Passport's Pocket Picked
emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?
Killing the messenger? (Score:4, Interesting)
"Well, it wouldn't have been too much of a problem until those meddling kids at Apache showed up..."
Don't put all your eggs in one basket (Score:4, Interesting)
"More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport..."
Egg.com sounds kind of ironic. Must be quite a marketing effort on Microsoft's behalf getting banks to deploy not tested technology on a mass scale.
File suit with the FTC (Score:5, Interesting)
You can't market a product as having qualities it doesn't have without getting into trouble with the FTC. Granted, MS will try to spin this as "Those bad Linux hackers will steal your data!" The fact remains that they've lied to the American consumer. I think they need to be forced to amend their advertising.
And this will be reported by who? (Score:5, Interesting)
In the end I guess I best move to the bahamas and start ordering lots of neat things with all these new credit card numbers that magically appeared in my hotmail account.
Re:What about PayPal etc.? (Score:4, Interesting)
it isn't just about hotmail and passport wallet (Score:5, Interesting)
The real risk here isn't to hotmail or passport wallet (passport wallet isn't really an integral part of passport, just another service using it for authentication). It is to all things using passport. That isn't so much right now. But if Microsoft has their way, it will be. The sample exploit used Hotmail and Passport Wallet simply because they are commonly used services.
I would also like to note that Microsoft has been quite forthcoming with details and admitting the problems and fixing them. They are very good at being reactive. We will have to see how well this works going forward.
Offline Forever (Score:3, Interesting)
the wallet service will remain offline until the company can add additional security features "to ensure that similar exploits cannot be used to compromise our user's credit card information."
What's the standard for this? Based on Microsoft's track record, a new exploit will come up regardless of how many patches are issued. No way I'm going to let them keep my personal data. Too bad the average consumer may not realize this.
Anyone ready for that negligence suit? (Score:3, Interesting)
Wow (Score:5, Interesting)
What folks need to do is hold off on publishing these exploits (as Microsoft requests) until they've got a lot more riding on it. When a couple of banks lose a couple of million bucks on this, not to mention the confidence of their customers, well, then you might get some real coverage.
Remember, Microsoft wants to build houses of straw, and likes to call anyone who points out they are made of straw terrorists. Of course, as soon as I see that attitude from someone I'm supposed to trust I run as far and as fast as I can, just as I'd run from a used car salesman who wouldn't let my mechanic check out the car.
Re:Killing the messenger? (Score:5, Interesting)
Imagine this scenario...
1) You discover a flaw that allows you to get hold of the credit card of everyone on the Internet
2) You tell the vendor and wait.
3) The vendor acknowledges the flaw and posts a patch
4) In between 2 & 3 "nasty evil little hacker" discovers the same flaw and exploits it to his economic advantage (but not enough to get himself caught)
5) Vendor discovers that "your" hack has been used against them for a period of time...
Who would you send the cops after ???
How would you go about proving your innocence? Don't get me started on "innocent until proven guilty" -- I don't buy it for a second...
6) spend 20-life in jail ???
Who pays for the stolen money? Can MS be sued? (Score:1, Interesting)
Hey if someone's credit cards get stolen due to a security hole in passport and a whole bunch of money gets stolen... can Microsoft be sued by the person whose cards were stolen or by their bank or somebody?
What if MS knows about a security hole but they leave it running while the patch is being worked out, and my money gets stolen.. then are they liable?
It seems like Passport might open up MS to lots of litigation if some major heist happens..
Economic Issues (Score:3, Interesting)
I have been ranting to all of my clients and friends about this sort of problem ever since MS came up with the idea of passport.
Scenario:
2 years from now 150 million people actually have their personal details and credit card numbers stored with MS (this isn't so now; people have Passport accounts by default due to Hotmail's reliance on it)
Another hack comes out and it is proven that the vast majority of credit card numbers for people were compromised.
Visa, Amex, Mastercard et al are forced to re-issue credit cards to all people using passport
The global economy is severely disrupted due to the downturn in online spending, the overall costs incurred by the replacement and the lack of consumer confidence in online shopping, banking, etc.
