Information Security News mailing list archives

A yolk too far: Microsoft does Egg's security


From: InfoSec News <isn () c4i org>
Date: Thu, 1 Nov 2001 04:21:33 -0600 (CST)

http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=48760&REQSTR1=silicon.com

Wednesday 31st October 2001   

Online bank Egg is to use Microsoft's controversial Passport
authentication software to give users access to their accounts,
despite widespread concern that Microsoft's security technology isn't
up to the job.

Egg CIO Dana Cuffe will move over to the web-based system when a full
assessment is completed, and currently has no timeframe for the move.
Analysts immediately criticised the move and claimed the system isn't
good enough for banking.

Jose Lopez, research analyst for Frost and Sullivan's security
division, said: "Passport is not good enough - not at all - for the
purposes of online banking. Any other bank will tell you the same
thing."

He cited past security problems and added: "I think many Egg customers
would leave if Microsoft did its authentication."

Ian Brown, security expert and researcher at UCL, said he would not be
comfortable banking at Egg if it moved to the Microsoft platform for
authentication. "I would certainly think twice about my Egg account,"
he said.

Egg is an early adopter of Microsoft's new operating system, Windows
XP, and a firm supporter of its .NET strategy, but thus far it has
used Entrust technology to authenticate its customers online.

Cuffe said he planned to replace Entrust's GetAccess product with the
Passport system.

He told silicon.com: "At first we will use Passport alongside
GetAccess but the aim is to replace it entirely. At the moment we're
still to assess and validate the system, but the assumption is that it
will be rolled out."

The news is a boost to Microsoft, which has faced stern criticism in
recent months for the poor security of its products as well as
increasing concerns about the ramifications of Passport on user
privacy and security.

Bill Malik, VP at Gartner Group, said: "This is a real coup for
Microsoft. To persuade someone with the heavy fiduciary
responsibilities of a bank that Passport is adequate."

Passport is the authentication system Microsoft currently uses to
identify Hotmail users, but will ultimately be the way in to a wide
range of .NET services, theoretically allowing a user to sign in just
once for multiple services.

Passport has faced criticism both because the nature of its design
gives hackers just one entry point to a wide range of valuable
information, and because many suspect Microsoft in particular is
ill-equipped to deliver such a service, given its poor record on
computer security.

Microsoft was unable to provide a spokesperson to comment on the
story.

[Egg bank: http://www.egg.com]



-
ISN is currently hosted by Attrition.org
