New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
It's one google search away. I've never used Stripe Identity myself, but it does read like you do see everything.
https://docs.stripe.com/identity/access-verification-results
https://docs.stripe.com/identity/verification-checks?type=selfie
As I said before, "I know we're being pushed ever closer to the inevitable future where privacy no longer exists, but let's not pretend that everyone is happy about it too."
In the mean time, I'll continue to push back where practical and avoid services which require me to sacrifice my ever rapidly depleting privacy.
OK, found it.
To be honest, I don’t even remember seeing that option back in 2023-2024 when we were using Stripe, not that I had any interest in handling that type of data anyway.
As the documentation shows, access to sensitive verification data has to be explicitly configured. It’s not something that just appears in the dashboard by default, so that is why I did not see any of it.... glad.
Thanks for the heads up.
That said, I personally wouldn’t store that kind of data in-house under any circumstances. The legal, compliance, and retention implications alone are a fuqing nightmare.
So your electricity provider has your ID, your mobile carrier has your ID, your bank certainly does, water utility, ISP, government agencies and the list goes on.
And not all of those systems are exactly shining examples of cutting-edge security with 2FA + FIDO2 + Fingerprint scanners when one logs into their desktop.
If KYC is required, I’d rather rely on a specialized third-party operator and limit our system to receiving only a verification result. That keeps the risk significantly smaller.
I also acknowledge the fact that who handles the data, how it’s secured, and why it’s collected is the problem of most, that has no correct answer for now.
Crypto, stolen payment forms and fake accounts will not solve your issue, might briefly for some, but that is not the solution.... what is.... I will let you know when I find it, but none of these are - that is a fact.
That ended on the day you logged in and created your first e-mail account. - it is sadly the truth, so cope with it, or get a push button phone and live off the grid.
But I respect your option.
All that being said, from my perspective this discussion is about abuse prevention ( regardless of its form ) and why some providers choose to implement stricter measures.
This is not about collecting data for fun.
It’s about reducing operational risk from my point of view.
My focus here was strictly on abuse prevention and operational risk, differences between them and solutions that can be implemented — not on expanding the philosophical debate around data privacy. ( Different discussion entirely, and I am not interested )
Personally, I don’t care about the document itself.
I care about a GO / NO GO decision on the order. - can I or should I not take the fella to the payment gateway?
My personal target? Zero.
Will it ever be literally zero? Of course not.
But the mindset matters.
Every operator chooses their tolerance level:
How much fraud is acceptable?
How much friction is acceptable?
What type of customer base do they want long-term? - this matters a lot in my view.
That defines the trajectory of the business.
A model built around low cost + high abuse + constant firefighting is not something I see thriving in 10 years. It survives quarter to quarter. - ain't aiming for that, if that was part of your question.
That may sound old-school to some.
But sustainable businesses are built on controlled risk, not perpetual damage control. ( or as controlled as possible )
I’ll leave the broader debate about who holds your ID and what they do with it to others — that’s a rabbit hole I’m not interested in pursuing.
Cheers!!!
I guess the "problem" here is that there are two - very different - perspectives here.
A provider's and a customer's.
While not only being a customer myself plus also very concerned about privacy I do understand and accept that a provider also has legitimate concerns which can't be just brushed away.
"Funnily" neither the normal honest customer nor the normal decent provider is the guilty party! So it makes absolutely no sense to "attack" each other.
The actual enemies are others and at the end of the day the problem boils down to greed, "pro-active curiosity" (hacking), stupidity and human weakness and clueless and not really interested politsters and governments.
Besides, the way I see it, we customers should want and welcome providers trying to keep fraudsters out! Simple reason: fraudsters tend to abuse hosting.
Finally, kudos to @host_c for having the good will, honesty, and guts to clearly state his position and provider's problems!
