All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
xHosts UK "security and abuse-prevention update"
Stepbacktocensorship
Member
Email received:
Dear Name,
We are writing to inform you of an upcoming security and abuse-prevention update that will affect certain hosting services provided via our StackCP hosting platform over the coming weeks.
Due to increased abuse across the hosting industry, xHosts UK will be introducing additional identity verification requirements for some StackCP-hosted accounts. This measure is intended to protect our network, service reliability, and legitimate customers.
What this means for you
At this stage, no action is required.
If identity verification is required for your account, you will be contacted separately with clear instructions and a reasonable timeframe to complete it. Verification will be handled securely by a trusted third-party provider, and xHosts UK does not receive or store identity documents.
If required verification is not completed when requested, this may result in temporary service suspension.
For more information about identity verification, please see our FAQ:
Identity Verification (KYC) – Frequently Asked QuestionsYou may also review our policies here:
Terms of Service
Privacy PolicyIf you have any questions, our support team will be happy to assist via the client area.
Best Regards
xHosts UK
- I hope this is just a joke, dear @xHosts, you brought April Fool's Day forward!
- If it's not a joke, then I hope your infamous government isn't behind it.
- You know very well that after such an action, you will lose 90% of your customers who have purchased "unlimited" storage space. Is this how you want to be cost-effective?
- I think you should forget about this. Payment itself is a form of authentication, and a simple hosting provider cannot feel entitled to request personal documents, even with the help of a third party.
Comments
Just to clear up a misunderstanding — the email is a heads-up, not a blanket demand.
The wording says “if identity verification is required” on purpose. It doesn’t mean everyone is being asked to verify, and there’s no action required just from receiving the email.
Verification is only applied selectively where it’s needed for platform security and abuse prevention, and people are contacted individually if it applies to their account.
If you have a specific issue I invite you to raise a ticket from your account and we can discuss any issues as we do with all customers on a per account basis
Just curious who the 3rd party is.
We’ll be using Stripe Identity.
It’s a well-known third-party provider and we don’t see or store ID documents ourselves — we just get a verification result.
The goal here is mainly to protect the platform and our ongoing relationship with 20i by keeping abuse to a minimum, so services stay reliable and IP/email reputation isn’t impacted for everyone else.
I expect hosting is one of the top 5 industries for fraudulent payments. If a chargeback happens on a £2 service, the company has to pay £27 in fees for the chargeback.
We get about 15 fraudulent orders a week at VM6; it's not sustainable. Don't hate the provider, hate the people who force the providers to do it. We have to make money at the end of the day.
Does anyone have a link to the FAQ?
Thanks
But this is for existing customers right and not new? Is it common for people to pay some invoices and then chargeback on a later payment?
The FAQ can be found here
https://my.xhosts.uk/knowledgebase/article/9/identity-verification--kyc----frequently-asked-questions/
Yes, the main issue a provider can face is eg a £5 VPS then payment disputed by card
Fee of £15 + £5 server, makes no sense to providers.
We have recently seen a increased amount of customers who bought a service and silently transfer the whole account to another unknown person and we are suddenly made aware of either network abuse or direct abuse along with threats.
An example that we have seen a huge increase of customer signed up from USA based address, contact number and payment details and recent weeks suddenly signing in from China, Korea or Russia, while we have no issues with customers from any country when we see a increase of abuse on a certain line of services we must protect the legitimate customers and ensure our ongoing relationship with 20i remains workable and safe.
Is the investigation focused specifically on those who broke the law, or is it a random selection of individuals?
I think once company starts asking for KYC after order, the chargeback amount will only increase. Not sure how is KYC enforcement (after payment) linked to preventing chargebacks.
In my opinion more effective methods would be to:
I get that it's easier said than done and I by no means support anyone who chargebacks for no reason. I'm pretty sure most sane people understand it does not help anyone and ends up hurting provider's ability to do promotional offers here.
Also, as much as I like @xHosts , I don't like this recent KYC change. Big plus for warning about it in advance, but thankfully I'm not their customer.
That's unfortunate but somehow expected - on forums other than LET, transferring entire account seems to be standard practice unless the providers offers free transfers of services.
I hope the new procedure will be applied only when such behavior (changing account owner) is detected and documented. And hopefully it will help you get rid of such customers, leaving only the legitimate ones
I cannot really put that on a public forum since it could then allow people advance information to try and navigate measures we are attempting to put place.
As we host a number of local clients (bossiness and leisure activity (kids weekend sports) our main aim has to ensure we remain a viable and reliable customer to 20i which with any provider if you receive too many abuse reports to they are spending too much of their time simply dealing with issues cause by your sub customers they would eventually ask you to leave, same with any business.
