
Get It Right, Redmond

Written by Chris Nerney
May 12, 2003

If I were one of the millions of customers whose personal information may
have been exposed because of a security flaw in Microsoft’s vaunted .NET
Passport service, I’d be pretty concerned.

If I were running a business that depends on Internet transactions, I’d be
pretty ticked off. This is exactly the kind of high-profile incident
that causes a large percentage of consumers to shun online business in the first place. And in a sputtering economy, that kind of lost revenue opportunity can be disastrous.

The security flaw, revealed last Thursday, allowed hackers possessing a user’s email address to trigger Passport’s password reset feature. Armed with a
password of their own choosing, hackers then could access personal
information such as addresses and credit card numbers.

Passport, which is tied to the company’s Windows XP operating system, is
designed to offer consumers a means of identifying themselves on hundreds of
Web sites, avoiding the hassle of setting up numerous separate accounts, thus making it easier to buy online. In addition, Passport provides Windows users access to the Hotmail service and instant messaging accounts.

Microsoft announced it acted immediately to fix the hole, but the Pakistani
researcher who discovered the flaw said the folks in Redmond, Wash., never replied to any of the 10 emails he had sent warning of the problem.

However responsive Redmond was, it may now face another Federal Trade
Commission (FTC) investigation and a possible fine. Last year, the company settled
with the FTC after the federal agency alleged that Passport, despite Microsoft’s assurances, did not protect users’ email addresses and credit card numbers. As part of the agreement, Microsoft promised to create reasonable safeguards for Passport accounts and agreed to be audited every two years for the next 20 years. (Only 19 to go!)

This latest incident also blows another hole in the software giant’s
Trustworthy Computing Initiative announced early in 2002. According to the
New York Times account of the Passport vulnerability, Microsoft reported
more than 70 security flaws last year.

This gets back to my initial point. Stories in the New York Times and other
media outlets about major flaws in software exposing vital user personal and
financial information tend not to be terribly helpful to the thousands of
merchants dependent on consumer confidence in online transactions. But when
you’re talking about the world’s largest (and perhaps most resented) software
company and 200 million potential victims…well, word travels fast.

Unfortunately, it’s the kind of word that reinforces negative impressions.
In a recent survey of 10,000 consumers, 41 percent said they had never made an
online purchase. Of those, more than half (53 percent) said more secure payment
options might persuade them to conduct transactions online. But after being bombarded with news about Passport flaws, rising
Internet consumer fraud, credit-card account hacks and online identity theft, how many of
them will stay on the sidelines permanently?

Online merchants face enough obstacles to growing their customer base. If
the FTC finds that Microsoft could have done a better job of securing
Passport, or if it dragged its feet when the vulnerabilities were first pointed out,
the company deserves to get hammered. And even if the Feds decline to pursue
the matter, Microsoft owes it to the rest of the industry to do better.

Chris Nerney is Executive Editor of the EarthWeb.com IT Management Channel.
