Two security analysts on Friday urged financial institutions and other
enterprises to stop using Microsoft’s .NET Passport
service immediately because the identity of users cannot be trusted.
“Microsoft failed to thoroughly test Passport’s security architecture, and
this flaw — uncovered more than six months after Microsoft added the
vulnerable feature to the system — raises serious doubts about the
reliability of every Passport identity issued to date,” according to a
report by John Pescatore and Avivah Litan, analysts for tech research firm Gartner .
Passport is Microsoft’s service that is billed as a one-stop-shop where personal information is stored and used for online activity such as shopping and accessing content.
The hard-hitting report was issued in response to last week’s detection of a
serious security hole that could have put personal information of millions of
Passport and Hotmail users at the mercy of attackers.
The vulnerability, which has since been fixed, could have allowed an
attacker to use a Web-based scenario to change any Passport user’s password
to an arbitrary value. Once the password is reset, the attacker would get
complete access to the hacked account.
According to the Gartner researchers, the breach was serious enough to
cause businesses to stop using the Passport service “until at least November
2003.”
“It could theoretically have enabled unauthorized access to any of the
more than 200 million Passport accounts used to authenticate e-mail, and
e-commerce and other transactions,” the analysts said. They also noted that Microsoft
did not know of any accounts that were damaged as a result.
“Whether any attackers exploited this flaw before Microsoft patched the
problem is important to enterprises that depend on Passport identities, but
it doesn’t affect the actions they must take to limit the damage,” they wrote. “As with any piece of software with serious security flaws, more vulnerabilities will likely surface in Passport.”
The report said financial institutions, credit card issuers, retailers and
other enterprises that use Passport for any meaningful business purpose
should immediately break all Passport connections “until Microsoft can prove
that its security is adequate.”
Additionally, it called for companies to invest in a “more secure form of
authentication for all issued Passport identities.”
Enterprise passport users were urged to contact all customers who use
Passport and make them aware of the recommendations issued by Microsoft for Passport account holders.
“Enterprises considering Passport services should delay adoption until at
least November 2003 or until Microsoft has completed a thorough security
review of Passport, including outside reviewers,” the analysts added.
The duo warned that the Passport hole could further delay any meaningful
demand for e-commerce identity services. “Microsoft can reduce this impact
and regain market confidence by submitting Passport’s code to a full
open-source review,” Pescatore and Litan wrote.
When asked to respond to the report, a Microsoft spokesperson told internetnews.com that the recommendations Gartner makes are not constructive for customers. In a written response, Microsoft said:
“We take all security issues very seriously. In this case, we were able to deal with the issue in hours, and have no evidence at all of any misuse of accounts. The ability to respond to issues in such a quick and efficient manner helps ensure that should a vulnerability exist, that users can be protected from impact.
“While we know that we can always do better, we believe we have a solid set of processes and procedures in place to run Passport as a trusted service. We work continuously to improve the practices and technology and policies we do have and will learn from this episode and are committed to doing whatever is necessary to prevent similar occurrences in the future.”
The harsh words from the Gartner analysts comes in the wake of word that
the Federal Trade Commission (FTC) is investigating the security
vulnerability.
The FTC has an order against Microsoft after a settlement over lapsed
Passport security and the assistant director for financial practices Jessica
Rich told internetnews.com the Commission “routinely monitors
compliance with our orders,” noting that fines ranging up to $11,000 per
violation can be levied for non-compliance.
When asked if the FTC was investigating the latest Passport security
issue, Rich said, “We have an order against Microsoft but all our
investigations are non-public. In all cases, if we find non-compliance, we
can levy fines.”
