Mastercard and Visa Start Banning VPN Providers (torrentfreak.com)
Adult sites, online pharmacies, ticket brokers are treated the same way, and that has nothing to do with evading the NSA. MasterCard added all internet services (the MCC -- merchant category code -- that covers ISPs) to a high risk tier earlier in the year; I got the letter from First Data in the mail myself.
First, I do not think this is about chargebacks, at all. I don't know what it is about, but it's not chargebacks. This looks like a blanket revocation of anonymizing/VPN services. That isn't how fraud/risk engines work (note: I wrote several fraud/risk engines for ecommerce/banking/travel industry as well as passive device fingerprinting).
Sure, make this a riskier transaction, flag it for review. Uh oh, CC info is from Ohio, but IP is from Russia? Up the risk. Same device that is trying to conduct this transaction also tried 30 others in the past two days? Flag for review, up the risk (several hundred more etc etc).
Second, I can't think of a single thing that is legal to buy that is blanket revoked by some company like this.
Third, adult sites, online pharmacies, ticket brokers and the others are NOT treated the same way. They are treated as higher risk transactions that A. need more/closer review B. have a more comprehensive/exhaustive/deeper risk rules engine run on them. and/or C. have a special set of rules that apply specifically to that domain. The CC companies don't just turn off buying an entire domain of goods (adult, online pharmacies, ticket brokers....or VPNs), that isn't how they work.
If true, this smells of something different.
Not blanket revoked. You can still purchase VPN services other than IPREDator.[0]
I'm surprised people here are taking TorrentFreak as an actual journalistic entity and not a website devoted to enticing a knee-jerk and vehement subset of tech users into clicking their articles.
Firearms.
https://www.paypal.com/webapps/helpcenter/article/?solutionI...
https://payments.amazon.com/sdui/sdui/about?nodeId=6023
https://squareup.com/legal/seller-agreement
Also, at least two of those have prohibitions on "occult materials". I'm not quite sure what that means, but it doesn't sound illegal.
This case may also have other motives (the pirate bay related?) but chargeback is the issue and the story is more complex than it sounds: http://www.securitykiss.com/resources/roboblog/credit_cards/
Not to even speak of the whole NSA spying thing.
Not all of us are corporate drones with the mother ship VPN to connect to, so we have to pay for ours.
I can't believe the number of people here on HN who think that no one but criminals uses VPNs.
1. http://arstechnica.com/business/2012/04/90-of-popular-ssl-si...
Thank you. All we hear about is how the government is trying to silence us and there's some vast payment processor conspiracy trying to stop us from using credit cards, as if they would want to stop us from giving them money. No, HN, the majority of VPN traffic is not innocent nerds accessing Facebook on a public wifi.
I say this as someone who does rely on a VPN quite a lot. There's sticking up for righteous ideals and then there's ignoring the fact that a ton of your traffic is nefarious. We can't sit around doing nothing as bad guys use our tech for criminal activities and then get outraged when someone brings it up.
That's a bold claim. Do you have any evidence of that?
If you drink that Kool-Aid, sounds like you would also believe Megaupload was used 'primarily for non infringing use'.
The fraud detection team at my bank called me last week to confirm the renewal payment was genuine. The same payment has been occurring every month for two years without issue, so it seems likely something has been tweaked within their detection algorithm.
I think this is always a bad argument to make. By that same logic they'd be banning all torrent sites, too, and a lot of other stuff, possibly even Bitcoin.
I think these VPNs should sue Mastercard and Visa, just like Wikileaks did, and won. They can't just decide "who is the bad guy" and ban them.
Please post source for this. As far as I know Visa and Mastercard have not made any statements and outlined any possible reasons for this action yet.
I know around ten people, who are technically-adept (but not techies), who are using VPNs for Netflix, BBC iPlayer, Hulu, sporting events, etc... In many cases they are "paying to pay" for these services.
Hackers, crackers, carders, and script kiddies can pretty easily get access by compromising insecure hosting accounts or remote Windows machines in the desired location.
How am I possibly going to live without access to Facebook?
ssh -D 8080 username@ipaddress
That will establish a local SOCKS proxy which you can configure your browser (or any other application that supports proxies) to use, with localhost as the address and 8080 as the port. The biggest difference to a VPN is that you need to separately configure every application to use the local proxy – otherwise, everything sent over the local proxy is encrypted and securely transferred (thanks to the SSH protocol) just like with a VPN.
Of course, you can also install a VPN server if you want, but that's probably a bit more complicated.
[1]: http://www.lowendbox.com/ [2]: https://www.digitalocean.com/
The United States and its financial system exist to serve the interests of some truly disgusting people.
There's a reason every risk scoring tool for e-commerce highly weighs whether the connection is from a VPN or other type of proxy. Using a VPN is not illegal or nefarious, but public anonymizing VPNs (as opposed to private VPN-into-the-company-network VPNs) are used for illegal and nefarious purposes to a huge degree. The volume of fraud occurring through them is measured in billions of dollars a year.
Absolutely correct. Fraud scoring systems are heuristic. Your fraud score is positively and negatively correlated with a large number of behaviors, almost all of which are benign by themselves, but in aggregate can be used to predict fraudulent behavior.
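The heuristic scoring these comments describe, as an added sketch that is not part of the thread or any processor's engine: several individually benign signals are weighted and summed, and only the aggregate drives approve/review/decline. The signal names, weights and thresholds are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed weights and thresholds; a real engine has hundreds of signals.
WEIGHTS = {
    "geo_mismatch": 30,       # card billing country differs from IP country
    "anonymizing_proxy": 20,  # IP is a known public VPN / proxy exit
    "device_velocity": 25,    # same device behind many recent attempts
    "high_risk_mcc": 15,      # merchant category sits in a higher-risk tier
}
REVIEW_AT, DECLINE_AT = 40, 75
VELOCITY_LIMIT = 10           # attempts per device in the last 48 hours


@dataclass
class Txn:
    billing_country: str
    ip_country: str
    via_proxy: bool
    device_attempts_48h: int
    high_risk_mcc: bool = False


def signals(t: Txn) -> list[str]:
    """Return the names of the signals this transaction trips."""
    checks = {
        "geo_mismatch": t.billing_country != t.ip_country,
        "anonymizing_proxy": t.via_proxy,
        "device_velocity": t.device_attempts_48h > VELOCITY_LIMIT,
        "high_risk_mcc": t.high_risk_mcc,
    }
    return [name for name, fired in checks.items() if fired]


def assess(t: Txn) -> tuple[int, str, list[str]]:
    """Sum the weights of tripped signals and map the total to a decision."""
    fired = signals(t)
    score = sum(WEIGHTS[name] for name in fired)
    if score >= DECLINE_AT:
        return score, "decline", fired
    if score >= REVIEW_AT:
        return score, "review", fired
    return score, "approve", fired


if __name__ == "__main__":
    for t in (Txn("US", "US", True, 1),     # VPN user, nothing else odd
              Txn("US", "NL", True, 1),     # VPN exit abroad
              Txn("US", "RU", True, 30)):   # mismatch + proxy + velocity
        print(assess(t))
```

With these constructed weights a VPN connection on its own is approved; it takes further signals stacking on top to reach review or decline.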
Or are you addressing some other issue?
Political action must be taken. All of the forward secrecy and TLS and onion routing and steganography and PGP and AES in the world counts for nothing if they'll just declare such technologies illegal and harass the users.
This said, most of my friends there have moved on to using some VPSs for that long ago, and so do I, when I go there to see them.
Bitcoin sounds helpful for the ones not willing to use those methods, but for how long?
I've tried using AWS + OpenVPN in the past, but really life is too short to maintain your own VPN service (especially dealing with mutating firewalls).
It makes little sense that the US gov had these guys banned because they were anonymous since they aren't. Mounting traffic correlation attacks against a VPN is trivial if you see everything going in and out (same for Tor). Maybe the RIAA and MPAA had enough clout to do it, but why not Usenet providers as well?
What's a credit card?
Dynamic DNS can be used for a singular server, though how reliable depends on the TTL and how accepting other DNS resolvers are in accepting low TTLs (which in practice some aren't). However, if you are behind NAT, VPN is truly the only option for home servers.
Also, is it possible they were banned for other reasons? E.g. high chargeback ratios? I can tell you from experience that chargeback ratios in the anonymization industry are very high, for obvious reasons.
I realise I can just search for VPN providers, but I am interested in what is considered the best/easiest/cheapest solution.
Having a VPN configured and available on all of your devices makes it easy to use on a whim, probably the best thing for your privacy.
Who would pay an anonymizing service with credit card?!
Though, it is not without warning. 2 days, if that can be trusted from the original article, is not sufficient warning.
http://www.slate.com/blogs/browbeat/2012/08/17/ebay_bans_mag...
So we're left with anecdote and personal opinions to base our decisions on. There's plenty of opinion in this thread - a few anecdotes won't hurt.
Chargebacks are bad for the VPN company. They cost $15 each.
Even if they cost nothing, a high ratio of chargebacks is not in the best interest of the credit card companies, who are at the top of the value chain. So chargebacks are bad for anybody along the chain.
And while I'm not aware of a properly turn-key solution for a VPN server, it should hardly be an epic undertaking to create one. Setting up a Linode account and running a StackScript is simple enough even for mostly-clueless people.
Why can't they simply ask for a higher fee?
That's exactly the opposite of what credit card companies want. They want to make the process of using your credit card as simple and painless as possible.
Ironically, this is also why they've taken none of the obvious technological steps that could virtually eradicate credit card fraud.
However, I don't like drawing conclusions without evidence, and I don't think it should be considered naive to ask for evidence before making up one's mind. In fact, I'd consider it extremely foolish to do otherwise.
When researching the various scoring mechanisms, we generally find that the VPN was generally just used for masking purposes, so we'd see multiple attempts go through using multiple names and addresses.
Also, the chances of getting a stolen card response back from the bank were much higher.
This isn't to say that a VPN means you are a thief. What it does mean, however, is that the risk far outweighs the potential benefits.
The phrase "bold claim" is usually reserved for cases where the claim seems unlikely.
Examples are claims of majority (A majority of people are suffering from sickness A, B, or C), or claims of superiority (My car is the fastest in the world).
As I see it there are three main customer groups for VPNs; people using it to circumvent copyright protections (either location based or outright theft), tech savvy people who want privacy, and bad guys.
The original said more bad guys than tech savvy people, I assumed that excluded copyright circumventors (the largest group) and you assumed they were included.
Such a reader can be built into laptops, keyboards, smartphones, available as small stand-alone USB devices, etc. Web browsers, POS systems, etc. can send a request to the reader and tell the user to place their card on it and check the card's display.
Transactions without a valid signature can simply be discarded.
If the system is implemented properly, the only way to commit fraud should be to physically steal the card.
(A more paranoid version could include buttons on the card for entering a passcode, so that even if the card is stolen, it would be difficult to use, at least before being reported stolen.)
The device is not connected to the computer, rather, you have to type some info (like value of the transaction) and it generates a code you type back in the website.
For this device to work you need to type the card PIN.
Of course this wouldn't work in the US since they're still stuck with the magstripe.
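The signed-transaction idea in the two comments above (a reader that signs the transaction, and an unconnected device that turns the typed amount plus PIN into a code), as an added sketch that is not part of the thread and not any bank's or card scheme's actual protocol. The shared-key HMAC construction, the 8-digit truncation, the one-time challenge and all names are assumptions.

```python
from __future__ import annotations
import hashlib, hmac, json, secrets

DIGITS = 8  # length of the code the user types back into the website


def txn_code(card_key: bytes, challenge: str, amount_cents: int, payee: str) -> str:
    """Truncated HMAC over the exact transaction the user typed into the reader."""
    msg = json.dumps([challenge, amount_cents, payee]).encode()  # unambiguous framing
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class Reader:
    """Unconnected reader: produces no code without the card PIN."""
    def __init__(self, card_key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = card_key, pin
        self._max = self._left = max_tries

    def sign(self, pin: str, challenge: str, amount_cents: int, payee: str) -> str | None:
        if self._left == 0:
            return None                      # card locked after repeated bad PINs
        if not hmac.compare_digest(pin, self._pin):
            self._left -= 1
            return None
        self._left = self._max
        return txn_code(self._key, challenge, amount_cents, payee)


class Issuer:
    """Bank side: issues one-time challenges and checks the typed code."""
    def __init__(self, card_key: bytes):
        self._key, self._open = card_key, set()

    def new_challenge(self) -> str:
        c = secrets.token_hex(4)
        self._open.add(c)
        return c

    def verify(self, challenge: str, amount_cents: int, payee: str, code: str) -> bool:
        if challenge not in self._open:
            return False                     # unknown or already used: replay
        self._open.discard(challenge)
        expected = txn_code(self._key, challenge, amount_cents, payee)
        return hmac.compare_digest(expected, code)


KEY = b"constructed-demo-card-key"           # sample value, not a real key
```

Because the amount and payee are inside the MAC, a code generated for one transaction does not verify for an altered one, and a used challenge cannot be replayed.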
I'm curious, what other undertakings do you think are impossible? WiFi? Bluetooth? GSM?
Bad guy gets CC details
Uses stolen CC to sign up to VPN
Goes on a shopping spree via the VPN so law enforcement can't trace him
So you're going to see more use of VPNs by fraudsters trying to hide than you are genuine users... hence the ban.
And yet it is progressing. See Europe. This despite lackluster support from big banks.
> What you are missing is the massive infrastructure investment in retail terminals.
No, I'm not. Not at all. I'm well aware of it. I'm also well aware that they get replaced quite frequently. And virtually every retail terminal I've seen in the last few years is new enough that if the banks had started the push for a smartcard technology when it initially became viable, terminal compatibility would be near 100%.
Did you think there had to be some magic cutover date? There doesn't. Hybrid cards can be used for 5, 10, even 20 years if necessary, with gradual pressure applied to retailers to adopt new equipment they haven't already replaced (or received new, stores come and go) through a reduction in fees for transactions completed via smartcard.
The point is to make actual progress and eventually arrive at a reasonable destination. Right now, we're just sitting on our hands.
You and I have a significant difference of opinion then.
The problem isn't the majority. The problem is just a significant amount. Keep in mind how low the chargeback rates need to be to avoid serious penalties. Also, keep in mind the number of people isn't the issue, but it's the number of fraudulent transactions that occur. One person can attempt many.
It's an attack vector, and one person can cause problems for many, many customers.