Slashdot Log In
Microsoft Launches Passport
Posted by
justin++
on Tue Oct 12, 1999 09:04 AM
from the privacy? dept.
from the privacy? dept.
Microsoft today "launched" Passport. Passport is an on-line wallet service, meaning that all your billing and other information is stored centrally with Microsoft, so that you don't have to retype it every time. Passport was used by a few Microsoft sites before, but with today's announcement, an additional fifty or sixty sites have adopted the technology. While my initial concerns were about privacy, they were mostly (but not completely) covered by the aforelinked press release. A news.com article cites a research analyst as saying that one day, Microsoft may wish to take a percentage of the profits, and go for a monopoly on e-wallets. Certainly is a lot to speculate on here...
This discussion has been archived.
No new comments can be posted.
Microsoft Launches Passport
|
Log In/Create an Account
| Top
| 194 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
|
2
(1)
|
2
How it works. (Score:3)
Basically, it's to keep your credit card number from EVER crossing the ether using a public/private key challenge system to log a transaction. The site you visit bills Passport, Passport bills your credit card, and the number never goes anywhere. Since each transaction is logged seperately using a different ID, you can review your transactions online (theoretically) and make certain that they were all transactions that you ordered.
Me? I'll avoid it like the plague. This is MS, after all.
Oh, and I only tested software there. Don't blame me - they didn't listen to me when I found the bugs, so it ain't my fault. ^_^
The Top 5 Reasons this is a Horrible Idea (Score:5)
4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?
3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!
2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!
1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.
I've seen this coming a mile away from the beginning of the browser wars and the rumbles about microsoft owned websites. The obvious hope is that by having control of the desktop operating system they have control of the browser. By having control of the browser they have control of the sites initially visited by the user (an exceedingly large percentage of people don't change their startup page). By having control of the sites initially visited, and leveraging this "e-wallet" they also make money from every purchase.
Ah well, such is life in corporate America.
Oh, great. (Score:5)
But hey, I'm sure Truste will assure us that everything is A-OK. And if we do get robbed, they'll be quick to assure is that it won't happen again.
p.s. -- I wouldn't even sign up for this if someone other than Micorsoft were doing it. So you can imagine how I feel about having someone so security unconscious as them managing it.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Alternate Press Release - N in a series of M (Score:5)
Yeah, you there, the guy using the mouse as a foot
pedal!
Do you hate having to type in a shipping address
every time you order on the Internet? Or worse,
are you having trouble remembering your own
address?
NO PROBLEM! Microsoft is here to help! We'll take
care of all those pesky details for you. Our new
Passport software is your ticket to a stress-free
junk-filled life. The next version will even wax
and declaw your cat for you!
How much would you pay for this amazing piece
of ultra-modern technology? $50? $100? $1000?
Well, hold on to your hat! Microsoft are giving
away Passport for absolutely nothing!
That's right! In exchange for a complete personal
profile, including address information, and credit
history, which as we all know is worth absolutely
nothing to anybody, Microsoft will give you
Passport, a passport, if you will, to a future
of black velvet elvis paintings at knockdown
prices.
Worried about security? Don't be. Your most
private personal details will be stored in
the most secure form known to science, a
"hard disk". This revolutionary device encodes
information using the science of magneticism
in a form far too small for the human eye to
read. If a hacker were to gain access to this
"hard disk", he or she would never be able
to read the information it contained, even with
a high-powered magnifying glass!
Just remember, Big Brother is watching you, and
he cares!
[Insert standard EULA and disclaimers here, in
really small writing so the suckers won't bother
reading it, haha! - BG3]
K.
-
It's all marketing.... (Score:5)
Microsoft teams up with some of the bigger e-Commerce sites, Amazon.com, eBay, Reel.com, whomever, and says, "We'll give you a bunch of co-marketing dollars to start using Microsoft Passport." Of course, the sites go for it because they just want to make money.
"Everyone" is already using Microsoft Internet Explorer because it's part of Windows and "everyone uses Windows." Next time an MSIE user goes to one of those sites, a new AciveX component will download and they'll get a little message, "Try Microsoft Passport - we'll handle your billing for you! You'll never have to enter your billing information again!"
The average user isn't going to have any idea what's going on - they only know that they like Amazon.com's "One-Click Shopping" option and if they can get ALL websites to act like that, even better! Clickety-click and their data goes straight to Microsoft.
