Passport's Pocket Picked 327
emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?
Just when I was about to give in... (Score:1, Funny)
Re:Just when I was about to give in... (Score:1)
Re:Just when I was about to give in... (Score:2, Insightful)
Installing XP: Do you want to sign up for a passport account?
booting up for the first time: Cmon, sign up for a passport account.
starting up internet explorer: Sign up for a passport account. I'll be your freind!
entering hotmail: Oh yeah? well I'm not going to let you go here unless you sign up for passport!
this is a dramatization. I haven't used XP, and I don't want to(I have enough waiting in my life, thank you very much
And think... (Score:1)
Do'nt put all your eggs in one basket (Score:4, Interesting)
"More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport..."
Egg.com sounds kind of ironic. Must be quite a marketing effort on Microsoft's behalf getting banks to deploy not tested technology on a mass scale.
Re:Do'nt put all your eggs in one basket (Score:1)
More than 70 sites are in the process of deploying Passport's authentication technology...
Prudential Banking's Egg.com online bank
Give a whole new meaning to "cracking an egg".
Re:And think... (Score:2, Insightful)
If you are stupid enought to trust ANYTHING vital to Microsoft in the first place then you deserve to have it stolen.
I want to see the press release they put out on this, i can see it now
"Here at Microsoft we are devoted to security, those evil hackers have again stolen your information, we must pass more laws punishing the offenders and in the future we will assure that nothing like this will happen again"
What he is saying is (we want to throw the smart people in jail so only idiots are left to use our software)
Re:And think... (Score:2)
The Right to Read [gnu.org]
How long until it becomes true, instead of being a whacked-out conspiracy theory fantasy?
--jeffRe:And think... (Score:2, Interesting)
> How long until it becomes true, instead of being a
> whacked-out conspiracy theory fantasy?
Oh, I don't know. I think certain companies and groups in certain industries (Microsoft, RIAA, MPAA) are nearly there now. I'm half expecting someone to get arrested soon for possessing a pencil or a scanner (both highly illegal in a warped view of the already warped DMCA).
It seems that every few years/decades, some greedy moron(s) get some brilliant idea that will allow them to turn all their customers into cash cows, round them up, and milk them dry. Sooner or later, the usually placid customers start to resent such treatment and move on to the next, much greener, pasture (if the moron was lucky enough to have found some cows willing to be rounded up in the first place). This of course puts the idiots out of business. I'm sure the nice folks at Digital Convergence can explain that process to you in detail (assuming they have any staff left).
What we are seeing now is the usual greedy idiocy stuff, plus companies and whole industries that are feeling really threatened. Microsoft has pretty much reached the end of its Windows/Office gravy train and is thrashing around trying to figure out how to keep the cash coming in. The recording industry is facing the double threat of file sharing and basement recording studios. Hollywood is also troubled by Internet copying of movies, and has some reason to worry about digital video and the success of a film like Blair Witch (not to mention competition from the Internet itself as a form of entertainment).
Add to all that the uncertainty of the times, and you've got a bunch of scared, greedy folks who are grasping at anything to defend and expand their precious bottom line. Right now, they are all jumping on the intellectual property bandwagon. Sooner or later, John and Jane Q. Public are going to get fed up with their antics (probably when they try to tape the Super Bowl and find HDTV won't let them), and it will all stop.
For now, we need to work to keep said groups and companies from introducing idiotic laws. It also helps speed things along if you stop doing business with the idiots in question, and keep your family, friends, neighbors, and coworkers informed of what is going on. Aunt Judy may not be a loyal Slashdot reader, but she would really care about being hauled off to jail for possessing a VCR. Better get her to write her congresspeople before that happens. Just be sure to tell her not to send snail mail (Anthrax scare), email (not taken seriously), call by phone (busy signals last I heard), or send a fax (probably out of paper due to it being stored in infected office buildings). Hm, maybe our (USA) lawmakers employ a psychic?
Microsoft, in particular, needs to just throw in the towel. They don't have the security to begin to attempt something like Passport. You can't just slap a EULA on someone's wallet, and say "Sorry, we aren't responsible". No amount of silencing security researchers or screaming "industrial terrorism" is going to cut it. Heck, Gates was on CNN this evening (talking about the stupid consent decree). He couldn't even face the camera and talk out of the front of his mouth like a real, honest, person! Sheesh!
