xHosts UK "security and abuse-prevention update"

245

Comments

  • itachikonoha Member
    edited February 17

    @Levi said:

    @itachikonoha said:
    I wonder what kind of abuse though because 20i platform is so much restrictive that even typing some particular command can get you banned.

    There is critical mass of users when reached - abuse starts every hour 365 days per year. This is true with digitalocean. Then you have 2 choices:

    • close eyes
    • Tighten security so much, that all possible abuse variants prevented and new ones arriving - banned on “possible” basis. There is so much users, that collateral damage is meaningless. The same with google or m$.

    I understand the above part. But have you seen the 20i platform?

    For security they (20i) have implemented so many restrictions that you feel straightjacketed even when you have no intention to break any rules. If you deviate just here and there from what 20i intended, an immediate ban.

    So that's what makes me curious. what type of abuse can break that "firewall" of 20i?

  • Levi Member

    @itachikonoha said:

    @Levi said:

    @itachikonoha said:
    I wonder what kind of abuse though because 20i platform is so much restrictive that even typing some particular command can get you banned.

    There is critical mass of users when reached - abuse starts every hour 365 days per year. This is true with digitalocean. Then you have 2 choices:

    • close eyes
    • Tighten security so much, that all possible abuse variants prevented and new ones arriving - banned on “possible” basis. There is so much users, that collateral damage is meaningless. The same with google or m$.

    I understand the above part. But have you seen the 20i platform?

    For security they (20i) have implemented so many restrictions that you feel straightjacketed even when you have no intention to break any rules. If you deviate just here and there from what 20i intended, an immediate ban.

    So that's what makes me curious. what type of abuse can break that "firewall" of 20i?

    There is always patterns. Usually such strict flow prevents automated controls via bots. Why this is a problem - a good question.

  • rpqu Member
    edited February 17

    @xHosts said:

    100% agreed.
    3DS should be the standard unless we're talking esim (roaming) business, which would reduce the transaction conversion because not all telco offer free incoming sms during roaming.

    We normally look at that as standard, while some accounts have been active 6 months, others over 2 years from some LET offers and suddenly change from logging in eg USA or UK, sudden sign in from Russia, China which we could assume owner is traveling and we have emails to report phishing for example.

    This KYC we will hope will allow regular legitimate customers to carry on as normal while others who may be flagged for any number of reasons we will ask KYC. As there has been a lot of threads here "provider demanded KYC without warning, locked my data" we are looking at the fair approach of pre warning, anyone who is ready to transfer an account may think twice if they have provided their KYC in the past.

    I could understand the reason if it was phishing, etc. However, demanding KYC (especially when it requires ID) because of suspicion over account selling and profiteering over IP geolocation is just...
    It feels like privacy costs extra.

    That's why I think it's better if hosts offer personalized promo code to good withstanding member. Or minimize the value of these account by indicating the specified deal will not recur if we suspect account trading which will reduce the value of the trade. The nature of account trading is similar to bonds trading, where the valuation of long-term bonds (20Y+) are higher than short-term. Thus, by specifying the nature of the deal, hosts could:

    • minimize the value of the trade (which made account trading less profitable)
    • minimize chargeback (as the service is delivered according to the specifications)

    Also, hosts could offer 1-month free service if they could disclose the person (social handle, on-chain transaction) who sold it

  • canihavethe Member
    edited February 17

    @xHosts said:
    We are looking for protect the legitimate users, unlike other providers that will suddenly impose a KYC and lock accounts we are looking to do it in a fair, calm and controlled manner.

    If someone does not wish to renew, they have that option since most customers are pay monthly by the time we have started to implement this renewals will be due or passed and this has already been advised.

    A non legit user will 99% get forced into KYC, and will 99% abandon the account and file a chargeback. It will hurt you if you require KYC after payment.

    I don't see any KYC warning during the order process, and nothing about it in the terms either. The abusers probably won’t even bother reading it, but soon enough will end up warning each other not to use your service.

  • So, KYC for a £2 plan?

    Thanked by 1WyvernCo
  • I am not xhost customer; I am not planning to be either. I don’t mind doing KYC either, but what is my “guarantee” that xhost or other LET provider won’t leak my real info (name surname address or at least country name) when they are all using same shitass WHMCS panel?

    If Stripe fucks up and leaks my data, I do know who to go after.

    Whom should I go after if some hosting company registered with some forwarding office address closes their business and disappears in the business.

    Again, I don’t mind doing KYC with Stripe or other well known ID verification company but I don’t trust with my personal details with some random individuals.

    xHosts can disappear and show up as yHosts in next month as a new company

    Thanked by 2itachikonoha forest
  • xHosts Member, Patron Provider

    @barbaros said:
    I am not xhost customer; I am not planning to be either. I don’t mind doing KYC either, but what is my “guarantee” that xhost or other LET provider won’t leak my real info (name surname address or at least country name) when they are all using same shitass WHMCS panel?

    If Stripe fucks up and leaks my data, I do know who to go after.

    Whom should I go after if some hosting company registered with some forwarding office address closes their business and disappears in the business.

    Again, I don’t mind doing KYC with Stripe or other well known ID verification company but I don’t trust with my personal details with some random individuals.

    xHosts can disappear and show up as yHosts in next month as a new company

    @canihavethe said:

    @xHosts said:
    We are looking for protect the legitimate users, unlike other providers that will suddenly impose a KYC and lock accounts we are looking to do it in a fair, calm and controlled manner.

    If someone does not wish to renew, they have that option since most customers are pay monthly by the time we have started to implement this renewals will be due or passed and this has already been advised.

    A non legit user will 99% get forced into KYC, and will 99% abandon the account and file a chargeback. It will hurt you if you require KYC after payment.

    I don't see any KYC warning during the order process, and nothing about it in the terms either. The abusers probably won’t even bother reading it, but soon enough will end up warning each other not to use your service.

    The cost of losing a few customers who either do not want to KYC or cancel their orders will be much smaller than costs in terms of time of dealing with abuse reports

    I also highly doubt most legitimate users will be issuing threats and abuse, legitimate people if they face an issue will make contact, explain their issue allow time for it to be resolved, the customers who are not legit will move to another provider who will soon do as most others are now doing and start KYC unless too.

    Customers agree to provide legitimate and accurate details during the order process, that is part of 99% hosts terms and conditions, if a customer does not do that they are in breach of the terms with any provider that wishes to enforce it, also when someone issues a charge back and it's proven to most banks or card issuers their customer attempted deception the case is closed and fees returned for winning the case, it is just time consuming, when people do that while you have people publicly shaming providers for "slow support" this can often be a factor fighting these types of cases too.

    Having a clean customer base, helps the businesses keep chargebacks to a minimum, network and ip ranges cleaner and less time wasted on these types of issues, more time to invest into support and improvements.

    Thanked by 2jsg forest
  • xHosts Member, Patron Provider

    @xHosts said:

    @barbaros said:
    I am not xhost customer; I am not planning to be either. I don’t mind doing KYC either, but what is my “guarantee” that xhost or other LET provider won’t leak my real info (name surname address or at least country name) when they are all using same shitass WHMCS panel?

    If Stripe fucks up and leaks my data, I do know who to go after.

    Whom should I go after if some hosting company registered with some forwarding office address closes their business and disappears in the business.

    Again, I don’t mind doing KYC with Stripe or other well known ID verification company but I don’t trust with my personal details with some random individuals.

    xHosts can disappear and show up as yHosts in next month as a new company

    @canihavethe said:

    @xHosts said:
    We are looking for protect the legitimate users, unlike other providers that will suddenly impose a KYC and lock accounts we are looking to do it in a fair, calm and controlled manner.

    If someone does not wish to renew, they have that option since most customers are pay monthly by the time we have started to implement this renewals will be due or passed and this has already been advised.

    A non legit user will 99% get forced into KYC, and will 99% abandon the account and file a chargeback. It will hurt you if you require KYC after payment.

    I don't see any KYC warning during the order process, and nothing about it in the terms either. The abusers probably won’t even bother reading it, but soon enough will end up warning each other not to use your service.

    The cost of losing a few customers who either do not want to KYC or cancel their orders will be much smaller than costs in terms of time of dealing with abuse reports

    I also highly doubt most legitimate users will be issuing threats and abuse, legitimate people if they face an issue will make contact, explain their issue allow time for it to be resolved, the customers who are not legit will move to another provider who will soon do as most others are now doing and start KYC unless too.

    Customers agree to provide legitimate and accurate details during the order process, that is part of 99% hosts terms and conditions, if a customer does not do that they are in breach of the terms with any provider that wishes to enforce it, also when someone issues a charge back and it's proven to most banks or card issuers their customer attempted deception the case is closed and fees returned for winning the case, it is just time consuming, when people do that while you have people publicly shaming providers for "slow support" this can often be a factor fighting these types of cases too.

    Having a clean customer base, helps the businesses keep chargebacks to a minimum, network and ip ranges cleaner and less time wasted on these types of issues, more time to invest into support and improvements.

    @barbaros said:
    I am not xhost customer; I am not planning to be either. I don’t mind doing KYC either, but what is my “guarantee” that xhost or other LET provider won’t leak my real info (name surname address or at least country name) when they are all using same shitass WHMCS panel?

    If Stripe fucks up and leaks my data, I do know who to go after.

    Whom should I go after if some hosting company registered with some forwarding office address closes their business and disappears in the business.

    Again, I don’t mind doing KYC with Stripe or other well known ID verification company but I don’t trust with my personal details with some random individuals.

    xHosts can disappear and show up as yHosts in next month as a new company

    That is one of the reasons I moved from WHMCS.

    You also review at which place the breach has happened, it's that simple.

    If the system was hacked on Stripe's servers which after the ID have been validated it is deleted, it simply shows X was verified or X was not verified

    Thanked by 1jsg
  • @xHosts said:

    @MannDude said:

    If identity verification is required for your account, you will be contacted separately with clear instructions and a reasonable timeframe to complete it. Verification will be handled securely by a trusted third-party provider, and xHosts UK does not receive or store identity documents.

    Just curious who the 3rd party is.

    We’ll be using Stripe Identity.

    It’s a well-known third-party provider and we don’t see or store ID documents ourselves — we just get a verification result.

    The goal here is mainly to protect the platform and our ongoing relationship with 20i by keeping abuse to a minimum, so services stay reliable and IP/email reputation isn’t impacted for everyone else.

    I was under the impression that Stripe Identity allowed the business to see a copy of the customer's government ID.

    Thanked by 1tentor
  • ak47 Member
    edited February 18

    @xHostsUK I wanted to reach out regarding an issue I’ve encountered when trying to access the Control Panel. I'm receiving an error message that says "user is required" or something similar, and I’m unable to Control Panel.

    Ticket-474615 Access Control Panel

  • xHosts Member, Patron Provider

    @ak47 said:
    @xHostsUK I wanted to reach out regarding an issue I’ve encountered when trying to access the Control Panel. I'm receiving an error message that says "user is required" or something similar, and I’m unable to Control Panel.

    Ticket-474615 Access Control Panel

    I have replied to your ticket, a lot of tickets are coming in at the moment following the above email, we are replying as soon as possible.

  • barbaros Member
    edited February 21

    This is what ChatGPT says about the Stripe Identity feature:

    If a business asks you to verify your identity using Stripe Identity:

    The business can access captured ID document images (front/back) and your selfie.

    The business can access extracted personal data from the ID (e.g., name, date of birth, ID number).

    The business also gets the verification result and any verification insights.

    Stripe states explicitly that the business has access to this information in their Stripe Dashboard and via API if you give consent.

    What the Business Does Not Get

    Stripe says that the business does not receive:

    The biometric identifiers that Stripe computes to match your selfie to the ID. These are used internally and removed from Stripe’s systems after a time.

    So, businesses using Stripe Identity Verification can access and store your personal details you share with Stripe. And there is no option to tell Stripe to not share those personal details with the business and only Stripe use it.

    So wherever you share your details with Stripe Identity, always act like the business can access those details also.

    It's up to business to check this data just by logging into their Stripe Dashboard.

    Thanked by 2forest mp11
  • @MannDude said:

    If identity verification is required for your account, you will be contacted separately with clear instructions and a reasonable timeframe to complete it. Verification will be handled securely by a trusted third-party provider, and xHosts UK does not receive or store identity documents.

    Just curious who the 3rd party is.

    inhope maybe? ;)

  • LordSpock Member, Host Rep
    edited February 21

    LowEndHosts are not the people to be handing this data to - especially as they are fond of fibbing and many have quite patchy histories at best...

    xHosts are being dishonest here, Stripe Identity does allow a business to view the identity documents of a user and in this case the business you are verifying with actually is acting in the role of a data controller.

    That second part is unfortunate as xHosts are not, from what I can tell, registered with the ICO. Bit naughty really.

  • Ssre Member

    @LordSpock said:
    LowEndHosts are not the people to be handing this data to - especially as they are fond of fibbing and many have quite patchy histories at best...

    The host only lists a po box/virtual office on their site too, not their registered company address. Looks like this violates Companies Act 2006, even more so as it implies a different place of registration (Scotland instead of England) where different laws can apply.

    They seem to value their privacy, I wonder if a customer can ask the provider to perform KYC too? :D

    Thanked by 2tentor buggedout
  • What a shit show.

    All because someone's public private bin had file uploads turned on and it had CSAM.

    Thanked by 1zed
  • @Ssre said:

    @LordSpock said:
    LowEndHosts are not the people to be handing this data to - especially as they are fond of fibbing and many have quite patchy histories at best...

    The host only lists a po box/virtual office on their site too, not their registered company address. Looks like this violates Companies Act 2006, even more so as it implies a different place of registration (Scotland instead of England) where different laws can apply.

    They seem to value their privacy, I wonder if a customer can ask the provider to perform KYC too? :D

    KYC... Know your company.

  • Neoon Community Contributor, Veteran

    @krobzow said:
    So, KYC for a £2 plan?

    This is brilliant, actually.
    It costs them €1.25 for each verification, given he paid him 2 british rupies.

    He clearly makes a loss if he verifies.
    The bet is probably, he doesn't verify.

    Plus, he gets rid of someone, saves him money in the long term.
    Usually you would roll out such change for new customers, not existing ones.

    But it's a good way to get rid of customers.

  • Wise Member

    @LordSpock said:
    LowEndHosts are not the people to be handing this data to - especially as they are fond of fibbing and many have quite patchy histories at best...

    xHosts are being dishonest here, Stripe Identity does allow a business to view the identity documents of a user and in this case the business you are verifying with actually is acting in the role of a data controller.

    That second part is unfortunate as xHosts are not, from what I can tell, registered with the ICO. Bit naughty really.

    I think xhosts is a trading name of their Ltd company

  • LordSpock Member, Host Rep

    @Wise said:

    @LordSpock said:
    LowEndHosts are not the people to be handing this data to - especially as they are fond of fibbing and many have quite patchy histories at best...

    xHosts are being dishonest here, Stripe Identity does allow a business to view the identity documents of a user and in this case the business you are verifying with actually is acting in the role of a data controller.

    That second part is unfortunate as xHosts are not, from what I can tell, registered with the ICO. Bit naughty really.

    I think xhosts is a trading name of their Ltd company

    I checked that too, neither are present in the register.

  • @MaxTakeba said:

    @Ssre said:

    @LordSpock said:
    LowEndHosts are not the people to be handing this data to - especially as they are fond of fibbing and many have quite patchy histories at best...

    The host only lists a po box/virtual office on their site too, not their registered company address. Looks like this violates Companies Act 2006, even more so as it implies a different place of registration (Scotland instead of England) where different laws can apply.

    They seem to value their privacy, I wonder if a customer can ask the provider to perform KYC too? :D

    KYC... Know your company.

    @AS203446

  • VM6 Member, Patron Provider

    @network said:

    @VM6 said:

    @Stepbacktocensorship said:
    Email received:

    Dear Name,

    We are writing to inform you of an upcoming security and abuse-prevention update that will affect certain hosting services provided via our StackCP hosting platform over the coming weeks.

    Due to increased abuse across the hosting industry, xHosts UK will be introducing additional identity verification requirements for some StackCP-hosted accounts. This measure is intended to protect our network, service reliability, and legitimate customers.

    What this means for you

    At this stage, no action is required.

    If identity verification is required for your account, you will be contacted separately with clear instructions and a reasonable timeframe to complete it. Verification will be handled securely by a trusted third-party provider, and xHosts UK does not receive or store identity documents.

    If required verification is not completed when requested, this may result in temporary service suspension.

    For more information about identity verification, please see our FAQ:
    Identity Verification (KYC) – Frequently Asked Questions

    You may also review our policies here:
    Terms of Service
    Privacy Policy

    If you have any questions, our support team will be happy to assist via the client area.

    Best Regards

    xHosts UK

    1. I hope this is just a joke, dear @xHosts, you brought April Fool's Day forward!
    2. If it's not a joke, then I hope your infamous government isn't behind it.
    3. You know very well that after such an action, you will lose 90% of your customers who have purchased "unlimited" storage space. Is this how you want to be cost-effective?
    4. I think you should forget about this. Payment itself is a form of authentication, and a simple hosting provider cannot feel entitled to request personal documents, even with the help of a third party.

    I expect hosting is one of the top 5 industries for fraudulent payments. If a chargeback happens on a £2 service, the company has to pay £27 in fees for the chargeback.

    We get about 15 fraudulent orders a week at VM6; it's not sustainable. Don't hate the provider, hate the people who force the providers to do it. We have to make money at the end of the day.

    But this is for existing customers right and not new? Is it common for people to pay some invoices and then chargeback on a later payment?

    No, I wouldn't for existing customers. To be honest, we don't even use KYC at VM6, just FraudLabs and manual review. I'm just saying I kind of understand why providers implement KYC. I also understand the customers' side, though, about handing over their ID.

    Thanked by 2oloke forest
  • I feel I have dodged a bullet not signing up when I could have.

    Respect to xHosts for giving customers some notice of the new requirements in advance but in my opinion it is out of order to sell a product with one set of terms and then later change the terms making it so egregious that no one can accept them.

    I feel at a minimum xHosts should be refunding the accounts if they are now unable to honor them.

    Who is going to risk having to provide this intrusive level of ID (probably more extensive than required to get a passport) for a hosting account which costs $5.
    I am not sure anyone would provide the requested level of ID for any hosting account whatever the original cost be it $5 or $100.

    It makes me wonder what is going on behind the scenes that has made what appears to have been a well respected and reviewed host to have to suddenly ask for ID for all customers. It can't be good for business especially with so many other hosting companies to select from.

  • KYC after payment and after half a year for "lifetime" plan is a great way to passive aggressively ousting customers. Obvious abuse of hosting malware or sending spam of course need to be booted but panel login from different region is a valid use case for anyone using vpn, ain't no one going to remember to turn off their vpn just for login to your panel. I got an account but ain't gonna dox myself sending passport scan and whatnot. Shame though, stack is really good for mail hosting.

    Thanked by 1WyvernCo
  • @brown2 said:
    I feel I have dodged a bullet not signing up when I could have.

    Respect to xHosts for giving customers some notice of the new requirements in advance but in my opinion it is out of order to sell a product with one set of terms and then later change the terms making it so egregious that no one can accept them.

    I feel at a minimum xHosts should be refunding the accounts if they are now unable to honor them.

    Who is going to risk having to provide this intrusive level of ID (probably more extensive than required to get a passport) for a hosting account which costs $5.
    I am not sure anyone would provide the requested level of ID for any hosting account whatever the original cost be it $5 or $100.

    It makes me wonder what is going on behind the scenes that has made what appears to have been a well respected and reviewed host to have to suddenly ask for ID for all customers. It can't be good for business especially with so many other hosting companies to select from.

    I don't think xHosts is cancelling existing lifetime accounts that don't accept KYC document submissions. They already paid in full and fulfilled all the terms at the time of signup.

  • zed Member

    @JosephF said:

    @brown2 said:
    I feel I have dodged a bullet not signing up when I could have.

    Respect to xHosts for giving customers some notice of the new requirements in advance but in my opinion it is out of order to sell a product with one set of terms and then later change the terms making it so egregious that no one can accept them.

    I feel at a minimum xHosts should be refunding the accounts if they are now unable to honor them.

    Who is going to risk having to provide this intrusive level of ID (probably more extensive than required to get a passport) for a hosting account which costs $5.
    I am not sure anyone would provide the requested level of ID for any hosting account whatever the original cost be it $5 or $100.

    It makes me wonder what is going on behind the scenes that has made what appears to have been a well respected and reviewed host to have to suddenly ask for ID for all customers. It can't be good for business especially with so many other hosting companies to select from.

    I don't think xHosts is cancelling existing lifetime accounts that don't accept KYC document submissions. They already paid in full and fulfilled all the terms at the time of signup.

    https://lowendtalk.com/discussion/214694/received-an-id-verification-mail-from-xhosts

    Thanked by 1forest
  • @hyperblast said:

    @MaxTakeba said:

    @Ssre said:

    @LordSpock said:
    LowEndHosts are not the people to be handing this data to - especially as they are fond of fibbing and many have quite patchy histories at best...

    The host only lists a po box/virtual office on their site too, not their registered company address. Looks like this violates Companies Act 2006, even more so as it implies a different place of registration (Scotland instead of England) where different laws can apply.

    They seem to value their privacy, I wonder if a customer can ask the provider to perform KYC too? :D

    KYC... Know your company.

    @AS203446

    why do you care so much about them? at this point it just makes you seem obsessive. of course the ddos mitigation provider isn't going to list their address or whatever on their site, are you just entirely unfamiliar with the industry or something? you've been consistently weird about this for months now

  • host_c Patron Provider, Top Host, Megathread Squad
    edited February 22

    @barbaros said: If Stripe fucks up and leaks my data, I do know who to go after.

    :D :D

    I’m genuinely curious to see how that plays out. I really am.

    How much compensation do you realistically expect from Stripe — or any major payment processor — when (and let’s be honest, it’s when, not if) they suffer a data breach?

    In just the last two weeks, over 1.2 billion accounts were leaked from major companies worldwide. I didn’t see anyone here calling for them to shut down or implement extreme KYC everywhere.

    Let’s be realistic.

    If the goal is to reduce fraud and abuse, blanket KYC is not the silver bullet. - Never was, nor it has that scope.

    If you truly want to clean up the base:

    • Implement proper order-layer filtering (MaxMind, FraudLabs, IP reputation, ASN filtering, velocity rules).
    • Yes — sometimes you ban high-risk countries. It is what it is.
    • Re-run fraud screening on recurring invoices (this alone can wipe out ~70% of what slipped through initially).
    • Rate-limit payment attempts aggressively.
    • Block abusers before they ever reach the payment gateway - that is the key way

    For example:

    3,500+ fraud attempts
    Around 150 legitimate orders
    Single users making 300+ failed payment attempts for one $5 invoice

    That’s not a Stripe problem.
    Not PayPal. Not Revolut. Not any processor.
    That’s an order-layer control problem.

    They all do what you set them up to do, process a payment, not their problem that the payee is a sketchy 14 year old with 45000 rows of Excel containing stolen credit card data - good for the kid, bravo!

    You can enable 3DS (and yes, pay the extra percentage), but it won’t stop bot-driven order abuse. Once a malicious actor reaches the payment link, you’ve already lost. And yes — you’ll eat the $20 dispute fee 90% of the time, as in that case the “customer” claims are true, they did get 5 or 7 or whatever USD stolen.

    yet....

    If someone’s card data gets compromised, that’s unfortunate — but the responsibility chain starts with the issuer, the cardholder, and the security of that payment instrument. It cannot automatically default to “merchant fault” simply because the merchant accepted a properly authorized payment.

    This is exactly why prevention before checkout is critical.

    The real fix is preventing bad actors from ever touching checkout.

    KYC is a very heavy hammer for what is fundamentally a filtering problem.

    You can do KYC — and in certain business models, you should.

    But once you go full KYC, you’re no longer really operating in this market segment. You’ll outgrow this place by a mile — and by the time you reach that level, you won’t be fighting $5 fraud payments anymore.

    You’ll be dealing with entirely different challenges.

    Low-end / promo / impulse-buy markets and full KYC do not coexist comfortably.

    May you reach that level soon.
    May we all at some point.

    <3 HOST-C

    Thanked by 4tentor buggedout jsg rpqu
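An added example, not part of the post above or any provider's code: a minimal order-layer velocity gate of the kind the post lists (velocity rules, rate-limited payment attempts), replayed over a constructed version of its "300+ failed payment attempts for one $5 invoice" case. The limits, class name, field names and sample events are assumptions for illustration.

```python
from collections import defaultdict, deque

# Assumed limits (max attempts, window in seconds); tune against your own order data.
RULES = {
    "invoice": (5, 3600),   # payment attempts per invoice per hour
    "account": (8, 3600),   # payment attempts per account per hour
    "ip":      (10, 600),   # payment attempts per source IP per 10 minutes
}

class OrderGate:
    """Sliding-window velocity check that runs before the payment gateway."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.seen = defaultdict(deque)  # (dimension, value) -> forwarded timestamps
        self.blocked = set()            # keys that tripped a rule, held for review

    def allow(self, now, **dims):
        """Return (True, None) to forward to the gateway, else (False, reason)."""
        keys = [(d, v) for d, v in dims.items() if d in self.rules]
        for key in keys:
            if key in self.blocked:
                return False, f"blocked:{key[0]}"
        for key in keys:
            limit, window = self.rules[key[0]]
            q = self.seen[key]
            while q and now - q[0] >= window:   # drop attempts outside the window
                q.popleft()
            if len(q) >= limit:
                self.blocked.add(key)           # never reaches the payment link again
                return False, f"velocity:{key[0]}"
        for key in keys:                        # record only attempts we forward
            self.seen[key].append(now)
        return True, None

def replay(events, gate=None):
    gate = gate or OrderGate()
    forwarded, reasons = 0, defaultdict(int)
    for now, dims in events:
        ok, reason = gate.allow(now, **dims)
        forwarded += ok
        if not ok:
            reasons[reason] += 1
    return forwarded, dict(reasons)

# Constructed samples: 300 attempts on one invoice with the source IP rotating
# every 20 attempts, and a legitimate customer retrying twice after a typo.
CARD_TESTING = [(i * 2, {"invoice": "INV-1001", "account": "acct-77",
                         "ip": f"198.51.100.{i // 20}"}) for i in range(300)]
LEGIT = [(t, {"invoice": "INV-2002", "account": "acct-12", "ip": "203.0.113.9"})
         for t in (0, 40, 95)]
```

On the constructed card-testing run the processor sees 5 attempts instead of 300, and rotating IPs does not help because the invoice and account keys are checked independently of the IP key.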
  • host_chost_c Patron Provider, Top Host, Megathread Squad
    edited February 22

    @Neoon said:

    @krobzow said:
    So, KYC for a £2 plan?

    This is brilliant, actually.
    It costs them €1.25 for each verification, given he paid him 2 british rupies.

    He clearly makes a loss if he verifies.
    The bet is probably, he doesn't verify.

    Plus, he gets rid of someone, saves him money in the long term.
    Usually you would roll out such change for new customers, not existing ones.

    But it's a good way to get rid of customers.

    It has nothing to do with “getting rid of customers.”

    Abusers and services paid with stolen cards were never customers in the first place — unless that’s the provider’s operating model, which I doubt is the case here. - yet I might be wrong, so enlighten me in that case.

    Abuse levels are increasing every quarter. That’s just reality. So yes, some providers are implementing stricter rules — and honestly, they should.

    The basic rule of acquisition is simple:

    Provider delivers → buyer pays.

    If fraud sits in between those two steps, then it’s no longer a valid contract. It’s abuse of the system.

    Do enforcement measures sometimes affect a small percentage of legitimate customers? Yes. That’s unavoidable with any anti-fraud system, regardless of the type.

    But aside from minor inconvenience, legitimate customers have nothing to worry about.

    In fact, customers who have previously had their data stolen will likely appreciate that a provider is actively trying to reduce fraud and abuse in their ecosystem. - Fyck, I would, and so would a lot of you, so be sincere here.

    This isn’t about pushing people out.

    It’s about maintaining operational stability sanity in a market segment that is increasingly always targeted by automated fraud, especially the cheap IT markets.

    Thanked by 2jsg ScreenReader
  • @host_c said: How much compensation do you realistically expect

    It is 0. One thing is to be a keyboard ninja, another thing is to go out and try to launch a legal claim against a company. I guess the point here may be one would trust a mammoth more than unknown elephanto but reality is they are all prone to hacking and leaking.

    Thanked by 1host_c