Let's talk about customer fraud!

We have users here who openly admitted to reselling VPS and potentially enabling fraud, and as a person who might offer services in the future (not related to servers/hosting), I am interested in techniques that prevent or reduce customer fraud.

On the specific topic of reselling or sharing accounts, I've seen some vendors (although not in the hosting industry) who force you to signup with a Google/Facebook/Twitter account, thus making the potential reseller jump through many hoops and reduce the ease of reselling, so to speak. With Facebook and Twitter, getting a new account might be easy but they do frequent purges of accounts that are not at all (or perhaps only slightly connected to) legitimate accounts.

My questions to the folks of LET (and especially the providers around here) are:

  1. What kinds of fraud do you see on your services, especially with resold accounts? Is it the usual port scanning/DDoS/bitcoin mining, or something else?

  2. Some providers are known to restrict signups from certain countries and VPNs (Inception Hosting is a well-known example, probably to the chagrin of many Chinese "customers"). Do these steps actually prevent customer fraud? From what I understand, people can use their pool of VPSes to register more accounts, bypassing VPN detection entirely.

  3. Are there any other products, solutions or practices with regards to fraud that I should keep in mind when offering services? (Please feel free to PM or ignore this question entirely if you believe it's something sensitive and you'd rather not disclose these practices.)

Comments

  • codydoby Member
    edited March 2021

    Let me talk about it.

    1. I think the best way is to increase the difficulty of registering an account.

    For example, instead of not even checking the mailbox like VirMach (you can even create an account with an empty mailbox), they should ask for a real email address, name (with ID card) and a matching non-proxy IP.

    2. In addition, when users place an order, forcing them to bind a real credit card and provide a photo of the credit card is best practice.

    3. If necessary, have them provide a utility bill at regular intervals. The information on the bill, at least the name, needs to be the same as the initial information given at the time of registration.

    4. In fact, I think the most effective way is to allow any user to use the original payment bill information or the original email address to retrieve the original account. This measure has been well adopted by BWH.

    What do you think of my proposal? I think I have bought a lot of servers and am very familiar with it.

  • @codydoby said:
    Let me talk about it.

    1. I think the best way is to increase the difficulty of registering an account.

    For example, instead of not even checking the mailbox like VirMach (you can even create an account with an empty mailbox), they should ask for a real email address, name (with ID card) and a matching non-proxy IP.

    2. In addition, when users place an order, forcing them to bind a real credit card and provide a photo of the credit card is best practice.

    3. If necessary, have them provide a utility bill at regular intervals. The information on the bill, at least the name, needs to be the same as the initial information given at the time of registration.

    4. Allow any user to use the original payment bill information or the original email address to retrieve the original account. This measure has been well adopted by BWH.

    for a $15/yr promo?

    anyway surprised you advocate this.

  • MechanicWeb Member, Patron Provider

    The requirement to provide accurate information goes a long way in fighting fraud. Be strict about this requirement. A VPN masks the IP of the user, which contradicts this requirement.

    Use a fraud screening service like MaxMind, and tweak its settings before use.

    Gather experience :D and act based on common sense. If these three can be implemented, you are filtering 99% of them.
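    An added example, not from MechanicWeb's post or from any screening service: a Python signup scorer that combines the signals raised in this thread (unverified mailbox, VPN or datacenter source IP, IP/billing country mismatch, many signups from one /24, which is the "pool of VPSes" pattern the opening post worries about). The range lists and IP-to-country table are constructed placeholders standing in for what a service like MaxMind would return.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for a screening service's classifications. Real data comes
# from the service; these prefixes and the country table are placeholders only.
VPN_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
IP_COUNTRY = {"192.0.2.10": "US", "192.0.2.20": "FR",
              "203.0.113.5": "NL", "198.51.100.7": "DE",
              "198.51.100.8": "DE", "198.51.100.9": "DE"}


@dataclass
class Signup:
    email: str
    email_verified: bool
    billing_country: str
    ip: str


def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def score_signup(signup, recent_signups):
    """Return (score, reasons). Every signal is soft: an IP/billing country mismatch
    on its own is what a travelling customer looks like, so it only nudges the score,
    while a VPN or datacenter source, an unverified mailbox and velocity weigh more."""
    score, reasons = 0, []
    if not signup.email_verified:
        score += 2
        reasons.append("email not verified")
    if in_ranges(signup.ip, VPN_PROXY_RANGES):
        score += 3
        reasons.append("vpn/proxy source ip")
    if in_ranges(signup.ip, DATACENTER_RANGES):
        # Signing up from a VPS sidesteps a VPN-only check, so hosting space counts too.
        score += 3
        reasons.append("datacenter source ip")
    if IP_COUNTRY.get(signup.ip) != signup.billing_country:
        score += 1
        reasons.append("ip country differs from billing country")
    # Velocity: several recent signups from the same /24 is the "pool of VPSes" pattern.
    subnet = ipaddress.ip_network(f"{signup.ip}/24", strict=False)
    same_subnet = sum(1 for s in recent_signups if ipaddress.ip_address(s.ip) in subnet)
    if same_subnet >= 3:
        score += 3
        reasons.append(f"{same_subnet} recent signups from {subnet}")
    return score, reasons


def decide(score):
    """Three outcomes, so a borderline order gets a human look instead of a silent reject."""
    if score >= 6:
        return "reject"
    if score >= 3:
        return "manual_review"
    return "accept"


if __name__ == "__main__":
    # Constructed recent-signup window: three unverified accounts from one /24.
    recent = [Signup(f"u{i}@example.net", False, "CN", f"198.51.100.{i}") for i in (7, 8, 9)]
    for s in [Signup("alice@example.com", True, "US", "192.0.2.10"),
              Signup("bob@example.com", True, "US", "192.0.2.20"),
              Signup("x@example.net", False, "CN", "198.51.100.9")]:
        score, reasons = score_signup(s, recent)
        print(s.email, score, decide(score), reasons)
```

    The second sample signup is the remote worker described later in the thread: the country mismatch alone leaves the order accepted.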

  • Asking for ID is already unpopular enough with customers. They're concerned (and for good reason at least from a customer PoV) about the ID documents being misused or leaked.

  • codydoby Member
    edited March 2021

    @notarobo said:

    @codydoby said:
    Let me talk about it.

    1. I think the best way is to increase the difficulty of registering an account.

    For example, instead of not even checking the mailbox like VirMach (you can even create an account with an empty mailbox), they should ask for a real email address, name (with ID card) and a matching non-proxy IP.

    2. In addition, when users place an order, forcing them to bind a real credit card and provide a photo of the credit card is best practice.

    3. If necessary, have them provide a utility bill at regular intervals. The information on the bill, at least the name, needs to be the same as the initial information given at the time of registration.

    4. Allow any user to use the original payment bill information or the original email address to retrieve the original account. This measure has been well adopted by BWH.

    for a $15/yr promo?

    anyway surprised you advocate this.

    Of course, I am not a scalper. I'm just a person who likes to toss, likes to buy servers and only occasionally sells my idle servers. If it is not allowed to sell accounts, or not easy to push up like VirMach, I can also cancel it or leave it idle there.

  • Levi Member
    edited March 2021

    @codydoby said: Of course, I am not a scalper.

    Do you know what a scalper is? This is a person who buys very limited stock physical products for the sole purpose of reselling them at a higher price. The term "scalper" does not apply to digital goods. If you buy lowend VPS and sell them at a higher price, you are a lowend businessman. Enjoy the status.

    Thanked by: h2o
  • @MechanicWeb said: The requirement to provide accurate information goes a long way in fighting fraud. Be strict about this requirement.

    Is it just about detecting VPNs, or do you try to geolocate the customer from their provided address as well?

  • MechanicWeb Member, Patron Provider

    @stevewatson301 said: Asking for ID is already unpopular enough with customers.

    You have to choose how you would do it. You could just cancel users with incorrect information, asking them to resubmit orders with accurate information.

    Good news is, there are more legitimate users than fraudulent ones.

    Thanked by: kkrajk
  • codydoby Member
    edited March 2021

    @LTniger said:

    @codydoby said: Of course, I am not a scalper.

    Do you know what a scalper is? This is a person who buys very limited stock physical products for the sole purpose of reselling them at a higher price. The term "scalper" does not apply to digital goods. If you buy lowend VPS and sell them at a higher price, you are a lowend businessman. Enjoy the status.

    I didn't always sell at a high price as you said. On the contrary, I might sell idle servers at a lower price, for example Contabo. I also admit that occasionally I sell my idle servers and may add a bit to the value left. But most importantly, this is not my purpose in buying a server.

    So I think it is really inappropriate for you to label me this.

  • Please keep your bickering about whether @codydoby is a scalper on the other thread. I just wanted to prevent fraud on my own services, and any discussion related to that topic is welcome.

  • @codydoby said:

    Let me talk about it.

    1. I think the best way is to increase the difficulty of registering an account.

    For example, instead of not even checking the mailbox like VirMach (you can even create an account with an empty mailbox), they should ask for a real email address, name (with ID card) and a matching non-proxy IP.

    2. In addition, when users place an order, forcing them to bind a real credit card and provide a photo of the credit card is best practice.

    3. If necessary, have them provide a utility bill at regular intervals. The information on the bill, at least the name, needs to be the same as the initial information given at the time of registration.

    4. In fact, I think the most effective way is to allow any user to use the original payment bill information or the original email address to retrieve the original account. This measure has been well adopted by BWH.

    What do you think of my proposal? I think I have bought a lot of servers and am very familiar with it.

    You are an idiot if you expect that. It's so simple. Just don't resell accounts. It's fraud. Shame on you for expecting providers to collect all of that data from legit customers just to avoid a scamming scalper signing up.

    Do you see how that's not normal?

  • @its420somewhere said:
    @codydoby said:

    Let me talk about it.

    1. I think the best way is to increase the difficulty of registering an account.

    For example, instead of not even checking the mailbox like VirMach (you can even create an account with an empty mailbox), they should ask for a real email address, name (with ID card) and a matching non-proxy IP.

    2. In addition, when users place an order, forcing them to bind a real credit card and provide a photo of the credit card is best practice.

    3. If necessary, have them provide a utility bill at regular intervals. The information on the bill, at least the name, needs to be the same as the initial information given at the time of registration.

    4. In fact, I think the most effective way is to allow any user to use the original payment bill information or the original email address to retrieve the original account. This measure has been well adopted by BWH.

    What do you think of my proposal? I think I have bought a lot of servers and am very familiar with it.

    You are an idiot if you expect that. It's so simple. Just don't resell accounts. It's fraud. Shame on you for expecting providers to collect all of that data from legit customers just to avoid a scamming scalper signing up.

    Do you see how that's not normal?

    I am just a normal user rather than what you are thinking of me. Please stop your hilarious abuse.

  • MechanicWeb Member, Patron Provider

    @stevewatson301 said: Is it just about detecting VPNs, or do you try to geolocate the customer from their provided address as well?

    Many do it as standard. You won't be able to order anything if the address is not valid.

    If your address is accepted by our automated screening, you are fine. There are more stringent verifications for some of the custom services we offer to corporate clients.

  • SirFoxy Member
    edited March 2021

    hmmm

  • NoComment Member
    edited March 2021

    @stevewatson301 If your future service has nothing to do with hosting/servers, then asking here won't help you much. IMO, the problem with Chinese (or other "hated" regions) is not necessarily the fraud you are thinking of. You're thinking of people deliberately going against the ToS. Low end providers who charge low rates get these types of customers by default. It's probably not a problem because they are likely used to catching these guys and shutting them down.

    The problem is these Chinese customers almost always provide fake details. It is understandable because almost anything they do on the internet with a server is illegal in China. But this also means things like FraudRecord wouldn't be useful for Chinese customers. (And it pretty much goes against hosting standards: you're supposed to provide valid contact details.) Also, they may charge back for no valid reason. (They may think their IPs being banned by the Great Firewall is valid, but obviously it is not.) Then another problem is they would require support and would likely do it through a translator. It's probably not worth the time doing business with them for hosting, especially when most of them buy only the smallest plans, pay peanuts and expect the world from providers.

    And fortunately, this kind of rubbish doesn't really apply to other industries.

    Thanked by: bulbasaur
  • stefeman Member
    edited March 2021

    If you don't block IP spoofing proactively, you deserve to get taken advantage of. Once the DDoS folks find you, they will turn your network into a cesspool of shit.

    Some of the recent cases in 2020:

    Softlayer (especially the Meppel location) - Abused like mad until AMS-IX mailed them to stop the spoofing. According to the email, they had a 500 Gbps peak of DDoS amplification traffic (before the actual amplification, so stuff like DNS, NTP, etc.).

    Hostunlimited.de - Network was ground to a standstill until they finally stopped offering spoofed servers.

    PerfectIP - Was full of booters and stressers until exposed at CAIDA, and they finally smoked everyone out by blocking the spoofing.

    Netminders - The Chinese folks in Canada decided at some point that it was a great idea to advertise spoofed attack servers in various blackhat/greyhat forums. 3 months ago they started cleaning out these people due to bandwidth cost, and finally stopped spoofing according to CAIDA reports.

    And the donkey award goes to everyone's favorite: Creanova! Not only do they ignore abuse and cater to cybercriminals, they actively allow outgoing DDoS according to some support ticket pictures of kids asking about it which are going around in various Discord servers. They are truly the worst offender, and a business based around DDoS services and spoofing. Fun fact: they block CAIDA's test servers in order to appear normal.

    The hosts don't usually seem to care unless they receive abuse, which they don't if it's spoofed attack traffic. So they like to cater to these people who buy dozens of expensive servers until they are finally exposed for spoofing and the kids start to buy them... Once that happens, the abuse letters start to come in due to simple Perl scripts that are used in attacks and which do not spoof the source IP, and finally the host will be exposed at CAIDA, who will then attempt to solve the problem with a local CERT authority, forcing the host to finally take action.

    Thanked by: yoursunny, level6
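    An added illustration, not from stefeman's post, of what "blocking IP spoofing proactively" means at the network edge: a Python sketch of BCP38-style source-address validation (forward only packets whose source is in the provider's own prefixes) plus an audit over constructed flow-log lines that points at the customer port behind the spoofed traffic. OWN_PREFIXES, the flow-log layout and the sample flows are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Prefixes the (hypothetical) provider announces. A packet leaving the network with
# a source address outside these is spoofed and should be dropped at the edge, which
# is what BCP38 source-address validation does. Constructed placeholder prefixes.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# UDP services that turn small spoofed requests into large replies; the post names
# DNS and NTP as the pre-amplification traffic seen at the exchange.
REFLECTOR_PORTS = {53: "dns", 123: "ntp"}


def source_allowed(src_ip):
    """Is this source address one the provider is entitled to originate?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in OWN_PREFIXES)


def parse_flow(line):
    """Parse one line of a constructed edge flow log with the layout
    '<customer_port> <src_ip> <dst_ip> <proto> <dst_port> <bytes>'."""
    port, src, dst, proto, dport, nbytes = line.split()
    return {"port": port, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def egress_decision(flow):
    """The proactive block: forward our own traffic, drop anything spoofed."""
    return "forward" if source_allowed(flow["src"]) else "drop"


def audit_flows(lines):
    """Per customer port, count spoofed flows and note which reflector services they
    were aimed at, so the offending tenant is found before the abuse mail arrives."""
    report = defaultdict(lambda: {"spoofed_flows": 0, "spoofed_bytes": 0,
                                  "reflectors": set()})
    for line in lines:
        flow = parse_flow(line)
        if egress_decision(flow) == "drop":
            entry = report[flow["port"]]
            entry["spoofed_flows"] += 1
            entry["spoofed_bytes"] += flow["bytes"]
            if flow["proto"] == "udp" and flow["dport"] in REFLECTOR_PORTS:
                entry["reflectors"].add(REFLECTOR_PORTS[flow["dport"]])
    return dict(report)


# Constructed sample flows: cust-17 behaves, cust-42 sends packets whose source
# address belongs to somebody else (the eventual DDoS victim) at reflectors.
SAMPLE_FLOWS = [
    "cust-17 192.0.2.10 203.0.113.53 udp 53 78",
    "cust-17 192.0.2.10 203.0.113.80 tcp 443 1500",
    "cust-42 203.0.113.200 203.0.113.123 udp 123 90",
    "cust-42 203.0.113.200 203.0.113.53 udp 53 64",
    "cust-42 203.0.113.200 203.0.113.19 udp 19 60",
]

if __name__ == "__main__":
    for port, entry in audit_flows(SAMPLE_FLOWS).items():
        print(port, entry)
```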
  • @smallbibi
    That was insightful. Without going into too many details, what I'm planning to offer is an "internet service" despite not being related to hosting, so the lack of cooperation of these "customers from hated regions" with the provider is good to know, nevertheless.

  • bobe Member

    Because some companies need ID, I can only look for other providers. Between the trade-offs: you sell services, I pay for the purchase of services, it is a two-way choice, cannot choke on it.

  • bulbasaur Member
    edited March 2021

    @bobe said: Because some companies need ID, I can only look for other providers. Between the trade-offs: you sell services, I pay for the purchase of services, it is a two-way choice, cannot choke on it.

    The fact that you're looking for a high number of VPSes in a very short span of time, combined with the fact that you're not willing to provide ID for customer verification does raise a red flag.

  • angstrom Moderator
    edited March 2021

    @stevewatson301 said: On the specific topic of reselling or sharing accounts,

    If a person succeeds in signing up for an account and buys servers, then strictly speaking, it's hard to prevent those servers from being "resold" or "shared".

    I say "resold" or "shared" (in quotes) because I imagine that it's not so easy to change the main account credentials (name, address), so I guess that the "reseller" or "server sharer" continues to maintain the main account in such cases (after "reselling" or "sharing" a server) -- it's only the server credentials that are "resold" or "shared".

    (At least I don't see how the main account credentials could be changed easily.)

  • @smallbibi said: Also, they may charge back for no valid reason. (They may think their IPs being banned by the Great Firewall is valid, but obviously it is not.)

    Does PayPal/the bank disregard the provider's statement on the issue? Issuing a chargeback for a service that works, but that you can't make use of due to various external factors, is not the provider's responsibility. (Unless, perhaps, the provider makes statements that their server isn't, or can't be, blocked by the GFW.)

  • MechanicWeb Member, Patron Provider

    @stevewatson301 said: Does PayPal/the bank disregard the provider's statement on the issue?

    It largely depends on the rep at PayPal/the bank deciding the outcome of the chargeback and how informative your response was. A poor response almost always results in the client winning. A good, friendly and informative response might make you the winner.

  • Don't buy the service if the provider thinks you are a fraud :)

  • bobe Member

    People who are alive need to serve others to get paid, and also pay money for others to serve them, unless you have entered another world.

  • @codydoby said:
    Let me talk about it.

    1. I think the best way is to increase the difficulty of registering an account.

    For example, instead of not even checking the mailbox like VirMach (you can even create an account with an empty mailbox), they should ask for a real email address, name (with ID card) and a matching non-proxy IP.

    2. In addition, when users place an order, forcing them to bind a real credit card and provide a photo of the credit card is best practice.

    3. If necessary, have them provide a utility bill at regular intervals. The information on the bill, at least the name, needs to be the same as the initial information given at the time of registration.

    4. In fact, I think the most effective way is to allow any user to use the original payment bill information or the original email address to retrieve the original account. This measure has been well adopted by BWH.

    What do you think of my proposal? I think I have bought a lot of servers and am very familiar with it.

    2 is fine. But 3 and 4 won't fly for many legit customers, especially with remote work so prevalent. Even before COVID I was working in several different countries, albeit remaining a resident of my home country. So not only will my address at any point not be the same as a year ago, the bills will also be different. And of course my IP is also not going to match my home address. Fortunately I've found providers who somehow have never flagged me as suspicious, but some have asked for the photo ID scan, which I'm happy to give.

  • bobe Member

    @stevewatson301 said:

    @bobe said: Because some companies need ID, I can only look for other providers. Between the trade-offs: you sell services, I pay for the purchase of services, it is a two-way choice, cannot choke on it.

    The fact that you're looking for a high number of VPSes in a very short span of time, combined with the fact that you're not willing to provide ID for customer verification does raise a red flag.

    Did you come here for the purpose of having fun and enjoying yourself? You didn't come to this forum to seek to serve and be served, did you?
    I came here looking for the right cost-effective service provider; that's what I came here for, any questions? I don't have time to waste looking for the lowest-priced junk, although I did buy an outdated CPU server at the beginning, causing me to lose $300, so consider it tuition.

  • @stevewatson301 said:

    @smallbibi said: Also, they may charge back for no valid reason. (They may think their IPs being banned by the Great Firewall is valid, but obviously it is not.)

    Does PayPal/the bank disregard the provider's statement on the issue? Issuing a chargeback for a service that works, but that you can't make use of due to various external factors, is not the provider's responsibility. (Unless, perhaps, the provider makes statements that their server isn't, or can't be, blocked by the GFW.)

    Chargebacks are bad regardless of outcome. It kinda affects your "credit score" as a merchant. And you can't always win even with proper documentation.

  • stefeman Member
    edited March 2021

    @stefeman said:
    If you don't block IP spoofing proactively, you deserve to get taken advantage of. Once the DDoS folks find you, they will turn your network into a cesspool of shit.

    Some of the recent cases in 2020:

    Softlayer (especially the Meppel location) - Abused like mad until AMS-IX mailed them to stop the spoofing. According to the email, they had a 500 Gbps peak of DDoS amplification traffic (before the actual amplification, so stuff like DNS, NTP, etc.).

    Not Softlayer, Serverius. Unable to edit anymore.

  • deank Member, Troll

    There are a lot of shady resellers, I reckon. Most are smart enough to operate discreetly in the shadows.

    Then, occasionally we have a dumbass like we have on hand who does it openly.

  • @codydoby said:
    Let me talk about it.

    1. I think the best way is to increase the difficulty of registering an account.

    For example, instead of not even checking the mailbox like VirMach (you can even create an account with an empty mailbox), they should ask for a real email address, name (with ID card) and a matching non-proxy IP.

    2. In addition, when users place an order, forcing them to bind a real credit card and provide a photo of the credit card is best practice.

    3. If necessary, have them provide a utility bill at regular intervals. The information on the bill, at least the name, needs to be the same as the initial information given at the time of registration.

    4. In fact, I think the most effective way is to allow any user to use the original payment bill information or the original email address to retrieve the original account. This measure has been well adopted by BWH.

    What do you think of my proposal? I think I have bought a lot of servers and am very familiar with it.

    Ladies and gentlemen, this is why you have sign up hassles.
