
Comments
PayPal used to side with sellers blindly before. So we all started going around PayPal to use credit cards. As PayPal lost buyer market share, their tone changed.
May help to open a BBB against PayPal. Many global and US brands react to that quickly.
To the best of my knowledge, the provider has to be incorporated in the EU in some form for this to apply. If not, the laws of the country in which the provider is incorporated apply.
Afaik it applies to any company who sells to EU customers. Offering EU locations and having the site's language in English (Indian company) does prove that they are targeting EU customers, so the 14 day withdrawal right should apply.
Why the fuck do you send password in plain text? It can be intercepted and your vps could be taken over and who knows what junk may be put on it.
You on crack op?:) you wanted to share client detail then got called over
I'm not a SmokyHosts customer but from my personal experience, it's... the norm? Except those that let you or force you to use public key, almost all of them are sending the root password in plaintext via email. Probably it's the default from whatever management panel they use. Some are even displaying the default root password on their panel. I don't know whether it's encrypted behind the scene. But as much as I don't like that practice, personally it's not really a big deal unless you're really lazy to change the default password.
This is at best what is called "Friendly Fraud", it's nothing new and it's not even a true fraud. In fact it is the most common type of "fraud". And you did your best to maximize this type of "fraud" by not providing refunds. What did you expect?
You admit to sharing VPS/server access details in plain text and think it's a good idea to complain about "fraud" on a public forum? There's no reason whatsoever to share those in plain text.
It is a common and very reasonable expectation that the access details of the VPS/server will not be shared in plain text. So yes, the product was not delivered. When you buy a car, you expect it to have an engine inside, do you not?
No comment as this speaks for itself.
Great job, you sent personal data without consent to "fraudrecord" and now an unknown number of companies/entities have access to that data, including many of those outside EU. Fraudrecord website makes a lot of incorrect statements about anonymization when in fact it's not properly done and the data you shared is easy to reverse, and it is still considered personal data under GDPR. (There's another post of mine on let if you want more details.)
Let's make a summary:
You decided not to provide refunds thus maximizing friendly fraud.
You shared VPS access details in plain text.
Your customer made a chargeback request to paypal. (You could have minimized your risks here by providing an easy way for customers to get refunds, but you didn't.)
Your customer won the chargeback.
You decided to share his personal data with fraudrecord and complain about it on a public forum.
Don't let your customers select their own root password at sign up, and modify your WHMCS email templates to not share the password via email. In the email template, include a link to your Knowledgebase that tells the customer how to manually set the root password or use an SSH key from your VPS control panel.
This prevents their password from being logged in WHMCS and prevents it from being emailed in plain text, even if WHMCS randomly generates it.
Five minutes later, a more secure setup.
None of this is a reason to share access details in plain text or call it a fraud when a customer wins a legal chargeback request. And it's your fault in the first place for not providing refunds to avoid disputes like this.
PayPal is a breeze; don't know why people complain about it. Try SEPA, the customer can dispute a payment on a "no questions asked" basis for a period of 8 weeks. Bank will return his money and that's final, no appeals process or anything.
Can someone please explain what's wrong with sharing passwords in email in clear text? Are you that regarded to not change the password you got in the email? Are you special snowflake that you actually give provider your actual root password when you do reinstallation?
You set your root password as "test". You get the email that server is ready, you login and change it to your real password. Then disable root login, then create yourself a new user and add ssh keys.
I don't see a 14-day period as any problem for a normal business. Perhaps you are not aware how things were before that. Here's an example: A large leading telecom would call your half-deaf and senile grandmother and talk her into upgrading her plan to some subscription plan she does not even need. Why did she do it? Because they told her it will be "cheaper" and "better".
now i wonder if this provider did this same shit before and share details with other people whenever shit happens between them and their customers
When I get the email I actually login the cp and turn it off until I have time to reinstall from iso and run my config tooling. Ask me about providers that boot vps that were explicitly turned off when they reboot the host, annoying.
Because even assuming you won the world championship because you're very fast at changing your password; by that time your server is already compromised.
How? That is only possible if there is any MITM attack. And if they can do it, they can simply change your password and reach your server from your hosting's panel.
I guess it is possible if hackers use password lists and they are fast enough to probe it on your server and quickly change it. Such scenario seems rare to me unless you leave your server idle for long periods.
I never trust a single password given to me. As soon as I am in, I set my own password. And OP said they would share the pattern details, not PII details.
Not sure even if this constitutes as fraud or a scam. If a customer is a special little PITA flake, refund them and restrict their account. Ain't nobody got time for their crap.
Asking for a friend, are you the client who purchased a VPS from OP and had a conniption when you saw the password in plain text?
He mentioned in the thread that he shares the full details of the client.
What fraud and what scam are you talking about.
this thread made me realize how egg tart people are
This shouldn't be allowed as it does not equate to idling!
Next time send VPS password by Priority Mail.
You then have a tracking number to supply PayPal.
Yes, someone hacked into our newly purchased @Hosteroid VPS to run port scans within an hour of delivery, before we had a chance to reinstall.
We had to respond to an angry abuse notice.
All newly purchased VPS should be delivered without an operating system and in powered off state.
@tomazu once migrated our machine to a different host and automatically booted the machine.
It entered a boot loop due to PCI address changed in several virtualized hardware devices, and triggered the CPU abuse script.
A client from UK sent us legal notice about a year ago stating that exact clause after us winning the dispute with American Express CC as we have only 3 days refund policy. We still won, and never refunded anything.
This is right below the "Right of withdrawal: a 14-day cooling-off period":
Exceptions
Please note: the 14-day cooling-off period does not apply to:
plane and train tickets, as well as concert tickets, hotel bookings, car rental reservations and catering services for specific dates
perishable goods that expire rapidly, such as food or drinks with a short “use by” date
goods made to order or clearly personalised – such as a tailor-made suit
goods or services with fluctuating prices following global markets, such as household heating fuel
fully delivered services, such as cleaning a terrace, if you expressly agreed to start immediately acknowledging you would lose the right of withdrawal
sealed audio, video or computer software, such as DVDs, that you have unsealed
online digital content, such as a song or movie, that you started downloading or streaming after you expressly agreed to lose your right of withdrawal by starting the performance
urgent repairs and maintenance contracts, such as inviting a plumber to repair a leaking shower
^ It all depends on how you represent your side of the case.
Don't use any emotional speech with any payment processor or financial institutions, just spit facts and they will most likely lick lol.
Every email can pass through a dozen or even more hops/servers/systems. There's no guarantee for all of them to be encrypted in transit or at rest. Every system the email goes through increases the risks substantially; risks of there being a rogue employee or one of those system already being hacked, etc.
@yoursunny already mentioned it happening in practice. But if the hackers are a bit smarter and more sophisticated they will compromise your system without triggering abuse notices and just sit there without you having a clue about it.
It is actually explained on PayPal website how to prove the delivery of intangible goods:
For intangible or digital goods, proof of shipment or delivery means compelling evidence to show the item was delivered or the purchase order was fulfilled. Compelling evidence could include a system of record showing the date the item was sent and that it was either:
Just a matter of setting up your system to be able to provide such evidence.
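On the point made earlier in this thread that an email can pass through many hops with no guarantee each one is encrypted in transit: the sketch below is an added example, not part of any post here. It reads the Received headers of a message and reports which hops recorded a TLS-protected transfer; the sample message, host names and addresses are constructed.

```python
import email
import re

# "with" keywords (RFC 3848 and UTF8 variants) whose S marks a TLS hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: a provisioning email crossing three servers.
SAMPLE = """\
Received: from mx.customer.example (mx.customer.example [203.0.113.9])
\tby store.customer.example with LMTP id 3; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.provider.example (relay.provider.example [198.51.100.7])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx.customer.example (Postfix) with ESMTPS id 2; Mon, 01 Jan 2024 10:00:02 +0000
Received: from panel.provider.example (panel.provider.example [198.51.100.5])
\tby relay.provider.example with ESMTP id 1; Mon, 01 Jan 2024 10:00:01 +0000
From: billing@provider.example
To: user@customer.example
Subject: Your new VPS

(body omitted)
"""

def strip_comments(value):
    """Drop (nested) parenthesised comments, e.g. '(using TLSv1.3 with cipher ...)'."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def audit_hops(raw_message):
    """Return (receiving host, protocol, tls_recorded) per hop, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # newest header is on top
        clauses = strip_comments(" ".join(str(value).split())).split(";")[0]
        by = re.search(r"\bby\s+(\S+)", clauses)
        proto = re.search(r"\bwith\s+(\S+)", clauses)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return hops

def unprotected_hops(raw_message):
    """Hosts that accepted the message without recording TLS."""
    return [host for host, _, tls in audit_hops(raw_message) if not tls]

if __name__ == "__main__":
    for host, proto, tls in audit_hops(SAMPLE):
        print(f"{host:26} {proto:8} {'TLS recorded' if tls else 'no TLS recorded'}")
```

Each Received line is written by the server that accepted the message, so the output is a record of what the hops reported, not proof, and it says nothing about storage at rest on any of them.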
is teh uk in teh eu?
No wonder our politicians and monarchs be like:

Try searching: UK GDPR
Correct. If the terms applied by the Provider conflict with the rights prescribed by law in the European Union then they aren't applicable/enforceable there. Also, EU consumer protection is ruthless because disputes are relatively unambiguous, (compared to GDPR), and they're generally very trigger happy.
Correct. Sucks to be a Provider. Great to be a consumer. But the EU is mental, evil and whatever other weird shit that the "too online" crowd dramatize about.
The UK isn't in the EU, and hasn't been for a few years now, but unless the client complains to the appropriate EU consumer authority, (they have one per country and they vary in their ferocity), you don't have to worry. But EU citizens reading this might want to Google their national Consumer Protection organization because they can create a LOT more drama than PayPal dispute if you're so inclined....
Oh bullshit.
In 20-odd years of using VPSes, I've never once had a VPS compromised by someone grabbing a plain text out of my email. Even when I've ordered one and not come back to set it up for months. Sending passwords by email is extremely common.
I'm not saying it's a good practice. I agree with @MannDude that users providing SSH keys is definitely the way to go and I do that whenever possible, but the idea that everyone's systems are being compromised within seconds of a password being emailed is nonsense.