Ask HN: Would you send a photo holding your drivers license to rent a VPS?

54 points by c64d81744074dfa 2 years ago | 64 comments

I wanted to try out OVHcloud and signed up and paid for a small, cheap VPS. Then I get this email:

  Please provide full-color photos of the following using the OVHcloudShare app (see instructions below):
    - A government-issued photo ID
    - A picture of the credit card used in the transaction including:
          1. The name matching the listed name in the Manager account, AND
          2. The last 4 digits of the card number
    - A photo of yourself holding the government-issued Photo ID provided above.

I absolutely will not do this - it's incredibly invasive and this is just a hosting service, not a bank. And it's a terrible idea. If every company starts doing this the security implications are far worse than whatever problem they're trying to solve.

Am I crazy? Is this just the way the world works now because of KYC or credit card scams or something? Or is it a European thing? (This is a French company and I'm in the USA.)

rsync 2 years ago |

KYC is already required at banks and they have the most complete - and global - view of all transaction flows.

Therefore we should insist that KYC be solely performed by banks - no other firms should be required to perform it.

Given the extraordinary privileges that banks enjoy, this would be a reasonable contribution to society - especially given that they are doing it anyway.

codetrotter 2 years ago | |

> we should insist that KYC be solely performed by banks

That sounds like a great way of preventing anyone who doesn’t have a bank account from being able to use services at all.

There are ~1.7 Billion people in the world that are unbanked.

Even in the US alone there are around 55 million unbanked adults. (2018 numbers)

I think we should push for the opposite. Less KYC all around.

theturtletalks 2 years ago | | |

KYC is actually a clever trick by the government to pass the buck to the banks to verify if transactions are illegal or not. The main reason is that when you are dealing with the government, you are innocent until proven guilty. Using the banks to money launder? It’s up to the government to prove it and bring charges or its business as usual for you.

With banks having that power, you’re guilty until you prove innocence. Haven’t committed any crimes? Doesn’t matter, you’re banned by default and after you provide ID, we’ll let you bank. Oh and if for any reason, we can ban you and you have no recourse. We won’t tell you the reason either. It’s a great way for the government to not actually go after the money launderers and give the keys of doing business to a select few.

gregjor 2 years ago | | |

I don't think KYC laws keep people un-banked. According to the Federal Reserve only about 5% of adult Americans don't have a bank account. KYC is relatively easy to comply with, about the same as getting a library card. But if a person has a history of writing bad checks or running up overdrafts they can't get a bank account. And some percentage of Americans don't trust banks and remain un-banked by choice.

Source for your claim of 55 million unbanked American adults? That's 21% of the 2020 US adult population, and four times higher than what the Fed reports. If America had 55 million potential customers banks would be tripping over each other opening new accounts at McDonalds.

TrueGeek 2 years ago | |

This is how it’s done in the Netherlands. You sign up for a bank account and they check your ID, your proof of residency, they do a video selfie, etc. It was impossible for me to get a Dutch bank account (as an American) until after I signed my apartment lease which was a bit of a catch-22 but not insurmountable.

But once that is all setup they have a system called digiID that is wonderful. Anytime your identification needs to be verified it’s done through your bank. I signed up for renters insurance, they did a little oauth thing with the bank, the bank asked which details I was willing to share (the insurance company asked for just last name, dob, and address) and I agreed. It took seconds.

clintonb 2 years ago | |

Is this sarcasm? Most banks don't write software, and the third-party software isn't that great. I don't want my bank involved in this at all.

rsync 2 years ago | | |

I think my point was unclear ...

What I am saying is, there is no reason for other firms to perform KYC because it is totally redundant. The banks already have to do it and they have a better view of the transaction flow anyway.

Any KYC that your ISP might do would be both redundant and inferior to what your bank is already doing.

It is a waste of resources - and a drag on smaller businesses - to do this work twice.

cowboylowrez 2 years ago | | |

I pay for a vps with a credit card, isn't this essentially the banking system doing the same thing?

pants2 2 years ago |

AFAIK there's a new law requiring KYC for IaaS providers serving the US. I'm assuming it covers their butts as well regarding malicious activity, they don't want to host a DoS attack, CP site, or similar. You might be hard pressed to find a hosting provider in the US that doesn't ask for these things.

natejlong 2 years ago | |

It's only a recent proposal in the US, not law, if you're talking about what I think you are:

https://torrentfreak.com/u-s-know-your-customer-proposal-wil...

>>> Late January, the U.S. Department of Commerce published a notice of proposed rulemaking for establishing new requirements for Infrastructure as a Service providers (IaaS) . The proposal boils down to a 'Know Your Customer' regime for companies operating cloud services...

lolinder 2 years ago | |

This is probably what you're thinking of [0]. The comments period is closed, but as far as I know it hasn't actually become a rule yet, and regardless:

* The rule would only apply to people living outside the US, so if you pay with a credit card with a billing address in the US from an IP in the US they probably wouldn't need to KYC you.

