Microsoft's CardSpace Attacked by Researchers

Research shows Microsoft's CardSpace is vulnerable.

When surfing the Web for something as simple as a new book or a pair of shoes, an alternative to the username-and-password system seems like a great idea. It spares users the laborious task of remembering multiple usernames and passwords, or of re-entering credit card information at each site they visit while shopping. However, it is all too easy to forget that the fastest growing crime on the Internet is identity theft, and that, beyond a limited degree of user savvy, no foolproof way to prevent this crime exists.

CardSpace and Attacks

Microsoft's CardSpace system was at first deemed the answer to eliminating the rat race of username and password memorization. Yet, as Sebastian Gajek, Xuan Chen and Jörg Schwenk, three researchers at the Horst Görtz Institute for IT Security at Ruhr University Bochum, have proved, even the seemingly most effective steps taken towards solid privacy techniques can be attacked.

When shopping in the virtual world, attackers are essentially invisible. The traditional system of relying on a username/password combination for website registration has one main drawback: passwords can be stolen.

"It is much more difficult for users to recognize attack activity in the Internet. As more and more high-value transactions take place in the Internet today and the Internet does provide more convenience for attackers, I could imagine that attacks in the Internet would become more commonplace in the future," researcher Xuan Chen pointed out.

Because users jump so quickly between sites, they are easily tricked into "freely" giving personal information to non-secure entities. Although there are a number of ways a user can verify the validity of a website, the average Internet user does not even realize that many of these exist.

"Do not share any personal information if you are not 100 percent sure about the transaction," Chen suggested. "Most users cannot tell which privacy settings are related to sharing personal information on the Internet."

One way scammers gain personal information is through phishing, where scammers trick users into opening a malicious e-mail. From there, the e-mail invites users to visit a fake website mirroring a real one and to enter personal information, such as a password, to log in to the site. As when initially registering for a website, users are the ones deciding which websites to trust with their personal information and which e-mails to open and click through. Since fake sites can display the same graphics as real sites, steps need to be taken to differentiate the two. A website needs a better way to prove its legitimacy to users, and users need to determine more readily what level of assurance they are getting. In the end, it is up to the user to decide whether to trust a website.

It also makes a difference whether a user types in the full or the shortened version of a website address. If a user types the shortened version, the certificate no longer validates for that address and the user must click away the warning page.

"Although the new IE7 warns users of an invalid certificate with a whole warning page now, we still cannot guarantee that users will always pay attention to the warning. Apart from the user's lack of knowledge, many legitimate websites also have certificate problems," Chen said. "Can you still expect an inexperienced user to realize the importance of the warning page if even the legit Web server cannot pass the certificate check? Or can you expect an inexperienced user always to remember which website has and which doesn't have a valid certificate?"

Microsoft's CardSpace eliminates the password creation step. When users go to validate a website or online service, CardSpace automatically appears as a pop-up complete with a set of InfoCards from which the user can choose. Each card has identity information associated with it, kept by an identity provider such as a bank or employer. The user can alternatively opt for self-issued cards, which hold limited personal information, or managed cards, which are created by third-party providers. The user clicks on a card and an encrypted security token (with vital personal information associated with it) is sent to the website. When a user first installs a card into his system, he has to accept the security tokens issued by the identity provider for the card. Then, for each new website visited, he is given the opportunity to send digital identity information, eliminating the need for the username/password identifier.

Although CardSpace is meant to improve the relationship between real websites and users by improving the certificates used, the CardSpace system is not altogether free from risk. In their attack demonstration, Gajek, Schwenk and Chen showed that attackers can modify the domain name server settings so the user arrives at both the real CardSpace website for a shop and the fake one. Since users are unable to distinguish the real site from the fake one, they become victims of DNS spoofing, one of the biggest security issues on the Internet. Chen spent six months studying the CardSpace Metasystem and two additional months with the team working to create and implement the "proof-of-concept" attack. According to Chen, the attack was conducted under real world conditions—no special "rigging" was done.

"Our purpose is not to develop a perfect attack against CardSpace. Instead, we just want to point out that there is a possibility for such an attack and warn people and Microsoft about it and hope that Microsoft could improve the CardSpace system accordingly. That's also why it is called a 'proof-of-concept' attack. A creative real attacker may possibly apply such an attack in a much better way," Chen said.

Microsoft is currently working to rectify the problem that has arisen between users' knowledge and information verification. All in all, using CardSpace is more time efficient than remembering multiple username and password combinations. And, as proven by Gajek, Schwenk and Chen, the average Internet user needs to become more educated in the world of Internet trust and stay aware of common clues that a website is not legitimate.

Copyright © 2008 IDG Communications, Inc.