Precisely @jsg
I am an operator/provider, so naturally I can only speak from my side of the problem. ( yet I am also a user to other services I pay, both as an individual and a business owner )
Users here share their perspective, and that’s completely normal. That’s exactly why I joined the discussion. - that exchange is the whole point, otherwise, most of the treads are just "popcorn".
What I notice in threads like this is that there are often many user questions and assumptions and comparatively little input from operators explaining what actually happens behind the scenes. ( at least from their operating perspective )
Why some operators choose to stay away from these discussions isn’t for me to question. Everyone decides for themselves how and where to engage.
I simply chose to participate because I believe these conversations are more productive when both perspectives are represented, also the subject in case is to an interest of mine.
And NEWS-FLASH!!! - Even among operators, we don’t all agree. We run different models, accept different risks, target different markets. That diversity is normal and healthy.
Topics like this shouldn’t turn into attacking each other. They should be debates between two sides of the same ecosystem.
Not insults. Not assumptions - Just pure facts. ( and the occasional memes
)
An exchange of opinions that are ideally backed by facts and real operational and/or user experience.
That’s how both sides learn:
The most interesting part isn’t what decisions are made — it’s why they are made.
Understanding the “why” is where the real value lies. ( for both parties involved )
soo.. $7?
That's the reason why GDPR is a serious issue. I even remember a news about German SMEs outcry over the bureaucratic burden. These PIIs is hot potatoes and passing it to huge corporates with better resources sounds good... Is it?
It reminds me of this
They may be a corporate specializing in ID verification. But, that doesn't mean they're more compliant than you. They might share it to another party or increase the value of their existing data to be sold again. We know when they got breached, there's no repercussion to them, right? More fraud, more of their service is required. Practically analogous to DDoS business.
As for the government, agencies, ISP, banks, etc. These kind of institution rarely taken photo of your ID. What's even the purpose of the IC chip then? At most they're going to photocopy and file it along your paper application.
It's funny how no one mentioned KYC fraud (as in identity theft). So, what's an approach? More KYC to fight fraudulent KYC? Sounds like useless waste of time and senseless privacy sacrifice.
I'm afraid there's also another factor involved: trust, or more precisely, lack thereof.
And I understand that - from both sides.
How can customers just trust providers when they at least seem to "learn" again and again that e.g. Stripe actually pass PI and even documents on to providers?
How can providers trust any new customer (or "customer") when they experience lots of fraud attempts?
The real solution, to punish, and in case of repetition to severely punish criminal activity and to provide sensible laws and reasonably competent police unfortunately isn't available/feasible in many modern democracies. So, all the concerned parties (have to) come up with solution approaches themselves - and those approaches naturally focus on one's own priorities.
Can we "return" to trust? My personal response based on over 20 years of hosting experience (as a customer) is "yes, but carefully". I have been scammed or defrauded less than 5 times during over 20 years. But I also have relative good "sensors" and am not trusting blindly.
For providers it's a lot harder though I guess.
Well, they would definitely be more competent the any of us, as that is what they do. Yet you are right, if they are incompetent, that is a whole other story.
PS: I have a new story, from QNAP premium, oh boy, now these are the worst I have ever seen, but more on that another time.
Now that was something that until the fellas here showed me, I have never thought that can actually happen, what the fuq for.... actually why the fuq.... no wait, I have to re-phrase that....
For what the fuq should any operator get it's hands on personal documents of users. I see no logic in that, it is a risk exposure that should not exist in the first place.
I see KYC as a service that I pay so I don't have to deal with the security headache of protecting and safe guarding the mis-use of that information in the first place.
Again, I just want a god damn GO/NO-GO and that is all, that is all we as operators should touch. We did not should not implement KYC to have access to that type of information. I am not fine with that sincerely.
Yet, that is my opinion, feel free to bring the pitch-forks.
Because identity theft is less stable than trading identity with the identity owner...