* KYC != "send me a photo of you holding your driver's license". I can open a bank account by just typing in my name, address, birthday, and SSN. That's enough KYC for a bank, it would be more than enough for a hosting provider even if that proposed rule became law.

What this company is asking for is beyond the pale even by full finance KYC standards. The most likely explanation is that an automated fraud detection system got set off and OP was selected for a much more rigorous review than they typically do.

[0] https://news.ycombinator.com/item?id=40158752

pants2 2 years ago | | |

That is what I'm thinking of, thanks for the context

arealaccount 2 years ago | |

I’ve never seen this, maybe Im missing context? Amazon/Google/etc don’t require pictures of ID and CC?

pctTCRZ52y 2 years ago | | |

agreed, I don't recall any large cloud or VPS provider asking for an ID.. maybe a French thing?

KomoD 2 years ago | |

Source? OVH has had this for years.

chatmasta 2 years ago |

Blur everything but your name and photo and then unblur pieces of it until they accept it. Also make sure to watermark it with repeating 10px red text saying “only for purposes of ID verification with OVH.”

jimmydorry 2 years ago | |

Places that require this level of identification will generally insist on no watermark or edits. If this is the make-or-break for you, you will end up not proceeding and having given away your ID for naught.

perihelions 2 years ago |

Not in a thousand years.

monero-xmr 2 years ago |

Here are some vendors that care more about privacy https://kycnot.me/?t=service&q=vps

GianFabien 2 years ago |

There are lots of VPS providers, why not just choose one that meets your expectations for privacy, security, etc?

The power of the market is when customers refuse to go along with unacceptable demands.

kkfx 2 years ago |

Well, for me being in UE with eIDAS docs I have just a response: implement eIDAS and I'll give you a certified ID out of my public docs, nothing else. If you want a proof of my identity you'll get the best proof. Otherwise you just want to scam me or you live in another world.

eIDAS could be simply described as "a smart-card in any documents" (so far some UE state have started with identity cards, some with drive permit as well, nothing different than classic/modern e-passports) you can use with a reader and a PIN to identify yourself. The main usage so far is almost only for public administration services but some example of private use are discussed and used ante-litteram for instance as a proof of majority for buying cigarettes on vending machines, some discuss the option of a public SSO identifying a citizen who allow send SOME (detailed in the redirect page) to a private party. Nothing exists AFAIK outside the public but it start to spread. The public became the guarantor of the citizen's identity.

Outside EU various countries have some form of e-IDs so... It's just about time to steamline them ALSO for contract signing instead of absurd SMS-based signature on third parties.

gtirloni 2 years ago |

I'm pretty sure someone is selling all this private data in the deep web right now. It's not OVH you have to sorry about.

The cat is out of the bag. There's no way back.

newscracker 2 years ago |

Of course, you’re not crazy. The more the number of people who just give in, the larger and more widespread this problem becomes.

IMO, this is one of the ways governments get more ideas — to encourage companies or have them collect a lot of data so that they (the government agencies) can legally (or even illegally) demand them for mass surveillance and their expeditions. It’s like a fire hose that won’t stop.

c64d81744074dfa 2 years ago |

Original poster here. I heard back from OVH that this was their automatic fraud detection system kicking in, and after manual review they removed this requirement. Apparently I made a mistake entering my CC info. Doh...

Now I feel like I jumped the gun posting, but I also feel relieved. In any case, thanks for all the support.

gregjor 2 years ago |

I have not had to do that and might not want to. But nothing on a US driver's license is private information anyway. Banks, credit reporting agencies, car dealerships, landlords, police, etc. all have access to your license info and much more. So I wouldn't call it "incredibly invasive."

Easy to blame the hosting company, or the government, but it's the bad actors and fraudsters and scammers who drive these kinds of rules. I'd rather have to show a hosting provider my ID than have all of their IPs blocked out of the blue one day because they rented a VPS to a scammer or botnet, maybe using my name and credit card number to do it.

einichi 2 years ago |

Hosting providers get an obscene amount of fraudulent sign-up attempts, including attempts where they try to assume the identity of the person they have acquired the passport scan/photo of.

I don't like it, but it's very understandable.

lbotos 2 years ago | |

I once saw a scammer upload Jason Bourne’s passport to try and validate their VPS account at the provider I worked for lol

lanstin 2 years ago | | |

Not the actor but Bourne's passport from the movie? Interesting.

tiffanyh 2 years ago |

Three ways of looking at this:

1. Maybe something about you is triggering their fraud system for step-up verification.

2. They might experience a lot of fraudulent (scammer) users, which is a net-negative for anyone who host there because ISP might black list that hosting providers IPs.

