The recent revelation by a Pakistani researcher, Muhammad Faisal Rauf Danka, that by typing in a certain Microsoft web address together with the appropriate command an attacker could access and modify the information held on any Microsoft Passport account is unlikely to be the last discovery of a critical vulnerability. The mi2g Intelligence Unit expects confidence in online trading to decline unless the prevailing approach and practices are radically overhauled.
The Microsoft Passport flaw left 200 million subscribers' personal and credit card details open to attackers on the web. The Microsoft Hotmail flaw discovered in August 1998 left 50 million email users vulnerable; nearly five years later, far more sensitive information has been exposed to anyone able to issue the simple web commands. The Federal Trade Commission could levy a fine on Microsoft of up to $11,000 per user, which for 200 million users amounts to a theoretical $2.2 trillion, although any such fine would likely be contested and end up significantly lower.
If each such transaction is examined against the basic criteria of Confidentiality (C), Integrity (I), Authentication (A) and Non-Repudiation (NR), Microsoft Passport's flaw is not limited to the software vulnerability but points to a deeper user-interface issue that also afflicts the one-click online payment and trading culture of the larger eBusiness players, among others. In the rush to simplify security procedures to achieve single-mouse-click trading, reduce the cost of rollouts and acquire the maximum number of users as soon as possible, is web-based trading missing the complexity needed for proper CIA-NR guarantees?
The fundamental problem with the web interface remains the same as in 1995: because of inadequate investment, it is not possible to know whether the user accessing, altering or deleting information is really who he or she claims to be. If this security challenge is not solved and a storm of lost user confidence follows, it may undermine the renewed momentum of outperforming eBusiness stocks, whose market capitalisations are again racing towards several multiples of those of well-established traditional stocks in their sector.
Why should a user's sensitive personal details be available to another person for access, alteration or deletion without some form of rigorous CIA-NR check at every stage, rather than a user name and password alone unlocking already entered personal and credit card details that allow immediate trading?
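As an added illustration (not mi2g's or Microsoft's code), the following Python models the two policies this question contrasts: a one-click model in which a username and password unlock every subsequent action, and one in which each sensitive action (viewing card details, altering, deleting, trading) requires a fresh second-factor proof and leaves a keyed audit record. The action names, the 120-second freshness window, the demo codes and the audit key are assumptions chosen for the example; the second factor itself (TOTP, SMS code, hardware token) is stood in for by a supplied expected code.

```python
"""Step-up re-authentication before each sensitive account action.

Added example, not mi2g's or Microsoft's code. Action names, the freshness
window, the demo codes and AUDIT_KEY are assumptions for the demonstration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOW_RISK = {"view_profile"}                      # allowed on a plain password login
SENSITIVE = {"view_card", "alter_details",       # need a fresh second-factor proof
             "delete_account", "place_trade"}
STEP_UP_WINDOW = 120                             # seconds a proof stays fresh (assumption)
AUDIT_KEY = b"demo-audit-key-not-for-production"  # assumption


@dataclass
class Session:
    user: str
    login_at: float
    step_up_at: Optional[float] = None           # time of last second-factor proof
    audit_log: List[Dict] = field(default_factory=list)


class StepUpRequired(Exception):
    """A sensitive action was requested without a fresh second-factor proof."""


def verify_second_factor(session: Session, code: str, expected: str, now: float) -> bool:
    """Record a fresh proof if `code` matches `expected` (constant-time compare).

    `expected` stands in for whatever the real factor would produce.
    """
    if hmac.compare_digest(code.encode(), expected.encode()):
        session.step_up_at = now
        return True
    return False


def authorise(session: Session, action: str, now: float) -> Dict:
    """Authorise `action` or raise StepUpRequired.

    A one-click policy would stop after the LOW_RISK test: logged in means
    allowed. Here every SENSITIVE action also needs a proof fresher than
    STEP_UP_WINDOW, so a stolen or guessed password alone is not enough.
    """
    if action in LOW_RISK:
        return _record(session, action, now, step_up=False)
    if action not in SENSITIVE:
        raise ValueError(f"unknown action: {action}")
    fresh = session.step_up_at is not None and now - session.step_up_at <= STEP_UP_WINDOW
    if not fresh:
        raise StepUpRequired(action)
    return _record(session, action, now, step_up=True)


def _record(session: Session, action: str, now: float, step_up: bool) -> Dict:
    """Append an HMAC-tagged audit entry so a decision cannot later be silently
    edited. (Binding the *user* for non-repudiation would need a user-held
    signing key; this tag only protects the operator's log.)"""
    entry = {"user": session.user, "action": action, "at": now, "step_up": step_up}
    body = json.dumps(entry, sort_keys=True).encode()
    entry["tag"] = hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()
    session.audit_log.append(entry)
    return entry


def verify_audit_entry(entry: Dict) -> bool:
    """Recompute the tag over the entry's fields and compare in constant time."""
    fields = {k: v for k, v in entry.items() if k != "tag"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry["tag"])


def demo() -> Dict:
    """Walk one constructed session through the policy and return the outcomes."""
    t0 = 1_000_000.0
    s = Session(user="alice", login_at=t0)
    out = {}
    out["profile_ok"] = authorise(s, "view_profile", t0 + 1)["action"] == "view_profile"
    try:                                         # password alone must not reveal the card
        authorise(s, "view_card", t0 + 2)
        out["card_without_step_up"] = "allowed"
    except StepUpRequired:
        out["card_without_step_up"] = "blocked"
    out["wrong_code"] = verify_second_factor(s, "000000", "482913", t0 + 3)
    out["right_code"] = verify_second_factor(s, "482913", "482913", t0 + 4)
    out["card_after_step_up"] = authorise(s, "view_card", t0 + 5)["step_up"]
    try:                                         # proof has expired by now
        authorise(s, "delete_account", t0 + 4 + STEP_UP_WINDOW + 1)
        out["delete_after_expiry"] = "allowed"
    except StepUpRequired:
        out["delete_after_expiry"] = "blocked"
    out["audit_intact"] = all(verify_audit_entry(e) for e in s.audit_log)
    tampered = dict(s.audit_log[-1], action="view_profile")
    out["tamper_detected"] = not verify_audit_entry(tampered)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the model is that authorisation is re-derived at each sensitive step from a recent proof, not inherited from the login event; the expiry check is what forces the user to be re-tested rather than trusted indefinitely.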
Identity theft and "passing off" CIA-NR violations in the numerous high-profile online financial fraud cases studied by mi2g's experts demonstrate the need for a Triply Modular Redundant (TMR) approach: determine who the user is before giving access to sensitive information, then continue to test the user's bona fides at every point where information is traded, sought, altered or deleted; this is achieved through:
Trust lost in even a single mass incident can take years to regain. Unless Microsoft Passport and the big eBusiness players adopt a similar TMR approach to mitigate CIA-NR risk exposures at the user level, the trust lost with each successive revelation that affects millions of users' sensitive details will create declining confidence in doing business over the web. This could adversely affect the reputation, brand name, business growth and stock price of online-trade-reliant companies, along with massive downstream (customer) and upstream (supplier) liabilities.
www.mi2g.com