by dangrossman 4740 days ago
Keep in mind that this is about chargeback risk, not implementing some secret government policy. "Anonymizing VPNs" are a high risk service -- the people signing up for them are more often "bad guys" than tech professionals looking for privacy -- and they're signing up with stolen payment information. There are far more hackers, crackers, carders, "script kiddies", spammers and other people that need to hide their location or appear to be connecting from a different country than there are IT professionals interested in paying for extra privacy.

Adult sites, online pharmacies, ticket brokers are treated the same way, and that has nothing to do with evading the NSA. MasterCard added all internet services (the MCC -- merchant category code -- that covers ISPs) to a high risk tier earlier in the year; I got the letter from First Data in the mail myself.


> Keep in mind that this is about chargeback risk,

First, I do not think this is about chargebacks, at all. I don't know what it is about, but it's not chargebacks. This looks like a blanket revocation of anonymizing/VPN services. That isn't how fraud/risk engines work (note: I wrote several fraud/risk engines for ecommerce/banking/travel industry as well as passive device fingerprinting).

Sure, make this a riskier transaction, flag it for review. Uh oh, CC info is from Ohio, but IP is from Russia? Up the risk. Same device that is trying to conduct this transaction also tried 30 others in the past two days? Flag for review, up the risk (several hundred more etc etc).

Second, I can't think of a single thing that is legal to buy that is blanket revoked by some company like this.

Third, adult sites, online pharmacies, ticket brokers and the others are NOT treated the same way. They are treated as higher risk transactions that A. need more/closer review B. have a more comprehensive/exhaustive/deeper risk rules engine run on them. and/or C. have a special set of rules that apply specifically to that domain. The CC companies don't just turn off buying an entire domain of goods (adult, online pharmacies, ticket brokers....or VPNs), that isn't how they work.

If true, this smells of something different.
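The comment above sketches how a per-transaction fraud/risk engine scores signals (billing country vs. IP geolocation, device velocity) instead of banning a whole merchant category. The following is an added illustration of that scoring approach, not any commenter's engine and not any processor's real rules; the rule weights, thresholds, window size and sample attempts are all constructed assumptions.

```python
# Added example: a toy rule-based risk engine in the style described above.
# Weights and thresholds are illustrative assumptions, not a real policy.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

REVIEW_THRESHOLD = 40        # assumed: at/above this the attempt goes to manual review
DENY_THRESHOLD = 90          # assumed: at/above this the attempt is declined
GEO_MISMATCH_WEIGHT = 45     # assumed weight for "card says Ohio, IP says Russia"
VELOCITY_WINDOW_DAYS = 2     # the "past two days" window from the comment


@dataclass
class Attempt:
    txn_id: str
    device_id: str          # passive device fingerprint, as the comment mentions
    billing_country: str    # country of the card's billing address
    ip_country: str         # country geolocated from the client IP
    day: int                # constructed sample clock, in whole days


class RiskEngine:
    def __init__(self) -> None:
        # per-device list of day indices on which it attempted a transaction
        self.history: Dict[str, List[int]] = defaultdict(list)

    def score(self, a: Attempt) -> Tuple[int, List[str]]:
        """Return (score, reasons); every matched rule adds weight and explains itself."""
        score, reasons = 0, []
        if a.billing_country != a.ip_country:
            score += GEO_MISMATCH_WEIGHT
            reasons.append(f"geo mismatch: card billing {a.billing_country}, ip {a.ip_country}")
        prior = [d for d in self.history[a.device_id] if a.day - d <= VELOCITY_WINDOW_DAYS]
        if len(prior) >= 30:
            score += 60
            reasons.append(f"device velocity: {len(prior)} prior attempts in {VELOCITY_WINDOW_DAYS} days")
        elif len(prior) >= 5:
            score += 25
            reasons.append(f"device velocity: {len(prior)} prior attempts in {VELOCITY_WINDOW_DAYS} days")
        self.history[a.device_id].append(a.day)
        return score, reasons

    def decide(self, a: Attempt) -> Tuple[str, int, List[str]]:
        """Map the score onto approve / review / deny; nothing is banned by category."""
        score, reasons = self.score(a)
        if score >= DENY_THRESHOLD:
            return "deny", score, reasons
        if score >= REVIEW_THRESHOLD:
            return "review", score, reasons
        return "approve", score, reasons


def demo() -> List[str]:
    """Constructed attempts: a clean one, a geo mismatch, and a device hammering the checkout."""
    engine = RiskEngine()
    decisions = [engine.decide(Attempt("t1", "dev-A", "US", "US", 0))[0],
                 engine.decide(Attempt("t2", "dev-B", "US", "RU", 0))[0]]
    for i in range(30):                       # 30 attempts from one device on day 1
        engine.decide(Attempt(f"c{i}", "dev-C", "US", "US", 1))
    decisions.append(engine.decide(Attempt("c30", "dev-C", "US", "US", 2))[0])
    decisions.append(engine.decide(Attempt("c31", "dev-C", "US", "RU", 2))[0])
    return decisions


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the comment makes: a VPN exit or a foreign IP raises the score of one transaction and may send it to review, whereas denial is reserved for attempts that stack several strong signals.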

> blanket revoked

Not blanket revoked. You can still purchase VPN services other than IPREDator.[0]

I'm surprised people here are taking TorrentFreak as an actual journalistic entity and not a website devoted to enticing a knee-jerk and vehement subset of tech users into clicking their articles.

[0]: https://news.ycombinator.com/item?id=5988527

This, then, is generally fine. CCs often shut off merchants with high chargebacks etc.

Though, it is not without warning. 2 days, if that can be trusted from the original article, is not sufficient warning.

> I can't think of a single thing that is legal to buy that is blanket revoked by some company like this.

Firearms.

https://www.paypal.com/webapps/helpcenter/article/?solutionI...

https://payments.amazon.com/sdui/sdui/about?nodeId=6023

https://squareup.com/legal/seller-agreement

Also, at least two of those have prohibitions on "occult materials". I'm not quite sure what that means, but it doesn't sound illegal.

A year back, eBay had to ban spells and potions, "as transactions in these categories can be difficult to verify and resolve."

http://www.slate.com/blogs/browbeat/2012/08/17/ebay_bans_mag...

I checked with Simplify (the MC Stripe clone), and they're cool with firearms and accessories sold online, and firearms sold in-person with card swiped. They're going to get back to me on whether an FFL could sell online MOTO -- I'm pushing them to allow it IFF the FFL ships to another FFL, which is federal law anyway.)
> First, I do not think this is about chargebacks, at all.

This case may also have other motives (the pirate bay related?) but chargeback is the issue and the story is more complex than it sounds: http://www.securitykiss.com/resources/roboblog/credit_cards/

I'm pretty dismayed to read this. If you regularly connect to random wireless networks in cafes and hotels, you're a moron if you don't connect through a VPN. If you're not connecting through a VPN all your non-SSL/TLS traffic is available for reading for whatever bored cracker has found his way onto the router. Plus, not all sensitive sites implement SSL/TLS and those that do often implement it poorly[1].

Not to even speak of the whole NSA spying thing.

Not all of us are corporate drones with the mother ship VPN to connect to, so we have to pay for ours.

I can't believe the number of people here on HN who think that no one but criminals use VPNs.

1. http://arstechnica.com/business/2012/04/90-of-popular-ssl-si...

I don't think anyone thinks that. You only need more than 1% of the customers of a service to be paying with fraudulent instruments to be unable to accept credit cards, practically. 1% of your volume coming back in chargebacks consistently is the cutoff with most MAPs.
Can someone explain why the CC companies ban high-chargeback-risk companies?

Why can't they simply ask for a higher fee?

They probably do do that, first
Because the cost isn't limited to a single merchant, transaction, or customer. Every incident of credit card fraud increases the inconvenience of using credit cards.

That's exactly the opposite of what credit card companies want. They want to make the process of using your credit card as simple and painless as possible.

Ironically, this is also why they've taken none of the obvious technological steps that could virtually eradicate credit card fraud.

Can you elaborate on some of those techniques? Plenty of people are reluctant to use credit cards online for the fear that they might get stolen.
Picture, for example, a card which has a small OLED display which displays an amount and a merchant name. You press a little button on the card, and an authorization is generated, cryptographically signed with an embedded key, and sent to the card reader (which also provides the power for the card).

Such a reader can be built into laptops, keyboards, smartphones, available as small stand-alone USB devices, etc.. Web browsers, POS systems, etc. can send a request to the reader and tell the user to place their card on it and check the card's display.

Transactions without a valid signature can simply be discarded.

If the system is implemented properly, the only way to commit fraud should be to physically steal the card.

(A more paranoid version could include buttons on the card for entering a passcode, so that even if the card is stolen, it would be difficult to use, at least before being reported stolen.)
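To make the proposal above concrete, here is an added simulation of the card-with-a-display scheme; it is not the commenter's design and no such product is described on the page. It assumes a symmetric key embedded in the card and shared with the issuer (HMAC-SHA256 as a stand-in for whatever signature scheme a real card would use), a monotonic counter against replay, and the optional on-card passcode from the last paragraph. The card id, merchant name and amounts are constructed sample values.

```python
# Added example: cardholder-approved, signed authorizations for the scheme
# sketched above. Key handling, message format and counter are assumptions.
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


def canonical(card_id: str, merchant: str, amount_cents: int, counter: int) -> bytes:
    """Fixed serialization so card and issuer sign/verify exactly the same bytes."""
    payload = {"card": card_id, "merchant": merchant, "amount": amount_cents, "ctr": counter}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Card:
    """Simulated card: embedded key, a 'display', a button, and an optional passcode."""

    def __init__(self, card_id: str, key: bytes, passcode: Optional[str] = None) -> None:
        self.card_id, self._key, self._passcode, self.counter = card_id, key, passcode, 0

    def display(self, merchant: str, amount_cents: int) -> str:
        return f"{merchant}: {amount_cents / 100:.2f}"      # what the cardholder checks

    def press_button(self, merchant: str, amount_cents: int, passcode: Optional[str] = None) -> Dict:
        """Cardholder approves what the display shows; the card signs exactly that."""
        if self._passcode is not None and passcode != self._passcode:
            raise PermissionError("wrong passcode")         # stolen card, no code: no signature
        self.counter += 1
        msg = canonical(self.card_id, merchant, amount_cents, self.counter)
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"card": self.card_id, "merchant": merchant, "amount": amount_cents,
                "ctr": self.counter, "tag": tag}


class Issuer:
    """Holds each card's key and last counter; rejects anything not signed by the card."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.last_ctr: Dict[str, int] = {}

    def enroll(self, card_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[card_id], self.last_ctr[card_id] = key, 0
        return key

    def verify(self, auth: Dict, merchant: str, amount_cents: int) -> Tuple[bool, str]:
        """merchant/amount_cents are what the merchant submits for settlement."""
        key = self.keys.get(auth.get("card", ""))
        if key is None:
            return False, "unknown card"
        if "tag" not in auth:
            return False, "unsigned: discarded"              # card number alone buys nothing
        if auth.get("merchant") != merchant or auth.get("amount") != amount_cents:
            return False, "submitted details differ from what the cardholder approved"
        expected = hmac.new(key, canonical(auth["card"], auth["merchant"], auth["amount"], auth["ctr"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["tag"]):
            return False, "bad signature"
        if auth["ctr"] <= self.last_ctr[auth["card"]]:
            return False, "replay"
        self.last_ctr[auth["card"]] = auth["ctr"]
        return True, "approved"


def demo() -> Dict[str, str]:
    """Constructed scenarios: unsigned, tampered, genuine, replayed."""
    issuer = Issuer()
    card = Card("card-demo-0001", issuer.enroll("card-demo-0001"))  # constructed card id
    merchant, amount = "Example VPN Co", 999
    auth = card.press_button(merchant, amount)
    return {
        "unsigned": issuer.verify({"card": "card-demo-0001", "merchant": merchant,
                                   "amount": amount, "ctr": 1}, merchant, amount)[1],
        "tampered": issuer.verify(dict(auth, amount=9999), merchant, 9999)[1],
        "genuine": issuer.verify(auth, merchant, amount)[1],
        "replay": issuer.verify(auth, merchant, amount)[1],
    }


if __name__ == "__main__":
    print(demo())
```

With a per-card key that never leaves the card, a leaked card number or a tampered amount produces nothing the issuer will honour, which is the property the comment is after; what remains is physical theft, which the passcode variant addresses.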

What VPN provider(s) do you recommend?
> the people signing up for them are more often "bad guys" than tech professionals looking for privacy

Thank you. All we hear about is how the government is trying to silence us and there's some vast payment processor conspiracy trying to stop us from using credit cards, as if they would want to stop us from giving them money. No, HN, the majority of VPN traffic is not innocent nerds accessing Facebook on a public wifi.

I say this as someone who does rely on a VPN quite a lot. There's sticking up for righteous ideals and then there's ignoring the fact that a ton of your traffic is nefarious. We can't sit around doing nothing as bad guys use our tech for criminal activities and then get outraged when someone brings it up.

Just roll your own VPN(s) with EC2 hosts. I have a feeling amazon will not ever get cut off by the processors.
point in fact, we have a version of pfSense coming for EC2
> the people signing up for them are more often "bad guys" than tech professionals looking for privacy -- and they're signing up with stolen payment information

That's a bold claim. Do you have any evidence of that?

I run a proxy provider and can confirm this is 100% true.
It's really not bold at all.

If you drink that koolaid, sounds like you would also believe megaupload was used 'primarily for non infringing use'

I suspect that most people who commit copyright infringement are not credit card thieves.

However, I don't like drawing conclusions without evidence, and I don't think it should be considered naive to ask for evidence before making up one's mind. In fact, I'd consider it extremely foolish to do otherwise.

I don't have any evidence I can point to. However, I can reference the hundreds of millions of dollars processed through various payment systems I oversaw to state that if you were trying to pay through a VPN, it would be classified as extremely high risk, and outside of a few extenuating circumstances, we'd simply deny the transaction.

When researching the various scoring mechanisms, we generally find that the VPN was generally just used for masking purposes, so we'd see multiple attempts go through using multiple names and addresses.

Also, the chances of getting a stolen card response back from the bank was much higher.

This isn't to say that a VPN means you are a thief. What it does mean, however, is that the risk far outweighs the potential benefits.

Isn't paying through a VPN a rather different matter to paying for a VPN? I mean, there's no point to using a privacy VPN to hide your identity only to then give out your credit card details, so it sounds like an inherently biased scenario.
If you are going to use a VPN to charge stolen credit cards, you sure aren't going to use a real credit card to purchase the VPN service, which could then be linked back to you.
Well you did draw the conclusion that it was a "bold claim" without evidence...

The phrase "bold claim" is usually reserved for cases where the claim seems unlikely.

Claiming that VPNs have more people signing up with stolen credit cards than their own credit cards seems rather unlikely to me. The penalty fees on the resulting chargeback would make it difficult to make a profit, particularly on a service that competes on price in an increasingly crowded marketplace.
Ah, now I see our problem.

As I see it there are three main customer groups for VPNs; people using it to circumvent copyright protections (either location based or outright theft), tech savvy people who want privacy, and bad guys.

The original said more bad guys than tech savvy people, I assumed that excluded copyright circumventors (the largest group) and you assumed they were included.

I would say that any claim is bold if it is surprising or apparently important, and is not covered by multiple mainstream sources.

Examples are claims of majority (a majority of people are suffering from sickness A, B, or C), or claims of superiority (my car is the fastest in the world).

You could easily extend that claim to ISPs as well.
My credit card was once stolen and used to sign up for a VPN
Bad luck, but this is only an anecdote, thus hardly any sort of evidence.
The problem is that the only people with data are the Credit Card companies and the VPN providers, and they both have dogs in this fight. We wouldn't believe the numbers they released, if they released numbers, which they probably won't...

So we're left with anecdote and personal opinions to base our decisions on. There's plenty of opinion in this thread - a few anecdotes won't hurt.

fraudulent purchases -> chargebacks

Chargebacks are bad for the VPN company. They cost $15 each.

Even if they cost nothing, a high ratio of chargebacks is not in the best interest of the credit card companies, who are at the top of the value chain. So chargebacks are bad for anybody along the chain.

"Chargeback risk" is the only theory on the table, isn't it?
iPredator are associated with the Pirate Bay, which is another theory as to why they've been targeted in particular.
Some anecdotal support: I use a US VPN provider when outside the US to access geo-restricted sites. I've had the account for two years with monthly auto-payment via Visa and never had an issue.

The fraud detection team at my bank called me last week to confirm the renewal payment was genuine. The same payment has been occurring every month for two years without issue, so it seems likely something has been tweaked within their detection algorithm.

"the people signing up for them are more often "bad guys" than tech professionals looking for privacy"

I think this is always a bad argument to make. By that same logic they'd be banning all torrent sites, too, and a lot of other stuff, possibly even Bitcoin.

I think these VPNs should sue Mastercard and Visa, just like Wikileaks did, and won. They can't just decide "who is the bad guy" and ban them.

If torrent sites and bitcoin accepted credit card payments, and a significant fraction of those payments involved stolen credit/debit cards (significantly harming the true owners of those cards even with liability protection), merchant account providers should have the right to not do business with them either.
"Keep in mind that this is about chargeback risk"

Please post source for this. As far as I know Visa and Mastercard have not made any statements and outlined any possible reasons for this action yet.

While I don't doubt that there are bad guys who are paying for anonymizing VPNs, I wonder to what extent this is a majority.

I know around ten people, who are technically-adept (but not techies), who are using VPNs for Netflix, BBC iPlayer, Hulu, sporting events, etc... In many cases they are "paying to pay" for these services.

Hackers, crackers, carders, and script kiddies can pretty easily get access by compromising insecure hosting accounts or remote windows machines in the desired location.

Usually they have lower chargeback cutout rate and higher fines. If the provider keeps customers within provided limits why not keep the service running?
As a westerner working a tech job in China this is honestly a bad trend.

How am I possibly going to live without access to Facebook?

It's easy – all you need is a standard webserver (any VPS will do, check out Low End Box [1] or just use Digital Ocean [2]) and that's it. No need to install or maintain any kind of VPN or proxy software. Just use the following command to connect to your fresh server:

    ssh -D 8080 username@ipaddress

That will establish a local SOCKS proxy which you can configure your browser (or any other application that supports proxies) to use, with localhost as the address and 8080 as the port.

The biggest difference to a VPN is that you need to separately configure every application to use the local proxy – otherwise, everything sent over the local proxy is encrypted and securely transferred (thanks to the SSH protocol) just like with a VPN.

Of course, you can also install a VPN server if you want, but that's probably a bit more complicated.

[1]: http://www.lowendbox.com/

[2]: https://www.digitalocean.com/

Set up your own VPN.
Run squid on a VPS outside of China and use ssh port forwarding to access it. In my experience this works better than VPNs while in China, since the latter somewhat recently began to be targeted by the GFW.
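The `ssh -D 8080 username@ipaddress` recipe and the squid-over-port-forwarding suggestion above are the same mechanism (an SSH forward to a VPS you control). The following is an added helper, not code from either commenter, that builds both forwards with defaults a defender would want and checks the SOCKS side by asking the proxy to resolve the destination name itself, so DNS lookups do not leak from the laptop to the cafe network. Host, user and port values are placeholders; the squid port assumes its default of 3128.

```python
# Added example: hardened ssh forwards plus a SOCKS5 check. The ssh option
# names are real OpenSSH options; host/user/port values are placeholders.
import shlex
import socket
import struct
from typing import List, Tuple

SOCKS5_REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
                  3: "network unreachable", 4: "host unreachable", 5: "connection refused",
                  6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def socks_tunnel_argv(user: str, host: str, port: int = 8080) -> List[str]:
    """argv for a dynamic (SOCKS) forward, like `ssh -D 8080 user@host`, but:
    - bound to 127.0.0.1 so other people on the same wifi cannot use your tunnel
    - -N: no remote shell, the session exists only for the forward
    - ExitOnForwardFailure: fail loudly rather than silently leaving no proxy
    - ServerAlive*: notice a dead tunnel quickly instead of hanging half-open
    """
    return ["ssh", "-N", "-D", f"127.0.0.1:{port}",
            "-o", "ExitOnForwardFailure=yes",
            "-o", "ServerAliveInterval=30", "-o", "ServerAliveCountMax=3",
            f"{user}@{host}"]


def squid_forward_argv(user: str, host: str, local_port: int = 3128, squid_port: int = 3128) -> List[str]:
    """Local forward for the squid-on-a-VPS variant: 127.0.0.1:local_port on the
    laptop reaches squid listening on the VPS loopback, so squid itself is never
    exposed to the internet."""
    return ["ssh", "-N", "-L", f"127.0.0.1:{local_port}:127.0.0.1:{squid_port}",
            "-o", "ExitOnForwardFailure=yes", f"{user}@{host}"]


def socks5_connect_request(hostname: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP 0x03 (domain name, RFC 1928 section 4): the
    remote end resolves the name, the local resolver never sees it."""
    name = hostname.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> Tuple[bool, str]:
    """Decode the first two bytes of a SOCKS5 reply: version and reply code."""
    if len(data) < 2 or data[0] != 5:
        return False, "not a SOCKS5 reply"
    return data[1] == 0, SOCKS5_REPLIES.get(data[1], f"unknown reply code {data[1]}")


def probe_socks5(host: str = "127.0.0.1", port: int = 8080,
                 target: Tuple[str, int] = ("example.com", 443), timeout: float = 5.0) -> Tuple[bool, str]:
    """Talk SOCKS5 to the local forward: greeting with 'no auth', then CONNECT by name."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")                # version 5, one method offered: no auth
            if s.recv(2) != b"\x05\x00":
                return False, "proxy rejected the no-auth method"
            s.sendall(socks5_connect_request(*target))
            return parse_socks5_reply(s.recv(10))
    except OSError as exc:
        return False, f"no proxy reachable on {host}:{port} ({exc})"


if __name__ == "__main__":
    print(shlex.join(socks_tunnel_argv("username", "ipaddress")))   # placeholder user/host
    print(shlex.join(squid_forward_argv("username", "ipaddress")))
    print(probe_socks5())
```

Run the printed ssh command in one terminal and `probe_socks5()` in another; `(True, "succeeded")` means the proxy resolved and connected on the far side. The same name-resolution-through-the-proxy setting is what to look for in the client too (curl's `--socks5-hostname`, Firefox's "Proxy DNS when using SOCKS v5"), otherwise the browser traffic is tunnelled but the DNS queries still go out on the local network.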
This is the obvious answer for people with the technical skill to maintain a VPN server but what about everybody else?
Really, we've all been spoiled by credit cards. Checks, money orders, wire transfers, and even cash, all still work.

And while I'm not aware of a properly turn-key solution for a VPN server, it should hardly be an epic undertaking to create one. Setting up a Linode account and running a StackScript is simple enough even for mostly-clueless people.

Using sshuttle[1] you don't even need to set up a VPN, just get a VPS and run a simple command on your client machine to connect.

[1] https://github.com/apenwarr/sshuttle

You could always connect to a Lahana[1] node for emergency situations. It's not as quick as a normal VPN and you shouldn't run a torrent client through it, but it works.

[1] - http://lahana.dreamcats.org/

Pay someone who has the skill?