Microsoft point to the famous "we're not liable for jack shit" clause in the agreement.
So what happens? Does MS still get sued? Do the credit card companies just sit back, hemorrhage and go "Oh well, shit happens."?
Most importantly, do consumers finally realise that they have been taken for a ride for the last 7 years and boycott?
This really scares me. Giving personal details to any company is bad. Giving them to a company with a severely impaired security record is just plain stupid.
estimates of the number of Passport users? (Score:3, Interesting)
"Up to" is vague. It is true that "up to 7 billion people have as much money as Bill Gates", but it might be good to have a better estimate...
If you are counting hotmail accounts, many people have multiple accounts, which could get things up towards 200 million just in the US, so I am curious how many distinct users there really are. In particular, how many people have more than the default setup from having a hotmail account and actually have info in a Passport wallet? For people with multiple hotmail accounts (for different purposes, expired purposes or just forgot about it) presumably they would have one or only a few accounts with the credit card info and so on.
Re:And think... (Score:2, Interesting)
> How long until it becomes true, instead of being a
> whacked-out conspiracy theory fantasy?
Oh, I don't know. I think certain companies and groups in certain industries (Microsoft, RIAA, MPAA) are nearly there now. I'm half expecting someone to get arrested soon for possessing a pencil or a scanner (both highly illegal in a warped view of the already warped DMCA).
It seems that every few years/decades, some greedy moron(s) get some brilliant idea that will allow them to turn all their customers into cash cows, round them up, and milk them dry. Sooner or later, the usually placid customers start to resent such treatment and move on to the next, much greener, pasture (if the moron was lucky enough to have found some cows willing to be rounded up in the first place). This of course puts the idiots out of business. I'm sure the nice folks at Digital Convergence can explain that process to you in detail (assuming they have any staff left).
What we are seeing now is the usual greedy idiocy stuff, plus companies and whole industries that are feeling really threatened. Microsoft has pretty much reached the end of its Windows/Office gravy train and is thrashing around trying to figure out how to keep the cash coming in. The recording industry is facing the double threat of file sharing and basement recording studios. Hollywood is also troubled by Internet copying of movies, and has some reason to worry about digital video and the success of a film like Blair Witch (not to mention competition from the Internet itself as a form of entertainment).
Add to all that the uncertainty of the times, and you've got a bunch of scared, greedy folks who are grasping at anything to defend and expand their precious bottom line. Right now, they are all jumping on the intellectual property bandwagon. Sooner or later, John and Jane Q. Public are going to get fed up with their antics (probably when they try to tape the Super Bowl and find HDTV won't let them), and it will all stop.
For now, we need to work to keep said groups and companies from introducing idiotic laws. It also helps speed things along if you stop doing business with the idiots in question, and keep your family, friends, neighbors, and coworkers informed of what is going on. Aunt Judy may not be a loyal Slashdot reader, but she would really care about being hauled off to jail for possessing a VCR. Better get her to write her congresspeople before that happens. Just be sure to tell her not to send snail mail (Anthrax scare), email (not taken seriously), call by phone (busy signals last I heard), or send a fax (probably out of paper due to it being stored in infected office buildings). Hm, maybe our (USA) lawmakers employ a psychic?
Microsoft, in particular, needs to just throw in the towel. They don't have the security to begin to attempt something like Passport. You can't just slap a EULA on someone's wallet and say "Sorry, we aren't responsible". No amount of silencing security researchers or screaming "industrial terrorism" is going to cut it. Heck, Gates was on CNN this evening (talking about the stupid consent decree). He couldn't even face the camera and talk out of the front of his mouth like a real, honest person! Sheesh!
Happy Birthday, Godzilla! (The movie "Gojira" first aired in Japan on November 3rd, 1954.)
Re:Passport liability (Score:1, Interesting)
> Browser Not Supported
> Unfortunately, Microsoft®
> If you use Netscape Navigator 6.1: due to possible data security issues, you cannot currently access
What is this supposed to mean? (I'm using Mozilla 0.9.3) What feature does my browser lack?