Happy Birthday, Godzilla! (The movie "Gojira" first aired in Japan on November 3rd, 1954.)
spin control (Score:1)
You through a smoke screen around the area until you can fabricate some new ones. Not to be a troll or anything, but this was only a matter of time.
Maskirovka
Re:spin control (Score:2)
And what a little amount of time it was!!
What happens ... (Score:1, Funny)
You have nothing left for trick-or-treating with.
Re:What happens ... (Score:1)
See, Microsoft did you a favor after all!
pre-paid Spam (Score:5, Funny)
"You've already paid the fee to get in on our bogus pyramid scheme, so now it's YOUR turn to go steal from someone else!"
Re:pre-paid Spam (Score:2, Funny)
"Here is a list of credit card numbers. Add yours and send this mail to everyone you know. Don't break the chain!" Except you have already added your CC number and mailed it to everyone you know, thanks to Passport and a virus.
In 6 months .... (Score:4, Funny)
will be
> In addition, the company has modified a software timer so that Passport users must re-enter all the information associated with their passport account (including their Wallet account) anytime they attempt to access the wallet service.
Which might be shortly followed by the first time MS has ever been able to claim their technologies are relatively secure. (Yes, I'll avoid being a jerk and suggesting anyone can ever be 100% secure.
Burning Reichstag (Score:3, Troll)
Is it concievable that M$FT is deliberately designing holes, staging exploits and publicizing them in order to get popular support for federally controlled security systems and universal elimination of anonymity?
The anthrax could be the same thing.. government allowing it to spread, or spreading it themselves, to pressure Congress to pass the USA PATRIOT act, which they did, and to pressure us to accept strictures on our behavior?
In both cases, ask: Quo bono? In the current climate, who benefits from these activities?
Terrorists don't benefit from the anthrax, and OSS doesn't benefit from these Passport exploits. In both cases, the government benefits.
Re:Burning Reichstag (Score:5, Insightful)
What they always have done. Rush a half-finished product out the door, and use whatever leverage they have to force it on whoever they can, while keeping the engineers busy in the back room with the bubblegum and duct-tape. Eventually, they'll get around to releasing a decent product.
Course, I won't be buying it then either. 8*)
Re:Burning Reichstag (Score:2)
And I'm sure there's a legal arm of its marketing department. The whole company reeks of marketing. There are way too many security fiascos from this company as they agressively push their touted inexpensive technologies onto the masses.
Wrong .. (Score:2)
You were going well up until this point:
Eventually, they'll get around to releasing a decent product
but that part didn't make sense to me, after all, this is MS we're talking about.
I can remember since the days of Windows 3 (about eight or nine years ago) that people have been hoping for Microsoft to eventually "release a decent product". We're still waiting for it. With every new release, people seem to forgive MS immediately and brush it off with "oh well, maybe the next version will be good, we'll endure the suffering in the meantime". (Perhaps XP is "it", but then is it really acceptable to wait close to *ten years*, and pay several times over during the wait, to get a half-decent product which is anyway several years behind what OSs should be by now, technologically? I can't think of a feature in any Microsoft Windows version that hadn't already been around for several years in some other system, and that includes XP)
Re:Burning Reichstag (Score:2, Funny)
2. Saying OSS doesn't benefit from passport exploits implies that the Open Source Software movement is responsible for the exploits. They're not. Microsoft is. And through some twisted, delusional logic you assert that Microsoft benefits from building in exploits.
It's a well-known fact that CmdrTaco is trying to make it as easy as possible for trolls to post to slashdot, because he could use them as an excuse to further crack down on Joe Poster.
Also, hospitals won't treat you if they find you have an organ donor card -- they'll let you die because other people need your organs.
Furthermore, the entire world is an intricate conspiracy designed to repress you.
LOOK OUT! THEY'RE COMING NOW!
Re:Burning Reichstag (Score:1, Funny)
He was the whiny-voiced guy in the mohair vest that sang with that tall gangly chick before she had a minimum 35% post-consumer recycled body.
Became a congressman and newest poster child for the Agony of Defeat(TM).
Re:Burning Reichstag (Score:3, Insightful)
Re: (Score:2)
Re:Burning Reichstag (Score:2)
Did anyone not see this coming? (Score:4, Insightful)
With passport, microsoft wishes to be the customs agent of the internet. However, with flaws like this they really are not going to turn many people over to their side.
I'm sure more exploits will pop up in the future. Most of them will likely use hotmail in someway or another to enter.