Take for example the singapore sim crackdown which limits sim to only 10. Mule traders would pay youngsters 12 or 20SGD per registered sim card
And average wage in SG is around $4350/m
So, people could have obtained matching banking details + sim + selfie for really cheap with low income country.
You mean this?
BIGGEST STORY: IDMerit — ~1 Billion Identity Records Exposed
This is the most significant recent development. Cybersecurity researchers uncovered a massive unsecured MongoDB database belonging to IDMerit, an AI-powered KYC (Know Your Customer) identity verification provider. The exposed 1 TB database contained roughly 3 billion records, approximately 1 billion of which included sensitive personal data spanning 26 countries. The leaked data included full names, addresses, dates of birth, national IDs, phone numbers, and email addresses. The US was the most affected with over 203 million records, followed by Mexico, the Philippines, Germany, and Italy. Downstream risks include account takeovers, targeted phishing, credit fraud, and SIM swaps. The database was discovered on November 11, 2025, and IDMerit promptly secured it after being notified.
PS:
This is why larger doesn't mean more secure. I hope @host_c would consider doing in-house KYC, encrypted and stored inside diskette (no more hassle with GDPR, since each is dedicated to a single customer)
Nop, regarding incompetence of QNAP, yet your story beats mine by a mile
1-1 - it seems we have a tie
Fair enough
Bonus meme
There's nothing wrong with using LLMs to help correct and format your texts, or to even translate them completely. However, your LLM is, with or without your knowledge, taking considerable liberties. I doubt you yourself are regularly ending your arguments as "X, not Y" or giving loquacious but superficial analyses of subjects that are besides the main point, for example. Your LLM is changing the meaning of what you are writing, or is trying to paraphrase you based on the "vibe" of what you wrote.
A more literal translation would have made it easier for everyone to come to the conclusion that:
And we could have done that without multi-paragraph side discussions about unicorn beer as a result of the AI's context window being too small to realize that the very thing it confidently hallucinated was impossible was not only possible, but is the norm and was discussed a single page back.
LLMs are great, but perhaps prompt it with something like:
Operators will always be handling PII. In the GDPR, operators will still be the Data Controller. There's no way around that. The best that can be done is to minimize your own exposure to customer PII, focusing on privacy-preserving fraud detection techniques. And taking steps to make your platform less attractive to scammers, phishers, etc. All of that can be done without any invasion of privacy (either by yourself or by a huge corporation that is bound to keep getting breached).
I would reserve KYC only for very larger orders where your own money is on the line so you don't end up buying thousands of dollars in new server parts for a dedi customer who paid you with something that will end up getting frozen (basically, don't do what Calin did, buying over $22k worth of servers for a fraudulent customer just to have all $22k frozen by the bank).
That was for "Fruits and Vegetables" as I recall, maybe digital Fruits and Vegetables???
KYC has it's use case, yet for the average JOE operator, fraud detection will work just as fine.
As I said before, the fella should remain in Fairy Land and not reach the checkout in the first place. I could not care less about he's ID, I am just not that interested and have other things to do on a daily basis.
To the fella that recognizes this, nice try,
And yes, I genuinely appreciate the ticket you opened. Your account has also been deleted by now.
Next time, maybe don’t place the order from the Moon, as I recall Mars has a lovely internet cafe, you might have better luck there.
I have shown the above as an example that for the basic stuff, you do not need KYC necessarily. The fella in question never reached the the checkout.
Mentally strong people must fight against KYC!
Looks like my $4 or something service is also included in this, while the strange part is I haven't received any updates or email asking me to provide kyc or such. Especially if it's related to "Abuse" I mean I did payment with my Amex using stripe link that in itself proves that the account is atleast real. I mean if my service is also suspended for KYC purpose, I can supply my cc statement with that exact charge but supplying my selfie+govt issued id over $4 service isn't something I would feel comfortable with. Anyways I have opened the ticket regarding the suspension reason if it's for KYC I would just ask them to unsuspend the account for a day or two so I can move everything to namecrane(been years with buyshared no issues so far except SG node going haywire occassionally). Let's see how will it unfold for me.
