Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Microsoft

MS Passport and... Visa 438

HeUnique writes "Well, people have seen it coming. According to this story Microsoft is extending the Passport authentication system to process Credit card payment (currently: Visa and MasterCard) through a deal with Arcot Systems. Of course, with the ever-changing privacy terms that some companies keep changing without notifying their user - it won't take much long until they'll take your credit cards info for 'verification' and who knows what they'll do with it.. sigh.." In a nutshell: "Microsoft and Arcot plan to offer, later this fall, a service that will let banks require computer users to type in their Passport username and password to authenticate Visa or MasterCard credit cards." Take the word "require" in that sentence with a grain of salt, I guess. Favorite quote: "People will start trusting the system now that it's linked to credit cards." Sure.
This discussion has been archived. No new comments can be posted.

MS Passport and... Visa

Comments Filter:
  • Fight Club (Score:3, Funny)

    by KingKire64 ( 321470 ) on Tuesday July 09, 2002 @11:24AM (#3849609) Homepage Journal
    Isnt it about time call up tyler durden to take out the credit card buildings thus destroying creditcard debt for america.... WAIT we got microsoft the next best thing, Tyler uses explosives and MS uses security holes!!
    • Careful, my friend (Score:3, Informative)

      by Catbeller ( 118204 )
      A guy named Keith Henson responded to a thread joking about about firing Tom Cruise missles at a Scientology compound in California.

      He was convicted of making terror threats and had to flee the country before he was sent to prison!

      Hell, in CANADA the psychos sicced anti-terrorist police on him. And he is still trying to claim political refugee status so the Canadians don't deport him back to the U.S. to serve his sentence for adding to a joke.

      So, careful: perhaps not in this instance, but in future ones, we are not allowed to speak, or joke, if the target is big enough and rich enough and fanatical enough.
  • Are we just crazy now?
    Ignorant?
    I will never associate my creditcards with anything microsoft.
    I dont even care if they start making wallets!
    • If you put money, credit cards, or anything for that matter in a wallet made by M$...you would more than likely lose it, because of holes in the wallet...
    • by arivanov ( 12034 ) on Tuesday July 09, 2002 @12:12PM (#3850012) Homepage
      Ease up. We should actuall chear and appload. This move immediately makes it a valid target for EU data protection law and similar legislations everywhere. Before it was questionanle. Now it is fair game because it is a financial service and subject to a serious regulatory regime in most countries. By the time it gets to market its venomous teeth will be extracted and replaced with harmless prostetics ;-)
    • I dont even care if they start making wallets!

      They already have. It's an optionally installed component of Windows 98, under internet tools, IIRC.

  • by acroyear ( 5882 ) <jws-slashdot@javaclientcookbook.net> on Tuesday July 09, 2002 @11:24AM (#3849617) Homepage Journal
    Of course, with the ever-changing privacy terms that some companies keep changing without notifying their user - it won't take much long until they'll take your credit cards info for 'verification' and who knows what they'll do with it.

    No, they do inform us of changes, as they are often required to do so by laws of various states...Trouble is, they're allowed to change them and tell us later, by 4th class snail mail, taking 2-3 weeks to get to us, by which time its too late to re-file a complaint or a protest before they've already sold our info off.

  • hmm (Score:4, Insightful)

    by seizer ( 16950 ) on Tuesday July 09, 2002 @11:24AM (#3849620) Homepage
    Of course, any real web business would have to be insane to limit its clientele to Passport account holders only. Note how Microsoft has 14 million registered users of Passport (how many just for MS Messenger?). Now note how many people on the net - approximately 400 million? So do you see Amazon saying that only 3% of the net can buy their books? Nope, didn't think so.
    • Re:hmm (Score:4, Insightful)

      by Fly ( 18255 ) on Tuesday July 09, 2002 @11:37AM (#3849751) Homepage
      Yes, but the Passport account is "free" since it does not require uses to pay, so Amazon or other sites would simply coerce users to sign up for their "free" passport accounts. This way Microsoft becomes the gatekeeper for more and more Web services and gets everyone's information, which is part of the actual cost of the "free" service.

      It's much easier for them to dictate the standards for the Web when they've got everyone registered for their services.

      • Re:hmm (Score:3, Insightful)

        by jackb_guppy ( 204733 )
        Nothing is free.

        I stop doing business with company's that want information that they have no need for.

        Like Yahoo has no need for any my personal information to sell... so I changed it all to junk. I want to but a plane ticket and yahoo wanted all this information before I could buy it... So I went to site the yahoo was front-endding... Got the ticket cheap and with less information requiremnets.

        A website wanted an email address and you to be over 13, so they could sell your information.... So you are forced mark over 13 and the email name is under@13.com.

        All the informaiton you give out makes it not FREE.

        Also do you have a card to track your purshing at a groserys store? Opps - discount card? Trade them with friends and strangers messup the computers... Also locally they been wanting your SS#... So encase you lost it, they a issue you another... RIGHT.
        • Also do you have a card to track your purshing at a groserys store? Opps - discount card?

          No, and I never will. The only discount cards I have dont have any of my information on - you get given them free, store points on, then trade them in for vouchers).
      • Yes, but the Passport account is "free"...so Amazon or other sites would simply coerce users to sign up for their "free" passport accounts.

        I wish I could speak for everybody, but I can't, so I'll just speak for myself.

        I hate websites that say you need to "establish" an account on their website. It doesn't carry the Microsoft logo now, and even if it does soon, it still won't get my business. I know that if I make an "account," my name, address, phone number, credit card information, and other private information is stored in a place that puts its privacy at risk, either by being hacked or by (more likely) it being sold to other parties. If I absolutely have to buy what I need from that website, I always call their sales line and demand that if they want my business, they won't save the information I give them. Though I cannot honestly say that they stick to their promise on the phone, I trust them if they say that they'll honor my request.