The aim here is to remove anyone who has or may be thinking of passing accounts to someone who is unknown and within a short time we are dealing with either threats of actions towards our services or formal abuse reports in terms of malware, DMCA, people using the FTP as a file backup storage which breaks the terms too.
If a customer has bought an account for example £3.50 and we spend a few hours collecting information on their abuse, also replying to 20i to advise we have remove their account from our billing platform and will prevent future orders, this is a waste of time that we can use on adding features that we are working currently on such as full dedicated server control (power, reinstallation) these new features benefit customers, wasting our time dealing with accounts they have been passed from one to another is not productive to anyone
https://my.xhosts.uk/knowledgebase/article/9/identity-verification--kyc----frequently-asked-questions/
So you will unsuspend them until the end of the contract?
The vast amount of our customers are paying monthly, by this pre notice customers can decide in the coming weeks if they wish to renew or no longer wish to renew. As we advised in the email this is in the coming weeks giving customers the time to consider their options going forward.
not involved, what's this "20i" keep being referred to? I don't recognize the acronym(?).
20i is the platform we are resellers on for this service, we feel its in everyone's best interests to keep a workable and good business relationship by keeping any abuse to the least we can
20i platform.
Ah thanks! No doubt reselling adds another layer of needing to be careful.
Just run. KYC after payment is done (via non-anonymous payment method) is dubious at best. There is other providers.
It's a really good deal for resellers tbf - they get email, managed hosting, reseller api and more for a reasonable price. As a user/consumer the performance is ok - i don't hate it but wouldn't use 20i if I had an alternative.
Also have 2 services with xHosts and I'm satisfied.
We are looking for protect the legitimate users, unlike other providers that will suddenly impose a KYC and lock accounts we are looking to do it in a fair, calm and controlled manner.
If someone does not wish to renew, they have that option since most customers are pay monthly by the time we have started to implement this renewals will be due or passed and this has already been advised.
100% agreed.
3DS should be the standard unless we're talking esim (roaming) business, which would reduce the transaction conversion because not all telco offer free incoming sms during roaming.
Edit:
This happened to me quite often (during trip). Some provider doesn't 3DS, some 3DS to save cards, some 3DS for each transaction.
Just like any LET user, I checked pricing (by price/GB, length of stay). Sometime, I end up consuming the quota and got to purchase another package for the remainder of the trip. Despite my telco offer free incoming sms (roaming), it sometime get stuck 😅
What happens to other customers?
This is a clear example of what happens when you do not control vital assets for your business (in this case, IP addresses).
You are now dependent on the goodwill of your infrastructure provider who demands harsh and retroactive action to stop things as meaningless as DMCA notifications.
We normally look at that as standard, while some accounts have been active 6 months, others over 2 years from some LET offers and suddenly change from logging in eg USA or UK, sudden sign in from Russia, China which we could assume owner is traveling and we have emails to report phishing for example.
This KYC we will hope will allow regular legitimate customers to carry on as normal while others who may be flagged for any number of reasons we will ask KYC. As there has been a lot of threads here "provider demanded KYC without warning, locked my data" we are looking at the fair approach of pre warning, anyone who is ready to transfer an account may think twice if they have provided their KYC in the past.
Since these customers make up less than 3% of our actual base on this type of service we will review their account type on that basis.
@xHosts Does this also apply to existing VPS customers?
Not all DMCA are meaningless, I would say that 98% are meaningless while I have experience from a friend that needed to take DMCA action due to some personal circumstances, while I understand why some providers will ignore these there should never be a blanket ignore either because some cases actually deserve to be taken down without delays.
Currently only anything based on the 20i platform, we only send this email to any customer that has a service on this platform as VPS we are able to use discretion more.
They are meaningless in the sense that they do not compromise your business continuity as long as you do not blatantly ignore abuse. Except when you are renting someone else's resources, that was my point.
I strongly doubt the "90%".
I have 2 VPS with them, one Ryzen based and one Epyc based. Both show decent disk performance and excellent connectivity plus very generous traffic volume (one even an insane 100+TB/mo).
Those @xHosts VPS are among my most appreciated servers.
If they felt the need to KYC me I'd comply, but I doubt they'll feel that need as I'm a clearly white-hat customer who almost certainly doesn't trigger any of their sensors for problems.
And I not only understand their desire to have a clean ship but I welcome and appreciate it. After all, everyone, except for the bad apples, profits from it.
I wonder what kind of abuse though because 20i platform is so much restrictive that even typing some particular command can get you banned.
There is critical mass of users when reached - abuse starts every hour 365 days per year. This is true with digitalocean. Then you have 2 choices: