[ISN] A yolk too far: Microsoft does Egg's security

From: InfoSec News (isnat_private)
Date: Thu Nov 01 2001 - 02:21:33 PST

  • Next message: InfoSec News: "[ISN] Hacker jailed for revenge sewage attacks"

    Wednesday 31st October 2001   
    Online bank Egg is to use Microsoft's controversial Passport
    authentication software to give users access to their accounts,
    despite widespread concern that Microsoft's security technology isn't
    up to the job.
    Egg CIO Dana Cuffe will move over to the web-based system when a full
    assessment is completed, and currently has no timeframe for the move.
    Analysts immediately criticised the move and claimed the system isn't
    good enough for banking.
    Jose Lopez, research analyst for Frost and Sullivan's security
    division, said: "Passport is not good enough - not at all - for the
    purposes of online banking. Any other bank will tell you the same
    He cited past security problems and added: "I think many Egg customers
    would leave if Microsoft did its authentication."
    Ian Brown, security expert and researcher at UCL, said he would not be
    comfortable banking at Egg if it moved to the Microsoft platform for
    authentication. "I would certainly think twice about my Egg account,"
    he said.
    Egg is an early adopter of Microsoft's new operating system, Windows
    XP, and a firm supporter of its .NET strategy, but thus far it has
    used Entrust technology to authenticate its customers online.
    Cuffe said he planned to replace Entrust's GetAccess product with the
    Passport system.
    He told silicon.com: "At first we will use Passport alongside
    GetAccess but the aim is to replace it entirely. At the moment we're
    still to assess and validate the system, but the assumption is that it
    will be rolled out."
    The news is a boost to Microsoft, which has faced stern criticism in
    recent months for the poor security of its products as well as
    increasing concerns about the ramifications of Passport on user
    privacy and security.
    Bill Malik, VP at Gartner Group, said: "This is a real coup for
    Microsoft. To persuade someone with the heavy fiduciary
    responsibilities of a bank that Passport is adequate."
    Passport is the authentication system Microsoft currently uses to
    identify Hotmail users, but will ultimately be the way in to a wide
    range of .NET services, theoretically allowing a user to sign in just
    once for multiple services.
    Passport has faced criticism both because of the nature of its design
    gives hackers just one entry point to a wide range of valuable
    information, but also because many suspect Microsoft particularly is
    ill-equipped to deliver such a service, given its poor record on
    computer security.
    Microsoft was unable to provide a spokesperson to comment on the
    [Egg bank: http://www.egg.com]
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 07:32:56 PST