Re:Did anyone not see this coming? (Score:5, Insightful)
Hotmail is also the source of all of the passport accounts. Microsoft knows that Windows XP is not going to generate enough Passport accounts to entice web sites to start including Passport hooks. Hotmail, on the other hand, is very popular, and already has millions of users. Besides, if Microsoft can't design a secure Passport site, what is the chance that the bozos at your bank are going to be able to design a secure Passport site?
In other words Hotmail is both the primary draw for Passport, and an important proof of concept. Unfortunately for Microsoft it is also a huge gaping pile of security holes.
I confess .... (Score:2)
I too have an Hotmail account!!!
Come to think of it, i have at least 5 of them, all with funny names.
Judging from the options Hotmail returns to me when i try to register a funny name and it's already take (it sugests things like funnyname54@hotmail.com), i would say i'm note the only one...
Re:Did anyone not see this coming? (Score:2)
Yes, I realize that, but Hotmail is the primary draw for Passport. How many Passport users would there be without Hotmail? Probably not very many. Instead of millions of users Microsoft would be lucky to have tens of thousands of users.
Getting Ebay, Prudential, and 68 other companies to modify their websites to cater to such a small group of people would never fly. Microsoft needs to be able to wave the carrot of millions of potential customers, or it isn't worth the time.
Besides, even with millions of customers why should Ebay trust what Microsoft to store their important customer database if Microsoft can't even secure their own Passport enabled site. Ebay already has millions of their own customers. Not only that, but they know that AOL, the single largest ISP in the world, is working on an opposing standard. Microsoft has a Passport database filled with the information of millions of people who signed up for a free service, some of which no longer use the service. AOL, on the other hand, has a customer database that is just as big (if not bigger) of people who get a bill from AOL every month.
Microsoft knows that if their service is seen as insecure, then their customers will go elsewhere. Heck, unless Windows XP really takes off and grows the number of Passport users dramatically Microsoft's customers will probably go elsewhere anyhow (unless AOL really blows it).
Who would have thought I would be rooting for AOL.
No one knows, or cares (Score:5, Insightful)
They are happily using their Hotmail accounts and have NO clue that these things exist. Sure, they might have it in PC World, or maybe the Technology section of the Times, but my MOTHER does not read these things. Only us geeks in the industry know ( we are a small percentage of the population).
Microsoft will fix this to appease the security experts, but that's about it.
As long as Joe Sixpack can stay happily ignorant, MS is happy. For example, one of my friends, a very intelligent Nuclear Physicist, just got suckered in to a CompUSA MegaPC w/ 1.2 GHZ, 1 GB RAM , DVD RAM and Windows XP for anout 5 Grand. He browses the web PERFECTLY fine on his 988 MHZ PC. He said the "pretty colors" of XP sold him. I told him of the security flaws and reasons for not going with XP (never mind the absolute non-necessity of the PC), and his response was "How come I haven't heard about these things you talk about?" I had no answer. That's how Microsoft stays in power. If we step outside the industry for a minute, we can see that Linux means nothing to most people, AOL IS the internet, and Windows IS a computer. How do we fix this? I don't know, but someone must.
Re:No one knows, or cares (Score:2)
Which security flaws in XP are those?
Re:Did anyone not see this coming? (Score:2)
The problem is that they haven't had any success protecting it anyway. To be completely fair, neither has anyone else. The other difficulty is that although I would trust MS rather than JRV to protect my data, the necessity of distribution and interaction opens up a whole new class of security holes that no one has even thought of before.
The unfortunate truth is that right now the only way to protect your privacy online is not to give out any information, and that Passport will do exactly nothing to remedy this situation.
But why is Hotmail special? (Score:2)
But why is Hotmail special? (OK, aside from the fact that most of the 200m Passport users MS claims probably got hooked in via that route.)
Passport is supposed to be an independent data store, right? A Passport-enabled client needs to know something about you and you've signed in, so they can go ask MS for that specific information. They aren't supposed to get anything else back. So, given that Hotmail is just another client (it is just another client, right?) then surely if you can break it using Hotmail, someone else could expose the same vulnerabilities via any other Passport-enabled client using similar Passport features.
So, what am I missing? What's so special about Hotmail? Why is Hotmail the gaping security hole?
more info (Score:5, Informative)
Marc's Passport Advisory [znep.com]
i want to go home and play civ3 (Score:4, Troll)
Send special forces to kill the bunny. And cluster bombs, lots of fucking cluster bombs
What happens when someone steals the basket with a (Score:2)
A testimony to the proposition that security CAN be legislated.
