Should account verification with scanned ID be necessary?

[easyhostmedia]

I agree with you that it is an inconvenience. As a user, I would try to avoid hosting companies which ask for this kind of verification. The hosting company I am using now required phone verification and I think that's OK.

yes most hosts will use telephone verification as a standard anti fraud method, but when someone ordered an expensive service such as a dedicated server, hosts will ask for photo ID and address ID as an extra security feature.

Take this as an example. You get an order for a $300 a month server from a Joe Blogs who gives his address as 1600 Pennsylvania Avenue Northwest, Washington, D.C. and he gives a valid phone number that passes telephone verification. Would you still accept this order?

 

[CeraNet]

We've been asking for ID & calling the card issuing bank for verification.

We ran into several issues of identity theft & using prepaid cards to get service up and running (most likely as part of a snowshoe spam operation or similar), so we request that the card issuing bank call their customer for verification. Once we say we think it is an issue of identity theft, they are pretty much obligated to call their customer and get 'independent' verification.

It's a pain & costly, but it is cheaper than setting up the service and dealing with the aftermath + chargebacks...

 

[Alex - A2 Hosting]

We've been asking for ID & calling the card issuing bank for verification.

We ran into several issues of identity theft & using prepaid cards to get service up and running (most likely as part of a snowshoe spam operation or similar), so we request that the card issuing bank call their customer for verification. Once we say we think it is an issue of identity theft, they are pretty much obligated to call their customer and get 'independent' verification.

It's a pain & costly, but it is cheaper than setting up the service and dealing with the aftermath + chargebacks...

Might be profitable whilst a small operation but when your dealing with thousands of signups per day would it still be viable? How do you handle that? You call their bank asking for verification, they call the customer then what happens? You call them back, they call you back?

Just seems like it isn't such a good way to handle fraud signups in my opinion, especially in a long run.

 

[easyhostmedia]

and also making all these calls will cost you money and if you do these too many times, you may find some banks or card companies like Visa refuse to deal with your company as you will become listed as a high risk

 

[CeraNet]

True it is cumbersome and somewhat costly, but we found it was more economical to have our customer service reps call to verify info than deal with the problems.

Unfortunately, we found that maxmind + call verification were missing the worst offenders who wanted to use the servers as a proxy or send out spam until we shut them down. They were using stolen identities most from the south Florida area and signing up for prepaid VISA / debit cards, then using that info to start service. True, we cannot not do this for the simple web + email hosting account at $10 per month (we just flag them as suspend until further confirmation vs checking on them), we do it for everyone ordering a dedicated or cloud server. We average 8 to 10 orders like this week & about 1/3 of them are fraud of some sort. I lump someone who uses the server for one month to send out junk as fraud.

Easyhost Media -- We've found that most every bank will work with us once they know it is suspected fraud. You are correct though, i am sure at some point we'll get flagged as a risk and need to figure out a different method. Any suggestions?

 

[easyhostmedia]

We've found that most every bank will work with us once they know it is suspected fraud. You are correct though, i am sure at some point we'll get flagged as a risk and need to figure out a different method. Any suggestions?

Yes most bank call centres will work with you as they are just advisors, but if you are calling certain banks many times a month checking on card payments as you suspect are ID theft, then when they bank does their regular audits, this will be flagged up and that particular bank can block their customers using your services, but for all you call the bank, Visa/Mastercard etc. will also be informed of these checks/reports and if you get someone like Visa block you then this will almost close down your business as MC would soon follow, which as they run approx. 95% of credit/debit cards you wont be able to accepts any of their cards through any means

 

[CeraNet]

I agree with everything you've said. However, I need to find a resolution.

Our business has been mostly managed services & custom solutions until recently. The world of retail and selling to anyone with a credit card is relatively new for us...

Any suggestions are appreciated.

Here is the best we've come up with:

1) on web + email hosting -- anything over 10 score on maxmind, no orders from the BRICK countries, and strict limits of email and services provided
2) ded / cloud - all orders without previous communications (emailing/calling with questions before they order) require third party issuing bank verification (OUR ISSUE HERE).
3) colo - no problem we have their equipment as collateral

thanks!

 

[Alex - A2 Hosting]

@CeraNet - I'd really just go with the fraud prevention systems provided by your payment gateway coupled with MaxMind miniFraud or another anti-fraud service. So I'd go against the 3rd party issuing bank verification - I can only imagine this would annoy the customer, take quite some time for each order and be quite costly.