3. Maybe they are super serious and KYC all onboarding because they only what super vetted customers because that benefits everyone to have a “clean network” (basically the opposite of #2).

Given OVH super low pricing, my guess is #2.

orbit7 2 years ago |

I think KILT DIDs look to hold the tech answer to this type of problem. https://www.bitdigest.io/posts/taking-control-secure-identit...

ephimetheus 2 years ago |

I think Hetzner is doing this as well now. I’m assuming they’re required to.

yashg 2 years ago | |

Yes, I recently signed up and they asked for a photo id. Just a photo id, not this ridiculous request.

Tblue468 2 years ago | |

I ran into this with Hetzner recently, but instead of ID, they also accepted a pre-payment of 20€ instead (will be used as credit for further purchases).

bomewish 2 years ago |

It's a fraud detection thing.

Get in touch with their support directly. They did this to me but I contacted them and complained and said they approved it without the need for this.

cft 2 years ago |

A second passport is an increasingly common answer to these attacks

bagels 2 years ago | |

Like... a fake one, or someone else's?

xupybd 2 years ago |

I'm with OVH and I've not had to do this.

xupybd 2 years ago | |

In thinking about this, I think the email is fake and this is an attempt at scamming you.

delduca 2 years ago |

Go for Hetzner. I am using and it is great.

rcstank 2 years ago |

Don’t do it

kevinsync 2 years ago |

10 years ago I registered a dot-ru and let’s just say the requirements were quite overreaching LOL. I’m embarrassed to admit to the documentation I provided to make it happen. My identity has probably been sold a thousand times by now ¯\_(ツ)_/¯

pelagicAustral 2 years ago |

Why OVH? I've had awful experience using their services... Vultr, Linode, UpCloud, Hetzner are far better options... none of them require this nonsense.

perihelions 2 years ago | |

Hetzner has asked some HN'ers for passport scans [0], and in my case, they asked me to consent to a video scan of my face, with some of ersatz machine vision [1]. Their loss.

[0] https://hn.algolia.com/?query=hetzner%20passport&type=commen...

[1] https://www.idenfy.com/identity-verification-service/

BOOSTERHIDROGEN 2 years ago | | |

Hetzner requires me to provide a photographed government ID.

fragmede 2 years ago |

the reason they're doing this is because of credit card fraud. the attacker takes a stolen credit card, signs up for their service, and then runs up a huge bill. when the credit card owner discovers this, they do a chargeback, which means the hosting provider is out the money. do this enough times and the hosting provider gets kicked off their credit card processor and can't take payments anymore.

so yeah, it sucks, especially for privacy aficionados. there are places online that will take your untraceable Moreno (XMR) for hosting, but they end up getting used to anonymously host CSAM until the feds take that and hopefully the people creating that down as well.

lolinder 2 years ago | |

The issue OP has here isn't that they want anonymity, it's that the demands that this particular hosting provider is making are bizarre.

This is not the norm yet for hosting providers, and you don't have to pay with Monero to avoid having to send a photo of the credit card you used to pay for a service. Just pick almost any other hosting provider and they'll happily accept your credit card via an online checkout flow and be done with it until they get an abuse report.

lbotos 2 years ago | | |

A decade ago at the provider I worked at we’d routinely ask for id verification like this for accounts that tripped our fraud signal system.

fragmede 2 years ago | | |

it's not bizarre and totally makes sense from the perspective of the hosting company being used for nefarious purposes and not wanting to get shut down. tragedy of the commons and all.

gpm 2 years ago |

Yes.

Ultimately the internet is a lawless extremely low trust place, because it isn't limited by borders, so there is no effective law enforcement over a significant fraction of the people on it. Hosting providers bear a fair bit of the brunt of this because they're a staging ground for doing actually evil things.

I want to work with high trust places. I don't want an IP address that was just being used to hack people. I don't want to have to jump through hoops that verify I'm not doing evil things before doing things. I want to be offered things that can't be offered to people who are abusing trust, like generous free trials.

Verifying I'm an actual person in a place where they can pursue me through a functional legal system and functional law enforcement agencies is a step that allows the trust level to be stepped up slightly from "literally none". That's a good thing IMHO.

And I already have no privacy when I'm paying with a credit card under my real name. There's no actual cost here to me.

That said, I'd be very careful I was actually sending that information to a reputable hosting company, because the internet is a lawless place and there are definitely people who would try and pretend to be your hosting company.

Repulsion9513 2 years ago | |

> I want to work with high trust places. I don't want an IP address that was just being used to hack people

Then don't use OVH :)

gpm 2 years ago | | |

Maybe, I don't have any real opinions on them, but wherever they are this is a step in the right direction with regards to that.

Hizonner 2 years ago | |

> I want to work with high trust places.

OK, so get off the Internet. Don't fuck it up for the rest of us.