        The same thing goes for PayPal. I will not touch their service, because I absolutely refuse to have my credit card number in the hands of a third-party company that, according to its contract, has the authority to manipulate it as they wish. Sorry, but I am not about to be put in a position where someone has a hold of me by the balls. If Microsoft says that they need my credit card number if I am to purchase items online, I'll tell them (as well as Amazon / eBay / NewEgg / etc) that they just lost business.

        For those people who think that Microsoft is going to coerce "everyone" to using Passport, you're downright blind. Websites don't limit their customers to paying with only one company's credit card, and they certainly don't offer only one method of payment period. Even if Microsoft does take over the online payment industry, there's one payment that won't go away: Money Order and Snail Mail. And I promise you, I'd rather wait an extra 7 days for a package rather than know that my credit card information is unsafe.
    • Re:hmm (Score:2, Informative)

      by fermion ( 181285 )
      I am not sure how anyone, with a straight face, can say that real web business would have to be insane to limit its clientele to Passport account holders only. Web bussineses have and will continue to limited their customers to those MS find acceptable. For instance such bussineses require IE by using random IE standards. They were able to justify such laziness by saying the user can always go and download IE for free, although, as has been mentioned, downloading IE is only free if your time, bandwidth, and computer, are wothless. The same brainlessness will hold for passport.

      There are currently few passport accounts because no one really needs them. The passports accounts that do exist were likely ones forced onto users. This is how it has been, and this is how it will be. The day will come when using windows will require a passport account, getting support will require a passport account, and dowloading p0rn will require a passport account. MS will bundle passport connectivity into front page, and developers will use the connectivity as mindlessly as they use other MS profit centers. It will appear free to the all areas of end users, and therefore it will be used. We will again be in the same situation as we are with IE, where getting the 3% of customer who refuse to conform requires more effort than it is worth.

      Furthermore, one would think that users would not like credit card information linked directly to a password, and have that password be the only thing needed to use the credit card. However, there are examples to the contrary [bookpool.com] of vendors doing exactly this.

  • From the text of the article, the "service" will be offered to banks, ans will "force" the "users" to authenticate online transactions with their "Passport" password.

    Which means that if you are one of the people whose bank decides to "pay" Microsoft for this "service", you will be "forced" to get a Passport account.

    It's a great move for Microsoft - they will be getting paid by third parties for the privilege of forcing customers into the MS system. This is similar to me paying somebody to let me force visitors go to their site.

    • I'll happily take my business elsewhere. Simple as that.
    • The scary part isn't here yet, at least not all the way.

      Passport is the string that ties it all together. You will need passport to conduct business, either as a buyer or seller. I'm sure there will be "merchant" (lack of a better word) accounts which costs a bundle for the seller and they must have them to collect.

      But currently many people are safe. You are nagged to death to get a passport or associate your passport with Windows but you can have a passport without Windows. The day will come however where you it is a must!

      It truly scares me. I can see how three business steps, maybe two, could control the whole industry. And I'm not just talking about the "Desktop" market or even the computer market, I'm saying they could literally grab chunks of the Internet and put it in their own pockets.

      Congress and the Justice Department need to jump on this and look into their plans before it's too late.

      That is if anyone is serious about our or privacy or freedom.

  • by Lord_Slepnir ( 585350 ) on Tuesday July 09, 2002 @11:25AM (#3849634) Journal
    ....If you had to use a Microsoft Passport to buy add-free pages on slashdot....
  • Yeah, Right... (Score:2, Interesting)

    by Anonymous Coward
    Quote: "It's good for Microsoft because up until now, no one stood behind the authenticity of the (Passport) identities. You can register as easily as 'Donald Duck' as you can with your real name," Litan said. "Now (Passport users) are linked to credit card companies. There is going to be a bank or credit card issuer standing behind the identity."

    So... how, again, does this magically insure that the credit card isn't stolen?
  • by Anonymous Coward on Tuesday July 09, 2002 @11:26AM (#3849638)
    Linux Redhat: $59
    AOL Account: $20 a month
    Contribution to OSS fund: $1000

    Charging it to Bill Gates Credit Card: Priceless

    There are some rights money can't buy.
    For everything else, there's Microsoft Passport.
    • Charging it to Bill Gates Credit Card: Priceless

      Makes you wonder if Mr Gates uses Passport himself. Can you imagine what it would be like to be a cracker and stumble across that info? It would be like finding the fountain of youth in the town square of Atlantis and drinking from it with the Holy Grail.

  • Once you got their credit card number, you got their money.

    M$102
    If you got their passport, you don't need their credit card number.
  • by FortKnox ( 169099 ) on Tuesday July 09, 2002 @11:26AM (#3849644) Homepage Journal
    Favorite quote: "People will start trusting the system now that it's linked to credit cards." Sure.

    Before we start railing MS about bugs, let he who is without sin [slashdot.org] cast the first stone.

    Anywho, its not the hacking to get the password I'm worried about. Most people don't know how to make a good password, and most are easily guessable.
  • Trust and credit card are two words of which I am highly suspicious being in the same sentence.

