DigitalOcean: Introducing Our London Region (digitalocean.com)
No thanks.
We'd love to hear suggestions on how we can improve that without resorting to requesting an ID, because obviously that isn't something that's ideal.
New policy of requiring scanned documents is unacceptable in the environment of pervasive nation-state level monitoring and destruction of privacy. If this is a permanent change, I won't recommend DO any longer.
The solution is extremely simple: accept bitcoins for payments and/or fair use verification for free tiers. Also there is a market for forged document scans, just read krebsonsecurity.
The reasons are this:
Banks are legally required to conduct some kind of Know Your Customer where an individual has to physically present themselves so their provided ID is matched against their physical person. So KYC is done by a bank. And I'm paying with a bank / credit card.
In the case of someone opening an account by using a fraudulent card, it is trivial to attach what looks like a mediocre scan of a passport or driver's licence.
Notarised IDs are not requested, so there is no way to verify with a lawyer. And Notarisation is expensive, so it will turn almost all customers away.
Closing circle: If the name on the card matches the ID provided and it is not a case of a fraudulent transaction, the individual can be pursued via their bank. This is probably not worth it at a time vs reward level, unless the abuse of the network is such law enforcement should be involved, but is not something for you to do, but for your bank, as correspondent bank, to do.
While obviously a liability in terms of information security and the risk of a breach, requiring such personal information is a precedent: If all companies did so for low value transactions, then this information would end up in thousands of online repositories (and therefore of large scale, opposed to, say, a hostel seeing a handful of customers per day keeping paper records) which would surely have leaks. The risk becomes systematic. Which increases fraud.
Let the banks do KYC. Let the hosting company ensure the network is monitored in the way they desire.
Edit: Having worked in a couple of banks at a middle management level, covering regulatory, compliance and information security roles, what really matters when regulators or general law enforcement audit or inspect a function is showing both internal policies demonstrating that banking regulations are drilled into employees, and anticipative policies where regulations that are not yet set in stone are also followed. If you don't have internal policy documents on how your network is monitored and a kind of minimum standards dashboard, make one and keep records, as it can be invaluable as a defense against accusations of nonfeasance, misfeasance or even malfeasance.
Barring that, detect mining and terminate it with system monitoring tools, and prevent port scanning/flooding at your network border (your netops team is active on NANOG and seem to know what they're doing).
$80/mo DO: 8GB RAM, 4 Core, 80GB disk, 5TB
$163/mo Softlayer: 8GB RAM, 4 Core, 100GB storage, 5TB
Thanks!
I am a customer of DO's but I am not a happy one since I have to muck around with 6in4 tunnels just to get this basic stuff working.
Not sure what the legal/regulatory differences are for hosting in London compared to elsewhere?
Personally, I love being able to spin up Linode (and now DO) vms in London but pay USD prices.
Is there a conversion charge that your credit card company levies on you for paying in US$?
Anyway, as others have said, there are charges and spreads on foreign currency banking. It also adds complications to my otherwise very simple accounting needs.
At least, it's the case with my French and my Dutch bank.
That's one of the great benefits of the Euro when shopping in the EU (well, except for our British friends :) )
Edit: corrected a typo
About 90% of my company's expenses are in dollars, so I've had to become proficient at dealing with it, but I imagine it's more annoying for companies who only make the occasional USD transaction, especially as they may have smalltime accountants unfamiliar with or unwilling to deal with the exchange rate stuff properly.
If you were never in that situation, my experience is in paying less over time as both GBP/EUR have been getting stronger than USD.
Plus, pricing in the home currency is usually larger than the exchange rate (i.e. $10 = £5.83, so pricing would probably be something like $10, £6. Or even more - if not $10/£10 - you know who does that!...)
I'm worried about a company restricting usage to resources which you have been allocated, as I thought we were well past the problems of shared hosts with the rise of virtual machines / linux containers.
I doubt they are. While DO boxes aren't bad, in terms of the "bad neighbor effect", I think they very much are oversold. Also, the virtualization tech is a continuum between complete and proper isolation of resources and time slicing of the CPU cycles on the one end, and Linux container style resource sharing on the other. Basically, the more isolated your VM is, the slower it will run. I don't believe DO is using any type of really strong isolation. Because of this, if you start mining BTC on your droplet, you will suck the CPU cycles from all the neighbors.
At some point, you're hitting diminishing returns in your verification requirements.
This way, if someone has a stolen credit card, there's a very good chance they won't have a matching government ID with the same name. Hence obvious fraud.
The CARD Act of 2009 mandated that credit card issuing companies clearly describe the fees associated with foreign transactions.
Visa/Mastercard charge a cross border origination fee of 0.80%. However many credit cards (all cards by Capital One for example) waive this fee, and do not charge any fee of their own on top of this.
Edit: The 4th paragraph here seems to settle it: http://www.hmrc.gov.uk/manuals/vatpossmanual/vatposs14300.ht...
The reverse charge mechanism places the burden for accounting for VAT on the recipient if the supplier is outside the UK.
http://www.hmrc.gov.uk/vat/start/register/when-to-register.h...
I do get them from pingdom, and AWS. I do not get them from Mailchimp or hostgator.
CaxtonFX are also really good for foreign currency cards (2% markup, which is lower than I get with any of my British banks) and have really good customer service too.
I use the Halifax Clarity card and I believe The Nationwide and the Post Office do a good card too.
I'd never use a Debit Card for foreign currency transactions though, they always seem to have fees involved.
Nationwide used to have commission-free cash withdrawals on their debit cards abroad, but I think it was abused by people who had second homes in other countries, so it was withdrawn a year or two ago. I believe they still offer a commission-free credit card though.
Their "Select credit card" still offers EUR and USD purchases with no surcharge and no vig.
Their pricing/billing page indicates they'll accept these cards if the payment is made through Paypal, which will shield them from payment fraud, but not if the card is prepaid but the user's actions on the instance are malicious.
In regards to pre-paid and debit cards, we saw a very high incidence of abuse related to those cards specifically, so we've had to put certain restrictions on them as well.
We're going to look for other layered approaches that can be created programmatically to increase the authenticity of a user, and need to get that implemented asap because I'm in agreement that this ID request is a horrible workflow and also it still isn't foolproof, so it's just doubly bad.
Running the product prioritization meeting today so we'll bring up a couple of solutions and begin to prioritize and implement.
The first market we were planning on targeting was for Bitcoin related services that require KYC verification, but we also are planning on targeting any other services that need to know that their users are not bots and that if they ban a user they stay banned.
We just got some Series A funding and we're doing a crowdfunding from people who want to operate their own Identity Registrar. We should be launching our basic services in a month, and the franchise partners that are planning to participate will be able to do so in about two months.
If your problem can wait until summer is over, we'll be able to have a solution that would be free so anyone with a BlockAuth account can log in with a standards-compliant OpenID login form and you can be assured that they've been verified as being a real and unique person and all of the details they've submitted have been put under a microscope.