
Comments
Promotional deals can be covered under "made to order" or "fully delivered".
In our case it was a flash sale posted here on LET, and the client wanted 5 of them stacked and to pay in advance for a year. So it was "made to order", and was "fully delivered" once activated. Since it was a limited time and stock deal, and the client took the opportunity away from other potential clients by ordering 5x, we pushed for "service reservations and catering services for specific dates" too.
Computing (Honours) with Law degree sure comes in handy sometimes.
I didn't say nothing about it being common or not.
How do you know you were not compromised? Hackers usually don't send notices unless it's some ransomware or they trigger abuse complaints like in @yoursunny case.
I agree that more email systems are encrypted in transit today, much more so than 20 years ago. But that's not something you can count on. Even so the major email providers encrypt it at rest. But let's see: weak algorithms, crappy key management, rogue employees, negligence, vulnerabilities, exploits, breaches, backdoors, malware... Like I said email can pass through multiple intermediary servers multiplying the likelihood of all that.
And almost all of them had major security incidents. Let's mention this year Apple ID 184 million unencrypted login credentials available for the public for download and who knows for how long before someone even noticed.
Also, I don't remember the last time if ever I got a password emailed to me in plain text. I don't think it's that common as it's not considered a good practice.
Analogies like that are rarely perfect and if it makes you feel better you can tweak it and make a better one. But I think it gets the point across to most people.
Point is, every customer will have some minimal expectations from a service. That being either your password not being sent in plain text, the car you buy having an engine or when you call a taxi the driver not being drunk, etc. In all three cases I would just say: no thanks.
So then only buy services with refund guarantees and not promotions explicitly stating no refunds.
To file a chargeback for "not delivered" is fraud in this case.
Completely irrelevant what the service states. Sending passwords in plain text is considered bad practice and a security risk. And the OP admitted doing it in the first place. In this case the customer is 100% right to make a chargeback.
Fraud is when there's stolen credit cards involved or similar.
"Friendly fraud" (not a true fraud btw) is when a customer makes a chargeback for no valid reason and it is common knowledge that even when the provider gives no questions asked refunds, customers will make chargebacks simply because it's easier. Service providers deal with this by making refunds easy for customers. Simple as that.
"not delivered", might technically be not correct, it seems it was delivered in an unsecure manner. If it makes you feel better paypal has "significantly not as described", this should be good for lack of basic security and improper handling of passwords.
There's no fraud involved here at all. The biggest problem in this case is OP being a smartass and arguing about it instead of fixing this, it's a simple thing to do anyway.
From SmokyHosts ToS:
Customer Security Responsibilities
The customer is solely responsible for any breaches of security affecting servers under customer control. If a customer's server is involved in an attack on another server or system, it will be shut down and an immediate investigation will be launched to determine the cause/source of the attack. In such event, the customer is solely responsible for the cost to rectify any damage done to the customer's server and any other requirement affected by the security breach. The labor used to rectify any such damage is categorized as emergency security breach recovery and is currently charged at $195 USD per hour.
I guess @yoursunny would be out of $195, at least.
That doesn't make sense. "Considered"? By whom and where was this advertised? That didn't prevent him from reinstalling it or changing the password.
But it was delivered and OP said it wasn't. I don't know what your reply is conveying, fraud isn't theft and there's far more ways to commit fraud than one.
Wtf? Are you telling me when someone submits a chargeback and all the language that goes with it, "friendly fraud" is acceptable? It's a legal document they are swearing certain (incorrect) statements to be true.
The method of delivery wasn't the item being sold, the server was. What was the proof the email wasn't sent over encrypted connections? How is email trusted for 2FA codes and verification emails? Why didn't OP just reinstall the server?
I'd be curious to find any reference to "friendly fraud" in any legal document.
I believe you can search the Internet so I will not post any links. There are various recommendations for email encryption and sending sensitive data over email. Those include for example: GDPR compliance, NIST, HIPAA and other recommendations.
Methods for encrypting sensitive data sent over email, that also includes passwords, are: end-to-end encrypted email like Proton, Tuta, etc., PGP, S/MIME, sending an encrypted ZIP archive as attachment while sending the password of the ZIP archive over another channel.
For OP's specific situation @MannDude suggested a solution.
No it didn't. Next time when you order soup in a restaurant and you see someone's hair in it; anyone preventing you from removing said hair from the soup and continuing your meal? Or just paying for it and walking out without eating it?
Depending on how the system is implemented sometimes it doesn't hurt. Again, depending on how the system is implemented 2FA can also make it less secure. When you asked the question you either made some assumptions or were not even aware of them.