(Yeah, right.)
Re:What happens when someone steals the basket wit (Score:5, Insightful)
Only the discoverer of the hole will be forced to announce it anonymously, and publish it only in dark little places where the lawyerly eyes of Microsoft won't find it. And unscrupulous eyes will.
I can see it happening already. And Microsoft would not even hear of the hole until it's far, far too late. It will be a very, very dark day if information is compromised on this scale.
The DMCA in this case would directly contribute to the destruction of the integrity of the Passport system.
Simply put - if only outlaws find security holes, then only (genuine) outlaws will have access to them.
Re:What happens when someone steals the basket wit (Score:2)
Or you could just post it in any country in the free world that doesn't have the absurdities DMCA and such. You might try pretty much anywhere in Europe, for a start. :-)
Killing the messenger? (Score:4, Interesting)
"Well, it wouldn't have been too much of a problem until those meddling kids at Apache showed up..."
Re:Killing the messenger? (Score:1)
Re:Killing the messenger? (Score:5, Interesting)
Imagine this scenario...
1) You discover a flaw that allows you to get a hold of everyones on the Internet credit card
2) You tell the vendor and wait.
3) The vendor acknoledges the flaw and posts a patch
4) In between 2 & 3 "nasty evil little hacker" discovers the same flaw and exploits it to his economic advantage (but not enough to get himself caught)
5) Vendor discovers that "your" hack has been used againt them for a period of time...
Who would you send the cops after ???
How would you go about proving your innocense, Don't get me started on Innocent until proven guilty -- I don't buy it for a second...
6) spend 20-life in jail ???
Microsoft leaked it anyway (Score:5, Funny)
A number of Microsoft employees also leaked it to their friends after I reported it to Microsoft, and it started spreading from there.
And even Microsoft's lawyers were in on the gig of making sure everyone knew about it.
But seriously... Microsoft has been, and almost always is, very good about timely responses to security reports. Their problem is in dealing with them without having to be told by some Joe User that they have problems.
Re:Microsoft leaked it anyway (Score:2, Insightful)
If you were a serious thief, you'd be no more apt to reveal the exploit than a magician to reveal the trick.
Visa... MasterCard... the banks... they all lose piles of money annually, yet say nothing, due to the negative marketing impact.
The DOJ's "Stop, or I'll say 'Stop' again" deal with Mr. Softy amounts to a fart in a thunderstorm. The only real judge, jury, and executioner is the market. When people tell Billy G. to talk to the hand, we're not swallowing your latest lock-in scheme, regardless of the good aspects of the engineering and convenience offered, then we can see about real competition.
Only the market, by refusing to buy flawed products, can improve the QA of anyone.
Re:Who pays for the stolen money? Can MS be sued? (Score:2)
And how much are you willing to bet that the credit card companies are going to consider registering your CC number in Passport being irresponsible behaviour and insufficient care taken in safeguarding it?
In which case you are the one taking the hit.
I hope you dont have a high limit on any card you use on the net. Preferably you should be using one time CC's valid only for the amount you owe.
Well so much for single sign-on (Score:5, Informative)
In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.
While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.
"Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.
XP Integration is evil (Score:5, Informative)
Re:XP Integration is evil (Score:5, Informative)
You can, however, uninstall it!
Have a look at the file c:\windows\inf\sysoc.inf
Then change the line that reads:
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
to
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7
Then go to the Control Panel, choose Add/Remove Programs, then select the "Windows components" tag. You'll note that "Windows Messenger" now appears at the bottom of the list; just remove it, and Windows/MSN Messenger will bother you no more.
Re:XP Integration is evil (Score:2)
Change one config file in Linux/Unix and the job's done.
What was that about Linux being hard to use again?
Hmm... change one config file in Linux to uninstall something.... change one config file in Windows to uninstall something....
Yeah, you're right. Linux is a whole lot easier than Windows.
Re:XP Integration is evil (Score:2)
Linux is a whole lot easier to use than Windows. At least in this case.
At least yer not grovelling through the registry trying to figure out how to disable something. With Linux, it's all there and documented in the config files.
Suppose I install some fancy-dancy new linux distro that starts up some stuff I don't like/want/need. 99% of the time, the config file will be in /etc, and I know it's going to get started through some init script. A recursive grep, a look at the man page, and it's taken care of.