    ---
    I'm tired of waltzing for pancakes. -- Gwen Mezzrow
  • Security? (Score:5, Interesting)

    by dfn5 ( 524972 ) on Tuesday July 09, 2002 @11:28AM (#3849668) Journal
    So how does the backing of a credit card company increase the security of the Passport system? If the Passport system is cracked then your credit card info is vulnerable, yes?
  • What is there not to trust when [avirubin.com] dealing [eyeonsecurity.net] with Passport [wired.com]?
  • What's next ? eBay ? (Score:5, Interesting)

    by selderrr ( 523988 ) on Tuesday July 09, 2002 @11:28AM (#3849671) Journal
    I'm really wondering when MS is going to buy a large content provider and force Passport upon us. eBay, or Amazon. They're both in the red, so should be purchaseable for a giant like MS.

    I've really wondered many times why MS doesn't drop it's dollar weight on passport.. Compared to the XBox, they've invested practically nothing in passport !
  • by Beautyon ( 214567 ) on Tuesday July 09, 2002 @11:29AM (#3849676) Homepage
    Many companies have their own branded credit cards. I wonder how many people here carry VISA / Mastercard / Amex?

    If anyone doesnt like what these companies are doing, there is always an alternative [216.239.51.100].

    People use credit cards because the massive lapses in security are never properly publicised and also, whenever someone steals from their card, they get the money refunded.

    Basically, they have nothing to loose, and like I said, if they want privacy, there are many ways to achieve this, PrivateBuy being just one.
    • People use credit cards because the massive lapses in security are never properly publicised and also, whenever someone steals from their card, they get the money refunded.

      Another way of saying this is to say that credit cards are secure enough just as they are. Of the millions of credit card transactions processed every day, only the slightest fraction are fraudulent, and in those cases, the customer is taken care of appropriately practically every time. In other words, most of the time it's secure, and when it isn't, there's no real harm done.

      Don't get me wrong; I'm all for ultra-secure military grade encryption on everything. But is it really necessary?
      • Another way of saying this is to say that credit cards are
        secure enough just as they are.
        Really? Look back at what you're quoting:
        ...the massive lapses in security are
        never properly publicised ...
        That's not "secure enough." That's the same kind of security you had investing in Enron or Worldcom before their problems became public knowledge. The public not knowing there is a problem is not the same as there not being a problem.
      • People use credit cards because the massive lapses in security are never properly publicised and also, whenever someone steals from their card, they get the money refunded.

        Liability for CC fraud is not the responsibility of the card-holder. This is mandated by banking laws. It is the responsiblity of the card-issuer. However, the major CC companies shift the liability to the individual merchants as part of the merchant agreements that they must sign in order to accept CCs. The reason you never hear about major CC theft is individual merchants are generally too small to make a big stink. Besides, most of them either have insurance to cover this, or the big retailers all have a substantial fraud write-off built into the budget.

        Another way of saying this is to say that credit cards are secure enough just as they are. Of the millions of credit card transactions processed every day, only the slightest fraction are fraudulent, and in those cases, the customer is taken care of appropriately practically every time. In other words, most of the time it's secure, and when it isn't, there's no real harm done.

        One of the reasons it's secure is that there is a separate processing network with dedicated encryption hardware in place to handle all these transactions. Fraudulent transactions almost never originate from inside the network - they are entered into the system by a vendor. And since everything's encoded with the vendor ID, it can be tracked back to the originating site quickly.
        Once Internet stores started accepting CC's for on-line purchases, CC fraud went through the roof because all you need is a few names and numbers. And since there's no way to "show" the store your card, with your name on it, the CC companies jacked up the merchant rates (something on the order of .5% of the transaction for off-line purchases, and 2-3% for on-line purchases). Still, there isn't an law on the books regulating every aspect of internet purchases.
        But, a lot of the confidence in the current CC processing networks is in the fact that every aspect of the process is gonverned by laws, with strict penalties, and not by one company. You can argue that VISA and MC are an oligarchy, but they still have strict regulations to follow. MS has no regulations to follow here - and given their refusal to admit to any wrongdoing in the anti-trust case, even after an appeals court upheld the conviction, does not bode well for their handling this kind of sensitive data in a responsible or secure manner (Trustworthy Computing be damned).

  • by (trb001) ( 224998 ) on Tuesday July 09, 2002 @11:29AM (#3849681) Homepage
    According to research firm Gartner, the service has about 14 million registered users.

    <sigh> I have to wonder if they're including the hotmail users in this number, since signing up for passport and hotmail are linked. If so, this number is hugely overinflated...the number of people actively using passport is way smaller. Too bad, companies may read this and decide it's a great way to reach a large audience.

    --trb
    • Counting Hotmail (or Messenger) users is not artificially inflating the numbers. Those users have Passport accounts, that's all that matters. That means if a site they shop at asks them to enter a Passport username/password, they can. Granted, the site may have to explain that their "Hotmail" username/password will work but that's very minor compared to having to go create a Passport account.
    • I disagree (Score:5, Interesting)

      by MemeRot ( 80975 ) on Tuesday July 09, 2002 @01:17PM (#3850433) Homepage Journal
      If you're set to 'always sign me into any passport site' then when you go to a passport site after having earlier checked your hotmail account, you find yourself automatically logged in, whether you actively wanted to use passport there or not. For a long time I visited no passport sites other than hotmail, and it never affected me. Now there are a couple I go to, and at first finding myself automatically logged in as whatever identity's email I happened to check last was really disconcerting. I have several hotmail accounts, but the whole passport thing is based on the assumption of one computer, one person, one identity. I feel like I should be able to be logged in at msdn.microsoft.com using my work/business hotmail account, while still reading email from one of my personal hotmail accounts. Can't do it. Even though they're separate sites, they completely identify you by your passport cookie, so you can only be one 'identity' to all of them. If passport verification starts popping up all over the place, other people will run into this issue too.
  • Simple (Score:5, Interesting)

    by unformed ( 225214 ) on Tuesday July 09, 2002 @11:29AM (#3849685)
    Any bank which requires me to have a Passport account won't get my business. The one thing about capitalism is that you -can- force unwanted business to end, simply by going to their competitors.