It's not about the security or technology -- it's all about how well you can market and making it easier for the sheep to follow the rest of the flock. Hence Microsoft's dominance.
-=-=-=-=-
This is scary stuff (Score:3)
What irks me is that management just doesn't see Microsoft as a competitor. We shouldn't be buying any of our competitor's products, because we are funding Microsoft to move into our own markets.
I'm afraid they won't see it until it is too late.
A little reality check... (Score:5)
I'm no m$ "believer", but I do use their stuff (as well as Solaris/Sybase/perl/java etc etc), and I guess I differ from some people here in that I don't automatically assume everything Bill touches is useless.
So what's with the Wallet? Well first off it clearly states that the wallet itself (and by extrapolation M$ and their retail partners) will not actually have anything to do with cash, credit or clearing. So the posts about getting Fed Res clearance are really a bit lost. All Wallet does is store your CC number(s) and delivery details in a central db. This info is supplied as required to the vendors, to enable them to perform a transaction. The transaction itself is still between the vendor and the CC company. (This is what I get from reading the press release - if anyone has any more practical info on how it works please let us know!).
Now lets evaluate
In theroy this is a great idea. The major security risks in online commerce are twofold - (a) Someone intercepts your details in transmission to the vendor, or, (b) the vendor acts dishonestly/carelessly. If the link from MS->Vendor was secured beyond the level usually used in a browser, then the risk from (a) is lowered dramatically. Also, as the novice user will be encouraged to only shop at "certified" stores, the risks from (b) will be reduced.
But of course we don't know what M$ plan implementation wise, and there are huge doubt's about their ability to secure a large system properly. To be fair, I think that in several cases (notably Hotmail) their security is no worse than anyone elses, they just get targetted more. This is not an excuse for not being proactive though! The questions I would ask are:
* How is the link from MS->Vendor secured?
And I want details!!
* Who will be liable in the event of dispute?
This is an important one, usually (here in the UK anyway) if you have a dispute with a vendor then legally the CC company is equally liable to pay you back. If they cannot prove you authorised the txn, then you cannot legally be billed for it. SO assuming the CC companies are on board with this one, they will have to sort out a good way that disputes can be settled quickly and in most cases in the favour of the client. I personally don't care that much if fraudulent txn's go against my card, provided I don't end up paying!!
* Are the CC companies 100% on board with this? Will we get them trying to wriggle out later saying they never approved this for payments and so denying liability?
* Can we have some kind of external audit of how the data is used. I'm not really worried about some kind of big brother m$ collecting info about which pr0n sites I subscribe to, rather that I would prefer they didn't send my home address to their marketing dept. In the UK there is law regarding this, which they would have to comply with, not sure about the legal situation elsewhere.
So assuming all these questions were answered to my satisfaction, I'd probably be fairly happy using the system. Implemented well it would be a positive boost to online security and convenience.
Adam.
Re:The Top 5 Reasons this is a Horrible Idea (Score:4)
Too late for that. If you buy from catalogs, or buy on the internet, or shop at the grocery store with those "club" cards, the battle is lost. The data is being collected, and most likely exchanged.
The only real way to prevent that is to only use cash.
4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?
It would obviously be in the store's best interest to keep a backup system that works buy taking your number directly. Stores would have to have this anyway for customers who aren't in this program. No retailer is going to turn you away because you don't use this system.
3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!
Perhaps not. This will likely lower their liability as the chance of some two-bit small retailer absconding with the card will go down. Remember that if someone charges $5000 on your card, it costs you $50 max and the retailer's involved $4950.
2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!
It should have the opposite effect. It should make people less fearful of spending at a site they know little about. They are more likely to push "submit" at "Paul's Pleasure Palace" if they know that they aren't actually sending their card number to Paul.
1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.
Then you better not be spending online. If you've bought anything for Microsoft online, then you've already given them exactly the same info that they'd have here. Same goes for any other company you've got from.
The concerns about "corporations having my information" are very valid, but unfortunately, this battle is pretty much over. The battle was basically lost before there even was "e-Commerce".
Working at the headquarters of a major retailler, I used to see huge, hundred page printouts of charge numbers just laying on a table outside of an unsecured room. Those charge numbers were given to the company by customers at their brick and morter stores. Those numbers were also used for "marketting purposes".
