Hotmail wants your credit card details

Microsoft wants to take your credit card details and put them on its servers. Security experts advise caution
Written by Will Knight, Contributor

Less than two months after its embarrassing security blunder, Hotmail is hoping users will entrust their credit card details to its servers.

Microsoft has come up with an e-commerce solution it believes will help protect millions of current Hotmail users from credit-card fraud and junk e-mail.

The catch? That they hand over credit card details to Hotmail.

Asked if this was a prudent move so soon after the Hotmail farce, MSN passport spokesperson Andrew Mackles says Hotmail deserves people's trust. Security has been beefed up considerably, says Mackles.

He refused to offer any guarantees on security.

"Nothing is totally protected from hackers, but we have significant security measures," he says. "All messages will be highly encrypted, there will be strict criteria for selecting companies that can be included in the passport scheme and there will even be steel cages and real live guard dogs protecting the servers."

Despite Mackles' confidence, security experts reckon Microsoft should not be trusted. UK security expert Matt Bevan, of Tiger Team security, says none of these measures would have prevented the CGI exploit in August. "These measures would absolutely not have prevented that hack, none of these things are going to make a difference if someone compromises a password," says Bevan.

But despite his hard line, Bevan concedes that an attempt to capture a password or a credit card number by targeting the end user directly, rather than cracking Hotmail, would be an easier challenge. "Users need to be more aware of security issues. A browser is completely unable to detect if, say, a Trojan is operating. With something like Sub7 Two [a type of Trojan] it is possible to see what someone is writing in real time. These things are getting more widespread and they are very easy to use."

Microsoft plans to monitor traffic on Hotmail and retain all users' telephone numbers. Asked why, Mackles said it was to ensure customers could be contacted immediately if misuse of a card is suspected.

A spokesman for The Association for Payment Clearing Services (APCS), an organisation that co-ordinates the fight against credit-card fraud, confirms that banks and other financial institutions remain most trusted by the public. However, the spokesman did not discount the possibility that people will put their trust in Microsoft.

He is also keen to assert that standards of Internet security for credit card transactions are pretty good. "We would recommend people use a browser with secure features and don't deal with anyone they don't know. But they are relatively safe."
