MS Passport and... Visa 438
HeUnique writes "Well, people have seen it coming. According to this story Microsoft is extending the Passport authentication system to process credit card payments (currently: Visa and MasterCard) through a deal with Arcot Systems. Of course, with the ever-changing privacy terms that some companies keep changing without notifying their users - it won't take long until they'll take your credit card info for 'verification' and who knows what they'll do with it.. sigh.."
In a nutshell: "Microsoft and Arcot plan to offer, later this fall, a service that will let banks require computer users to type in their Passport username and password to authenticate Visa or MasterCard credit cards." Take the word "require" in that sentence with a grain of salt, I guess. Favorite quote: "People will start trusting the system now that it's linked to credit cards."
Sure.
Fight Club (Score:3, Funny)
Careful, my friend (Score:3, Informative)
He was convicted of making terror threats and had to flee the country before he was sent to prison!
Hell, in CANADA the psychos sicced anti-terrorist police on him. And he is still trying to claim political refugee status so the Canadians don't deport him back to the U.S. to serve his sentence for adding to a joke.
So, careful: perhaps not in this instance, but in future ones, we are not allowed to speak, or joke, if the target is big enough and rich enough and fanatical enough.
Are we just crazy now? (Score:2, Funny)
Ignorant?
I will never associate my credit cards with anything Microsoft.
I don't even care if they start making wallets!
Re:Are we just crazy now? (Score:2, Funny)
Re:Are we just crazy now? (Score:4, Interesting)
Re:Are we just crazy now? (Score:2)
They already have. It's an optionally installed component of Windows 98, under internet tools, IIRC.
Re:Who needs credit cards anyway? (Score:3, Funny)
Or someone who lives in a small shack in the mountains and writes manifestos and sends explosive packages through the mail.
Re:Who needs credit cards anyway? (Score:2, Interesting)
With a credit card, I can pay for an item or service and if I am dissatisfied with the repairs to my car or the item I bought will not work correctly, I can refuse to pay until satisfied. With cash you are screwed.
When I rent a car I get the insurance covered by the credit card saving about $14 a day.
When I purchase an item the warranty gets doubled up to 1 year extra. This has actually helped me get a tape deck repaired which failed 2 months out of warranty.
Let's say I have to pay for an item costing $5000, I have the cash, but why use it? It can earn another month or two interest while the charge floats on the credit card.
This credit card has no yearly fees.
As for paying cash for a hotel room, you will also have to front 1 night's stay ( in cash ) in addition to your total cost of the room, unless you don't mind the phone turned off for long distance calls, any mini bar locked, movies turned off, etc...
But then again the same people who pay cash for rooms most likely get the "day or hourly rate" and like to have cinder block walls, vibrating beds and mirrored ceilings.
It's HOW they tell us... (Score:5, Informative)
No, they do inform us of changes, as they are often required to do so by laws of various states... Trouble is, they're allowed to change them and tell us later, by 4th class snail mail, taking 2-3 weeks to get to us, by which time it's too late to re-file a complaint or a protest before they've already sold our info off.
Re:Hmmm, Passport and credit card? (Score:3, Insightful)
The fallout of a major security breach is too nasty to think about.
Re:Hmmm, Passport and credit card? (Score:4, Informative)
The book recently reviewed on Slashdot, Translucent Databases [slashdot.org] does a good job of explaining how databases can be designed to provide these types of services (credit card authorization, central storage of information, etc.) in such a way that compromising the database does not provide the cracker with any information. Furthermore, an administrator or executive can glean no more information from the database than can a cracker, yet the database serves its purpose, while protecting the information it contains.
I went and ordered the book after reading the review here on Slashdot and I must say that the methods discussed are quite interesting and I'm very likely to start incorporating them into my database designs as I go forward. In some respects, the book isn't laid out/designed very well for "flow", but it does contain very good information and it challenges the reader to think about the material in new ways.
If you're worried about securing data against everyone except for the people/applications that need to access it, check out this book.
Cheers.
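An added illustration of the translucent-storage idea described in the comment above; it is not code from the book or from any poster. The class name, field layout and PBKDF2 parameters are assumptions of this sketch: the table keeps only one-way values derived from the user ID, card number and a passphrase, so a dump of it shows neither who is enrolled nor any card number.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor: an assumption for this sketch; tune it for real hardware.
ITERATIONS = 100_000


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow one-way function; its output is the only thing ever stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


class TranslucentCardStore:
    """Hypothetical card-verification table with no cleartext identity or PAN."""

    def __init__(self, site_salt: bytes):
        # A fixed salt, so the row key can be recomputed at lookup time.
        self._site_salt = site_salt
        self._rows = {}  # row key (hex) -> (per-row salt hex, verifier hex)

    def _row_key(self, user_id: str, passphrase: str) -> str:
        # The row is indexed by a one-way value, so an administrator reading
        # the table cannot tell which users are enrolled.
        return _kdf(f"{user_id}\x00{passphrase}", self._site_salt).hex()

    def enroll(self, user_id: str, pan: str, passphrase: str) -> None:
        # A card number hashed on its own is guessable (the issuer prefix and
        # check digit shrink the space), so the passphrase is mixed in. The
        # scheme is then only as strong as that passphrase.
        salt = os.urandom(16)
        verifier = _kdf(f"{pan}\x00{passphrase}", salt)
        self._rows[self._row_key(user_id, passphrase)] = (salt.hex(), verifier.hex())

    def authorize(self, user_id: str, pan: str, passphrase: str) -> bool:
        row = self._rows.get(self._row_key(user_id, passphrase))
        if row is None:
            # Do the same amount of work on a miss so timing does not
            # distinguish "unknown user" from "wrong card".
            _kdf("dummy", b"\x00" * 16)
            return False
        salt, verifier = bytes.fromhex(row[0]), bytes.fromhex(row[1])
        candidate = _kdf(f"{pan}\x00{passphrase}", salt)
        return hmac.compare_digest(candidate, verifier)

    def dump(self) -> dict:
        """What an intruder or insider with full read access would obtain."""
        return dict(self._rows)


def demo():
    """Enroll one constructed record and return the store and the test PAN."""
    store = TranslucentCardStore(site_salt=os.urandom(16))
    pan = "4111111111111111"  # widely published test number, not a real account
    store.enroll("alice@example.com", pan, "correct horse battery staple")
    return store, pan


if __name__ == "__main__":
    store, pan = demo()
    print("authorized:", store.authorize("alice@example.com", pan,
                                         "correct horse battery staple"))
    print("table contents:", store.dump())
```

The trade-off is that the service can answer "does this card belong to this user?" but can no longer list card numbers, so anything that needs the number itself has to get it from the cardholder at transaction time.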
Re:Hmmm, Passport and credit card? (Score:3, Insightful)
It's nice to see that at least a -little- high-level thinking is going on here, and not just a kneejerk reaction to the M word. In the real world, I don't see MS taking that sort of risk.. granted, they could afford to settle out of court with everyone who puts their CC information into the system if it DID get cracked and wasn't translucent.. wink wink, nudge nudge..
hmm (Score:4, Insightful)
Re:hmm (Score:4, Insightful)
It's much easier for them to dictate the standards for the Web when they've got everyone registered for their services.
Re:hmm (Score:3, Insightful)
I stop doing business with companies that want information that they have no need for.
Like Yahoo has no need for any of my personal information to sell... so I changed it all to junk. I wanted to buy a plane ticket and Yahoo wanted all this information before I could buy it... So I went to the site that Yahoo was front-ending... Got the ticket cheap and with less information requirements.
A website wanted an email address and you to be over 13, so they could sell your information.... So you are forced to mark over 13 and the email name is under@13.com.
All the information you give out makes it not FREE.
Also do you have a card to track your purchasing at a grocery store? Oops - discount card? Trade them with friends and strangers to mess up the computers... Also locally they've been wanting your SS#... So in case you lost it, they can issue you another... RIGHT.
Re:hmm (Score:2)
No, and I never will. The only discount cards I have don't have any of my information on (you get given them free, store points on, then trade them in for vouchers).
Re:hmm (Score:2)
I guess if you paid by credit card they could link the credit card and loyalty card purchases, but I usually had 2 or 3 of these cards in my wallet, and frequently swapped them with other family members.
I think they've stopped it now - but I moved out of the area.
Screw Passport. (Score:2)
I wish I could speak for everybody, but I can't, so I'll just speak for myself.
I hate websites that say you need to "establish" an account on their website. It doesn't carry the Microsoft logo now, and even if it does soon, it still won't get my business. I know that if I make an "account," my name, address, phone number, credit card information, and other private information is stored in a place that puts its privacy at risk, either by being hacked or by (more likely) it being sold to other parties. If I absolutely have to buy what I need from that website, I always call their sales line and demand that if they want my business, they won't save the information I give them. Though I cannot honestly say that they stick to their promise on the phone, I trust them if they say that they'll honor my request.
The same thing goes for PayPal. I will not touch their service, because I absolutely refuse to have my credit card number in the hands of a third-party company that, according to its contract, has the authority to manipulate it as they wish. Sorry, but I am not about to be put in a position where someone has a hold of me by the balls. If Microsoft says that they need my credit card number if I am to purchase items online, I'll tell them (as well as Amazon / eBay / NewEgg / etc) that they just lost business.
For those people who think that Microsoft is going to coerce "everyone" to using Passport, you're downright blind. Websites don't limit their customers to paying with only one company's credit card, and they certainly don't offer only one method of payment period. Even if Microsoft does take over the online payment industry, there's one payment that won't go away: Money Order and Snail Mail. And I promise you, I'd rather wait an extra 7 days for a package rather than know that my credit card information is unsafe.
Re:hmm (Score:2, Informative)
There are currently few Passport accounts because no one really needs them. The Passport accounts that do exist were likely ones forced onto users. This is how it has been, and this is how it will be. The day will come when using Windows will require a Passport account, getting support will require a Passport account, and downloading p0rn will require a Passport account. MS will bundle Passport connectivity into FrontPage, and developers will use the connectivity as mindlessly as they use other MS profit centers. It will appear free to all areas of end users, and therefore it will be used. We will again be in the same situation as we are with IE, where getting the 3% of customers who refuse to conform requires more effort than it is worth.
Furthermore, one would think that users would not like credit card information linked directly to a password, and have that password be the only thing needed to use the credit card. However, there are examples to the contrary [bookpool.com] of vendors doing exactly this.
This is much worse than "offering the service" (Score:2)
Which means that if you are one of the people whose bank decides to "pay" Microsoft for this "service", you will be "forced" to get a Passport account.
It's a great move for Microsoft - they will be getting paid by third parties for the privilege of forcing customers into the MS system. This is similar to me paying somebody to let me force visitors to go to their site.
Re:If this ever happens at my bank (Score:3, Insightful)
Re:This is much worse than "offering the service" (Score:4, Insightful)
Passport is the string that ties it all together. You will need Passport to conduct business, either as a buyer or seller. I'm sure there will be "merchant" (lack of a better word) accounts which cost a bundle for the seller and they must have them to collect.
But currently many people are safe. You are nagged to death to get a passport or associate your passport with Windows but you can have a passport without Windows. The day will come however where you it is a must!
It truly scares me. I can see how three business steps, maybe two, could control the whole industry. And I'm not just talking about the "Desktop" market or even the computer market, I'm saying they could literally grab chunks of the Internet and put it in their own pockets.
Congress and the Justice Department need to jump on this and look into their plans before it's too late.
That is if anyone is serious about our privacy or freedom.
Re:This is much worse than "offering the service" (Score:2)
To correct myself (very tye red)....
That should read: "The day will come however where it is a must! You will need Windows to use your passport"
Wouldn't it be ironic.... (Score:3, Funny)
Yeah, Right... (Score:2, Interesting)
So... how, again, does this magically insure that the credit card isn't stolen?
New Passport Slogan (Score:5, Funny)
AOL Account: $20 a month
Contribution to OSS fund: $1000
Charging it to Bill Gates Credit Card: Priceless
There are some rights money can't buy.
For everything else, there's Microsoft Passport.
Re:New Passport Slogan (Score:2)
Makes you wonder if Mr Gates uses Passport himself. Can you imagine what it would be like to be a cracker and stumble across that info? It would be like finding the fountain of youth in the town square of Atlantis and drinking from it with the Holy Grail.
Uhhhh no. (Score:2)
Rule of Acquisition M$101 (Score:2)
M$102
If you got their passport, you don't need their credit card number.
Let he who is without sin (Score:4, Insightful)
Before we start railing MS about bugs, let he who is without sin [slashdot.org] cast the first stone.
Anywho, it's not the hacking to get the password I'm worried about. Most people don't know how to make a good password, and most are easily guessable.
Re:Let he who is without sin (Score:2)
A large corporation in possession of millions of people's credit card information is a whole different deal.
Re:Let he who is without sin (Score:2)
Re:Let he who is without sin (Score:2, Informative)
Need it be said? (Score:2)
---
I'm tired of waltzing for pancakes. -- Gwen Mezzrow
Re:Need it be said? (Score:2)
Pick any one.
Security? (Score:5, Interesting)
Proof nobody trusts Passport... (Score:2, Informative)
What's next ? eBay ? (Score:5, Interesting)
I've really wondered many times why MS doesn't drop its dollar weight on Passport.. Compared to the Xbox, they've invested practically nothing in Passport!
Re:What's next ? eBay ? (Score:5, Informative)
Yahoo! Financials on Ebay [yahoo.com]
Time for a new CC vendor? (Score:5, Informative)
If anyone doesn't like what these companies are doing, there is always an alternative [216.239.51.100].
People use credit cards because the massive lapses in security are never properly publicised and also, whenever someone steals from their card, they get the money refunded.
Basically, they have nothing to lose, and like I said, if they want privacy, there are many ways to achieve this, PrivateBuy being just one.
Re:Time for a new CC vendor? (Score:2)
Another way of saying this is to say that credit cards are secure enough just as they are. Of the millions of credit card transactions processed every day, only the slightest fraction are fraudulent, and in those cases, the customer is taken care of appropriately practically every time. In other words, most of the time it's secure, and when it isn't, there's no real harm done.
Don't get me wrong; I'm all for ultra-secure military grade encryption on everything. But is it really necessary?
You missed something (Score:2)
Re:Time for a new CC vendor? (Score:3, Interesting)
Liability for CC fraud is not the responsibility of the card-holder. This is mandated by banking laws. It is the responsibility of the card-issuer. However, the major CC companies shift the liability to the individual merchants as part of the merchant agreements that they must sign in order to accept CCs. The reason you never hear about major CC theft is individual merchants are generally too small to make a big stink. Besides, most of them either have insurance to cover this, or the big retailers all have a substantial fraud write-off built into the budget.
Another way of saying this is to say that credit cards are secure enough just as they are. Of the millions of credit card transactions processed every day, only the slightest fraction are fraudulent, and in those cases, the customer is taken care of appropriately practically every time. In other words, most of the time it's secure, and when it isn't, there's no real harm done.
One of the reasons it's secure is that there is a separate processing network with dedicated encryption hardware in place to handle all these transactions. Fraudulent transactions almost never originate from inside the network - they are entered into the system by a vendor. And since everything's encoded with the vendor ID, it can be tracked back to the originating site quickly.
Once Internet stores started accepting CCs for on-line purchases, CC fraud went through the roof because all you need is a few names and numbers. And since there's no way to "show" the store your card, with your name on it, the CC companies jacked up the merchant rates (something on the order of .5% of the transaction for off-line purchases, and 2-3% for on-line purchases). Still, there isn't a law on the books regulating every aspect of internet purchases.
But, a lot of the confidence in the current CC processing networks is in the fact that every aspect of the process is governed by laws, with strict penalties, and not by one company. You can argue that VISA and MC are an oligarchy, but they still have strict regulations to follow. MS has no regulations to follow here - and given their refusal to admit to any wrongdoing in the anti-trust case, even after an appeals court upheld the conviction, does not bode well for their handling this kind of sensitive data in a responsible or secure manner (Trustworthy Computing be damned).
Over inflated numbers (Score:5, Interesting)
<sigh> I have to wonder if they're including the hotmail users in this number, since signing up for passport and hotmail are linked. If so, this number is hugely overinflated...the number of people actively using passport is way smaller. Too bad, companies may read this and decide it's a great way to reach a large audience.
--trb
Re:Over inflated numbers (Score:2)
I disagree (Score:5, Interesting)
Simple (Score:5, Interesting)
Of course, people are going to say that we don't want the RIAA/MPAA/??AA/etc but as a matter of fact, general society does, and we -do- still support them (by seeing movies, buying cds, etc)
OTOH, no bank has a monopoly. As soon as Passport gets picked again, and credit cards numbers are out, people won't use it, and will demand a different method. (Note: viruses on desktop computers don't matter to people, because the general public doesn't store crucial data on their home computers) --
As soon as people start demanding non-Passport methods of authentication, banks -will- provide.
Not so simple (Score:4, Insightful)
Re:Not so simple (Score:2)
If it came down to it, I'd start one. Coming up with funding is almost never a problem because just about the only thing that can prevent a fractional-reserve bank from making a profit is criminal mismanagement. Basically, it's just one hell of a business model.
Re:Not so simple (Score:3, Informative)
Yes, it does! My bank charges no ATM fees of their own and they reimburse up to $8 per month in other banks' ATM fees. I only use an ATM a couple times a month and never run up more than $3 in fees, but it's nice to know that I have lots of breathing room.
Check your pension (Score:2)
If your bank has shares in any of the Passport banks then you are 'supporting' the Passport banks.
If you buy anything from any company or anyone that in any way supports those banks then you too are supporting them, that's the way that capitalism works, one big giant circle.
Re:Simple (Score:4, Interesting)
Huh? This is precisely the problem. Users do store crucial data on their home computers, they just don't know they do.
Passport stores encrypted credential data on client computers in the form of persistent cookies. Grab the cookies, 0wn the d00d's wallet. (source: Avi Rubin's paper [avirubin.com])
All we need is a Klez variant that propagates by spreading these cookies to other users in the address books (or, more evil still, by posting them on USENET either directly or via mail-to-news gateways after converting them to text a'la SpamMimic), and any black hat in the world can count on a continual supply of Passport cookies from a large pool of unsecured and compromised machines.
> Any bank which requires me to have a Passport account won't get my business. The one thing about capitalism is that you -can- force unwanted business to end, simply by going to their competitor
What you said. I don't trust Passport as a security mechanism. I won't do business with an organization that demands I link it with my credit card. If that means I switch banks, the branch manager and head office will get copies of a letter explaining precisely why I switched.
I prefer to bank at large national or regional banks, but even if they "all" go Passport, I'll happily switch to small regionals, of which America has hundreds, if not thousands, to choose from.
give me a fucking break (Score:2)
So yeah, as soon as you and all the other smart mouths on here go out and demand no riaa, no mpaa, no passport etc - the rest of the world will still fucking ignore you.
Shriek! Oh I'm so scared! (Score:2, Troll)
Dood, fucking grow up.
Error message (Score:4, Funny)
Re:Or something just as probable... (Score:2)
Our records indicate that your use of the song, "I wanna kick some MS ass" is in violation of your current license. Press "OK" to charge the credit card on file with Passport $19.99 to acquire the correct license, or "Cancel" to remove the song from your hard drive. If you choose to remove the song, you will be charged a $10.00 fine for violating the terms of the license. Have a nice day, and thank you for using Microsoft!
Or more likely... (Score:2)
Same old story (Score:2)
Why do I get the feeling that Microsoft will probably not be more honest than AOL when it comes to making sure that your credit card is only used to buy things when you actually want to buy them:
"I've noticed that you're not running Windows XP! Don't click on 'cancel' to decline acceptance of the purchase of a new copy of Windows XP, which will be automatically installed when you accept this offer."
Re:Same old story (Score:2)
'Your annual fee for using Windows XP has expired. Click OK to send us another $200 to renew your licence. If you click cancel, Office will shut down, and you will have to activate XP again.'
This ain't gonna happen... (Score:3, Insightful)
If most sites started requiring passport for some reason (credit card processor mandate?), I'd find myself showing up at physical stores once again.
Re:This ain't gonna happen... (Score:2)
Re:This ain't gonna happen... (Score:2)
You actually buy your groceries online?
In the UK this is actually now fairly common, you see lots of Tesco Online [tesco.com] vans running around if you're out and about during their "peak" delivery hours (just after people get home from work).
Al.
Re:This ain't gonna happen... (Score:2)
Try buying something online from Starbucks. Passport required. (unless it's changed recently).
Very annoying. So, I signed up for passport, gave them only the barest minimum of information (and NOT my CC number -- I gave that only for the one transaction. Granted, I'm trusting they don't store it w/out my consent, but what can I do?).
At this point, I think I've done this two or three different times. Each time, a few months later, my passport's expired, or I forgot the password, so I just create a new one.
By and large, though, I'd like to agree with you, but the point is, it's already happening....
Re:This ain't gonna happen... (Score:2)
my apologies.
Trust? (Score:4, Insightful)
I trust my VISA (and credit card companies in general), because they tend to work in my interest and take care of me when I have bona fide problems with unauthorized usage and such. I have zero trust in Microsoft, a company that has systematically undermined my digital rights on a regular basis without apparent consideration of what I want. It may be "good for business", but it's not good for me.
That being said, I plan on reformatting my Win2k boxes at home this weekend and uninstalling the Media Player. I'll also be removing the "Automatic Updates" feature they added to their "Windows Update" site recently -- I don't trust them not to modify my preferences there, either.
Re:Trust? (Score:5, Interesting)
I used to work for the second largest Visa issuer. We tracked everything a cardholder did. We knew your spending habits and what you liked to buy. We knew when you were on vacation and when you fooled around on your wife. We sold this information to advertisers and gave it to other ventures within our corporation. Sometimes we'd even turn it over to the Secret Service. Every cardholder had an agreement similar to a EULA. We changed it all the time, raising rates and fees to our benefit. By using the card you were bound to the agreement.
Essentially we did the same thing you say Microsoft does, and maybe even a little more, yet you trust Visa over Microsoft. Interesting.
Re:Trust? (Score:4, Insightful)
yet you trust Visa over Microsoft.
Good point which many probably aren't aware of in this forum.
I dislike VISA [pbs.org] for what it does to maintain and to milk its monopoly as much as I dislike Microsoft for the same. VISA does arm twisting and revenue extraction not just from consumers, but also from participating retailers that get charged fees that, well, are as economically inelastic as what Microsoft charges for licensing fees.
As a computer geek, I'm just more cognizant of MS actions than I am of VISA. The other thing about MS is that its monopoly stands to grow substantially more invasive, intrusive and unavoidable as Web services increase. VISA is relatively static by comparison, though people are buying groceries and fast food on the things where they didn't 10 years ago.
Now if VISA were able to subsume the role of the central government and be the de facto electronic cash, then there'd be more reason for concern.
I can just see it advertised how recording every dime spent and tracing every transaction eliminates terrorism, pedophiles, drug dealing and prostitution. Every cash related movement of every individual such as Mohammed Atta would be recorded and analyzed for "suspicious activity". And the sheep I call my fellow citizens might just buy into it given enough FUD at the right time. The Islamic extremists will win as our governments become as restrictive as their own.
Weird, I read about this someplace before... (Score:3, Funny)
11 Then I saw another beast which rose out of the earth; it had two horns like a lamb and it spoke like a dragon.
12 It exercises all the authority of the first beast in its presence, and makes the earth and its inhabitants worship the first beast, whose mortal wound was healed.
13 It works great signs, even making fire come down from heaven to earth in the sight of men;
14 and by the signs which it is allowed to work in the presence of the beast, it deceives those who dwell on earth, bidding them make an image for the beast which was wounded by the sword and yet lived;
15 and it was allowed to give breath to the image of the beast so that the image of the beast should even speak, and to cause those who would not worship the image of the beast to be slain.
16 Also it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead,
17 so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name.
18 This calls for wisdom: let him who has understanding reckon the number of the beast, for it is a human number, its number is six hundred and sixty-six.
Sounds like a marriage between Microsoft and Visa to me. In order to order, you have to bear the mark of the beast [ihatebillgates.com].
Mobile payment does it already. (Score:5, Interesting)
Now this is a very secure way of doing business. Of course no system is 100% secure. But in the same manner as the Passport solution, you still need to register your credit card to a database, connected online, that can be contacted by the merchants. Sounds similar to me.
Of course you still have the additional security of the SMS and the PIN code and Microsoft don't have the best reputation when it comes to securing their systems. But it still gives time for thought.
Re:Mobile payment does it already. (Score:2)
Now this is a very secure way of doing business. Of course no system is 100% secure. But in the same manner as the Passport solution, you still need to register your credit card to a database, connected online, that can be contacted by the merchants. Sounds similar to me.
Note some of the words in bold above. See, what you have described is a service where people have a choice. You can pay like this if you want to. It doesn't sound like this is forced upon users. THAT is why it is different than the MS vision.
Relevant extra links: Arcot Systems (Score:2, Interesting)
Yahoo is already there. (Score:4, Interesting)
What REALLY pisses me off about this? International commerce. It is impossible for me to directly buy goods from auctions.yahoo.co.jp (Jahoo Auctions Japan). Yahoo's Wallets are localized, and if I don't have a credit card or account to a Japanese bank, I can't use that Yahoo auctions website. I can't even ask a question to the seller! To that website, no member can live outside of Japan....
A bank or credit card issuer, standing behind IDs? (Score:2)
I'll be worried when they ask my cat, Griffin, to sign up for a credit card. I used her name to sign up for my wife's AOL, so it's only a matter of time.....
Order by phone (Score:2)
Boycott (Score:2)
This is the most insanely stupid concept... (Score:3, Insightful)
I play Asheron's Call (only published by MS, not made by them, BTW.) They changed over their auth system about 8 months ago from the old kludgy Zone auth system to Passport, and it's been downhill ever since. Each game account requires a separate Passport account, and most of the people who are big into the game have at LEAST two accounts (I have 3, myself). There's some inflationary numbers on how many are using Passport for you.
Furthermore, there was a recent rash of folks getting their accounts hacked because folks don't understand password security, and had their Passport e-mail address listed in YaBB and UBB boards centered on the game, used the same password for those boards as they do for their Passport account, and an exploit was discovered allowing folks to actually retrieve that info from those BB packages. If this idea is similar to the concept of the MS Wallet - which I haven't heard anything out of in a while - it's going to be an utter and complete disaster. Credit card fraud will reach new all-time highs, banks will start to go under, cows will fall out of clear blue skies, chaos and destruction will reign, et al.
BUT.
Here's the trick. If it is NOT like Wallet, and your CC info is NOT stored within Passport, then what they're effectively doing is adding a password check to your credit card for online transactions. At least one company is already doing this (witness the "I am Emmit Smith" ads) and it's an incredibly good idea. You register your Passport account with the bank who provided your Credit Card, and in return, your card number becomes totally useless without a password for the purposes of online transactions.
I really don't think that it's such a hot idea to be using PASSPORT for this, but the concept, if the card number isn't stored online BY the password system, is a VERY good one.
Fortunately for me, my credit card is through Digital Federal Credit Union, and I don't think they're too likely to implement it without warning.
Re:This is the most insanely stupid concept... (Score:2)
So where is the trick, I can't see it? The basic concept of credit card use under mail order/phone order rules is this: The cardholder possesses some data record consisting of CC number, name on card, expiration date, et cetera. In order to make a payment, the cardholder hands over the whole record to the merchant, who in turn uses the data to acquire the money. Which makes the data record a public data record because hiding it is not part of the concept (though it may make life easier if you don't tell everyone).
This, by the way, is not a weakness of the credit card, it's a strength. The obvious insecurity in the technology is balanced by a rather fair and sensible distribution of liability. This non-technical factor makes credit cards a payment system one actually wants to use.
So what does adding a password to the public data record change? Sure, they can have password and other data checked by distinct entities, but still, what does it change to the concept? You have a data record, and it's public because you give it away whenever you pay.
Uh oh, and what does totally useless for the purpose of online transactions mean? Can't you shop in online stores that do not support this scheme? Does telephone count as "online", i.e. will it really block all uses of the card without physical presence of the card? Will you be required to type your passport password on a ticket vending machine's touchscreen? And will you still be able to dispute "verified" transactions?
Re:This is the most insanely stupid concept... (Score:2)
I have been using the MBNA system for a year and a half (after the first, and only time, I had my actual credit card number stolen online). I've probably done about $20K of charges since then using the one-off numbers and have not had a single fraud problem since. The only real downside is that you have to use a Flash applet that I haven't been able to make run under Linux yet in order to generate the numbers. But, for a Windows user it is amazingly well designed and easy to use. It fits into the current credit card system transparently (the merchants never even know the number is "special") and requires very little overhead compared to the original, insecure, send your number all over the web approach. Now I don't even mind emailing cc#'s to people because I know that in the rare chance that it is intercepted, it will only be good for one, very limited, use and I won't have to go through the hassle of canceling my primary card and waiting around until a new one is issued.
See MBNA ShopSafe [mbnashopsafe.com] for their program details.
Not a big risk to your credit card.. (Score:4, Informative)
Seriously, you have a bigger risk of getting your credit card number stolen when you pay for your dinner at a restaurant with it than by submitting it to a website using SSL. Not only does the waiter/waitress handle your card, but in a lot of places they'll swipe it in a magnetic card reader that sends it unencrypted over a phone line, or worse, they'll use a POS system that stores the entire swipe data in an unencrypted text file on their local server's hard drive... which will later send it out over a phone line unencrypted.
Microsoft is evil, but they aren't stupid. If they screw this up the class action lawsuit that will result would likely put them out of business. Wait, maybe we should all sign up, and get Johnnie Cochran on retainer, before Microsoft hires him and we lose to the Chewbacca defense ;)
Re:Not a big risk to your credit card.. (Score:2)
True, my father had stuff purchased on his card right after going out to eat somewhere. It happens. BUT - the number of accounts that a restaurant has access to is minuscule compared to what something like Passport would. Crackers will go for a big score. And in a restaurant, you choose to pay by credit card, and know of the risks. Do you know the risks involved in using Passport? No, you don't! It is none of your business. Trust Microsoft, they have a proven track record of security. Just let them take care of everything...
"If they screw this up the class action lawsuit that will result would likely put them out of business."
I am pretty convinced that MS is untouchable, they have too much money and ego. Weren't they convicted of using monopolistic practices to hinder competition? Hmm, let's see, what was their penalty again?
This is one point where I would be dancing for joy if I was proven wrong.
Shops can't afford that (Score:4, Interesting)
Online shops cannot afford to require anything from their customers. The point in running a shop is selling; selling means to make buying as easy as possible. This is especially true on the Net where the customer can even remain sitting in her chair while leaving the shop and entering the competitor's. So how is this going to work? Successful online shops already know the rules and won't even try to require anything from the customers. Those who try will notice soon.
After all, digital signatures (as a legal concept) and all those esoteric digital payment schemes didn't take off; online shops just don't need them. They are even willing to take some risk if this helps them to gain new customers.
Waiting for their next smart idea ...
Call your card issuer NOW. (Score:3, Interesting)
Learn how it works first, bitch later. (Score:5, Informative)
Re:Learn how it works first, bitch later. (Score:2, Interesting)
Re:Learn how it works first, bitch later. (Score:2)
Will the user authenticate the particular transaction (i.e., who gets how much money)? How does the system authenticate to the user? Will the user understand this authentication and its necessity? Will the user be sufficiently warned if everything looks fine but system authentication towards the user is omitted? Will any liability shift occur when such a verification scheme is used?
Is it their way of making EULA a real contract? (Score:2)
Any thoughts?
Re:Is it their way of making EULA a real contract? (Score:2)
Re:Is it their way of making EULA a real contract? (Score:2)
passwords no longer CaSeSeNsItIve (Score:5, Informative)
This rather bothers me.
It used to be that I had to use the proper case to login. Somewhere along the way, Microsoft did something to change my password (which I had assumed was stored encrypted) to make it case insensitive.
Re:passwords no longer CaSeSeNsItIve (Score:2, Informative)
hmmm (Score:2)
"People will start trusting the system now that it's linked to credit cards."..... trusting it less..
The truth is, outside of the slashdot and SOME of the technical community, many computer users don't know enough NOT to trust the system. It's like all those people who trust their employers (think Enron), car manufacturers (remember Ford's / Firestone's exploding tires), cable companies (monopolies in many cases), phone companies, electric companies (think PGE in CA) etc.. they don't know any better till they get screwed by one (or all) of these companies...
Yes and .. (Score:2)
I think you'll also find that a lot of people didn't store their credit card details because they saw no need for the system to have it. I've lost count of the number of places I've signed up and they want some personal details that they definitely do not need.
You don't just go hand out your credit card number to anyone who asks for it. Well I don't anyway.
Subnote: Having said that, porn sites don't seem to have any problem with people giving their credit card details over for a "free" trial. Mind you, then they start getting billed for it and can't get it stopped. So maybe there are mugs out there.
Be Preemptive (Score:3, Interesting)
Here's a part of what mine, Vancity, gave back to me:
If there are people like me there, they would be relieved to use a post like mine citing the previous security issues that Microsoft has had to the person who may decide that passport-only is a good idea.
Be preemptive. It's easier.
Simple Solution (Score:4, Insightful)
Here is my simple solution to MS' latest Passport move:
Sure way to avoid my business (Score:3, Insightful)
Hotmail (Score:3, Interesting)
And you want to give them your CC number?
Re:American Express? (Score:2)
~Philly
Re:Good Lord! (mod this up, seriously) (Score:3, Insightful)
This needs to be modded up, seriously. Why? Because this is how the unwashed masses think, and MS knows it. But here is what you are not seeing - you may or may not see this "service" as useful, but you should have a CHOICE of whether or not to use it. MS can roll out any service they wish, as long as they don't force people to use it. Get it? They are cutting deals that FORCE you to give up your information to something that has proven to be insecure. I should have the right to decline that service. If you find it useful and more convenient, go right ahead and use it. Maybe you will be one of the lucky ones who doesn't get nailed to the wall when (not if) someone cracks in and steals passports. I can guarantee it won't happen to me, because I won't get a passport account. I'll quit shopping online and get rid of my credit cards before it comes to that.
Re:Wonderful.. (Score:2)
Re:Gee. I own a Mac. That means I can't buy shit. (Score:3, Funny)
But it will come to pass. M$ minions will tout their service as the best, most secure thing in the world since nobody can buy a friggin' thing because the server in Redmond has crashed after being cracked by the 11,111,111,111,111 script kiddie trying a new exploit.
It took me a moment to figure out that when you said, "11,111,111,111,111," you meant the number of script kiddies trying a new exploit. 111-1111111 used to work for Office 97 and NT4.0 OEM codes, so I wouldn't be surprised if it were some MSN administrator's password.