Ask HN: How to provide a free trial without being abused?
I've launched a few weeks ago Elest.io (fully managed open source) and we are struggling with free trials.
If we don't ask for a valid CC people from all around the world abuse the free trial and use the services to do DDOS, port scanning, and a lot of other illegal things!
When we do ask for CC legit users are turned away ... we tried to explain that we don't charge anything and it's only for fraud prevention ... but not effect.
We also tried to ask for a public social network profile to verify the identity instead of a CC but again it was not well perceived.
Is there any solution to this?
75 comments
[ 2.9 ms ] story [ 140 ms ] threadPersonally I will be much more ok to pay a trivial sum to try out something than just have my credit card.
Allow the whole onboarding process to be done without a CC, don't even mention that.
But when a user is doing their first deploy, tell them they need a CC to complete this step.
Thanks to the sunken cost fallacy, users will be more likely to proceed.
All the big SAAS offerings utilize this pattern.
It’s one of the best ways to get a nice core group of dedicated users that will help you iterate.
FYI the idea is to specify the nature of the trigger upfront. e.g. Self harm or whatever. That way people can judge whether they want to read the rest of the comment or not.
Also, I think that for a platform such as yours, credit cards are absolutely a must. The risk in opening it to scammers (mining, torrent seeds, etc) is just to high; I remember reading this from fly.io [0] that explains the pain in reducing fraud.
0: https://community.fly.io/t/new-prepaid-credits-and-a-bonus-s...
You could provide some approved outgoing connections to trusted plugin/package repos.
If you want to get stricter only allow incoming connections from the trial user's IP to stop them hosting scam landing pages.
This could actually be the easiest way to deal with it. You can technically remove the block via system firewall, but I guess the abuse is only for cloud VMs that Elest.io provides and not the BYOVM ones, so you can use provider firewall rules to enforce the limit.
One could utilize HTLCs so that the coins are locked for a predefined amount of time - so you wouldn't need to take custody of the coins during the trial but still be able to <take/claim/freeze> them if you decide there was abuse. If you do nothing after the initial lock-up, once the HTLC expires the user can claim the coins back again. That way there is less risk and impact of losing funds due to errors or compromise on your side, compared to just requiring a deposit going into a wallet.
As a complement and alternative for CC. I would think that the people either unable to, or not willing to provide CC out of principle, and the people comfortable with Bitcoin have a decent overlap.
At that point just factor being abused into your prices honestly
That is, allow either. As an alternative to credit card, not instead of.
Again, I'm pretty sure that a majority of legitimate users who can't or won't link a credit card will already be familiar with, or at least open to, cryptocurrencies.
Just make the minimum amount large enough that abusers would have better payoff from directly using it as payment for compute/IP elsewhere. I'd guess that even 10$ equivalent would suffice for that - there is no shortage of places that will rent you a month of decent resources for less than that.
Consider also that more and more SaaSes require an increasing amount of PII for new sign-ups (no doubt related to solving for abuse, fraud, and spam) while an increasing number of individuals either reject surveillance capitalism and won't participate, or simply can't due to being flagged as false positives by the arbitrary ML and rules at payment providers. Solving for them will give you goodwill and leads from an underserved market segment.
If you want to play it safer, increase the minimum required amount and/or lock-up time accordingly.
If you had a way to get this integrated easily, would it be interesting?
Perhaps that is something that should be addressed, regardless of what you decide on KYC/credit cards/cryptocurrencies/etc?
Random thoughts after a little closer look, may or may not be relevant:
I see now that you host mailu/mailcow. If you give customers an e-mail address under a (sub-) domain of yours - stop that. Make customers bring their own domain, even for a trial. Or keep outgoing public SMTP out of the trial; even they do not use your domain, you probably don't want to risk polluting IP space reputation. If you still really want to let them try it and want to spend some time on it, you could spend some time restricting outgoing mail to a whitelisted email address (not domain) per account.
If you're also referring to hosting scam websites and you don't want to require trials to bring their own domain, consider making the subdomain you provide autogenerated, long, unattractive, and verbose.
If you haven't addressed all of the above, it should hopefully improve things.
For ddos/hosting illegal content, there is no shortage of places where people can get VMs and VPSes with connectivity, storage and compute for reasonable prices in various jurisdiction anonymously just a quick web search away - so even for those who don't know where they can get it for way cheaper underground, I'd assume that criminals wouldn't have a reason to burn even close to that much money for such things?
Heard similar anecdotes from of other Iranians and Syrians I've talked to. But not everyone - it does seem arbitrary.
* I can concoct exceptions of course: worker who wants to try it for work but doesn’t have their own company card being one. But if you’re targeting cloud users, “doing whatever AWS does to gate accounts” is perfectly reasonable.
This is extremely weird. It's a B2B - I won't ever use my own credit card just to try some service, heck - I won't provide my credit card to an unknown entity that may lack PIC compliance, either. Asking for the company/budget/contract review/etc. for trial, etc. is a massive hassle as well.
>doing whatever AWS does to gate accounts” is perfectly reasonable.
Not really, Amazon is beyond well known and massive, and it has all the policies in place. This a small unknown startup.
If you were a really hot prospect, super-interested in using elest.io for a big project but didn’t want to give a CC because <reasons>, I’m sure you’d find a way to contact them by email and try to work something out. And they’d find a way to vet you or just turn on a free account for you.* The casual “no way I’m giving my CC” people aren’t high-likelihood future paying customers.
