It is a simple attack, but it seems that Microsoft’s latest attempt to create a secure retail experience on the web has already been compromised. ComputerWorld gives a short description of how it works:
The attack against CardSpace involves directing a user to a malicious Web server. In the explanation, the attack involves modifying the victim’s DNS settings — another trick known as “pharming” — and directing the person to the malicious Web server, which is then able to grab the authentication token.
This suggests that the trust relationship is established in the wrong order: the client trusts whichever server the (attacker-controlled) DNS lookup points it at before the server has proven anything about itself, and the token is handed over on that basis. That is not far from the pharming problem web consumers already face. If redirecting the user is enough to capture the token, what then is the benefit of CardSpace?