Wednesday, May 28, 2008

German Students Break CardSpace Security

Three students from the Ruhr-University Bochum in Germany were able to intercept the security token and, based on that, read the plain text of the cards' content (e.g. name, credit card number and other things) and impersonate the legitimate user during the lifetime of the security token. They basically did this by means of an extended man-in-the-middle attack through DNS manipulation:
"We study the security of Cardspace and show that the browser-based protocol is susceptible to attacks, where the adversary steals the security token. Consequently, we prove evidence that users are impersonatable and the one who potentially suffer from identity theft. We confirm the practicability of the attack by presenting a proof of concept implementation. Finally, we discuss countermeasures, addressing both the CardSpace identity metasystem and the protocol."
See the short description and the full report (pdf).

Heise Security tried to reproduce the attack without success, though. Microsoft is already working on a solution.
