[raiyu]

Unfortunately we deal with a large amount of abusive and fraudulent signups which leads to a bunch of abuse on the network such as mining, port scanning, and flooding. We do everything we can to filter out abuse automatically and then determine whether or not a customer is legitimate outside of that but unfortunately that information isn't always available or conclusive.

We'd love to hear suggestion on how we can improve that without resorting to requesting an ID because obviously that isn't something that's ideal.

[vdaniuk]

I am a current DigitalOcean client and I was recommending DO to my friends and professional contacts.

New policy of requiring scanned documents is unacceptable in the environment of pervasive nation-state level monitoring and destruction of privacy. If this is a permanent change, I won't recommend DO any longer.

The solution is extremely simple: accept bitcoins for payments and/or fair use verification for free tiers. Also there is a market for forged document scans, just read krebsonsecurity.

[mtmail]

Same here. DigitalOcean can't verify if a document is real (vs photoshopped) so the requirement might as well be sending a letter head. I'm glad I got access to all levels of VMs early by asking nice (for legitimate adhoc large data processing that required lots of RAM).

[zhte415]

I don't understand why a scan of a passport or ID of someone signing up is required when it cannot be verified.

The reasons are this:

Banks are legally required to conduct some kind of Know Your Customer where an individual has to physically present themselves so their provided ID is matched against their physical person. So KYC is done by a bank. And I'm paying with a bank / credit card.

In the case of someone opening an account by using a fraudulent card, it is trivial to attach what looks like a mediocre scan of a passport or divers licence.

Notarised IDs are not requested, so there is no way to verify with a lawyer. And Notarisation is expensive, so it will turn almost all customers away.

Closing circle: If the name on the card matches the ID provided and it is not a case of a fraudulent transaction, the individual can be pursued via their bank. This is probably not worth it at a time vs reward level, unless the abuse of the network is such law enforcement should be involved, but is not something for you to do, but for your bank, as correspondent bank, to do.

While obviously a liability in terms of information security and the risk of a breach, requiring such personal information is a precedent: If all companies did so for low value transactions, then this information would end up in thousands of online repositories (and therefore of large scale, opposed to, say, a hostel seeing a handful of customers per day keeping paper records) which would surely have leaks. The risk becomes systematic. Which increases fraud.

Let the banks do KYC. Let the hosting company ensure the network is monitored in the way they desire.

Edit: Having worked in a couple of banks at a middle management level, and covering regulatory, compliance and information security roles, what really helps when regulators or general law enforcement audit or inspect a function, what really matters is showing both internal policies showing banking regulations are drilled into employees, and anticipative policies where regulations are not yet set in stone are also followed. If you don't have internal policy documents on how your network is monitored and a kind of minimum standards dashboard, make one and keep records, as it can be invaluable as defense against accusations nonfeasance, misfeasance or even malfeasance.

[lazyant]

I've requested scan of ID in the past for suspicious sign-ups, the reasoning is that almost all malicious people would just move on at that point to another target.

[toomuchtodo]

SMS verification of a phone number?

Barring that, detect mining and terminate it with system monitoring tools, and prevent port scanning/flooding at your network border (your netops team is active on NANOG and seem to know what they're doing).

[threeseed]

How does SMS verification help ? You can just buy a prepaid phone.

[toomuchtodo]

How does using ID verification help? I can just use a borrowed/stolen/pilfered ID?

At some point, you're hitting diminishing returns in your verification requirements.

[thekonqueror]

I assume they look for name on ID that matches name on payment method. That's what I used to do when I worked in a hosting company ~10 years ago.

This way, if someone has a stolen credit card, there's a very good chance, they won't have a matching government ID with same name. Hence obvious fraud.

[toomuchtodo]

Does a prepaid card name verification occur during an auth? Also, does Digital Ocean disallow prepaid cards from being used to pay for service?

Their pricing/billing page indicates they'll accept these cards if the payment is made through Paypal, which will shield them from payment fraud, but not if the card is prepaid but the users actions on the instance are malicious.

https://www.digitalocean.com/help/pricing-and-billing/

[raiyu]

Here you see the complexity of the process in that anything that is added or used can be circumvented, including IDs and so forth.

In regards to pre-paid and debit cards we saw a very high incidence of abuse related to those cards specifically so we've had to put certain restrictions on them as well.

We're going to look for other layered approaches that can be created programmatically to increase the authenticity of a user and need to get that implemented asap because I'm in agreement that this ID request is a horrible workflow and also it still isn't fool proof so its just doubly bad.

Running the product prioritization meeting today so we'll bring up a couple of solutions and begin to prioritize and implement.

[lazyant]

An idea to automate part of the verification process is to have a "fill as much as you can or want" form asking for public accounts (facebook, G+, twitter, github, personal web site, non-free email accounts etc) and then generating a confidence score used for a pass/no pass/id required. A service (API) for this is one of the multiple ideas I haven't acted on.

[anthonys]

If capturing an ID is important, I'd suggest a solution like jumio.com which when integrated, is pretty seamless.

[meritt]

Why is mining in particular disallowed? Aren't you allocating a set amount of CPU to a paying customer?

[bryanlarsen]

Just a guess: mining produces less than $5 per month of bitcoins, so it's fairly strong evidence of a fraudulent credit card or hacked account.

[meritt]

Ah, if it's indeed related to fraud that's a fine reason generally.

I'm worried about a company restricting usage to resources which you have been allocated, as I thought we were well past the problems of shared hosts with the rise of virtual machines / linux containers.

[IgorPartola]

> Aren't you allocating a set amount of CPU to a paying customer?

I doubt they are. While DO boxes aren't bad, in terms of the "bad neighbor effect", I think they very much are oversold. Also, the virtualization tech is a continuum between complete and proper isolation of resources and time slicing of the CPU cycles on the one end, and Linux container style resource sharing on the other. Basically, the more isolated your VM is, the slower it will run. I don't believe DO is using any type of really strong isolation. Because of this, if you start mining BTC on your droplet, you will suck the CPU cycles from all the neighbors.