Recently a friend's Windows Live account was phished. On the surface this doesn't seem to be a major issue, but then I got thinking about the information that the account would have held for this individual.

Windows Live integrates with many of the Microsoft services, including Hotmail, MSDN, MSN and so forth. Many third-party providers, such as Facebook, also allow linking to your ID in order to access your contact list.

But what sort of impact could a breach of Windows Live ID have on an individual?

Well, let's look at it from the worst-case angle.

A user is potentially using Hotmail as their primary e-mail address, which is obviously also their Windows Live ID. If the Live ID is phished and the password changed by the third party (as it was in this case), the user has immediately lost access to their e-mail. And their contacts. And their calendar. And their profile of personal information. And their blog, website, etc. (if hosted on the Microsoft systems).
And before you can say "why not reset the password" … the third parties involved also change the alternate e-mail address used for password resets, so you can NOT receive the password-reset e-mail. Sneaky.

Many of you will think "that's not too bad", but bear in mind that people regularly use Hotmail et al. as their primary e-mail accounts these days. That includes personal communications, which could contain information key for identity theft or, even worse, financial transaction information. Worse still, people may have bank account information saved in Contact entries, something we are told never to do, but how many of us actually heed this advice?

For a system that is essentially only single-factor authentication (username and password), it is rather reassuring that it never fully made it mainstream as a single sign-on mechanism.
At least CardSpace provides a far more secure, reliable and phishing-resistant interface. Let's hope the adoption of CardSpace accelerates; it might be one of the few things that will protect us against the ever-growing threat of phishing attacks.

What we need now is an independent third party to provide enough validation of the claims on the Card so that people will trust it …