Thread: MS Passport & Wallet

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    472

    MS Passport & Wallet

    MS has released a new concept called Passport and Wallet, a protocol for easier shopping on the internet. Works like this: You log onto an MS server and provide all your personal details, name, address, credit-card number, how you like items to be sent to you, shoe-size(!) etc. You receive a login-name (which is your mail-address) and a password. Now you can go shopping. On commercial sites using Passport, you only need to provide your username and password, click ok, and that's all. Quite a bit simpler than other shopping on the net.

    But is this secure? Two engineers at AT&T did some research on Passport 1 year ago and concluded it wasn't at all safe. The use of SSL "assume too much about user awareness", they say, and they also found several other flaws. MS claims to have fixed those in the latest release.

    Undoubtedly, MS has a user friendly product, and the concept is something I think really is a solution for the future. (But is the technology ready?). Shopping on the net is too complicated, and has to become as easy as shopping in a real store.

    Not many users trust MS and the Passport/Wallet system. Even though the concept is closely linked with hotmail, less than 1% of hotmail users want to use Passport/Wallet. This might be a result of MS' bad reputation when it comes to security issues. Or it may be because people don't trust the internet to take care of their private information.

    What's in it for hackers that can steal all this information? They get a lot of personal details, not too interesting. And they get a lot of credit cards, now that's something!! I think if a Passport/Wallet system provided all necessary information, except for the credit card number, more users would like to join such a service. But I haven't done any research on it.

    What do you guys think?
    ---
    proactive

  2. #2
    Leftie Linux Lover the_JinX
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    .NET

    With the release of XP Microsoft has started a new service, called .NET

    It is a combination of passport and wallet and even more crap..

    Microsoft hasn't learned from earlier mistakes on this front. But how many people use .NET?

    Everyone who installs XP or downloads the new messenger or has a hotmail account....

    So that's about a billion people... as soon as one A$$H0LE finds a security hole, it will be world news...
    Luckily most people don't provide MS with all their real data ..

    In Holland (where I live) most banks provide a cardreader for online payment.. I don't know if that is safe too. So I will just pay at the door when the mailman comes to bring the stuff I order..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Actually, if I remember correctly, there was a cross-site scripting vulnerability with passport recently that led to being able to grab a person's passport info... It's supposedly been fixed, but still, for a supposedly gold product (in the sense of having been released for signup and use), vulnerabilities like this aren't a good sign.

    Personally, I doubt I would ever fork over my info to any 'centralized' system whether it's MS run or not. It's far too inviting a target.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  4. #4
    Banned
    Join Date
    Sep 2001
    Posts
    2,810

    Re: MS Passport & Wallet

    Originally posted by proactive
    MS has released a new concept called Passport and Wallet, a protocol for easier shopping on the internet. Works like this: You log onto an MS server and provide all your personal details, name, address, credit-card number, how you like items to be sent to you, shoe-size(!) etc.
    I wouldn't trust microsoft even with my shoe size!

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Yes, and it is possible for a hacker to use a proxy to generate web-pages that look totally like whatever page. At least in a local network with shared internet connection. After collecting the users data they can either generate a screen saying 'the service is down', or just post the data to the real web-shop. The only trouble is the SSL validation in the browser will come up with a warning screen to the user, but most users click 'ok' anyway.

    And I suppose that if a cracker could get access to someone's internet log (index.dat?) for recently visited web-pages, the cracker could change the corresponding IP to his own web-page.

    I suppose the possibilities are far too many, and creating a fool-proof solution is still some years away.
    ---
    proactive

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    677

    Microsoft? Fool-proof solution? Can those two phrases exist in the same sentence... it's a contradiction of terms isn't it??

    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)
    http://www.bytekill.net

  7. #7
    Senior Member
    Join Date
    Aug 2001
    Posts
    485

    Credit card info

    One other thing that is relevant is that most banks (i.e. credit card issuers) here in the UK will not take responsibility for online credit card fraud. Whereas they will take responsibility for other types of fraud (you are normally only liable for something like the first £50, although in practice they won't ask you to pay that). And, to quote the UK government - "Online shopping is safe"

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    472

    Re: Credit card info

    Originally posted by darkes
    One other thing that is relevant is that most banks (i.e. credit card issuers) here in the UK will not take responsibility for online credit card fraud.
    That's interesting.... You mean that if someone sniffed your credit-card number on its way from your pc to Amazon and abused it, the CC companies wouldn't cover for it. Am I right, or did I misunderstand?
    ---
    proactive

  9. #9
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    Yes, that is correct - you'll have to read the small print of the agreement that you have with a particular bank/credit card company to see exactly what the situation regarding fraud is. It usually comes under the section headed "Liability for loss ....".
    Followed by things like "You must tell us immediately ..... if your card is being used by another person without your permission", usually followed by the clause "You are responsible for all charges ...... up to the time you told us about the loss".
    It is almost impossible to prove what has happened in an online situation, and the onus is on you, the cardholder, to prove that you were not at fault. It rather depends on what 'loss' means in an online environment.
    In the past, I only managed to convince a CC company that a large transaction passed through my CC was a fraud by proving that I wasn't even in the country at the time when the transaction took place. Up to that point they had been pestering me to make a full or partial payment.
    Bit difficult to produce that sort of evidence in an online environment. From a practical point of view, the best solution (if you are buying things like books), is to get a CC with a very low credit rating, so that even if the worst happens, you are not talking about a lot of $$
