November 29th, 2001, 06:14 PM
MS Passport & Wallet
MS has released a new concept called Passport and Wallet, a protocol for easier shopping on the internet. Works like this: You log onto an MS server and provide all your personal details, name, address, credit-card number, how you like items to be sent to you, shoe-size(!) etc. You receive a login-name (which is your mail-address) and a password. Now you can go shopping. On commercial sites using Passport, you only need to provide your username and password, click ok, and that's all. Much simpler than other shopping on the net.
But is this secure? Two engineers at AT&T did some research on Passport 1 year ago and concluded it wasn't at all safe. The use of SSL "assume too much about user awareness", they say, and they also found several other flaws. MS claims to have fixed those in the latest release.
Undoubtedly, MS has a user friendly product, and the concept is something I think really is a solution for the future. (But is the technology ready?). Shopping on the net is too complicated, and has to become as easy as shopping in a real store.
Not many users trust MS and the Passport/Wallet system. Even though the concept is closely linked with Hotmail, less than 1% of Hotmail users want to use Passport/Wallet. This might be a result of MS' bad reputation when it comes to security issues. Or it may be because people don't trust the internet to take care of their private information.
What's in it for hackers that can steal all this information? They get a lot of personal details, not too interesting. And they get a lot of credit cards, now that's something!! I think if a Passport/Wallet system provided all necessary information, except for the credit card number, more users would like to join such a service. But I haven't done any research on it.
What do you guys think?
November 29th, 2001, 06:27 PM
With the release of XP Microsoft has started a new service, called .NET
It is a combination of passport and wallet and even more crap..
Microsoft hasn't learned from earlier mistakes on this front. But how many people use .NET?
Everyone who installs XP or downloads the new messenger or has a hotmail account....
So that's about a billion people... as soon as one A$$H0LE finds a security hole, it will be world news...
Luckily most people don't provide MS with all their real data ..
In Holland (where I live) most banks provide a cardreader for online payment.. I don't know if that is safe too. So I will just pay at the door when the mailman comes to bring the stuff I order..
November 30th, 2001, 06:31 PM
Actually, if I remember correctly, there was a cross-site scripting vulnerability with Passport recently that led to being able to grab a person's Passport info... It's supposedly been fixed, but still, for a supposedly gold product (in the sense of having been released for signup and use), vulnerabilities like this aren't a good sign.
Personally, I doubt I would ever fork over my info to any 'centralized' system whether it's MS run or not. It's far too inviting a target.
November 30th, 2001, 06:52 PM
Re: MS Passport & Wallet
I wouldn't trust Microsoft even with my shoe size!
Originally posted by proactive
MS has released a new concept called Passport and Wallet, a protocol for easier shopping on the internet. Works like this: You log onto an MS server and provide all your personal details, name, address, credit-card number, how you like items to be sent to you, shoe-size(!) etc.
November 30th, 2001, 06:56 PM
Yes, and it is possible for a hacker to use a proxy to generate web-pages that look totally like whatever page. At least in a local network with shared internet connection. After collecting the users data they can either generate a screen saying 'the service is down', or just post the data to the real web-shop. The only trouble is the SSL validation in the browser will come up with a warning screen to the user, but most users click 'ok' anyway.
And I suppose that if a cracker could get access to someone's internet log (index.dat?) for recently visited web-pages, the cracker could change the corresponding IP to his own web-page.
I suppose the possibilities are far too many, and creating a fool-proof solution is still some years away.
December 1st, 2001, 01:36 AM
Microsoft? Fool-proof solution? Can those two phrases exist in the same sentence... it's a contradiction of terms, isn't it??
December 1st, 2001, 10:12 AM
Credit card info
One other thing that is relevant is that most banks (i.e. credit card issuers) here in the UK will not take responsibility for online credit card fraud. Whereas they will take responsibility for other types of fraud (you are normally only liable for something like the first £50, although in practice they won't ask you to pay that). And, to quote the UK government - "Online shopping is safe"
December 1st, 2001, 02:04 PM
Re: Credit card info
That's interesting.... You mean that if someone sniffed your credit-card number on its way from your PC to Amazon and abused it, the CC companies wouldn't cover for it. Am I right, or did I misunderstand?
Originally posted by darkes
One other thing that is relevant is that most banks (i.e. credit card issuers) here in the UK will not take responsibility for online credit card fraud.
December 1st, 2001, 07:26 PM
Yes, that is correct - you'll have to read the small print of the agreement that you have with a particular bank/credit card company to see exactly what the situation regarding fraud is. It usually comes under the section headed "Liability for loss ....".
Followed by things like "You must tell us immediately ..... if your card is being used by another person without your permission", usually followed by the clause "You are responsible for all charges ...... up to the time you told us about the loss".
It is almost impossible to prove what has happened in an online situation, and the onus is on you, the cardholder, to prove that you were not at fault. It rather depends on what 'loss' means in an online environment.
In the past, I only managed to convince a CC company that a large transaction passed through my CC was a fraud by proving that I wasn't even in the country at the time when the transaction took place. Up to that point they had been pestering me to make a full or partial payment.
Bit difficult to produce that sort of evidence in an online environment. From a practical point of view, the best solution (if you are buying things like books), is to get a CC with a very low credit rating, so that even if the worst happens, you are not talking about a lot of $$