When surfing the Web for something as simple as a new book or pair of shoes, an alternative to the username and password system seems like a great idea. It saves time from the laborious system of remembering multiple usernames, passwords or even from re-entering credit card information for each site visited while a user is shopping. However, sometimes it's all too easy to forget that the fastest growing crime on the Internet is identity theft, and aside from limited user savvy, a foolproof way to prevent this crime does not exist.

CardSpace and Attacks

Microsoft's CardSpace system was at first deemed the answer to eliminating the rat race of username and password memorization. Yet, as Sebastian Gajek, Xuan Chen and Jörg Schwenk, three researchers of the Horst Görtz Institute for IT Security at Ruhr University Bochum, have proved, even the seemingly most efficient steps taken towards solid privacy techniques can be attacked.

When shopping in the virtual world, attackers are essentially invisible. The traditional system of relying on the username/password combination for website registration has one main drawback: passwords can be stolen.

"It is much more difficult for users to recognize attack activity in the Internet. As more and more high-value transactions take place in the Internet today and the Internet does provide more convenience for attackers, I could imagine that attacks in the Internet would become more commonplace in the future," researcher Xuan Chen pointed out.

Because of how quickly users jump between sites, users may tend to be easily tricked into "freely" giving personal information to non-secure entities. Although there are a number of ways that a user can verify the validity of a website, the average Internet user doesn't even realize that many of these exist.

"Do not share any personal information if you are not 100 percent sure about the transaction," Chen suggested. "Most users cannot tell which privacy settings are related to sharing personal information on the Internet."

One way scammers gain personal information is through phishing, where scammers trick users into opening malicious e-mail. From there, the e-mail invites users to visit a fake website mirroring a real one, and to enter personal information such as a password to log in to the site. As when initially registering for a website, users are the ones deciding which websites to trust with their personal information and which e-mails to open and click through. Since fake sites can display the same graphics as real sites, steps need to be taken towards differentiating the two. A website needs a better way to prove its legitimacy to users, and users need to more readily determine what level of assurance they're getting. In the end, it's up to the user to decide whether to trust a website.

There is also a difference between whether a user types in the full or shortened version of a website address. If a user types the shortened version, the certificate no longer validates for that address and the user must click away the warning page.

"Although the new IE7 warns users of an invalid certificate with a whole warning page now, we still cannot guarantee that users will always pay attention to the warning. Apart from the user's lack of knowledge, many legitimate websites also have certificate problems," Chen said. "Can you still expect an inexperienced user to realize the importance of the warning page if even the legit Web server cannot pass the certificate check? Or can you expect an inexperienced user always to remember which website has and which doesn't have a valid certificate?"

Microsoft's CardSpace eliminates the password creation step. When users go to validate a website or online service, CardSpace automatically appears as a pop-up complete with a set of InfoCards from which the user can choose. Each card has identity information associated with it, kept by an identity provider such as a bank or employer. The user can alternatively opt for self-issued cards, which hold limited personal information, or managed cards, which are created by third-party providers. The user clicks on a card and an encrypted security token (with vital personal information associated with it) is sent to the website. When a user first installs a card into his system, he has to accept the security tokens issued by the identity provider for the card. Then, for each new website visited, he is given the opportunity to send digital identity information, eliminating the need for the username/password identifier.

Although CardSpace is meant to improve the relationship between real websites and users by improving the certificates used, the CardSpace system is not altogether free from risk. In their attack demonstration, Gajek, Schwenk and Chen showed that attackers can modify the domain name server settings so the user arrives at both the real CardSpace website for a shop and the fake one. Since users are unable to distinguish the real site from the fake one, they become victims of DNS spoofing, one of the biggest security issues on the Internet.

Chen spent six months studying the CardSpace Metasystem and two additional months with the team working to create and implement the "proof-of-concept" attack. According to Chen, the attack was conducted under real world conditions—no special "rigging" was done.

"Our purpose is not to develop a perfect attack against CardSpace. Instead, we just want to point out that there is a possibility for such an attack and warn people and Microsoft about it and hope that Microsoft could improve the CardSpace system accordingly. That's also why it is called a "proof-of-concept" attack. A creative real attacker may possibly apply such an attack in a much better way," Chen said.

Microsoft is currently working to rectify the problem that has arisen between users' knowledge and information verification. All in all, using CardSpace is more time efficient than remembering multiple username and password combinations. And, as proven by Gajek, Schwenk and Chen, the average Internet user needs to become more educated in the world of Internet trust and stay aware of common clues that a website is not legitimate.
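The certificate warning mentioned earlier, triggered when a user types the short form of an address (example.com) instead of the full one (www.example.com), comes down to whether the name the browser is checking appears in the certificate's Subject Alternative Name list. The following Python is an added example, not code from the article or from the Bochum researchers: it reproduces the name-matching rule browsers apply so a defender can see which typed names a given certificate covers. The certificate dictionaries and host names are constructed, and `hostname_matches` and `_match_label` are hypothetical helper names.

```python
"""Hostname matching against a certificate's Subject Alternative Names.

Added example (not from the CIO.com article). Shows why typing the short
form of an address (example.com) can trip a certificate warning when the
server's certificate was only issued for www.example.com. All certificate
data below is constructed, not taken from any real site.
"""
import ipaddress


def _match_label(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 style, simplified).

    A wildcard is only honoured as the entire left-most label and never
    matches across a dot, so '*.example.com' matches 'shop.example.com'
    but not 'example.com' or 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject wildcards that are not a whole left-most label, wildcards on a
    # public suffix such as '*.com', and any label-count mismatch.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if hostname is covered by the certificate's SAN list.

    `cert` uses the shape returned by ssl.SSLSocket.getpeercert():
    {"subjectAltName": (("DNS", "www.example.com"), ("IP Address", "203.0.113.5"))}
    Only SAN entries are consulted; the subject Common Name is ignored, as
    modern browsers do.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in sans:
        if kind == "DNS" and ip is None and _match_label(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


# Constructed certificate: issued for www.example.com only.
SHOP_CERT = {"subjectAltName": (("DNS", "www.example.com"),)}
# Constructed certificate that also covers the short form and subdomains.
SHOP_CERT_FIXED = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}


def explain(cert: dict, typed: str) -> str:
    """Produce the one-line verdict a browser would base its warning page on."""
    if hostname_matches(cert, typed):
        return f"{typed}: certificate name matches, no warning"
    return f"{typed}: certificate does not name this host, browser shows a warning"


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "shop.example.com"):
        print(explain(SHOP_CERT, host))
        print(explain(SHOP_CERT_FIXED, host))
```

Running the block shows that SHOP_CERT produces a warning for example.com and shop.example.com while SHOP_CERT_FIXED covers all three, which is the operator-side fix for the "shortened address" warning the article describes: issue the certificate for every name users are likely to type. The standard library once shipped this check as `ssl.match_hostname`; it was deprecated in Python 3.7 and removed in 3.12, which is why the rule is spelled out here rather than imported.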