A serious security flaw in Microsoft's Passport service


MrDave
May 11th, 2003, 12:13am
http://news.com.com/2100-1083_3-1000686.html

By Steven Musil
Staff Writer, CNET News.com
May 9, 2003, 10:45 AM PT


A serious security flaw in Microsoft's Passport service put more than just its 200 million customers' accounts at risk of being hijacked--it also gave the software giant a public relations black eye and opened it up to some stiff fines.
The flaw, in Passport's password recovery mechanism, could have allowed an attacker to change the password on any account to which the username is known. The simplicity of the attack method and the high value of the data frequently stored in Passport accounts--names, addresses, birthdates and credit card numbers--combined to make the vulnerability critical.

Microsoft immediately turned off the feature, and security and product teams worked overnight to fix the flaw. By the next morning, the company had replaced the service with a more secure version, one that should have been there in the first place. The feature had been around since September 2002, and Microsoft is investigating to what degree the flaw may have been exploited by online vandals to grab user accounts.
For a company that has publicly made security a priority, the Passport problem was a serious setback. But the damage to the company could run to more than just bad public relations. The software giant may also face an investigation and significant fines for the security lapse.

The potential investigation could lead to hefty fines at a rate of $11,000 per violation. If the FTC tries to levy fines on Microsoft, the total penalty could be as high as $2.2 trillion if all accounts are tallied as violations. However, the number of people that have been locked out of their accounts may be a better basis for determining fines.