase/perl/java etc etc), and I guess I differ from some people here in that I don't automatically assume everything Bill touches is useless.
So what's with the Wallet? Well first off it clearly states that the wallet itself (and by extrapolation M$ and their retail partners) will not actually have anything to do with cash, credit or clearing. So the posts about getting Fed Res clearance are really a bit lost. All Wallet does is store your CC number(s) and delivery details in a central db. This info is supplied as required to the vendors, to enable them to perform a transaction. The transaction itself is still between the vendor and the CC company. (This is what I get from reading the press release - if anyone has any more practical info on how it works please let us know!).
Now lets evaluate
In theroy this is a great idea. The major security risks in online commerce are twofold - (a) Someone intercepts your details in transmission to the vendor, or, (b) the vendor acts dishonestly/carelessly. If the link from MS->Vendor was secured beyond the level usually used in a browser, then the risk from (a) is lowered dramatically. Also, as the novice user will be encouraged to only shop at "certified" stores, the risks from (b) will be reduced.
But of course we don't know what M$ plan implementation wise, and there are huge doubt's about their ability to secure a large system properly. To be fair, I think that in several cases (notably Hotmail) their security is no worse than anyone elses, they just get targetted more. This is not an excuse for not being proactive though! The questions I would ask are:
* How is the link from MS->Vendor secured?
And I want details!!
* Who will be liable in the event of dispute?
This is an important one, usually (here in the UK anyway) if you have a dispute with a vendor then legally the CC company is equally liable to pay you back. If they cannot prove you authorised the txn, then you cannot legally be billed for it. SO assuming the CC companies are on board with this one, they will have to sort out a good way that disputes can be settled quickly and in most cases in the favour of the client. I personally don't care that much if fraudulent txn's go against my card, provided I don't end up paying!!
* Are the CC companies 100% on board with this? Will we get them trying to wriggle out later saying they never approved this for payments and so denying liability?
* Can we have some kind of external audit of how the data is used. I'm not really worried about some kind of big brother m$ collecting info about which pr0n sites I subscribe to, rather that I would prefer they didn't send my home address to their marketing dept. In the UK there is law regarding this, which they would have to comply with, not sure about the legal situation elsewhere.
So assuming all these questions were answered to my satisfaction, I'd probably be fairly happy using the system. Implemented well it would be a positive boost to online security and convenience.
Adam.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
I can understand why someone would want to avoid having to type in their card #, address, etc over and over again, but -- call me clueless -- why would I want this info on a central server rather than my own machine?
The "obvious" approach seems to me, to have a standard format for querying billing info, similar to how cookies work, and then have the user's machine pop up a "Supply/Deny" question. Why aren't they doing this?
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Yes, passport is the reason for the hotmail security hole.
When passport was first announced more than a year ago looking for early implementers, the serious hackers targetted it with an intensity unseen in recent years. Imagine a service with all the quality of a M$ product, the track record of M$ for lax security, holding thousands or millions of credit card numbers.
This is an infocriminals dream, because just one copy of this database could be exploited for billions of $$$ of bogus charges. There are organized crime groups around the world already set up to rip off the credit card companies with thousands of electronic scams. All they need is a valid credit card number, expiration date, and the holders name.
So when the hotmail hack was discovered, it was by a group probing every aspect of the passport service, and all the connections MICROS~1.OFT was making into other web sites.
Now there are hundreds of sites with an end point leading into passport. What do you want to bet that one of them has some other security problems because they run IIS, and some crackers will be able to get thru the encrypted tunnel back into the passport service. Not likely they will get more than a handful of CC numbers before the hole gets closed. Crackers tend to be immature kiddies looking for some attention, so they will blab about their exploits. The serious infocriminals will milk any hole for all it is worth, and not make any announcements to HNN or attrition.
Microsloth's only publicly acknowledged security aspect of passport is they are going to seed the database with 'tripwire' records, which will trigger anti-fraud measures when someone tries to use them with the CC companies (oh, and they use encryption).
There are rumours it will be built into the desktop of millenium, so it will always be a click away, with annoying warnings to those lusers who are not using it. I doubt this service will become widespread, since it is bound to get abused at some point. Public confidence will go down when the press has a field day when the system is cracked once, even if it doesn't lead to the loss of any CC records.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
This is not a new idea, and this is not a particularly dangerous idea, either. If you've bought more than once from Amazon, you've used a similar system.
Basically, Amazon saves your card number the first time you buy, so that when you come back, they can say "Charge card XXXX XXXX XXXX 1234?". The fact that you don't have to key the number is only a trivial advantage. The real advantage is that you don't have to send the number over the wire. Amazon knows what it is already, so they can simply charge the number they have, avoiding the need for sending the number where it could potentially be seen by evil criminal types.
(An overblown danger, but that's another story...)
This is all a good thing. It is not even a matter of "trusting" Amazon more than you otherwise would, because simply to buy things, you've got to trust them with your number. They will have it, and they will be saving it for financial purposes for at least a month, regardless. If you don't trust them with this, you shouldn't buy from them. (Note that the same goes for any retailer, internet or physical!)
Now most people probably trust a company like Amazon at least in terms of finances. Amazon is not likely to go charging your card up randomally. Most people assume they will be fairly careful with your number. (They probably won't be as careful as you think, but that's another story.) They are a big, known company. Where the trouble comes in is with tiny little companies that no one has ever heard of. Do you trust them with your number? That officially looking site could just be one guy in a basement. Give him your number, and you give him the ability to charge thousands of dollars in your name.
So what to do? An obvious solution is to do what is being done above. You give your charge number to some large company that you know will not abscond with it, charging it to the limit. Then you tell the little podunk companies to charge the big company. Your liability goes down. Your charge number doesn't fly across the wire every time you make a purchase from a new company. These are good things. This is more secure then sending your card number directly to everyone you buy from.
The only question is whether or not you trust Microsoft to secure your data. This is the same question you should be asking were you to make a purchase from Microsoft over the wire (or over the phone), as the data is the same.
The cake is a pie
CrACkRZ WheEL oF fORtUne! v0.99.14.151
[Win2000 4.00.004 SP7]
[Click here to start]
Checking e-wallet status... Done.
Checking bank account status... Done.
Checking permissions...
One moment please...
How much money would you like to add to your e-wallet? NOTE: if sum > US$ 1,000,000 you could be in TROUBLE!
Enter sum and press [Enter]:99999
US$ 99,999 added to e-wallet account!
Thank you for using CrACkRZ WheEL oF fORtUne!
Bill "Hotmail God" Gates: would you like this man to take care of your money? Thanks, but no thanks.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)