Maybe they should start calling it Microsoft Pickpocket.
Leave it to an open-source programmer to find a major security flaw in one of the most important components of the software giant’s .Net strategy. We’re talking about Passport, Microsoft’s digital identity tool, and specifically the Wallet service that is supposed to safely store member’s financial data.
Through what is known as a cross-scripting vulnerability, Marc Slemko used a 15-minute window of opportunity where Hotmail authentication extends to other Passport services to break in to the Passport servers. Basically, you send a special e-mail to the Hotmail user, they read it, and within seconds you have your hands on their cookies and, subsequently, their Wallet.
There is never a good time for a security breach, but it is hard to imagine a less opportune moment for Microsoft to have to shut down Wallet (as it did last Thursday) than now. The service has been criticized from the start as a way for Microsoft to control and potentially influence millions of e-commerce transactions. In response, Microsoft loosened the reigns a few months ago by allowing third parties to register Passport members, but it said it would still handle the authentication itself. Suddenly their generous concession doesn’t seem to go far enough.
The bad press on Wallet is, of course, great press for the open-source movement, but it is perhaps an even bigger boost for the Liberty Alliance, an effort led by Sun Microsystems and about 30 other companies to develop a Passport-like service of their own. There is no irony in the name. Though Microsoft was apparently invited to join, this is without doubt an anti-Microsoft movement. When it was launched, I spoke to the sole Canadian member, Bell Canada, and asked vice-president of business development Charlotte Burke whether she thought the invitation to register Passport users indicated a change of heart at Microsoft.
“I think they’ve been taking steps because they’ve been getting pressures from various consumer groups and government agencies in terms of the open architecture — or lack thereof – that their approach has,” she said. “Passport doesn’t address all the issues.”
Burke spoke vaguely about finding a set of alphanumeric rules with the appropriate set of privacy that will allow customers to keep their data where they want it. I would challenge that the one place they don’t want it is with monolithic corporations like Microsoft — or Bell, for that matter.
Assuming they are, in fact, secure, the notion of an e-wallet has been pitched by Microsoft and others as a way of fostering more e-commerce transactions by giving consumers the peace of mind they forfeit when they have to give their credit card information online. This is no mild fear, particularly in Canada. Earlier this year ACNeilsen Canada said Web-based retail was up 20 per cent since 1996, but only by five per cent since 2000. Security concerns surrounding submitting credit card information was cited as the leading concern by those who stayed away.
IBM believes those fears are slowly fading away. That was the reason it abandoned plans for its own e-wallet in May. Perhaps David Jones, president of the advocacy group Electronic Frontier Canada, said it best:
“I’m not so happy at this idea of one centralized repository of personal information, partly because they then become the middleman for all of my online transactions,” he said. “The know that, and they can now sell it.”
People will adjust. I just picked up my very first Canadian passport this morning, and I read with unease the notice inside that it is not my property, but that of the government. We have never really owned our public identities. The difference here is that the ownership passes into the private sector.
There is no stopping the advent of e-wallets, even when there is little evidence that anyone wants them. The profit potential will move such services from add-ons to mandatory gateways consumers must pass through to use the Internet. Security flaws undermine those efforts substantially, but it would require massive boycotts of leading online retailers to slow the momentum of Passport and Liberty Alliance. Too many vested interests are already banking on it.