The disabling procedure that Phil Wherry posted seems to be a lot less straight-forward than that. The documentation that M$ provides isn't nearly as helpful in your task, either.
Public knowledge (Score:1, Insightful)
New Passport Slogan... (Score:5, Funny)
-Zane
Re:New Passport Slogan... (Score:5, Funny)
AOL Account: $20 a month
Contribution to OSS fund: $1000
Charging it to Bill Gates Credit Card: Priceless
There are some rights money can't buy.
For everything else, there's Microsoft Passport.
Re:New Passport Slogan... (Score:3, Funny)
-Capitol One Credit Card
Who's in *your* wallet?
-Billy Gates
Sir, you have a phone call. . . (Score:1)
ha! (Score:1)
File suit with the FTC (Score:5, Interesting)
You can't market a product as having qualities it doesn't have without getting into trouble with the FTC. Granted, MS will try to spin this as "Those bad Linux hackers will steal your data!" The fact remains that they've lied to the American consumer. I think they need to be forced to amend their advertising.
Re:File suit with the FTC (Score:5, Funny)
A few weeks ago, I happened to see their advertisement promising "99.999% uptime". The subsequent expulsion of my carbonated beverage through my nose injured my delicate nasal passages and frightened my cat.
When I become Emperor of the Universe, Microsoft's advertisements will have to bear a Surgeon General's Warning.
k.
Re:File suit with the FTC (Score:2, Funny)
Re:File suit with the FTC (Score:2)
Believe it. If you have the bucks, you can even make Windows reliable, if not terribly flexible. They got clustering pretty good (I didn't say spectacular) in Win2k datacenter, and they get real experts running it. That you have to buy this kind of SLA to get a web server that doesn't, say, fall over upon receiving 256 concurrent hits, is rather sad.
Re:File suit with the FTC (Score:2)
Excelent point.
Not that we'd be able read or hear such amendments, but it still might affect the consumer. Having Microsoft ads sound like a drug ad or "used car sale mega blowout" ad with those rumbling fast-mouths at the end might persuade the consumer to think twice before swollowing the MS pill.
And this will be reported by who? (Score:5, Interesting)
In the end I guess I best move to the bahamas and start ordering lots of neat things with all these new credit card numbers that magically appeared in my hotmail account.
Flash! Terrorists steal US identities (Score:1, Funny)
Bill Gates identified as culprit: "We of the Taliban shall never be defeated!" shouts the software terrorist as he is hauled off to a comfy cell.
More news as this story breaks
What about PayPal etc.? (Score:4, Insightful)
Also, I had no idea 165 MILLION people were already using Passport - I suppose my OS hasn't asked me enough times to sign up for it until I break under the strain...
Re:What about PayPal etc.? (Score:4, Interesting)
Re:What about PayPal etc.? (Score:2, Informative)
99% of statistics are wrong or misleading
Just like all those people who have installed windows media player, it is added to an IE upgrade by default.....
Yawn
RickB
Re:What about PayPal etc.? (Score:2, Funny)
don't you just love paradoxes?
}
Re:What about PayPal etc.? (Score:2, Insightful)
Hotmail accounts are Passport accounts. This probably accounts for the bulk of them. A non-zero number of Hotmail accounts are inactive, or are just used as throwaway accounts. Interesting to see figures on this.
Microsoft just changed their Hotmail policy to require a login every 30 days or they'd disable your Hotmail. If you pay them money, you can get an upgraded account that includes never being disabled (while yu pay) and more storage. Still has a paltry attachment limit though.
Passport liability (Score:4, Insightful)
Re:Passport liability (Score:2, Insightful)
Another lesson to be learned from this (Score:4, Insightful)
like Microsoft. But there are other 'takers'. Some even with the best of intentions.
If any of them ever gets to be the one and only 'central repository', they will be subject to just this kind of attack as well. If you can't compromise the service, then hack into the user's desktop. As soon as enough people use it, it becomes a very attractive target. In a similar vein, there have been viruses that target the client end of home-banking software.
Security is enhanced by redundancy, by having several distinct systems in place, preferably as dissimilar as possible. Monoculture and monopolies always form a fertile environment for viruses and other pests.
I feel this makes the whole idea of a centralized service like Passport or any of it's competitors an extremely dangerous development.