So my guess was correct, it was indeed suspended for "KYC", saying that they have mailed me multiple times, and I am way past the verification window, and no further KYC is needed, and I am to boot off from their services. I am just curious about how i havene't received any email regarding any deadline for the said KYC(as if I was going to do that), looks like a deliberate attempt to cut off all non-revenue generating services/clients. They could have asked nicely i would have done that over an email if they could have stated in a mail that they are phasing out the product/service and i should move somewhere else. Saving some time for everyone involved. Well i am off to deploying backups to somewhere else, and see how everything is performing on new server.
..and mentally fit
I can't decide if this was most or least clever way to clean out the lifetimers.
This is not about clearing out lifetime packages.
Each verification attempt—whether successful or not—costs £1.25, so if the intention was simply to remove accounts, there would have been much easier ways to do so, such as issuing notices or providing other reasons.
Our goal is to keep the platform safe and secure for all customers. Whether a client is on a one-time lifetime plan or a monthly subscription, all customers are treated equally and subject to the same verification and security processes.
These measures are being implemented purely to protect the platform and its users.
Absolutely. Are you refunding their 3 bucks or whatever? (genuinely don't know the amount, wild guess)
I think the deal was £3.50 if memory serves me, but whatever.
But how do you calculate refund on a lifetime? If a user had the service for 6 months or whatever and then gets cancelled, how much should be deducted for the time they had the service?
This is a hypothetical discussion since xhosts refund policy clearly states, and I quote: "We do not offer refunds once a service has been activated, under any circumstances."
You mean making up reasons?
I don't know how you'd calculate it but that's partly why I asked, because it seems more complicated than it's worth. Also because I suspect(ed) the answer was no anyway of course.
It's even more hypothetical than that because I'd never put myself in this situation! I don't do lifetimes generally, and I definitely don't buy services from people who are so blatant about keeping my money no matter what.
Not directly related, but would you believe I've never been burnt by a host here on LET? The handful of times a service wasn't up to my expectations I've been refunded. One vendor even refunded me the full amount for 2 separate services that were 5 and 7 months into annuals.
I'm just great at picking hosts I guess!
edit: in fairness to @xhosts he may not have seen that because I edited it after posting and added the tag (and just did it again ugh), don't want anyone to think he's just avoiding the question sorry man!
In a hypothetical scenario, providers may take such actions. However, we have already given all customers in the first batch a fair opportunity to complete the process.
It is important to understand that not all KYC verification failures are the same. In some cases, the issue may be minor — for example, a mistyped email address or phone number — which can usually be corrected without much difficulty.
In other cases, however, the reason for the failed verification may be more significant. When the issue raises more serious concerns, it cannot simply be overlooked or ignored.
There have been a range of reasons why some KYC checks have failed. I hope you can understand that I will not be sharing the specific reasons for individual failures publicly, as disclosing that type of information could create additional risks.
Annual customers will receive a proportional refund based on the remaining time on their service. For example, if an account has five months remaining, that unused portion will be refunded. These refunds will be processed as I work through the list of affected accounts.
Lifetime accounts are different and cannot be calculated in the same way. As an example, we had a customer who purchased one of the first lifetime accounts back in 2023. Recently, that account was used to attempt to send spam, and the service was suspended due to abuse. We still offered the customer a backup of their data to ensure nothing important was lost.
Despite this, the customer demanded a refund and continued to open support tickets daily for two weeks, as well as sending messages through WhatsApp and social media. The account in question was over three years old and originally cost £3.50.
If refunds were issued for lifetime accounts, it would create a precedent. To treat all customers fairly, there would need to be a clear cut-off point — and realistically, there is no fair or consistent way to establish one for lifetime services.
Just terminate my shit mate, I don't care. I'm not willing to sell my soul to you