xHosts UK "security and abuse-prevention update"

135

Comments

  • @host_c You are absolutely right in your suggestions.

    They will do this to lifetime plans first.
    Because lifetime plans don't offer any return, and StackCP is constantly increasing its prices.
    In this situation, the provider will gradually close accounts one by one, using this as an excuse.
    That's my opinion. StackCP usually sends a notification and suspends a very large number of accounts. The provider can contact the user and request this. But if this happens to everyone, it's certain that it will be as I said.
    The first eliminations will be for lifetime plans, and this number will decrease.
    What happens after that is unknown.
    That's my opinion.

    Thanked by 1host_c
  • StackCP has not been aggressively increasing pricing.

  • @JosephF said:
    StackCP has not been aggressively increasing pricing.

    If we consider this situation from the seller's perspective in terms of lifetime services...

  • @memok said:

    @JosephF said:
    StackCP has not been aggressively increasing pricing.

    If we consider this situation from the seller's perspective in terms of lifetime services...

    The prices look the same as last year.

  • host_c Patron Provider, Top Host, Megathread Squad

    @JohnFilch123 said:

    @host_c said: How much compensation do you realistically expect

    It is 0. One thing is to be a keyboard ninja, another thing is to go out and try to launch a legal claim against a company. I guess the point here may be one would trust a mammoth more than unknown elephanto but reality is they are all prone to hacking and leaking.

    Precisely :+1:

    Thanked by 1JohnFilch123
  • @MatthewM said:

    @memok said:

    @JosephF said:
    StackCP has not been aggressively increasing pricing.

    If we consider this situation from the seller's perspective in terms of lifetime services...

    The prices look the same as last year.

    Prices haven't increased yet. But prices will definitely increase with lifetime plans. 20i will definitely raise prices. Imagine you bought a lifetime package.

  • jsg Member, Resident Benchmarker

    @host_c said:

    @barbaros said: If Stripe fucks up and leaks my data, I do know who to go after.

    :D :D

    I’m genuinely curious to see how that plays out. I really am.

    How much compensation do you realistically expect from Stripe — or any major payment processor — when (and let’s be honest, it’s when, not if) they suffer a data breach?

    In just the last two weeks, over 1.2 billion accounts were leaked from major companies worldwide. I didn’t see anyone here calling for them to shut down or implement extreme KYC everywhere.

    Let’s be realistic.

    If the goal is to reduce fraud and abuse, blanket KYC is not the silver bullet. - Never was, nor does it have that scope.

    If you truly want to clean up the base:

    Implement proper order-layer filtering (MaxMind, FraudLabs, IP reputation, ASN filtering, velocity rules).

    Yes — sometimes you ban high-risk countries. It is what it is.

    Re-run fraud screening on recurring invoices (this alone can wipe out ~70% of what slipped through initially).

    Rate-limit payment attempts aggressively.

    Block abusers before they ever reach the payment gateway - that is the key way

    For example:

    3,500+ fraud attempts
    Around 150 legitimate orders
    Single users making 300+ failed payment attempts for one $5 invoice

    That’s not a Stripe problem.
    Not PayPal. Not Revolut. Not any processor.
    That’s an order-layer control problem.

    They all do what you set them up to do, process a payment, not their problem that the payee is a sketchy 14-year-old with 45000 rows of Excel containing stolen credit card data - good for the kid, bravo!

    You can enable 3DS (and yes, pay the extra percentage), but it won’t stop bot-driven order abuse. Once a malicious actor reaches the payment link, you’ve already lost. And yes — you’ll eat the $20 dispute fee 90% of the time, as in that case the “customer” claims are true, they did get 5 or 7 or whatever USD stolen.

    yet....

    If someone’s card data gets compromised, that’s unfortunate — but the responsibility chain starts with the issuer, the cardholder, and the security of that payment instrument. It cannot automatically default to “merchant fault” simply because the merchant accepted a properly authorized payment.

    This is exactly why prevention before checkout is critical.

    The real fix is preventing bad actors from ever touching checkout.

    KYC is a very heavy hammer for what is fundamentally a filtering problem.

    You can do KYC — and in certain business models, you should.

    But once you go full KYC, you’re no longer really operating in this market segment. You’ll outgrow this place by a mile — and by the time you reach that level, you won’t be fighting $5 fraud payments anymore.

    You’ll be dealing with entirely different challenges.

    Low-end / promo / impulse-buy markets and full KYC do not coexist comfortably.

    May you reach that level soon.
    May we all at some point.

    <3 HOST-C

    WUT?! Return to reason and thinking realistically? I call HERESY!. And to make it worse, sorry but I have to spill the beans: you also do not vibe-config your nodes! * stern gaze

    Thanked by 1host_c
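
The order-layer controls listed in the quoted post above (velocity rules, rate-limited payment attempts, blocking before the gateway) can be sketched as a sliding-window gate. This is an added example, not code from any poster or provider in the thread; the class and field names, the thresholds and the sample events are all constructed assumptions.

```python
from __future__ import annotations

from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: float        # seconds; any monotonic clock works
    account: str
    ip: str
    invoice: str
    card_fp: str     # opaque card fingerprint, never the card number


class VelocityGate:
    """Sliding-window checks evaluated before an attempt is sent to the gateway.

    All thresholds are illustrative assumptions; tune them against real order data.
    """

    def __init__(self, window=3600, max_fails_per_invoice=5,
                 max_attempts_per_ip=10, max_cards_per_account=3):
        self.window = window
        self.max_fails_per_invoice = max_fails_per_invoice
        self.max_attempts_per_ip = max_attempts_per_ip
        self.max_cards_per_account = max_cards_per_account
        self._fails = defaultdict(deque)   # invoice -> failure timestamps
        self._by_ip = defaultdict(deque)   # ip -> forwarded-attempt timestamps
        self._cards = defaultdict(deque)   # account -> (timestamp, card_fp)

    def _prune(self, dq, now, key=lambda item: item):
        # Drop entries that have aged out of the window.
        while dq and key(dq[0]) <= now - self.window:
            dq.popleft()

    def check(self, a: Attempt) -> tuple[bool, str]:
        """Return (allowed, reason). Only allowed attempts may reach the gateway."""
        fails = self._fails[a.invoice]
        by_ip = self._by_ip[a.ip]
        cards = self._cards[a.account]
        self._prune(fails, a.ts)
        self._prune(by_ip, a.ts)
        self._prune(cards, a.ts, key=lambda item: item[0])

        if len(fails) >= self.max_fails_per_invoice:
            return False, "invoice_failure_cap"
        if len(by_ip) >= self.max_attempts_per_ip:
            return False, "ip_velocity"
        # Many distinct cards on one account inside the window is a card-testing signal.
        if len({fp for _, fp in cards} | {a.card_fp}) > self.max_cards_per_account:
            return False, "card_cycling"

        by_ip.append(a.ts)
        cards.append((a.ts, a.card_fp))
        return True, "ok"

    def record_failure(self, a: Attempt) -> None:
        """Call when the gateway declines an attempt that was forwarded."""
        self._fails[a.invoice].append(a.ts)


def replay(events, gate=None):
    """Run (Attempt, gateway_ok) pairs through the gate in time order."""
    if gate is None:
        gate = VelocityGate()
    forwarded, blocked = 0, Counter()
    for attempt, gateway_ok in sorted(events, key=lambda e: e[0].ts):
        allowed, reason = gate.check(attempt)
        if not allowed:
            blocked[reason] += 1
            continue
        forwarded += 1
        if not gateway_ok:
            gate.record_failure(attempt)
    return {"forwarded": forwarded, "blocked": dict(blocked)}


def constructed_events():
    """Constructed sample data: two abuse patterns and one normal order."""
    events = []
    # One account hammering a single invoice 300 times with a new card each time.
    for i in range(300):
        events.append((Attempt(i, "acct-bot", "203.0.113.7", "INV-1001", f"fp-{i}"), False))
    # One account retrying the same declined card 20 times on one invoice.
    for i in range(20):
        events.append((Attempt(400 + i * 10, "acct-retry", "198.51.100.9", "INV-1002", "fp-same"), False))
    # A normal customer paying once.
    events.append((Attempt(1000, "acct-ok", "192.0.2.44", "INV-1003", "fp-ok"), True))
    return events


if __name__ == "__main__":
    print(replay(constructed_events()))
```

Of the 321 constructed attempts only 9 reach the gateway, so the processor never sees the other 312.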
  • host_c Patron Provider, Top Host, Megathread Squad

    @JohnFilch123 said:

    @host_c said: How much compensation do you realistically expect

    It is 0. One thing is to be a keyboard ninja, another thing is to go out and try to launch a legal claim against a company. I guess the point here may be one would trust a mammoth more than unknown elephanto but reality is they are all prone to hacking and leaking.

    Precisely :+1:

    @jsg said: WUT?! Return to reason and thinking realistically? I call HERESY!. And to make it worse, sorry but I have to spill the beans: you also do not vibe-config your nodes! * stern gaze

    I’m old-school: RFCs > vibes. B) :D o:) >:)

    @memok said:
    @host_c You are absolutely right in your suggestions.

    They will do this to lifetime plans first.
    Because lifetime plans don't offer any return, and StackCP is constantly increasing its prices.
    In this situation, the provider will gradually close accounts one by one, using this as an excuse.
    That's my opinion. StackCP usually sends a notification and suspends a very large number of accounts. The provider can contact the user and request this. But if this happens to everyone, it's certain that it will be as I said.
    The first eliminations will be for lifetime plans, and this number will decrease.
    What happens after that is unknown.
    That's my opinion.

    Fair point.

    Now, if we are talking about lifetime plans, since you brought that up....

    Let me be the elephant jackass in the room and raise a simple question:

    Why do people expect a product to have a lifecycle longer than 3 years? Honestly?

    No offense to anyone — but a lot of the frustration comes from unrealistic expectations. And when those expectations aren’t met (regardless of the time-frame), disappointment turns into anger. - aka you are pissed off :D :D

    Let’s look at normal market behavior:

    Mobile subscription contracts → typically 1 to 2 years.

    A car model generation → 3 years, maybe 4 before refresh.

    A specific smartphone model → sold actively for about 1 to 2 years. After that, it’s leftover stock.

    Why should hosting — be somehow immune to lifecycle realities?

    If it lasts longer than 3 years? Perfect.

    Expecting any product — to remain unchanged indefinitely isn’t aligned with how modern markets operate. - aka you live in fairy-land and get high on unicorn tears.

    Yet you are right, if it says lifetime, it should remain lifetime.
    But what is lifetime????

    • Human Lifetime?? perfect, now from what part of the globe as not all of us live as much as others.
    • Lifetime of the company? - perfect, in that case you will see deadpools every 3-4 years.
    • Lifetime of an insect???

    See where I am going with this? That is extremely subjective and undefined, open to interpretation on both sides.

    A realistic and correct approach would be to ban those types of offers.

    But enough of that for now, let's bring the pitchforks and kick xHosts in the nuts for trying to clean out the room of "questionable gentlemen".

    @xHosts — if it makes any difference, you absolutely have the right as a provider to double or triple-check any account that appears suspicious of abuse, regardless of the verification method used.

    At the end of the day, it’s your infrastructure, your risk exposure, and your agreements with upstream providers and payment processors.

    Taking additional steps when something looks off isn’t “getting rid of customers” — it’s responsible operation in my view, and legitimate users shouldn’t feel threatened by reasonable verification.

    Cheers!!!

    Thanked by 2memok jsg
  • @memok said:

    @MatthewM said:

    @memok said:

    @JosephF said:
    StackCP has not been aggressively increasing pricing.

    If we consider this situation from the seller's perspective in terms of lifetime services...

    The prices look the same as last year.

    Prices haven't increased yet. But prices will definitely increase with lifetime plans. 20i will definitely raise prices. Imagine you bought a lifetime package.

    20i does not sell lifetime packages.

    Thanked by 1host_c
  • @JosephF said:

    @memok said:

    @MatthewM said:

    @memok said:

    @JosephF said:
    StackCP has not been aggressively increasing pricing.

    If we consider this situation from the seller's perspective in terms of lifetime services...

    The prices look the same as last year.

    Prices haven't increased yet. But prices will definitely increase with lifetime plans. 20i will definitely raise prices. Imagine you bought a lifetime package.

    20i does not sell lifetime packages.

    The relevant company sold lifetime Hosting accounts
    You can find their topics by searching
    The relevant company receives stackcp service over 20i
    20i never made a lifetime plan
    You can search to see related topics

  • @memok said:

    @JosephF said:

    @memok said:

    @MatthewM said:

    @memok said:

    @JosephF said:
    StackCP has not been aggressively increasing pricing.

    If we consider this situation from the seller's perspective in terms of lifetime services...

    The prices look the same as last year.

    Prices haven't increased yet. But prices will definitely increase with lifetime plans. 20i will definitely raise prices. Imagine you bought a lifetime package.

    20i does not sell lifetime packages.

    The relevant company sold lifetime Hosting accounts
    You can find their topics by searching
    The relevant company receives stackcp service over 20i
    20i never made a lifetime plan
    You can search to see related topics

    xHosts pays 20i a monthly fee each and every month. If they stop paying 20i every month their 20i plan gets cancelled.

    xHosts, a small provider in the UK, then sells (some) lifetime plans.

  • jsg Member, Resident Benchmarker

    @host_c said:
    @xHosts — if it makes any difference, you absolutely have the right as a provider to double or triple-check any account that appears suspicious of abuse, regardless of the verification method used.

    At the end of the day, it’s your infrastructure, your risk exposure, and your agreements with upstream providers and payment processors.

    Even worse HERESY!

    Putting tens or even hundreds of thousands of $ or € into a business doesn't give any rights! ALL the rights are reserved to $5/yr customers only!!!11!

    Besides KYC is the law in many countries, and as "everybody" feels a law we don't like is [communist&woke or fascist& right wing - pick your preference] and must be fought!

    The problem in hosting is not abuse and risk, it's them damn providers who think about protecting their investment, work, company, and operations.

    10 TB NVMe storage on current Ryzen, 4 vCores, 16 GB memory and 25 Gb/s for $5/year WHEN?

    [stupid image]

    Thanked by 1host_c
  • @xHosts said: We are looking to protect the legitimate users

    Nonsense!
    You do as some known government leaders do. They cut the Internet and say that they do it to save legitimate people.

    Thanked by 1WyvernCo
  • @LordSpock said:
    LowEndHosts are not the people to be handing this data to - especially as they are fond of fibbing and many have quite patchy histories at best...

    xHosts are being dishonest here, Stripe Identity does allow a business to view the identity documents of a user and in this case the business you are verifying with actually is acting in the role of a data controller.

    That second part is unfortunate as xHosts are not, from what I can tell, registered with the ICO. Bit naughty really.

    I don't know if xHosts is being dishonest. They may just have written that falsehood out of ignorance of Stripe's features, which can happen to anyone. The answer to whether or not they are being dishonest will come from whether or not they correct the false statement now that they are aware that it is wrong.

  • rpqu Member
    edited February 23

    @host_c said:
    Fair point.
    Now, if we are talking about lifetime plans, since you brought that up....
    Let me be the elephant jackass in the room and raise a simple question:
    Why do people expect a product to have a lifecycle longer than 3 years? Honestly?
    No offense to anyone — but a lot of the frustration comes from unrealistic expectations. And when those expectations aren’t met (regardless of the time-frame), disappointment turns into anger. - aka you are pissed off :D :D
    Let’s look at normal market behavior:
    Mobile subscription contracts → typically 1 to 2 years.
    A car model generation → 3 years, maybe 4 before refresh.
    A specific smartphone model → sold actively for about 1 to 2 years. After that, it’s leftover stock.
    Why should hosting — be somehow immune to lifecycle realities?
    If it lasts longer than 3 years? Perfect.
    Expecting any product — to remain unchanged indefinitely isn’t aligned with how modern markets operate. - aka you live in fairy-land and get high on unicorn tears.
    Yet you are right, if it says lifetime, it should remain lifetime.
    But what is lifetime????

    • Human Lifetime?? perfect, now from what part of the globe as not all of us live as much as others.
    • Lifetime of the company? - perfect, in that case you will see deadpools every 3-4 years.
    • Lifetime of an insect???

    See where I am going with this? That is extremely subjective and undefined, open to interpretation on both sides.
    A realistic and correct approach would be to ban those types of offers.

    • Smartphones (even phones, if you recall the 1990-2000s) typically got a 12M warranty, but their lifespan typically exceeds 5 years, some exceed 10 years.
    • A car typically has a 1Y to 3Y basic warranty, with >=5Y engine+ warranty, free service (every 3-6 months depending on usage pattern), and a loan of typically 3-5 years (some >=8 years). And most cars retain their typical configuration. And I don't consider elementary design alteration by the design house as a "new generation" product. Most exceed 10Y, typically 20Y
    • A house has a 1m~1Y+ warranty on roofing, piping, basic functions. And it typically lasts >40Y
    • A fridge typically has a 1-2Y general warranty with a compressor warranty exceeding 10Y (some even have a 20Y or lifetime warranty)

    If a hosting "lifetime" is 3-4 years, it might as well be @VeloxMedia and its previous incarnations.
    Perhaps a lifetime "minimum" clause should be added

    Thanked by 1host_c
  • host_c Patron Provider, Top Host, Megathread Squad

    @rpqu

    You are right, my analogy with physical products was not the best, yet, you understand my point as I see.

    Thanked by 1rpqu
  • rpqu Member
    edited February 23

    @host_c said:
    @rpqu

    You are right, my analogy with physical products was not the best, yet, you understand my point as I see.

    Lifetime deals are similar to how triennial deals work. It enables young companies to grow fast, as the customer paid it upfront. And the difference with the lifetime deals: it's not limited by time. So, these young companies may find their operation to be constrained by the lifetime deals, because it's 100% loss-making beyond a certain point in time.
    Anyway, some Chinese EV car makers do offer a lifetime battery warranty. 😉

    Let me suggest this set of rules. If the host wants to execute the lifetime "minimum" (AI suggests a better description: service-life floor), I think there should be several requirements:

    • it has gone past the minimum service
    • negative cashflow for certain amount of time ( >=2 years) or imminent discontinuation (< 3 months)
    • independent verification and testimony from vendor/upstream provider/peers, ensuring there's no markup or undocumented loss-making sales

    The independent verification will be difficult since it may contain company secrets. But, when the service lifetime has gone beyond twice the minimum, the requirements should be waived.

  • Ssre Member
    edited February 23

    @host_c said:
    But aside from minor inconvenience, legitimate customers have nothing to worry about.

    In fact, customers who have previously had their data stolen will likely appreciate that a provider is actively trying to reduce fraud and abuse in their ecosystem. - Fyck, I would, and so are a lot of you, so be sincere here.

    Customers who have had their data stolen would appreciate having their data/id/biometrics shared with more third parties? Some with questionable access and retention policies?

    I know we're being pushed ever closer to the inevitable future where privacy no longer exists, but let's not pretend that everyone is happy about it too.

    Thanked by 2forest tentor
  • rpqu Member
    edited February 23

    @Ssre said:

    @host_c said:
    But aside from minor inconvenience, legitimate customers have nothing to worry about.

    In fact, customers who have previously had their data stolen will likely appreciate that a provider is actively trying to reduce fraud and abuse in their ecosystem. - Fyck, I would, and so are a lot of you, so be sincere here.

    Customers who have had their data stolen would appreciate having their data/id/biometrics shared with more third parties? Some with questionable access and retention policies?

    I know we're being pushed ever closer to the inevitable future where privacy no longer exists, but let's not pretend that everyone is happy about it too.

    Should have hit at their weakness.
    Password cycling, IP whitelist is an option, but you can't cycle your ID once it's compromised. What are you going to do? Change citizenship? That would be €60-250K
    This kind of data should be air-gapped for good.

    Thanked by 3forest host_c tentor
  • host_c Patron Provider, Top Host, Megathread Squad
    edited February 23

    @Ssre said:

    @host_c said:
    But aside from minor inconvenience, legitimate customers have nothing to worry about.

    In fact, customers who have previously had their data stolen will likely appreciate that a provider is actively trying to reduce fraud and abuse in their ecosystem. - Fyck, I would, and so are a lot of you, so be sincere here.

    Customers who have had their data stolen would appreciate having their data/id/biometrics shared with more third parties? Some with questionable access and retention policies?

    I know we're being pushed ever closer to the inevitable future where privacy no longer exists, but let's not pretend that everyone is happy about it too.

    Where did I say shared? - enlighten me please.

    I said customers would appreciate a tighter, more secure environment — not that they should be thrilled about their documents being sprayed across random third parties ( hacked provider databases, there is a difference between a KYC processor and in house KYC, more a bit down this post ).

    There’s a difference between security and data harvesting. - and you as the user can choose the provider you use.

    Now, since we’re on the topic, how exactly do you envision secure account creation and checkout in 2026?

    From where I’m sitting, there are basically two realistic paths:

    • 1 - Username + password + weak fraud filters → outcome: garbage.
      Card testing, bot abuse, disputes, suspended Stripe/PP accounts or other. I wouldn’t touch that model with a 10-foot pole.

    • 2 - Add stronger controls → layered verification, risk scoring, step-up authentication, possibly KYC when triggered → yes, more friction. But also dramatically less abuse.

    You can’t scream “privacy apocalypse” on one side and then scream “provider network is trash” on the other.

    Because guess what?

    Providers with “trash” networks usually chose option #1.

    Why do they choose option 1? Well, it might be any one of these ( or all of them ):

    • Low friction.
    • Loose filtering.
    • Hope for the best.
    • Explicit non verification based operating mode

    Security always adds friction. Always.

    Now, if we dive a bit deeper, for logins FIDO2 / WebAuthn as of today is best-in-class against phishing — but even that has downsides:

    • Account recovery becomes harder
    • Users lose keys
    • Support overhead increases
    • Conversion rates drop in B2C

    There is no magical zero-friction, zero-data, zero-risk solution. ( yet )

    So yes — some customers don’t like increased verification. That’s fair. :+1:

    But pretending you can run a low-cost, high-abuse-target industry with pure username/password and vibes is fantasy. ( damn, forgot + Unicorn Tears )

    Pick your tradeoff:

    More friction → more stability.
    Less friction → more fraud, more chargebacks, more downtime, more complaints, more shit-show

    You don’t get both perfect privacy and perfect abuse resistance in the $2 plan market.... tho some providers even apply the same rules on the promos as that is how they operate at a larger scale, while yes, they actually lose money on those purchases ( @Neoon pointed that out perfectly )

    @rpqu said: Password cycling, IP whitelist is an option, but you can't cycle your ID once it's compromised. This kind of data should be air-gapped ( hope it is none of these guys:

    That is true and that’s exactly why proper KYC implementations don’t store your raw identity documents at the provider level.

    In a correctly designed setup:

    The identity verification (ID card, selfie, SSN, etc.) is handled entirely by a specialized third-party verification provider.

    The hosting provider does not store your documents.

    The provider only receives a confirmation token or status like: “verification passed.”

    The KYC vendor handles:

    • Document validation
    • Biometric checks
    • Fraud scoring
    • Secure storage (under their regulatory framework)

    The provider’s system simply receives a yes/no result and possibly a verification reference ID.

    So no — your passport shouldn’t be sitting in some random hosting provider’s database.

    If someone is doing in-house KYC and storing raw documents locally without proper compliance structure, that’s a different discussion entirely. ( and yes, I would not trust one of these as I doubt that they have the same security structure as a KYC processor )

    Proper KYC architecture is:

    User → Verified KYC platform → Provider receives validation result only.

    The login page itself stores nothing related to identity documents.

    Thanked by 1jsg
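
The "validation result only" flow in the post above, seen from the provider's side: accept a signed callback, persist only the status and reference ID, and report any extra fields the vendor sent. This is an added example, not part of the thread and not any real vendor's API; the payload field names, the HMAC-SHA256 signing scheme and the sample values are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Hypothetical callback schema: the only fields the provider agrees to keep.
STORED_FIELDS = ("account_id", "status", "reference_id", "checked_at")
ALLOWED_STATUSES = {"verified", "failed"}


class RejectedCallback(Exception):
    """Raised when a callback must not be trusted or stored."""


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body (assumed signing scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def ingest_callback(secret: bytes, body: bytes, signature: str, store: dict):
    """Verify, minimise and persist a verification result.

    Returns (record, dropped): the stored record and the names of any extra
    fields that were discarded, so over-sharing by the vendor is visible.
    """
    # Constant-time comparison on bytes; the raw body is checked before parsing.
    if not hmac.compare_digest(sign(secret, body).encode(), signature.encode()):
        raise RejectedCallback("signature mismatch")

    payload = json.loads(body)
    if not isinstance(payload, dict):
        raise RejectedCallback("payload is not an object")
    missing = [f for f in STORED_FIELDS if f not in payload]
    if missing:
        raise RejectedCallback("missing fields: " + ", ".join(missing))
    if payload["status"] not in ALLOWED_STATUSES:
        raise RejectedCallback("unknown status")

    # Allowlist, not blocklist: anything not named in STORED_FIELDS is never written.
    record = {f: payload[f] for f in STORED_FIELDS}
    dropped = sorted(set(payload) - set(STORED_FIELDS))
    store[record["account_id"]] = record
    return record, dropped


# Constructed sample callback that carries more than a yes/no result.
SECRET = b"constructed-shared-secret"
BODY = json.dumps({
    "account_id": "acct-1042",
    "status": "verified",
    "reference_id": "ver_constructed_0001",
    "checked_at": "2026-02-23T10:00:00Z",
    "date_of_birth": "1990-01-01",
    "document_image": "<constructed placeholder, not real data>",
}).encode()


if __name__ == "__main__":
    db = {}
    rec, extra = ingest_callback(SECRET, BODY, sign(SECRET, BODY), db)
    print("stored:", rec)
    print("discarded fields:", extra)
```

A non-empty list of discarded fields is worth logging and alerting on, since it shows the vendor is sending the provider more than the result.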
  • forest Member
    edited February 23

    @host_c said: Security always adds friction. Always.

    I wouldn't call inevitable data leaks "security". It's not a matter of if KYC platforms get breached, it's when.

    Regulatory frameworks aren't there to protect our security, but to protect their liability. It's why they can't get sued into oblivion when yet another 70,000 children's names, faces, and addresses get leaked to cybercriminals.

    @host_c said: The provider only receives a confirmation token or status like: “verification passed.”

    That's untrue. With Stripe at least, the provider is allowed to see your government ID. Not good.

    @host_c said: But pretending you can run a low-cost, high-abuse-target industry with pure username/password and vibes is fantasy.

    This is why MFA is important. "Invasive biometric KYC or username/password-only authentication" is a false dichotomy.

    Thanked by 4Ssre host_c tentor VM6
  • host_c Patron Provider, Top Host, Megathread Squad
    edited February 23

    @forest said: That's untrue. With Stripe at least, the provider is allowed to see your government ID. Not good.

    I’ve never seen anything like that in the Stripe dashboard.

    I don’t see government IDs.
    I don’t even see additional sensitive data for users who made 300 failed payment attempts.

    Stripe shows what merchants are supposed to see — billing details and transaction metadata. Nothing more.

    So unless you have concrete documentation or evidence that Stripe is exposing customer government IDs to merchants in standard payment flows, I’m going to categorize that claim as internet fantasy + Unicorn Beer.

    If there’s proof, I’m happy to read it.

    @forest said: This is why 2FA is important.

    2FA is absolutely a plus. No argument there. - <3

    But it’s not unbeatable. - :'(

    2FA protects logins — it doesn’t fix:

    • Bot-driven account creation
    • Card testing
    • Stolen payment data
    • Disposable emails
    • Abuse at checkout

    TOTP codes can be phished. - hard
    SMS can be SIM-swapped. - that is even harder to do
    Email-based OTP is only as secure as the email account. - that is BS if the mail account itself does not have 2FA. - see the loophole here :D

    Even stronger methods like FIDO2 protect authentication — not fraud logic, yet, at that they kinda excel.

    But pretending that “just add 2FA” solves abuse in a low-cost, high-target environment is oversimplifying the problem. ( or not understanding the core issue )

    Login protection ≠ checkout protection ≠ fraud prevention.

    Different layers, different threats, different solutions.

    Once you start addressing them properly, friction appears. And that friction is exactly why we’re having this debate.

    EDIT:

    @forest

    MFA is about account access protection.
    KYC is about identity assurance / regulatory risk.
    Fraud filtering is about transactional abuse control.

    These are three different control planes, and we shouldn’t mix them up. Each has its own purpose, and they address different threat models.

    Not every business needs all three.
    It depends entirely on the problem you’re trying to solve.
    If you’re worried about credential theft → MFA makes sense.
    If you’re operating in a regulated or high-risk environment → KYC may be required.
    If you’re dealing with card testing and checkout abuse → fraud filtering and velocity controls are critical.

    Large-scale or higher-risk operations might implement all three.

    But treating them as interchangeable solutions is where the confusion starts.

    Thanked by 1jsg
  • forest Member
    edited February 23

    @host_c said: Stripe shows what merchants are supposed to see — billing details and transaction metadata. Nothing more.

    So unless you have concrete documentation or evidence that Stripe is exposing customer government IDs to merchants in standard payment flows, I’m going to categorize that claim as internet fantasy + Unicorn Beer.

    If there’s proof, I’m happy to read it.

    Maybe read up in this very thread. ;)

    @host_c said: Login protection ≠ checkout protection ≠ fraud prevention.

    Different layers, different threats, different solutions.

    Hm? But you were the one who was conflating the two issues earlier by comparing KYC and user/password-only authentication? After all, you were the one who just said:

    @host_c said: But pretending you can run a low-cost, high-abuse-target industry with pure username/password and vibes is fantasy.

    Anyway, it would be best not to write with AI slop, as there's little motivation to engage because it makes these kinds of mistakes in the most garrulous way possible. It's hard to know what is you and what is bot.

    Thanked by 2host_c fluffernutter
  • Ssre Member

    @host_c said:
    Where did I say shared? - enlighten me please.

    I said customers would appreciate a tighter, more secure environment — not that they should be thrilled about their documents being sprayed across random third parties ( hacked provider databases, there is a difference between a KYC processor and in house KYC, more a bit down this post ).

    In-house KYC isn't what's happening here. The provider is using a third party.

    @host_c said:
    Proper KYC architecture is:

    User → Verified KYC platform → Provider receives validation result only.

    The login page itself stores nothing related to identity documents.

    In reality, many of these KYC services retain your data for decades. Sometimes they store it to train their AI models, sometimes they'll share it with 'trusted' agents and third parties. At minimum, the provider can usually still access the documents, like in the case of Stripe.

    @host_c said:
    There’s a difference between security and data harvesting. - and you as the user can choose the provider you use.

    Right, and as a user I wouldn't use a provider that forces invasive KYC. This is an incredibly competitive market, there's always going to be another option, or just use a provider that accepts crypto.

    Thanked by 2host_c forest
  • forest Member
    edited February 23

    @Ssre said: At minimum, the provider can usually still access the documents, like in the case of Stripe.

    And even if KYC providers didn't have a history of severe data breaches, that fact alone is a serious issue, which is certainly not an "internet fantasy". Even if I trusted Stripe (I don't, and for good reason), I certainly wouldn't trust random summerhosts with my government documents which Stripe provides to them.

    In the end, it's a tradeoff between convenience for the provider (reduced fraud) and security/privacy for legitimate buyers (data breaches, enhanced risk of identity theft, etc.). No one will claim that KYC isn't helpful to providers, but the downsides to legitimate consumers must not be understated just because it's nice to have some fewer MJJs hosting nonsense.

    Thanked by 2tentor Ssre
  • Ya, Stripe basically gives access to everything, which is not good.

  • host_c Patron Provider, Top Host, Megathread Squad
    edited February 23

    @Ssre said: In-house KYC isn't what's happening here. The provider is using a third party.

    I used that as a comparison, I did not say nor imply this was the case.

    @Ssre said: In reality, many of these KYC services retain your data for decades. Sometimes they store it to train their AI models, sometimes they'll share it with 'trusted' agents and third parties. At minimum, the provider can usually still access the documents, like in the case of Stripe.

    That can be the case yes, yet, Google knows more about you than your own self, unless you have a push button phone and live off the grid for the past decade 2 decades.

    If you are implying that the data is gathered to track us or to be misused by whoever has interests, LOL, well, news flash, that is not new.

    Now imagine the same recognition done on your Google Photos (that also contain geolocation among other things). Ah yes, that is ~7 years ago, imagine the same thing with today's computational power.

    The fact that some store KYC data for years is the last of your problems.

    @Ssre said: Right, and as a user I wouldn't use a provider that forces invasive KYC. This is an incredibly competitive market, there's always going to be another option, or just use a provider that accepts crypto.

    Exactly, that was my saying also, don't like it, move on.
    If a provider’s policies don’t align with your preferences, the market gives you options. That’s the benefit of competition.

    But just because someone personally dislikes stricter verification doesn’t automatically make it evil or malicious. - it is a choice

    Account creation, login and payment are one part of the business, and a business has much much more moving parts.

    @forest said: Maybe read up in this very thread. ;)

    I did, otherwise I would have not started this conversation.

    They explicitly stated identity verification will be handled by a trusted third-party provider (Stripe Identity), and that xHosts does not receive or store identity documents itself.

    I already stated that the provider does not see or receive government ID data through standard Stripe payments, personally I have never seen anything like that in the Stripe panel/dashboard, not for normal transactions, not even for accounts with hundreds of failed payment attempts, and also not for disputes.

    That is why I categorized that statement under “internet fantasy + Unicorn Beer.”

    @Ssre

    It’s not “AI slop.” I’m simply not a native English speaker, and I run my sentences through grammar correction tools to make sure my message is clear and understandable. (Grammarly is one of them, for example)

    Clarity matters to me more than stylistic purity.

    We can switch to one of my native languages if you prefer. You have 2 to choose from.

    Thanked by 1: jsg
  • @host_c said: the provider does not see or receive government ID data through standard Stripe payments,

    Stripe itself notes on their page that the provider DOES see everything - ID, selfie, ID's data etc.

    Thanked by 2: tentor, forest
  • host_c Patron Provider, Top Host, Megathread Squad

    @JohnFilch123 said: Stripe itself notes on their page that the provider DOES see everything - ID, selfie, ID's data etc.

    Send me that link, as I did not find nor did I see any option like that.

  • rpqu Member

    @host_c said:
    If someone is doing in-house KYC and storing raw documents locally without proper compliance structure, that’s a different discussion entirely. (and yes, I would not trust one of these as I doubt that they have the same security structure as a KYC processor)

    Proper KYC architecture is:

    User → Verified KYC platform → Provider receives validation result only.

    The login page itself stores nothing related to identity documents.

    I understand, using a specialized vendor is a good practice... Until they get breached 🤪. That's the reason Discord is bleeding hard once they demand KYC.

    You have explained the usage of MaxMind, FraudLabs, ASN & country level filtering, 3DS (and the limitations). But, that's not enough to reduce the fraud-associated costs to a reasonable level? Or zero is the goal?

    Thanked by 1: tentor