RealTime IT News

Get It Right, Redmond

If I were one of the millions of customers whose personal information may have been exposed because of a security flaw in Microsoft's vaunted .NET Passport service, I'd be pretty concerned.

If I were running a business that depends on Internet transactions, I'd be pretty ticked off. This is exactly the kind of high-profile incident that causes a large percentage of consumers to shun online business in the first place. And in a sputtering economy, that kind of lost revenue opportunity can be disastrous.

The security flaw, revealed last Thursday, allowed hackers possessing a user's email address to trigger Passport's password reset feature. Armed with a password of their own choosing, hackers then could access personal information such as addresses and credit card numbers.

Passport, which is tied to the company's Windows XP operating system, is designed to offer consumers a means of identifying themselves on hundreds of Web sites, avoiding the hassle of setting up numerous separate accounts, thus making it easier to buy online. In addition, Passport provides Windows users access to the Hotmail service and instant messaging accounts.

Microsoft announced it acted immediately to fix the hole, but the Pakistani researcher who discovered the flaw said the folks in Redmond, Wash., never replied to any of the 10 emails he had sent warning of the problem.

However responsive Redmond was, it may now face another Federal Trade Commission (FTC) investigation and a possible fine. Last year, the company settled with the FTC after the federal agency alleged that Passport, despite Microsoft's assurances, did not protect users' email addresses and credit card numbers. As part of the agreement, Microsoft promised to create reasonable safeguards for Passport accounts and agreed to be audited every two years for the next 20 years. (Only 19 to go!)

This latest incident also blows another hole in the software giant's Trustworthy Computing Initiative announced early in 2002. According to the New York Times account of the Passport vulnerability, Microsoft reported more than 70 security flaws last year.

This gets back to my initial point. Stories in the New York Times and other media outlets about major flaws in software exposing vital user personal and financial information tend not to be terribly helpful to the thousands of merchants dependent on consumer confidence in online transactions. But when you're talking about the world's largest (and perhaps most resented) software company and 200 million potential victims...well, word travels fast.

Unfortunately, it's the kind of word that reinforces negative impressions. In a recent survey of 10,000 consumers, 41 percent said they had never made an online purchase. Of those, more than half (53 percent) said more secure payment options might persuade them to conduct transactions online. But after being bombarded with news about Passport flaws, rising Internet consumer fraud, credit-card account hacks and online identity theft, how many of them will stay on the sidelines permanently?

Online merchants face enough obstacles to growing their customer base. If the FTC finds that Microsoft could have done a better job of securing Passport, or if it dragged its feet when the vulnerabilities were first pointed out, the company deserves to get hammered. And even if the Feds decline to pursue the matter, Microsoft owes it to the rest of the industry to do better.

Chris Nerney is Executive Editor of the EarthWeb.com IT Management Channel.