Kim Cameron on Information Cards as a solution to site redirection
Kim Cameron, Chief Architect of Identity in the Connected Systems Division at Microsoft has an interesting post up about at his Laws of Identity blog on the vulnerability of passwords to "site redirection", a problem that Information Cards don't have:
The UK's Register has been running a a series of articles by John Leyden (here, here and here) about Verified By Visa. (VByV) Verified By Visa uses the same kind of "site redirection" I've written about many times with respect to OpenID and other password-based federation technologies - but in this case it is a banking password that can be stolen.
The phishing scenario is simple enough. If you happen onto an "evil" site and are tricked into purchasing something, it can "misdirect" your browser to a counterfeit VByV signon page. As John explains, you have little chance, as a user, of knowing you are being duped, but once you enter your password it is available to the evil site for both instant use an future reuse. Those familiar with this site will understand that this is yet another example of an attack that cannot be made against Information Card users.
Beyond focusing attention on the phishing problems inherent in "site redirection" approaches, John argues that the system - though claiming to be more secure - is actually just as vulnerable as non-VByV mechanisms. He then argues - and I have know knowledge as to whether this is the case - that the false claims about increased security are being used to reject complaints by end-users about irregularities and fraudulent purchases made in their name. If that were true, it would be scandalous.
Friends, this is a case of "The Writing on the Wall". I think people in the industry should see John's work as a sign of what's to come. He is the guy in the fable who is shouting out that "the Emperor has no clothes!" And he's doing it cogently to the wide readership of the Register.
If I were an advisor to the emperor at this point I would insist on two things:
1. admit the vulnerability of all systems based on "site redirection"; and
2. start getting into phishing-resistant technologies like Information Cards while one's modesty can still be protected.