RSA domain glitch derails UK online retailers
Unverified by Visa
RSA has apologised for a domain name registration glitch, which left clients of its securesuite.co.uk payment processing service unable to process payment as normal last Thursday.
Pizza purveyor Domino's, Dabs and others were hit by the snafu, which meant transactions either timed out or failed. In response to the problems, some online retailers disabled Verified by Visa on transactions that would normally be run through securesuite.co.uk.
RSA, which runs securesuite.co.uk through Cyota (a 2005 acquisition), at first denied knowledge of the glitch, insisting everything was fine with the domain. Initial checks suggested that the domain had expired after someone forgot to renew it. But a web-based system diagnostic tool that RSA uses gave the domain the all-clear.
"RSA is in the middle of updating all of its relevant domain names," the security vendor initially said. "In this particular case presented by The Register, the public WHOIS was not for some reason reflecting RSA's renewal, which has in fact already been processed.
"RSA is unaware of any service outages for our customers and have not received any complaints from card issuers, and all our diagnostics have passed."
However, further investigation, prompted by a request by El Reg to explain multiple independent reports of glitches, yielded the following response:
On 17 July, RSA 3D Secure within the United Kingdom was partially unavailable to certain customers and some transactions were delayed or blocked due to a domain name registration issue. The issue was identified and remedial action was taken. At the time, all Payment Card Issuers were immediately notified of a service interruption and they received continuous updates throughout until resolution.
The securesuite.co.uk is used to add 3D Secure protocol checks as an added layer of security to credit or debit card purchases and offered to consumers through such as the Verified by Visa and MasterCard SecureCode services. The online security and anti-fraud service has been mistaken for a phishing site in the past, but is (though it might appear otherwise) legitimate.
Reports of failed transactions involving securesuite.co.uk came to our attention thanks to Reg reader Martin N. "I first noticed something was wrong when I couldn't order a pizza from Dominos - who have now disabled their Verified by Visa stuff," he told us. "The site [securesuite.co.uk] is down because the site's domain is suspended. Somebody really messed up." ®
you'd kind of expect RSA to know better.
Trust me, having worked there no you wouldn't.
Is "boaring" some sort of hunting activity?
I'm Not Fat
Seriously I'm not - I was up all night writing code and hungry as hell - leave me alone. If I was fat I’d weigh as much as a small moon – I’m 6’ 10” I can get away with eating lots of pizza :)
But seriously it's not the most exciting story in history but there’s a few reasons it being down got my attention.
Firstly you have to wonder at the final significance of it being down for a few hours - a large chunk of internet transactions in the UK (and I'm pretty sure Ireland too) go through this site, and it's a good thing.
As somebody that's suffered from card fraud in the past every extra measure is a good thing, there's some that would say (and I'd probably be included in those people) that would argue it isn't enough but I do get annoyed when I see a site that doesn't use it when I use my card online - simply because it is an extra step between your card numbers and fraud.
But back to the point - yeah if you imagine how much cash would go through this system in that period of time on a normal - I wouldn't like to guess but I can imagine it was a decent ammount. We have to be talking multiple millions here?
I asked some people if it was down and somebody pointed out that the domain expired. This is what piqued my interest - for RSA to miss a domain like that with it's likely financial importance I'd argue is a big thing, I think it was at that point I sent el reg a quick email just saying it was down.
For obvious reasons I didn't hear back until the next day but basically I was forwarded an email which made me ask some serious questions as to what exactly happened. I'll quote a section of it and let the readers decide what it says compared to the reply given quoted in the final article:
"RSA has checked it out and there is still DNS resolution, so
securesuite.co.uk is still a functioning domain name.
"RSA is unaware of any service outages for our customers and have not
received any complaints from card issuers, and all our diagnostics have
Compare that with
"RSA 3D Secure within the United Kingdom was partially unavailable to certain customers and some transactions were delayed or blocked due to a domain name registration issue. The issue was identified and remedial action was taken. At the time, all Payment Card Issuers were immediately notified of a service interruption and they received continuous updates throughout until resolution"
Now come on - those replies are polar opposites. How can you have no issues and everything checks out yet at the same time have transactions blocked and oh "by the way we did tell card issuers". That would have been great if it happened, but obviously you won't get a bank or card issuer to confirm that.
So what's the truth? Did RSA lie to save embarrassment hoping that there'd be not enough evidence for a 'printable' story or did they just not know at all?
Either way doesn't look good (to me at least) which is why when I saw that reply I chased it down a little with Google and saw other people had the same issue. As for percentages of customers affected - well - I asked various people and it had a 100% "yes, it's down" rate, not totally scientific I'll admit but still you have to ask questions again.
So back to why it's important. It's important because this is credit card security. When the domain system breaks like that (no matter who's fault it is - it could be that say Nominet is the guilty party here) - there's at least the possibility that somebody could pick it up in an after-sales domain clearance auction if nobody is paying attention and do who knows what with it – okay, that's a little bit out-there but what I'm saying is that this is stuff you have to get right otherwise people end up getting defrauded.
Plus lets be fair you'd kind of expect RSA to know better.