    Of course, people are going to say that we don't want the RIAA/MPAA/??AA/etc but as a matter of fact, general society does, and we -do- still support them (by seeing movies, buying cds, etc) ... the other difference is that they're a monopoly.

    OTOH, no bank has a monopoly. As soon as Passport gets picked again, and credit cards numbers are out, people won't use it, and will demand a different method. (Note: viruses on desktop computers don't matter to people, because the general public doesn't store crucial data on their home computers) --

    As soon as people start demanding non-Passport methods of authentication, banks -will- provide.
    • Not so simple (Score:4, Insightful)

      by Codex The Sloth ( 93427 ) on Tuesday July 09, 2002 @11:52AM (#3849859)
      What happens to your "choice" when all the bank use Passport? There aren't as many banks as there used to be and an oligopoly is nearly as effective as a monopoly. The RIAA wouldn't be an issue if there were viable music labels that didn't participate in it. An oligopoly can be ad hoc as well without any organizational structure -- I dare say we all object to crazy ATM fees (weren't ATMs supposed to save the bank money?) but we all end up paying them.
      • Actually, there are more banking companies today than there have been in the past -- despite all the predictions to the contrary. Turns out there is quite a market for so-called 'community banks'; a lot of people like doing business with them. And starting a bank, particularly under a state charter, is pretty easy to do.

        If it came down to it, I'd start one. Coming up with funding is almost never a problem because just about the only thing that can prevent a fractional-reserve bank from making a profit is criminal mismanagement. Basically, it's just one hell of a business model.
    • If you pension fund has shares in any of the banks then you are 'supporting' the banks.

      If you bank has shares in any of the passport banks then you are 'supporting' the passport banks.

      If buy anything from any company or anyone that in any way supports those banks then you too are supporting them, that the way that capatilism works, one big giant circle
    • Re:Simple (Score:4, Interesting)

      by Tackhead ( 54550 ) on Tuesday July 09, 2002 @12:08PM (#3849984)
      > OTOH, no bank has a monopoly. As soon as Passport gets picked again, and credit cards numbers are out, people won't use it, and will demand a different method. (Note: viruses on desktop computers don't matter to people, because the general public doesn't store crucial data on their home computers) --

      Huh? This is precisely the problem. Users do store crucial data on their home computers, they just don't know they do.

      Passport stores encrypted credential data on client computers in the form of persistent cookies. Grab the cookies, 0wn the d00d's wallet. (source: Avi Rubin's paper [avirubin.com])

      All we need is a Klez variant that propagates by spreading these cookies to other users in the address books (or, more evil still, by posting them on USENET either directly or via mail-to-news gateways in after converting them to text a'la SpamMimic), and any black hat in the world can count on a continual supply of Passport cookies from a large pool of unsecured and compromised machines.

      > Any bank which requires me to have a Passport account won't get my business. The one thing about capitalism is that you -can- force unwanted business to end, simply by going to their competitor

      What you said. I don't trust Passport as a security mechanism. I won't do business with an organization that demands I link it with my credit card. If that means I switch banks, the branch manager and head office will get copies of a letter explaining precisely why I switched.

      I prefer to bank at large national or regional banks, but even if they "all" go Passport, I'll happily switch to small regionals, of which America has hundreds, if not thousands, to choose from.

    • Neither you, nor any other person I have ever met, will switch your bank b/c they sign up with passport. You chose your bank because it has convenient atm's, is close to your work or business, has the right hours, or whatever. NOBODY will ever be so upset by this that they'll switch to a bank whose atm's they can't get to, that's closed by the time they get off work, etc.

      So yeah, as soon as you and all the other smart mouths on here go out and demand no riaa, no mpaa, no passport etc - the rest of the world will still fucking ignore you.
  • by levik ( 52444 ) on Tuesday July 09, 2002 @11:31AM (#3849700) Homepage
    This Windows XP (tm) installation does not match the hardware profile recorded at activation. Press "OK" to charge credit card on file with Passport $199.99 for new Windows XP (tm) lisence. Press "Cancel" to remove the unauthorised copy of Windows XP (tm) from your system.

    • Our records indicate that your use of the song, "I wanna kick some MS ass" is in violation of your current license. Press "OK" to charge the credit card on file with Passport $19.99 to acquire the correct license, or "Cancel" to remove the song from your hard drive. If you choose to remove the song, you will be charged a $10.00 fine for violating the terms of the license. Have a nice day, and thank you for using Microsoft!
    • "Windows has detected that you have installed a new mouse. Please reboot this machine for changes to take effect and relicensing charges to be applied to your Passport account."
  • AOL used a trick similar to this back in the day (which is why I stuck with my good ol' PPP dialup) where in order to get the free hours you had to give them a credit card number for "verification". Of course, once your free hours ran out, they just started charging you. (Do they still do this?)

    Why do I get the feeling that Microsoft will probably not be more honest than AOL when it comes to making sure that your credit card is only used to buy things when you actually want to buy them:

    "I've noticed that you're not running Windows XP! Don't click on 'cancel' to decline acceptance of the purchace of a new copy of Windows XP, which will be automatically installed when you accept this offer."
    • Given M$'s current plans for software rental, it will be more likely that, halfway through editting a Word document, a message will pop up like:

      'Your annual fee for using Windows XP has expired. Click OK to send us another $200 to renew your licence. If you click cancel, Office will shut down, and you will have to activate XP again.'

