Security

Microsoft's Passport e-wallet invites pickpockets

Reasons why Microsofts Passport and e-wallet service could get you in trouble


A newly discovered flaw in Microsoft’s Passport put another layer of tarnish on the company’s already heavily corroded security image. Microsoft was forced to temporarily shut down its Passport e-wallet service after being warned that hackers could pickpocket individual e-wallets.

Passport and e-wallet
Microsoft’s Passport service provides a centralized database to store and distribute confidential data and a way for users to be identified on the Web. Passport can make Web sites easier to use because you don’t have to keep identifying yourself to gain access to various services.

Of course, this convenience comes at the not-so-minor cost of giving Microsoft control over your personal data, which, because of the company's spotty security record, is not something I would recommend.

The online shopping feature of Passport, known as e-wallet, is supposed to eliminate all that tedious data input when you place an order online. Microsoft’s promise is essentially this: “Give us your name, address, and credit card number, and we will send that information to merchants on request.” So far, more than 70 online merchants have signed up for Microsoft’s Express Purchase service.

Handing over your virtual wallet
Does it really take a highly paranoid security specialist like me to see that this might be a bad idea? Apparently, several million people out of the much larger Passport community have already signed up for this e-wallet service. According to Microsoft, those subscribers may have placed their personal data at risk due to a flaw that could allow a hacker to obtain the contents of their virtual wallet just by clicking on a link contained in a Hotmail e-mail account message.

Microsoft said that it immediately shut down the e-wallet service after learning of the problem and that Passport security has been enhanced. But that leaves open the question of whether any hacker took advantage of this flaw before a white-hat hacker discovered it and informed Microsoft.

Microsoft was quick to point out that this was an “isolated” problem (almost every individual security problem is) and that it patched the flaw immediately. The company also said that no e-wallet user’s credit card information was actually compromised. That may be true, but the cracker would probably leave no trace using this method, so I’m not certain just how Microsoft can know that no personal data was stolen.

Is even one of you surprised by this latest security breach at Microsoft? Did anyone not see this coming? The answer to both questions is probably a resounding “No.” For some time now, many IT professionals have been very cautious about Passport and downright obstinate about e-wallet.

The bottom line
Convincing people to trust Passport is vital to a number of upcoming Microsoft services in the .NET initiative. So if this recent Passport security flaw becomes widely known, it could be a much bigger PR problem for Microsoft than it appears to be on the surface. Indeed, Passport, which has recently been renamed .NET Passport, may be the crown jewel in the .NET crown.

Unfortunately, most average users will know little about this problem, and even fewer will realize that this is only one in a long string of Microsoft security problems. Anyone with any concerns about personal or business privacy and identity theft must place a great deal of trust in a company’s security policies before they give any confidential information to an online service that offers to serve as a gatekeeper for sensitive personal and financial information.

Microsoft must be hoping that average users won’t notice that there were about 100 Microsoft security bulletins in 2000 and that we are well on track to see another 60 or 70 by the end of this year. In addition to credit card information, Microsoft wants people to eventually store other confidential data, such as medical records, in Passport accounts.

Some people will even be foolish enough to provide debit card numbers, which, unlike credit cards, offer little or no fraud protection. While having your credit card stolen is annoying, it isn’t a big problem because credit card issuers limit the amount you can be forced to pay for fraudulent charges. But since debit cards offer direct access to your bank account, having that number stolen can be just like losing a checkbook full of signed, blank checks.

There is also some question as to whether can you continue to use Microsoft software and still avoid Passport. That’s going to become a major problem in the near future. If you haven’t yet installed a copy of XP, you may not realize that anyone running the new Microsoft operating system will be virtually forced to sign up for Passport.

Microsoft is making a big push to get everyone to use Passport as part of the impending .NET initiative, and in the years ahead, it will probably become increasingly difficult to use Microsoft programs if you don’t provide at least a minimum of information to Passport.

Is Microsoft being punished for its security record?
It appears that a lot of administrators have noticed that Microsoft programs may not be the most secure. In the wake of Code Red and other recent attacks, Netcraft's September survey of 33 million Web servers showed that 300,000 IIS servers have disappeared from the Web and that about half of them seem to have been replaced by Apache. Could this be the first small sign that admins are starting to punish the Redmond, WA giant for its tradition of ignoring security? Is Microsoft’s security record with Passport, IIS, IE, and other programs pushing you away from using Microsoft software? We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.

 

Editor's Picks