This is why... (Score:4, Informative)
it isn't just about hotmail and passport wallet (Score:5, Interesting)
The real risk here isn't to hotmail or passport wallet (passport wallet isn't really an integral part of passport, just another service using it for authentication). It is to all things using passport. That isn't so much right now. But if Microsoft has their way, it will be. The sample exploit used Hotmail and Passport Wallet simply because they are commonly used services.
I would also like to note that Microsoft has been quite forthcoming with details and admitting the problems and fixing them. They are very good at being reactive. We will have to see how well this works going forward.
Re:it isn't just about hotmail and passport wallet (Score:3, Insightful)
As good as MS has been at reacting to problems, I think the fear here is that MS has not shown much interest in being PROactive in preventing such problems, particularly problems with such potential for ruining people's credit histories or bank accounts. If that is a legitimate fear, then it's a whopper!
As you imply, this is the tip of the iceberg, if Passport is intended to be the be-all, end-all for
---
Re:it isn't just about hotmail and passport wallet (Score:2)
They decided to stop focusing on PPTP and integrate other forms of VPN into the OS.
Wouldn't it have been nice for you to realize this instead of going off and looking like a fool?
Re:it isn't just about hotmail and passport wallet (Score:2)
Actually Microsoft did fix all of these problems. They decided to stop focusing on PPTP and integrate other forms of VPN into the OS.
I must have missed the announcement that they were removing PPTP from their operating systems, or at least discouraging people from using it.
Last I heard, it's still there, and still broken, and MS still doesn't admit it.
Wouldn't it have been nice for you to realize this instead of going off and looking like a fool?
Ahh, I see you're a fan of my sig.
A flawed MS product (OMFG) (Score:2)
I'm gonna go for all of the above
XP == (Score:4, Funny)
Offline Forever (Score:3, Interesting)
the wallet service will remain offline until the company can add additional security features "to ensure that similar exploits cannot be used to compromise our user's credit card information."
What's the standard for this? Based on Microsoft's track record, a new exploit will come up regardless of how many patches are issued. No way I'm going to let them keep my personal data. Too bad the average consumer may not realize this.
Anyone ready for that negligence suit? (Score:3, Interesting)
Re:Anyone ready for that negligence suit? (Score:2, Insightful)
-z
What about the other ways your CC # can be stolen? (Score:3, Insightful)
How often do you hand your credit card to a server at a restauraunt? A store? Over the phone to pay for something? Are you forgetting that your credit card number can easily be stolen that way? Most receipts from purchases have your credit card number on them. Do you shred / burn them to stop someone from getting your CC #?
Re:What about the other ways your CC # can be stol (Score:2, Informative)
Actually, many people do just that.
That's not the major point, though. This "crack" will allow someone to, perhaps, manipulate your financial portfolio if it's set up through Passport. "What do you mean, I just bought 10,000 shares in Hot Girl Condos on margin?" Millions and billions of dollars there, at risk, if MS gets their way and that sort of thing is hooked through your Passport account.
Re:What about the other ways your CC # can be stol (Score:3, Insightful)
You do realize that you can be held liable for whatever charges your card incurs if you do not follow this kind of practice, dont you? And you do realize what happens if you are held liable for a $10K shopping spree that someone went on with your credit card? You pay it, you pay it at once, or your credit rating is slashed, you default on your house mortgage as your bank suddenly wants their money back and their money back _now_, you wont be able to get a new loan and you'll have to sell pretty much everything you own.
Im not kidding, I've seen that happen. I have a coworker who makes as much as I do, who can barely afford to eat lunch in the company resturant. Your life suddenly becomes a helluvalot more expensive once you're put on rapid payback on all your loans and the interest rates you're paying are doubled.
Wow (Score:5, Interesting)
What folks need to do is hold off on publishing these exploits (as Microsoft requests) until they've got a lot more riding on it. When a couple of banks lose a couple of million bucks on this, not to mention the confidence of their customers, well, then you might get some real coverage.
Remember, Microsoft wants to build houses of straw, and likes to call anyone who points out they are made of straw terrorists. Of course, as soon as I see that attitude from someone I'm supposed to trust I run as far and as fast as I can just as I'd run from a used car salesmen who wouldn't let my mechanic check out the car.
Re:Wow (Score:2)
In theory, banks could cut back on robberies by having airport-like security at the door. The reason they don't is that their customers simply wouldn't stand for it.