  • by sterno ( 16320 ) on Tuesday July 09, 2002 @11:34AM (#3849723) Homepage
    The fact of the matter is that merchants aren't going to want to put any hurdles between the customer and buying something. They won't require passport because it's just one more thing that MIGHT cause a consumer to go elsewhere. Many may offer passport, and there may be some sort of incentives attached to this, but they won't require it.

    If most sites started requiring passport for some reason (credit card processor mandate?), I'd find myself showing up at physical stores once again.
    • You actually buy your groceries online? Heh heh. Actually, I like Discover Card over Visa for online purchases. Discover has an app for your machine (windows only unfortunately) that let's you generate a one time use number for every purchase on the net hopefuly preventing unauthorized charges by the script kiddies. I will never use my Visa online with or without passport...it's too risky. Brings to memory the Gatekeeper software thing in the movie The Net. Now I need to go to the bathroom cuz I just got that image of Sandra Bullock in a bikini....rarrr rarrr!
      • You actually buy your groceries online?

        In the UK this is actually now fairly common, you see lots of Tesco Online [tesco.com] vans running around if you're out and about during their "peak" delivery hours (just after people get home from work).

        Al.
    • They won't require passport because it's just one more thing that MIGHT cause a consumer to go elsewhere.

      Try buying something online from Starbucks. Passport required. (unless it's changed recently).

      Very annoying. So, I signed up for passport, gave them only the barest minimum of information (and NOT my CC number -- I gave that only for the one transaction. Granted, I'm trusting they don't store it w/out my consent, but what can I do?).

      At this point, I think I've done this two or three different times. Each time, a few months later, my passport's expired, or I forgot the password, so I just create a new one.

      By and large, though, I'd like to agree with you, but the point is, it's already happening....
      • Okay, I just checked Starbucks, and either I'm entirely mistaken and they've always had an alternative, or they recently added their own "starbucks account" option. Either way, you can now use something other than Passport, if you like.

        my apologies. :)
  • Trust? (Score:4, Insightful)

    by Ride-My-Rocket ( 96935 ) on Tuesday July 09, 2002 @11:34AM (#3849727) Homepage
    Why in God's name would I trust a company that changed its privacy policy overnight, much to the chagrin of millions of people worldwide (Hotmail.com)? Why would I trust a company that surreptitiously modified the EULA of their _media player_ to include consent to modify the DRM / OS it runs on?

    I trust my VISA (and credit card companies in general), because they tend to work in my interest and take care of me when I have bonafide problems with unauthorized usage and such. I have zero trust in Microsoft, a company that has systematically undermined my digital rights on a regular basis without apparent consideration of what I want. It may be "good for business", but it's not good for me.

    That being said, I plan on reformatting my Win2k boxes at home this weekend and uninstalling the Media Player. I'll also be removing the "Automatic Updates" feature they added to their "Windows Update" site recently -- I don't trust them not to modify my preferences there, either.
    • Re:Trust? (Score:5, Interesting)

      by Fizzlewhiff ( 256410 ) <jeffshannon@@@hotmail...com> on Tuesday July 09, 2002 @12:08PM (#3849983) Homepage
      I trust my VISA (and credit card companies in general), because they tend to work in my interest and take care of me when I have bonafide problems with unauthorized usage and such. I have zero trust in Microsoft

      I used to work for the second largest Visa issuer. We tracked every thing a cardholder did. We knew your spending habits and what you liked to buy. We knew when you were on vacation and when you fooled around on your wife. We sold this information to advertisers and gave it to other ventures within our corporation. Sometimes we'd even turn it over to the Secret Service. Every cardholder had an agreement similar to a EULA. We changed it all the time, raising rates and fees to our benefit. By using the card you were bound to the agreement.

      Essentially we did the same thing you say Microsoft does, and maybe even a little more, yet you trust Visa over Microsoft. Interesting.
      • Re:Trust? (Score:4, Insightful)

        by 4of12 ( 97621 ) on Tuesday July 09, 2002 @02:51PM (#3851379) Homepage Journal

        yet you trust Visa over Microsoft.

        Good point which many probably aren't aware of in this forum.

        I dislike VISA [pbs.org] for what it does to maintain and to milk its monopoly as much as I dislike Microsoft for the same. VISA does arm twisting and revenue extraction not just from consumers, but also from participating retailers that get charged fees that, well, are as economically inelastic as what Microsoft charges for licensing fees.

        As a computer geek, I'm just more cognizant of MS actions than I am of VISA. The other thing about MS is that it's monopoly stands to grow substantially more invasive, instrusive and unavoidable as Web services increase. VISA is relatively static by comparison, though people are buying groceries and fast food on the things where they didn't 10 years ago.

        Now if VISA were able to subsume the role the central government and be the de facto electronic cash, then there'd be more reason for concern.

        I can just see it advertised how recording every dime spent and tracing every transaction eliminates terrorism, pedophiles, drug dealing and prostitution. Every cash related movement of every individual such as Mohammed Atta would be recorded and analyzed for "suspicious activity". And the sheep I call my fellow citizens might just buy into it given enough FUD at the right time. The Islamic extremists will win as our governments become as restrictive as their own.