I don't get it. (Score:4)
I can understand why someone would want to avoid having to type in their card #, address, etc over and over again, but -- call me clueless -- why would I want this info on a central server rather than my own machine?
The "obvious" approach seems to me, to have a standard format for querying billing info, similar to how cookies work, and then have the user's machine pop up a "Supply/Deny" question. Why aren't they doing this?
---
Re:Passport security hole (Score:4)
When passport was first announced more than a year ago looking for early implementers, the serious hackers targetted it with an intensity unseen in recent years. Imagine a service with all the quality of a M$ product, the track record of M$ for lax security, holding thousands or millions of credit card numbers.
This is an infocriminals dream, because just one copy of this database could be exploited for billions of $$$ of bogus charges. There are organized crime groups around the world already set up to rip off the credit card companies with thousands of electronic scams. All they need is a valid credit card number, expiration date, and the holders name.
So when the hotmail hack was discovered, it was by a group probing every aspect of the passport service, and all the connections MICROS~1.OFT was making into other web sites.
Now there are hundreds of sites with an end point leading into passport. What do you want to bet that one of them has some other security problems because they run IIS, and some crackers will be able to get thru the encrypted tunnel back into the passport service. Not likely they will get more than a handful of CC numbers before the hole gets closed. Crackers tend to be immature kiddies looking for some attention, so they will blab about their exploits. The serious infocriminals will milk any hole for all it is worth, and not make any announcements to HNN [hackernews.com] or attrition [attrition.org].
Microsloth's only publicly acknowledged security aspect of passport is they are going to seed the database with 'tripwire' records, which will trigger anti-fraud measures when someone tries to use them with the CC companies (oh, and they use encryption [slashdot.org]).
There are rumours it will be built into the desktop of millenium, so it will always be a click away, with annoying warnings to those lusers who are not using it. I doubt this service will become widespread, since it is bound to get abused at some point. Public confidence will go down when the press has a field day when the system is cracked once, even if it doesn't lead to the loss of any CC records.
the AC
Not particularly new. Not particularly exciting. (Score:4)
Basically, Amazon saves your card number the first time you buy, so that when you come back, they can say "Charge card XXXX XXXX XXXX 1234?". The fact that you don't have to key the number is only a trivial advantage. The real advantage is that you don't have to send the number over the wire. Amazon knows what it is already, so they can simply charge the number they have, avoiding the need for sending the number where it could potentially be seen by evil criminal types.
(An overblown danger, but that's another story...)
This is all a good thing. It is not even a matter of "trusting" Amazon more than you otherwise would, because simply to buy things, you've got to trust them with your number. They will have it, and they will be saving it for financial purposes for at least a month, regardless. If you don't trust them with this, you shouldn't buy from them. (Note that the same goes for any retailer, internet or physical!)
Now most people probably trust a company like Amazon at least in terms of finances. Amazon is not likely to go charging your card up randomally. Most people assume they will be fairly careful with your number. (They probably won't be as careful as you think, but that's another story.) They are a big, known company. Where the trouble comes in is with tiny little companies that no one has ever heard of. Do you trust them with your number? That officially looking site could just be one guy in a basement. Give him your number, and you give him the ability to charge thousands of dollars in your name.
So what to do? An obvious solution is to do what is being done above. You give your charge number to some large company that you know will not abscond with it, charging it to the limit. Then you tell the little podunk companies to charge the big company. Your liability goes down. Your charge number doesn't fly across the wire every time you make a purchase from a new company. These are good things. This is more secure then sending your card number directly to everyone you buy from.
The only question is whether or not you trust Microsoft to secure your data. This is the same question you should be asking were you to make a purchase from Microsoft over the wire (or over the phone), as the data is the same.
I have seen the future... (Score:4)
CrACkRZ WheEL oF fORtUne! v0.99.14.151
[Win2000 4.00.004 SP7]
[Click here to start]
Checking e-wallet status... Done.
Checking bank account status... Done.
Checking permissions...
One moment please...
How much money would you like to add to your e-wallet? NOTE: if sum > US$ 1,000,000 you could be in TROUBLE!
Enter sum and press [Enter]:99999
US$ 99,999 added to e-wallet account!
Thank you for using CrACkRZ WheEL oF fORtUne!
Bill "Hotmail God" Gates: would you like this man to take care of your money? Thanks, but no thanks.