Microsoft Passport Security breach

Randy Marchany marchany at
Mon Nov 12 16:30:27 GMT 2001

------- Forwarded Message

From: Tom Maier <tom_maier at OIT.PEACHNET.EDU>
Subject: [SYSSEC] Passport Issues

Here's a short note on Passports inauspicious beginnings from Gartner.  I
especially like the comment that 25M users have signed-up but only about 7M
know it!

  - Tom

Passport Problems Show Software-Based
Security's Fatal Flaw

EVENT: Microsoft has acknowledged that it shut down part of its Passport
Internet authentication system for 48 hours beginning 2 November 2001.
Microsoft apparently intended to resolve a security problem related to
cross-site scripting that could enable hackers to access users' credit card

ANALYSIS: Passport offers another example of Microsoft releasing software
with major security vulnerabilities that it later attempts to solve with
patches, "hot fixes" and new releases. This approach may reduce the risk of
the original vulnerability but often opens up new security weaknesses. The
latest Passport "fix" reduces the user's window of vulnerability from 15
minutes after log-in to 30 seconds, but neither delivers adequate security
nor addresses the root cause of the problem. If Microsoft's planned
Passport migration from browser-based mechanisms to Kerberos operating
system-based authentication takes place, it will eliminate the basis for
this weakness by 2003.  However, this approach will not help today's
Passport users (according to Gartner research, 25 million U.S. consumers
have signed up with Passport - though only
7 million know it).

The latest vulnerability also shows that software-only solutions cannot
deliver high levels of security for sensitive or otherwise valuable
information. Software-only protection may suffice for low-value site
registration information - e.g., name, zip code and preferences - but
high-value information requires the use of a smart card, hardware token or
biometric input. Smart cards provide a major additional benefit besides
strong authentication: storage capacity to keep sensitive information offline.

RECOMMENDATION: Gartner's research shows that consumers are already wary of
Passport-type systems; in a recent study, only 2 million U.S. Passport
users reported storing credit card information using the service (see
Research Note M-14-5779, "Microsoft Passport: Build It and They Will
Haltingly Come").  Enterprises should not encourage their customers - or
their employees - to use software-only systems for storage of sensitive
information before 2005, when vulnerabilities of Passport and competing
systems will be thoroughly exposed and resolved and when smart cards for
home PCs will be readily available. All applications developed during this
period should support migration to smart cards as soon as feasible, likely
after 2005 for consumer applications.

SERVICES: Information Security Strategies, and Financial Services Payment
ANALYSTS: John Pescatore and Avivah Litan

Tom Maier
Exec. Dir. Strategic Planning
and Policy Development, OIIT
Board Of Regents
Univ. System of Georgia
(404) 656-6174 v
(404) 657-6673 f

More information about the unisog mailing list