  • by toupsie ( 88295 ) on Tuesday July 09, 2002 @11:36AM (#3849737) Homepage
    Revelations, Chapter 13

    11 Then I saw another beast which rose out of the earth; it had two horns like a lamb and it spoke like a dragon.
    12 It exercises all the authority of the first beast in its presence, and makes the earth and its inhabitants worship the first beast, whose mortal wound was healed.
    13 It works great signs, even making fire come down from heaven to earth in the sight of men;
    14 and by the signs which it is allowed to work in the presence of the beast, it deceives those who dwell on earth, bidding them make an image for the beast which was wounded by the sword and yet lived;
    15 and it was allowed to give breath to the image of the beast so that the image of the beast should even speak, and to cause those who would not worship the image of the beast to be slain.
    16 Also it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead,
    17 so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name.
    18 This calls for wisdom: let him who has understanding reckon the number of the beast, for it is a human number, its number is six hundred and sixty-six.

    Sounds like a marriage between Microsoft and Visa to me. In order to order, you have to bear the mark of the beast [ihatebillgates.com].

  • by Saggi ( 462624 ) on Tuesday July 09, 2002 @11:36AM (#3849738) Homepage
    In Denmark some of the major telecompanies have just released a method where you can pay with your mobile number. In this case you register your credit card to your mobile phone. When you want to do a purchase, you type in the mobile number (more easy to remember), and the system verifies it by sending a SMS to you phone that you'll need to verify by typing in a pin-code.

    Now this is a very secure way of doing business. Of cause no system is 100% secure. But in the same manner as the passport solution, you still need to register your credit card to a database, connected online, that can be contacted by the merchants. Sound similar to me.

    Of cause you still have the additional security of the SMS and the pin code and Microsoft don't have the best reputation when it comes to securing their systems. But it still gives time for thought.
    • In Denmark some of the major telecompanies have just released a method where you can pay with your mobile number. In this case you register your credit card to your mobile phone. When you want to do a purchase, you type in the mobile number (more easy to remember), and the system verifies it by sending a SMS to you phone that you'll need to verify by typing in a pin-code.
      Now this is a very secure way of doing business. Of cause no system is 100% secure. But in the same manner as the passport solution, you still need to register your credit card to a database, connected online, that can be contacted by the merchants. Sound similar to me.

      Note some of the words in bold above. See, what you have described is a service where people have a choice. You can pay like this if you want to. It doesn't sound like this is forced upon users. THAT is why it is different than the MS vision.

  • Arcot Systems [arcot.com] and Arcot Press Release [arcot.com]. For those interested.
  • by Rahga ( 13479 ) on Tuesday July 09, 2002 @11:40AM (#3849781) Homepage Journal
    You can do NOTHING on Yahoo's auction site unless you give Yahoo a credit card to "verify your identity". One of the many reasons eBay has complete domination of Yahoo Auctions in America is this fact. Privacy isn't even the biggest issue.... It's the fact that few will stake their credit card on a company who has proven that they will change EULAs in midstream. Remember when Yahoo bought GeoCities, then claimed various ownership rights to all of the content?

    What REALLY pisses me off about this? International commerce. It is impossible for me to directly by goods from auctions.yahoo.co.jp (Jahoo Auctions Japan). Yahoo's Wallets are localized, and if I don't have a credit card or account to a Japanese bank, I can't use that yahoo auctions website. I can't even ask a question to the seller! To that website, no member can live outside of Japan....

  • So, does this mean that my wife, Jamie, will be denied a "Passport Wallet".... With the constant barrage of credit card mail sent to someone here named "Jamike", I've got to wonder how well these guys are organized.

    I'll be worried when they ask my cat, Griffin, to sign up for a credit card. I used her name to sign up for my wife's AOL, so it's only a matter of time.....
  • Most good online vendors offer a phone based ordering system. If they require Passport, then call them up and order with a person - it costs them a lot more to pay the order taker than to take the order via web form. Oh yeah, ......... orderrrrrr .......... sloooooowlyyyyyyy ........ and ...... quadrupleeeeee ...... cheeeeeeeeck ....... everythinggggggggg .......
  • If you are unhappy with Micro$oft and its p-A$$-port, like I am, then simply don't use it. If your bank switches you and forces you to use it for online purchases switch to a bank or credit card that does not. Your dollars will tell them what you want. Course if we all just file in like cattle to the slaughter we will have all sorts of things forced down our throats.
  • by Wolfstar ( 131012 ) on Tuesday July 09, 2002 @11:57AM (#3849890)
    ...that I think I've ever heard of.

    I play Asheron's Call (only published by MS, not made by them, BTW.) They changed over their auth system about 8 months ago from the old kludgy Zone auth system to Passport, and it's been downhill ever since. Each game account requires a separate Passport account, and most of the people who are big into the game have at LEAST two accounts (I have 3, myself). There's some inflationary numbers on how many are using Passport for you.

    Furthermore, there was a recent rash of folks getting their accounts hacked because folks don't understand password security, and had their Passport e-mail address listed in YaBB and UBB boards centered on the game, used the same password for those boards as they do for their Passport account, and an exploit was discovered allowing folks to actually retrieve that info from those BB packages. If this idea is similar to the concept of the MS Wallet - which I haven't heard anything out of in a while - it's going to be an utter and complete disaster. Credit card fraud will reach new all-time highs, banks will start to go under, cows will fall out of clear blue skies, chaos and destruction will reign, et al.

    BUT.

    Here's the trick. If it is NOT like Wallet, and your CC info is NOT stored within Passport, then what they're effectively doing is adding a password check to your credit card for online transactions. At least one company is already doing this (witness the "I am Emmit Smith" ads) and it's an incredibly good idea. You register your Passport account with the bank who provided your Credit Card, and in return, your card number becomes totally useless without a password for the purposes of online transactions.

    I really don't think that it's such a hot idea to be using PASSPORT for this, but the concept, if the card number isn't stored online BY the password system, is a VERY good one.