Also anything over 10 is quite a high risk score, you should lower that a little then monitor each transaction and increase that as you go.

Taken from the MaxMind page:

At what riskScore values should I accept, reject, or manually review transactions?
There is no single recommended set of riskScore values to use for deciding whether to accept, reject, manually review, or submit transactions to complementary services for analysis. In determining what thresholds to set, you should consider the costs of chargebacks and lost goods, the cost of manual review, the cost of complementary services, and the cost of potentially rejecting good orders.

A recommended strategy is to at first only automatically accept orders under a low riskScore (e.g., 3.00), only automatically reject orders above a high riskScore (e.g., 70.00), and manually review all other transactions. After monitoring the riskScores received for the manually reviewed transactions, you can adjust the thresholds appropriately to reduce the amount of manual review required.

Below is the distribution of riskScores returned by the minFraud service across all users. You can use this data to estimate the number of orders that will be approved, rejected, or held back for review given the thresholds you set. Please note that the distribution of riskScores you observe may differ.

Approximate distribution of riskScores across all minFraud clients
riskScore range Percent of orders in range
0.10 - 4.99 90%
5.00 - 9.99 5%
10.00 - 29.99 3%
30.00 - 99.99 2%

 

[mikho]

were they will ask for verification is for dedicated servers, so high end VPS, if you are from a high risk country and fail other fraud checks.

This.

I've found that whenever a hosting company asks for this it's because some other trigger has gone of with your order. It could be that they at random pick an order to do some more checks or if the order got a Maxmind score that is not high enough to mark it as fraud but it could be.

Some providers do it on every order (first order as customer, when ordering additional servers/packages they already trust you) to be 100% sure to avoid scammers/spammers or what you call it.

 

[Dedispec]

We utilize a form of ID for many uses with our customers. If there's anything in their information that looks odd we'll politely request some form of ID. I'd say a large majority actually appreciates the checking, especially with how many Paypal accounts and credit cards get stolen.

We did recently start requesting ID verification on any IP blocks /28 or higher due to how serious spam is getting out there. We actually noticed our amount of attempted spammers dropped considerably once we implemented that practice. Our customers that are legitimate don't mind providing that either.

 

[WizzSolutions]

While scanned ID should be as a last option, Some times due to screening alert from our system we ending up to do so. Of course in most cases we will rather let the order go into the system without additional verification to allow smooth order experience for our customer. Yet, Some times its still needed unfortunately.

 

[rds100]

I believe the world is moving in a direction that will make the scanned ID verification of hosting / VPS / dedicated servers customers mandatory for everyone in the future.

Look what ICANN is doing - they want to have mandatory email and phone verification for domain owners now. I can't really fault them for this, but this is just the general direction in which things are moving. There will be less and less anonymity on the internet in the future.

 

[Shine Servers]

The rate of spammers are increased from last few years, so i guess its correct idea to have scanned copies of their identity along with Phone verification.

 

[DTN_VPS]

I believe the world is moving in a direction that will make the scanned ID verification of hosting / VPS / dedicated servers customers mandatory for everyone in the future.

Look what ICANN is doing - they want to have mandatory email and phone verification for domain owners now. I can't really fault them for this, but this is just the general direction in which things are moving. There will be less and less anonymity on the internet in the future.

True, but we cant have the best of both worlds, we cant be anon, but then we need to be confirmed because scammers will be all over it, there has to be a inbetween, but that is up to the ICANN guys i suppose.

 

[easyhostmedia]

Dont forget 'Chip and Pin cannot be breached' they kept saying, what has the scammers managed to breach 'Chip and Pin' No matter that security ICANN or others come up with and implement, you will always have someone that will find a way to breach it

 

[dedideals]

If you fail the initial system fraud check, you might get a call, but if it all looks to strange and you flag as a high risk, we want a call and ID, you never know and you have to be careful since fraud is on the rise.

 

[cpoalmighty]

I agree with easy hosting and to add to this, the more a hosting company stands to loose if you bail, is the more rigid they would (and should) be with account setups. If you are from a high risk country, you may not actually be in the business of scamming, but your location is labeled that way so hosting providers would tend to request ID in those circumstances

 

[prosecure]

We use to ask I.D Verification when the Client has payed some bigger amount to cross check the identification.