The story is boaring
Lets set up the sweepstake on how fat "Reg reader Martin N" is instead!!
RSA has apologised for a domain name registration glitch, which left clients of its securesuite.co.uk payment processing service unable to process payment as normal last Thursday. Pizza purveyor Domino's, Dabs and others were hit by the snafu, which meant transactions either timed out or failed. In response to the problems, …
"RSA is in the middle of updating all of its relevant domain names"... or roughly translated as...
"Oh phukin' 'ell, quick, buy the domain again, quicker, RUN dammit... O-F-F-S HURRY man!!!! Right you!!! re-run the DNS script - What?... NO NOW!!!! quickly... and you!!! get the backup systems reset - FAST dammit.... O-M-G what if the register gets a hold of th.... oh bugger!
Imagine Nominet had not disabled the unrenewed domain but had put it back in the pot to be re-registered on a first come, first served. Real live CC data gushing in from online shoips worldwide. My, that would have made TNT's custodianship of the HMRC appear very secure.
Ever had a phone call from the bank?
"Can I just verify who you are sir?"
"No, verify yourself first."
"Sorry we can't for security reasons ..."
Muppets - Paris who knopws a thing or two on first come, first ...
A certain large building society neglected to renew itsVersign certificate earlier this year. Despite being emailed a number of times, they ignored it.
On a call to Verisign US (the UK outfit being useless) got it sorted.
And the certain large building society are promoting this Verified by Visa service
PS Reg was in formed, but it obviously wasn't newsworthy
This post has been deleted by its author
Verification of callers:
I refused to answer questions purporting to be from the census folks because they couldn't verify their identity. And it was so easy! Just give me a listed telephone number I can call you back at, one that's listed in the "government numbers" part of the telephone book.
The guy offered me one number, but it wasn't in my local telephone book.
Odd thing is, 15 years or so ago, I took a course from Statistics Canada in survey methodology and that's the very method they recommended -- and said they used themselves. Seems like they've forgotten their own business m.o.
[Statistics Canada carries out the Canadian census, btw.]
As for banks, these days all they list in the telephone directory is a single toll-free number, making it difficult for someone calling from the bank to offer a verifiable call-back number.
Why does this amuse me?
As Mr Coward says above, the real scam is Verified by Visa/MasterCard SecureCode. This brilliant piece of security theatre adds no real protection to the transaction. It does however force banks and retailers to interrupt transactions with either a pop-up or an iFrame (both security nightmares). The screen that appears lacks the full branding and looks amateurish. Customers are confused by it, so the retailer/bank loses sales, or has to deal with increased call-centre traffic. The long-term effect is that customers get used to random, bodged-looking pop-ups appearing during transactions. The phishers then won't even have to try to make their screens look real. Smacks of the kind of dumb idea thought up by a CEO, then half-assedly implemented by staff who know it's doomed to fail.
Seriously I'm not - I was up all night writing code and hungry as hell - leave me alone. If I was fat I’d weigh as much as a small moon – I’m 6’ 10” I can get away with eating lots of pizza :)
But seriously it's not the most exciting story in history but there’s a few reasons it being down got my attention.
Firstly you have to wonder at the final significance of it being down for a few hours - a large chunk of internet transactions in the UK (and I'm pretty sure Ireland too) go through this site, and it's a good thing.
As somebody that's suffered from card fraud in the past every extra measure is a good thing, there's some that would say (and I'd probably be included in those people) that would argue it isn't enough but I do get annoyed when I see a site that doesn't use it when I use my card online - simply because it is an extra step between your card numbers and fraud.
But back to the point - yeah if you imagine how much cash would go through this system in that period of time on a normal - I wouldn't like to guess but I can imagine it was a decent ammount. We have to be talking multiple millions here?
I asked some people if it was down and somebody pointed out that the domain expired. This is what piqued my interest - for RSA to miss a domain like that with it's likely financial importance I'd argue is a big thing, I think it was at that point I sent el reg a quick email just saying it was down.
For obvious reasons I didn't hear back until the next day but basically I was forwarded an email which made me ask some serious questions as to what exactly happened. I'll quote a section of it and let the readers decide what it says compared to the reply given quoted in the final article:
"RSA has checked it out and there is still DNS resolution, so
securesuite.co.uk is still a functioning domain name.
"RSA is unaware of any service outages for our customers and have not
received any complaints from card issuers, and all our diagnostics have
passed."
Compare that with
"RSA 3D Secure within the United Kingdom was partially unavailable to certain customers and some transactions were delayed or blocked due to a domain name registration issue. The issue was identified and remedial action was taken. At the time, all Payment Card Issuers were immediately notified of a service interruption and they received continuous updates throughout until resolution"
Now come on - those replies are polar opposites. How can you have no issues and everything checks out yet at the same time have transactions blocked and oh "by the way we did tell card issuers". That would have been great if it happened, but obviously you won't get a bank or card issuer to confirm that.
So what's the truth? Did RSA lie to save embarrassment hoping that there'd be not enough evidence for a 'printable' story or did they just not know at all?
Either way doesn't look good (to me at least) which is why when I saw that reply I chased it down a little with Google and saw other people had the same issue. As for percentages of customers affected - well - I asked various people and it had a 100% "yes, it's down" rate, not totally scientific I'll admit but still you have to ask questions again.
So back to why it's important. It's important because this is credit card security. When the domain system breaks like that (no matter who's fault it is - it could be that say Nominet is the guilty party here) - there's at least the possibility that somebody could pick it up in an after-sales domain clearance auction if nobody is paying attention and do who knows what with it – okay, that's a little bit out-there but what I'm saying is that this is stuff you have to get right otherwise people end up getting defrauded.
Plus lets be fair you'd kind of expect RSA to know better.