    Fortunately for me, my credit card is through Digital Federal Credit Union, and I don't think they're too likely to implement it without warning.
    • Here's the trick. If it is NOT like Wallet, and your CC info is NOT stored within Passport, then what they're effectively doing is adding a password check to your credit card for online transactions.

      So where is the trick, I can't see it? The basic concept of credit card use under mail order/phone order rules is this: The cardholder posesses some data record consisting of CC number, name on card, expiration date, et cetera. In order to make a payment, the cardholder hands over the whole record to the merchant, who in turn uses the data to acquire the money. Which makes the data record a public data record because hiding it is not part of the concept (though it may make life easier if you don't tell everyone).

      This, by the way, is not a weakness of the credit card, its a strength. The obvious insecurity in the technology is balanced by a rather fair and sensible distribution of liability. This non-technical factor makes credit cards a payment system one actually wants to use.

      So what does adding a password to the public data record change? Sure, they can have password and other data checked by distinct entities, but still, what does it change to the concept? You have a data record, and it's public because you give it away whenever you pay.

      Uh oh, and what does totally useless for the purpose of online transactions mean? Can't you shop in online stores that do not support this scheme? Does telephone count as "online", i.e. will it really block all uses of the card without physical presence of the card? Will you be required to type your passport password on a ticket vending machine's touchscreen? And will you still be able to dispute "verified" transactions?

      • A far better approach to security with credit cards is one-time-use numbers, or merchant-specific numbers. Most credit cards have at least one issuer that provides that functionality. I believe both MBNA and CitiCorp (citibank? whatever their name is today) let their credit card customers generate one-off numbers specific to a merchant and with user-specified expiration dates and credit limits.

        I have been using the MBNA system for a year and a half (after the first, and only time, I had my actual credit card number stolen online). I've probably done about $20K of charges since then using the one-off numbers and have not had a single fraud problem since. The only real downside is that you have to use a flash-applet that I haven't been able to make run under linux yet in order to generate the numbers. But, for a windows-user it is amazingly well designed and easy to use. It fits into the current credit card system transparently (the merchant's never even know the number is "special") and requires very little overhead compared to the original, insecure, send your number all over the web approach. Now I don't even mind emailing cc#'s to people because I know that in the rare chance that it is intercepted, it will only be good for one, very limited, use and I won't have to go through the hassle of canceling my primary card and waiting around until a new one is issued.

        See MBNA ShopSafe [mbnashopsafe.com] for their program details.
  • by RailGunner ( 554645 ) on Tuesday July 09, 2002 @11:58AM (#3849903) Journal
    This is really not a big threat to your credit cards. If anything, the more people that are duped in to using this service will actually help you out by lowering the mathematical odds that it's your card number that's stolen.

    Seriously, you have a bigger risk of getting your credit card number stolen when you pay for your dinner at a restaurant with it then by submitting it to a website using SSL. Not only does the waiter/waitress handle your card, but in a lot of places they'll swipe it in a magnetic card reader that sends it unencrytped over a phone line, or worse, they'll use a POS system that stores the entire swipe data in an unencrypted text file on their local server's hard drive... which will later send it out over a phone line unencrypted.

    Microsoft is evil, but they aren't stupid. If they screw this up the class action lawsuit that will result would likely put them out of business. Wait, maybe we should all sign up, and get Johnnie Cochran on retainer, before Microsoft hires him and we lose to the Chewbacca defense ;)

    • Seriously, you have a bigger risk of getting your credit card number stolen when you pay for your dinner at a restaurant with it then by submitting it to a website using SSL.

      True, my father had stuff purchased on his card right after going out to eat somewhere. It happens. BUT - the number of accounts that a restaurant has access to is miniscule to something like Passport would. Crackers will go for a big score. And in a restaurant, you choose to pay by credit card, and know of the risks. Do you know the risks involved in using Passport? No, you don't! It is none of your business. Trust Microsoft, they have a proven track record of security. Just let them take care of everything...

      If they screw this up the class action lawsuit that will result would likely put them out of business.

      I am pretty convinced that MS is untouchable, they have too much money and ego. Weren't they convicted of using monopolistic practices to hinder competition. Hmm, let's see, what was their penalty again?

      This is one point where I would be dancing for joy if I was proven wrong.

  • by Sven Tuerpe ( 265795 ) <sven.gaos@org> on Tuesday July 09, 2002 @12:04PM (#3849948) Homepage

    Online shops cannot afford to require anything from their customers. The point in running a shop is selling; selling means to make buying as easy as possible. This is especially true on the Net where the customer can even remain sitting in her chair while leaving the shop and entering the competitor's. So how is this going to work? Successful online shops already know the rules and won't even try to require anything from the customers. Those who try will notice soon.

    After all, digital signatures (as a legal concept) and all those esoteric digital payment schemes didn't take off; online shops just don't need them. They are even willing to take some risk if this helps them to gain new customers.

    Waiting for their next smart idea ...

