you'd kind of expect RSA to know better.

Trust me, having worked there no you wouldn't.

@gordon pryra

Is "boaring" some sort of hunting activity?

I'm Not Fat

Seriously I'm not - I was up all night writing code and hungry as hell - leave me alone. If I was fat I’d weigh as much as a small moon – I’m 6’ 10” I can get away with eating lots of pizza :)

But seriously it's not the most exciting story in history but there’s a few reasons it being down got my attention.

Firstly you have to wonder at the final significance of it being down for a few hours - a large chunk of internet transactions in the UK (and I'm pretty sure Ireland too) go through this site, and it's a good thing.

As somebody that's suffered from card fraud in the past every extra measure is a good thing, there's some that would say (and I'd probably be included in those people) that would argue it isn't enough but I do get annoyed when I see a site that doesn't use it when I use my card online - simply because it is an extra step between your card numbers and fraud.

But back to the point - yeah if you imagine how much cash would go through this system in that period of time on a normal - I wouldn't like to guess but I can imagine it was a decent ammount. We have to be talking multiple millions here?

I asked some people if it was down and somebody pointed out that the domain expired. This is what piqued my interest - for RSA to miss a domain like that with it's likely financial importance I'd argue is a big thing, I think it was at that point I sent el reg a quick email just saying it was down.

For obvious reasons I didn't hear back until the next day but basically I was forwarded an email which made me ask some serious questions as to what exactly happened. I'll quote a section of it and let the readers decide what it says compared to the reply given quoted in the final article:

"RSA has checked it out and there is still DNS resolution, so

securesuite.co.uk is still a functioning domain name.

"RSA is unaware of any service outages for our customers and have not

received any complaints from card issuers, and all our diagnostics have

passed."

Compare that with

"RSA 3D Secure within the United Kingdom was partially unavailable to certain customers and some transactions were delayed or blocked due to a domain name registration issue. The issue was identified and remedial action was taken. At the time, all Payment Card Issuers were immediately notified of a service interruption and they received continuous updates throughout until resolution"

Now come on - those replies are polar opposites. How can you have no issues and everything checks out yet at the same time have transactions blocked and oh "by the way we did tell card issuers". That would have been great if it happened, but obviously you won't get a bank or card issuer to confirm that.

So what's the truth? Did RSA lie to save embarrassment hoping that there'd be not enough evidence for a 'printable' story or did they just not know at all?

Either way doesn't look good (to me at least) which is why when I saw that reply I chased it down a little with Google and saw other people had the same issue. As for percentages of customers affected - well - I asked various people and it had a 100% "yes, it's down" rate, not totally scientific I'll admit but still you have to ask questions again.

So back to why it's important. It's important because this is credit card security. When the domain system breaks like that (no matter who's fault it is - it could be that say Nominet is the guilty party here) - there's at least the possibility that somebody could pick it up in an after-sales domain clearance auction if nobody is paying attention and do who knows what with it – okay, that's a little bit out-there but what I'm saying is that this is stuff you have to get right otherwise people end up getting defrauded.

Plus lets be fair you'd kind of expect RSA to know better.