Gartner: MS Passport IDs Can't be Trusted


Two security analysts on Friday urged financial institutions and other enterprises to stop using Microsoft's .NET Passport service immediately because the identity of users cannot be trusted.

"Microsoft failed to thoroughly test Passport's security architecture, and this flaw -- uncovered more than six months after Microsoft added the vulnerable feature to the system -- raises serious doubts about the reliability of every Passport identity issued to date," according to a report by John Pescatore and Avivah Litan, analysts for tech research firm Gartner.

Passport is Microsoft's single sign-on service, billed as a one-stop shop where personal information is stored and used for online activities such as shopping and accessing content.

The hard-hitting report was issued in response to last week's detection of a serious security hole that could have put personal information of millions of Passport and Hotmail users at the mercy of attackers.

The vulnerability, which has since been fixed, could have allowed an attacker to use a Web-based attack to change any Passport user's password to an arbitrary value. Once the password was reset, the attacker would have had complete access to the compromised account.

According to the Gartner researchers, the breach was serious enough to cause businesses to stop using the Passport service "until at least November 2003."

"It could theoretically have enabled unauthorized access to any of the more than 200 million Passport accounts used to authenticate e-mail, e-commerce and other transactions," the analysts said. They also noted that Microsoft did not know of any accounts that were damaged as a result.

"Whether any attackers exploited this flaw before Microsoft patched the problem is important to enterprises that depend on Passport identities, but it doesn't affect the actions they must take to limit the damage," they wrote. "As with any piece of software with serious security flaws, more vulnerabilities will likely surface in Passport."

The report said financial institutions, credit card issuers, retailers and other enterprises that use Passport for any meaningful business purpose should immediately break all Passport connections "until Microsoft can prove that its security is adequate."

Additionally, it called for companies to invest in a "more secure form of authentication for all issued Passport identities."

Enterprise Passport users were urged to contact all customers who use Passport and make them aware of the recommendations Microsoft has issued for Passport account holders.

"Enterprises considering Passport services should delay adoption until at least November 2003 or until Microsoft has completed a thorough security review of Passport, including outside reviewers," the analysts added.

The duo warned that the Passport hole could further delay any meaningful demand for e-commerce identity services. "Microsoft can reduce this impact and regain market confidence by submitting Passport's code to a full open-source review," Pescatore and Litan wrote.

When asked to respond to the report, a Microsoft spokesperson told internetnews.com that the recommendations Gartner makes are not constructive for customers. In a written response, Microsoft said:

"We take all security issues very seriously. In this case, we were able to deal with the issue in hours, and have no evidence at all of any misuse of accounts. The ability to respond to issues in such a quick and efficient manner helps ensure that should a vulnerability exist, that users can be protected from impact.

"While we know that we can always do better, we believe we have a solid set of processes and procedures in place to run Passport as a trusted service. We work continuously to improve the practices and technology and policies we do have and will learn from this episode and are committed to doing whatever is necessary to prevent similar occurrences in the future."

The harsh words from the Gartner analysts come in the wake of word that the Federal Trade Commission (FTC) is investigating the security vulnerability.

The FTC already has an order against Microsoft stemming from a settlement over lapsed Passport security. Jessica Rich, the FTC's assistant director for financial practices, told internetnews.com that the Commission "routinely monitors compliance with our orders," noting that fines of up to $11,000 per violation can be levied for non-compliance.

When asked if the FTC was investigating the latest Passport security issue, Rich said, "We have an order against Microsoft but all our investigations are non-public. In all cases, if we find non-compliance, we can levy fines."