  • by sh00z ( 206503 ) <sh00z&yahoo,com> on Tuesday July 09, 2002 @12:09PM (#3849990) Journal
    I read the article and noticed that it says "credit card issuers have other options, such as banks' own username and password systems as well as smart cards." I was on the horn to Citibank within seconds, informing them that I will not allow my card info to pass through Microsoft in any way, shape or form. This actually surprised the first rep I spoke with. To hedge my bets, I asked for an account "upgrade" to a Smart Card. What Citi told me:
    • I will not be charged for the change.
    • I will see an interest rate increase of 0.59% (not an issue because I pay off in full every month).
    • The Smard Card reader has a USB port, and will work with Mac OS (yeah, right. We'll see. Didn't get a chance to ask about Linux because my boss wanted me and I had to hang up)
    Whatever you do, if this story bothers you (obviously, it bothered me) make sure your bank understands that you do not want to support a convicted monopolist's attempt to extend its tentacles into the financial services arena.
  • by friday2k ( 205692 ) on Tuesday July 09, 2002 @12:12PM (#3850018)
    This is known as 3D Secure or verified by Visa. Just because MS is offering the client piece (and this is what they do) they do not have access to all your personal information. Here is how it works: When you choose to pay through 3D Secure you enter your credit card # at the merchant, the merchant talks to his acquirer, the acquirer figures out whether the Issuer who gave you your credit card is enrolled in 3D Secure (by talking to the so-called Visa directory) and then they redirect you to the Issuer of your credit card. Now the Issuer (and last time I checked MS is NOT an Issuer) will have to identify you. This is where Passport comes into play. Passport does the auth piece for you (Kerberos in Passport's case if I am not mistaken) and sends the ticket to the Issuer. The Issuer compares whether the auth piece and the CC number match and generates a response token for the merchant. This response token gets transmitted back to the merchant (by the means of standard passport auth I suppose), the merchant takes this response token and sends it to his merchant acquirer. The merchant acquirer now sends it through the Visa Directory back to the Issuer and the Issuer compares whether this is a replay or whether this is a valid token. If it was a valid token the transaction is authorized. So, bottom line is, Passport is the authentication piece. Whether you trust MS Passport or not is one thing, but they do not get access to your CC data. And by hijacking a passport you still cannot go shopping on behalf of the account owner. Check your facts guys.
    • Even with no credit card risk, there's still plenty of wrong going on here. Microsoft has already been proven to have a monopoly in the desktop computer industry. This little scheme gives them a foot into the door of financial services. If we don't stand up and shout "NO!" now, they will become the de facto standard for on-line purchases. Do you really want to give them that much control over your life? Do you really not mind having Microsoft at the hub of everything you do?
    • So, bottom line is, Passport is the authentication piece.

      Will the user authenticate the particular transaction (i.e., who gets how much money)? How does the system authenticate to the user? Will the user understand this authentication and its necessity? Will the user be sufficiently warned if everything looks fine but system authentication towards the user is omitted? Will any liability shift occur when such a verification scheme is used?

  • Remember, you have to *SIGN* to purchase something with a credit card - it'd be an incredibly convenient idea for MS if they stick an EULA on a bill and say "if you sign this credit card bill you agree to the EULA".

    Any thoughts?
  • by emptybody ( 12341 ) on Tuesday July 09, 2002 @12:27PM (#3850117) Homepage Journal
    I discovered recently that hotmail and, in fact, all passport sites are nolonger case sensitive when it comes to passwords.

    This rather bothers me.
    It used to be that I had to use the proper case to login. Somewhere along the way, microsoft did something to change my password (which I had assumed was stored encrypted) to make case insensitive.
  • Isn't "Microsoft security" an oxymoron like army intelligence?

    "People will start trusting the system now that it's linked to credit cards."..... trusting it less..

    The truth is, outside of the slashdot and SOME of the technical community, many computer users don't know enough NOT to trust the system. Its like all those people who trust their employers (think enron), car manufacturers (remember Fords / Firestones exploding tires), cable companies (monoploies in many cases), phone companies, electric companies (think PGE in CA) etc.. they don't know any better till they get screwed by one (or all) of these companies...

  • Microsoft has always offered an option for people to store their credit card information on Passport, but only 14 percent of Passport users did, because they didn't feel the system was secure enough, Litan said.

    I think you'll also find that a lot of people didn't store their credit card details because they saw no need for the system to have it. I've lost count of the number of places i've signed up and they want some personal details that they definately do not need.

    You don't just go hand out your credit card number to anyone who asks for it. Well I don't anyway.

    Subnote: Having said that, porn sites don't seem to have any problem with people giving their credit card details over for a "free" trial. Mind you, then they start getting billed for it and can't get it stopped. So maybe there are mugs out there.

  • Be Preemptive (Score:3, Interesting)

    by Sludge ( 1234 ) <slashdot.tossed@org> on Tuesday July 09, 2002 @12:51PM (#3850272) Homepage
    Let your bank or credit union know.

    Here's a part of what mine, Vancity, gave back to me:

    Thank you for your recent e-mail and for your suggestion regarding Passport. I have forwarded your e-mail to the Manager, Direct Services as well as to the Website Coordinator for their review.

    If there are people like me there, they would be relieved to use a post like mine citing the previous security issues that Microsoft has had to the person who may decide that passport-only is a good idea.

    Be preemptive. It's easier.

  • Simple Solution (Score:4, Insightful)

    by eples ( 239989 ) on Tuesday July 09, 2002 @01:08PM (#3850367)

    Here is my simple solution to MS' latest Passport move:
    • Find what I want online, and then pick up the telephone and dial the toll-free number to order.
    Problem solved. Passport dies a slow and embarassing death.
  • by vanyel ( 28049 ) on Tuesday July 09, 2002 @02:32PM (#3851208) Journal
    Any business that requires a passport login can be sure that it won't get any business from me...
  • Hotmail (Score:3, Interesting)

    by theolein ( 316044 ) on Tuesday July 09, 2002 @04:42PM (#3852258) Journal
    This is the same company that owns Hotmail, that well known porn spamming, personal info relay service.

    And you want to give them your CC number?

"Irrigation of the land with sewater desalinated by fusion power is ancient. It's called 'rain'." -- Michael McClary, in alt.fusion

Working...