So what? @SmokyHosts didn't even prove to PayPal that it was delivered. I'm simply not buying that it is impossible. Don't get me wrong, I also believe that @SmokyHosts delivered it like he said. PayPal on the other hand doesn't have the luxury of picking sides.
Customer had a valid reason to make a chargeback and that's it. Whining about how he did it is funny like listening to two-year-old children debating about it.
You used the term "fraud" loosely. I mentioned it to make a distinction between "Friendly Fraud" and "Fraud". I also did say "or similar" to include all other type of fraud that can be considered "Fraud" as opposed to a Friendly one. Seriously, don't expect me to write a legal document here.
SmokyHosts said in his first post "To make things worst, if you don't offer refund, they raise it to PayPal...". That's why I mentioned the term before. You can give the man his refund and go on with your day and your chargeback rate intact, you'll also sell the freakin' $7 VPS to someone else the next day, lol. Or you can be stubborn, waste a day at the end of which you will give the man his refund anyway and also ruin your chargeback rate as a bonus.
Not saying that. I'm saying when making a dispute, the customer will have some kind of menu and pick the reason that is most convenient, or try to fit his reason to whatever option seems most appropriate or closest to the real situation. He'll add some text explaining it in more detail and that's it. Picking "not delivered" instead of more appropriate perhaps "not as described". I ask you again, so what?
That's not correct. Customer has a right to assume a secure delivery method; that means passwords not being delivered in plain text. There are laws of obligatory relations where those kinds of things are covered.
You can assume that the connections were encrypted. So what? The email wasn't encrypted as explained at the beginning of my post. The OP also admitted it in his first post that the access details were sent in plain text.
It is a well known term and any kind of normal court would know how to make the distinction.
Whatever drugs or thing that makes you so high to create a BS word as 'friendly fraud'. You should stop using it.
If getting your server passwords over email is a security risk, then requesting password reset is security risk also. As someone can intercept the email, grab the recovery link and reset your password while you are sleeping.
Stop creating bullshit excuses.
https://stripe.com/en-fr/resources/more/what-is-friendly-fraud
I did not create or make up the term. It is in common use.
Yes, password reset is a security risk. That's why there are always additional precautions taken. And you get a password reset link in your email, you don't get a password. Now, whatever you are on I'd like to know? ;-)
I'm on beer mate, but I don't walk around spewing random bullshit and 'friendly fraud' terms like you do.
It's a chargeback fraud
You should chargeback that beer asap, obviously.
I would, but what if someone listens to my chargeback phone call with the bank and steals my personal data and then uses it to create a new hosting account, then gets the server password via email, then does a friendly chargeback?
That's a risk I can't take.
Ok, then what occurred here wasn't "friendly fraud" by that page's definition:
The whole thing is about how it's a legitimate purchase and fraudulent claim and the damage to business.
A very easy solution to this is to remove the credential fields in WHMCS and just leave the IP address. You give the customer the option to set a password upon registration. This saves you a lot of headache and it's much more secure for both the customers and you as provider.
Hosteroid makes you set your own root password, it's not even about the email.

don't be a dumbass and put "1234", "admin" or some other shit there.
Why there is no validation for when you put such dumb passwords, that idk.
Yes, that's what the term represents in essence. It is actually the most common type of "fraud" and the easiest one to avoid for a business.
No, in this case there's no fraud at all involved. This case is a case of @SmokyHosts delivering a VPS, but failing to deliver the product. But he and a lot of hosts on LET never know to make that distinction.
On top of not delivering the product, he made a false report to fraudrecord when he lost the dispute and not to mention the GDPR violation.
But, what have you lost by letting the customer change their mind? A couple of days service on some cheap service? 10 cents? A dollar? If it's that much of a big deal, offer a pro-rata refund based on days used. It's not like they even logged into the VPS, if they raised the dispute as soon as you sent over the password in plaintext, so you haven't had the service abused or anything like that.
The cost to your reputation arguing about it is going to be more, especially when you create drama threads like this and threaten to share customer details with any other random company that's interested, and over PM on a third party system. It gets even worse when it's about a legitimate security concern that you don't even seem to comprehend.
In any case, do you really want to force a customer who will hate you based on your actions to keep your service for a month / year / whatever your term is for the sake of cents or a few dollars? What if they decide to be actually vindictive in response and use exactly the advertised resources by downloading stuff / benchmarking / whatever? Or do you think that because they requested a refund, you can get to keep the money and deny them service?
Just let it go. If your customers aren't happy, the easiest course of action for everyone is just to let them go and not piss them off more.
Lesson learnt and time to move on!
Thank you everyone for all your perspectives shared.
I'm gonna save your entire post to drop in future threads like this, well said.
Perhaps they know that once you put a server online the motherboard firmware gets infected with unremovable root kits. So why bother with basic useless security.