Absence of online access is similarly unacceptable to a growing percentage of the customer base. Thus, banks would be forced to try something else once Microsoft failed them (and, if M$ hid behind its no-liability clause in the wake of a big exploit, they wouldn't have to be forced very hard).
Where do you want to go with my money today? (Score:4, Funny)
WWMRTD? (what would mr t do?) (Score:4, Funny)
Eggs? What you talkin' all about eggs for? Don't give me none of that Gibber-Jabber, or you best be tossed!
You took a wallet? I don't see no crazy wallet! You're talking like Face, crazy fool!
Besides, you don't need no wallet! Just dial
1-800-COLLECT and save a buck or two.
XP? That better mean Xtra Punishment, cause that's what I'm gonna do to that Gates fool! He can't escape me, cause my van's hella fast!
Don't do drugs! Drink milk!
Come here, sucka. I'll toss you!
What I want ... (Score:2)
- Nothing but a 32 bit operating system, running on a 16 bit core, based on an older 8 bit operating system, run by a 4 bit company that can't stand 2 bits of competition
Priceless (Score:3, Funny)
Microsoft Windows XP: $219
Compaq IPaq with Windows CE: $499
Subscription to
Microsoft Passport: Free*
Having your MasterCard(TM) info on the net for anyone to see:
Priceless.
(*note: This is a parody of the successful "Priceless" MasterCard(TM) advertising venture. As a parody it is protected under the 1st amendment established by MasterCard(TM) v. Nader)
FYI (Score:2, Informative)
The odd thing, however, is that these cookies that are set as a result of Passport authentication are, at times, unique to the browser window they were set in. If I open a new browser window, the cookies are not sent and I am not authenticated.
Think DRM tokens, e.g. pay per viewing instance.Economic Issues (Score:3, Interesting)
I have been ranting to all of my clients and friends about this sort of problem ever since MS came up with the idea of passport.
Scenario:
2 years from now 150 million people actually have their personal details and credit card numbers stored with MS (this isn't so now, people have passport accounts by default due to hotmails reliance)
Another hack comes out and it is proven that the vast majority of credit card numbers for people were compromised.
Visa, Amex, Mastercard et al are forced to re-issue credit cards to all people using passport
The global economy is severely disrupted due to the downturn in online spending, the overall costs incurred by the replacement and the lack of consumer confidence in online shopping, banking etc
Microsoft point to the famous "we're not liable for jack shit" clause in the agreement
So what happens? Does MS still get sued? Do the credit card companies just sit back, hemorrhage and go "Oh well, shit happens."?
Most importantly, do consumers finally realise that they have been taken for a ride for the last 7 years and boycott?
This really scares me. Giving personal details to any company is bad. Giving them to a company with a severely impaired security record is just plain stupid.
Re:Economic Issues (Score:2)
Businesses depend on having a good record with CC companies, who hold them accountable for misuse. If something happens, it's easy for you to complain, and easy for the CC company to trace bills. So "Walmart" and "gas stations" discipline themselves. Whoever cracks into a database has no incentive to be careful.
Re:Economic Issues (Score:2)
A brick-and-mortar company has a relatively small pool of suspects to investigate when it finds out that somebody stole a customer's credit card number. A hack into any Passport-like database could have come from any of millions of people anywhere in the world.
estimates of the number of Passport users? (Score:3, Interesting)
"Up to" is vague- It is true that "up to 7 billion people have as much money as Bill Gates", but it might be good to have a better estimate...
If you are counting hotmail accounts, many people have multiple accounts, which could get things up towards 200 million just in the US, so I am curious how many distinct users there really are. In particular, how many people have more than the default setup from having a hotmail account and actually have info in a Passport wallet? For people with multiple hotmail accounts (for different purposes, expired purposes or just forgot about it) presumably they would have one or only a few accounts with the credit card info and so on.
single point of failure (Score:4, Insightful)
Re:single point of failure (Score:2)
Re:Karma Suicide (Score:1, Offtopic)
Re:Open a message in HOTMAIL? (Score:2)
Yet every time I peek in there, even with the Junk Mail filters on, there's tons of spam in my In Box.
~Philly
Re:Who should really be concerned about this? (Score:2, Informative)
Re:Who should really be concerned about this? (Score:2)
If they put their CC numbers on a note on the noticeboard in a public place they arent going to get a cent from either the CC company or anyone else. Pay up or play the debt collection and credit slashing game.
Storing your CC number in Passport is pretty close to that.