Ask HN: Free VPS trial, how to prevent fraud accounts?

2 points by WhiteOwlLion ↗ HN
I am interested in offering a free 30 days trial for Virtual Private Servers (VPS). I am wondering what security measures work best to prevent fraud or multiple accounts signing up?

I notice cloud providers offering various methods such as credit card verification, SMS code to mobile phone, telephone number verification, email verification (not allowing gmail or free email domains), etc.

Does anyone have experience in this area? What kind of verification method worked best for you? Do you have any other thoughts or advice on this business venture?

2 comments

[ 3.4 ms ] story [ 11.2 ms ] thread
Although I don't sell VPS services, I personally lease dedicated machines and VM/VPSes for my side-projects. I guess you want to grab some attention of pretty saturated market by lowering the entry barrier. So what kind of customer do you want to target?

As a serious user I don't see a problem to pay a few bucks for VPS which is pretty much a commodity nowadays. Welcome discount or a money back guarantee would be nice but not essential for a cheap plan. However for me the most important is the reputation. For sure I won't handover my own or customers' data to some unknown provider who gives away free accounts to anyone with an email.

My previous and current reputable providers asked me for CC and ID/passport scan upfront. And I am absolutely fine with that. I know that my hosted neighbours are also verified and an IP address I get with the machine has low chance to be blacklisted by previous tenant's malcious activity.

I'm pretty much the same as imhoguy and I'm a "legit" customer of several VM/VPS providers. I'd likely have a dedicated box (or two) as well, but $work is an ISP and I have a nice 2U server there for my "important" stuff.

I'm totally okay giving a credit card up front (it's how I'm gonna be paying anyways, assuming your service isn't shitty!). If that gets hacked or stolen or I get charged when I wasn't supposed to, well, it's really not a big deal -- American Express will fix that for me quick, fast, and in a hurry.

I'm a little "less okay" with showing my government identification, but only because I can't be sure they'll store it safely. Ideally, that could be handled by doing a quick Facetime call (or similar), holding the ID up next to my face, and them saying "okay, you're good" after verifying the information matches up. The next best method, IMO, would be sending a photocopy via snail mail, with the promise that they'll destroy it after verifying the information.

I really don't like giving out my personal phone number and I will avoid it as much as possible... but I will give in if it's unavoidable -- as long as the company is reputable and well-known.

Any one of those methods will certainly cut down on fraud, I would think, although the latter is probably most easily "scammed" (due to the availability of services like Twilio, Google Voice, etc.). Any one of those methods will also likely drive away some fraction, however small, of potential "legitimate" customers, but they'll also weed out a lot more of the unsavory folks.

I should probably also mention that I'm not really your target customer with a 30-day free trial, though. I usually avoid providers offering something like that (I did take DigitalOcean up on their $10 credit a few years ago but they weren't exactly some random fly-by-night VPS provider either.)

If you do end up offering a free 30-day trial, please do the Internet (and your future customers) a favor and block 25/TCP outbound. Or, at the least, put those IP addresses on Spamhaus' PBL.