MICROSOFT admits serious flaw in 'e-wallet' technology

Monday, November 5th 2001, 12:00 am
By: News On 6

WASHINGTON (AP) - Microsoft Corp. is making repairs after acknowledging that its "Passport" technology for safeguarding purchases on the Internet has a serious design flaw that might have allowed hackers to steal credit card numbers and personal information.

Microsoft said 2 million customers use the vulnerable "e-wallet" feature of Passport, and there was no evidence of actual theft. The company temporarily shut down access to virtual wallets Wednesday, inconveniencing buyers at roughly 70 e-commerce Web sites that support the technology, called "Express Purchase."

Up to 200 million people have signed up for Passport accounts, which are nearly impossible to avoid under Microsoft's new Windows XP operating system. Passport promises consumers a single, convenient method for identifying themselves across different Web sites.

"We do not believe customer data was compromised in any way," Microsoft spokesman Adam Sohn said Friday. "We know we've got to build and earn trust for (Passport) to be successful. We're taking the right steps to do that."

Users of Windows XP were never vulnerable because of additional security measures built in, Sohn said.

An outside researcher, Marc Slemko of Seattle, discovered the flaw and notified Microsoft engineers this week.

The vulnerability, which Microsoft said would require a sophisticated hacker to exploit, was significant because Passport is integral to Microsoft's upcoming services, including its .NET initiative. Passport users could entrust Microsoft or another company to hold their personal information, such as credit card numbers or medical records, and make it available whenever needed.

Slemko, a prominent Internet security researcher, said he discovered a method for fooling Microsoft's central Passport computers into sending him the contents of someone else's virtual wallet.

The hacker sends a message to the victim's Microsoft Hotmail e-mail account. If the victim clicks on an apparent Web link within the message, Slemko said, "Within minutes ... I have access to their wallet and credit-card information."

Microsoft said it fixed problems to prevent such online impersonations, and was making further changes to improve security.

Microsoft's growing emphasis on Passport has angered some privacy groups, who have pressed the Federal Trade Commission in recent weeks to investigate whether the company can adequately guarantee the safety of a customer's information. The groups said the newly discovered flaw reinforces their arguments.

"It's an identity thief's dream come true to be able to grab the online credentials of someone simply by sending the victim an e-mail," said Jason Catlett, head of Junkbusters Corp., a New Jersey-based privacy organization.

Marc Rotenberg of the Electronic Privacy Information Center called it "very serious that so much personal information of so many American consumers is held by a single company with such a bad reputation for security."

Microsoft responded that its Passport technology allows consumers to store their sensitive records with other organizations they trust, not just Microsoft.

"The long-term vision for all this has never been that Microsoft would be the sole repository for all the data," Sohn said.