Gate with a CC, make sure there’s a way to send an email/free text form and move on with building the company.
* “no way I’m sending an email either for a free trial just because I won’t give a CC.” “OK, you’re not a prospective customer. It’s a numbers game.”
I refuse to give my credit card details to google because I suspect I know what they will use it for, tracking, sneakily taking payments by dark patterns in apps or if my phone gets stolen.
Just because AWS can get away with something doesn't mean you can.
I can see why people don't want to give their credit card to someone they haven't made a deliberate decision to give money to, or to mix their social life with business. Edit: there's also the problem of trusting a company to hold onto your card data securely - I let almost no companies I do business with save the card details, and prefer to just type it in every time. Storing credit card details makes you a target, and I'm doubtful many smaller companies have the security skills to defend themselves.
BTW, "software" is not a countable word. Instead of "softwares" you mean "software services" or something.
You could make a link allowing them to explain by email their need for a no-CC-required trial.
That way you make a little speedbump and get a an email you know they use to market to (with opt-in).
In reality though, I suspect that most of the users who won't put in a card for a trial won't put in a card to pay either.
I suspect this is true; however, they may mention the service to other people who will.
Market it as a positive (free trial!) and not a negative (if you don't want to give us your CC info...) and you'll have human psychology in your favor. You also get insight into your users' use cases for free.
Personally I'd be okay providing a CC for verification/fraud prevention, but what puts me off doing it most of the time is it'll then automatically start being charged if I forget to cancel within a certain time. If there was a manual step of moving from free trial -> paid subscription I'd be less hesitant
Put Cloudflare in front of your IP. Everytime someone abuses you then block their IP at CF. If you can automate this even better.
Reduce the service for a free trial in someway that hurts hackers but not real customers. You will have to think about this it might tricky or not possible.
Add software to your stack to watch for port scans and cut the users off instantly. Or watch for DDOS. There is some number of packets that come out of a valid session vs the number that comes out of DDOS.
And then finally the trials that abuse you are junk trials they will never convert. The CC definitely will keep your trials low it just will I have seen that first hand but your conversion rate will be through the roof.
Once you have your CC subscribers really work on retaining them and reducing churn, if they try to cancel show then messaging that reminds them of the value of the service or offer them a discount, as examples.
> another hack: lotta people have free trials. 15 day free trial, 30 day free trial. makes sense. customers want to test us out first, no one trusts anyone, that's fine. but i hate free trials actually, especially for bootstrapped companies, because you never get the money back. most people that sign up with a credit card will stay. if that's not true, by the way, something is incredibly poisonous, fix that part [...]. but if that's true, most of the time they give you their credit card, you're giving them 15 or 30 days for nothing and you're never going to charge them, so you just lost the money, and that sucks. so i don't like trials. you have to give them something.
> so we switched to a 60 day money back guarantee instead of a 15 day free trial. but in both cases we take the credit card. originally in one case we say we won't charge you until the trial is over, in the other one we just charge them anyway. but we'll give you a refund and much more time.
> and sales went up. and people would email us and say "you know, 15 days didn't seem like enough time, now that i have 60 days, i decided to sign up".
> but i'm charging you more, don't you understand?
https://www.youtube.com/watch?v=otbnC2zE2rw
My reply would be: Thanks but no thanks.
The only way to prevent this is to identify the users in some way. Every way of identification is a tradeoff between convenience and security.
CC card info is very secure (it's really hard to fake a CC), but it's extremely inconvenient. Personally, if a service requires me to put in my CC info before even trying it, I am not using it.
Phone number is fairly secure (can be faked, but faker must spend money to buy phone cards, so their costs scale linearly), and it's kinda inconvenient, but not really, since every website and its grandmother ask for 2FA nowdays. It's more inconvenient for you, actually, since you have to find a way to send an SMS to any phone, anywhere in the world.
Email addresses can be secure (but only because most email providers require email confirmation over phone number), but they are the most convenient option I can think of. Ngrok does something like that, they require an email for an account, and provide you with a key you can use to use their service. Free option only gets you like 4 tunnels and 40 connections/minute, which I assume is negligible, given their total traffic.
That seems unlikely. I am going to go out on a limb and guess that you’ve signed up for at least one service in the past year that required a credit card up front.
That being said, I just don't like the concept of services altogether. If I can setup a system myself to do the thing I want, then I set it up. If I cannot, I try to find a way to live without it. I am somewhat of a Free Software idealist, so this text has really resonated with me a few years back:
https://www.gnu.org/philosophy/who-does-that-server-really-s...
So perhaps I could've left out the "Personally,..." sentence, since I'm am probably not the OP's target audience :)
Can you explain in more detail the way people are misusing your service? Aren't you running within someone else's infrastructure? At least that's how I understood your site.
We have an extended free trial for our SaaS platform (the only part that isn't open source) without a cc and have seen a lot of usage but nothing we'd flag as abuse. (Lots of fake accounts, but those don't hurt us.) Different product though so obviously the potential for abuse is different.
But we had exactly zero issues with people's providing a CC
1) Offer a limited free tier
2) Ask CC before free trial, you don't need customers that are not able to pay you later
3) Make a shared demo account where customers can log in and check out the product without need to commit
As an alternative you could offer free credits if you really want to test this, but this will always be a trade off and there will be a lots of people who use the free credit and never convert.
Netherland has something like this for government services: DigID. Every citizen can get one, and you use it to handle all sorts of government-related stuff, like your taxes, etc.
We need something like that, but internationally, and useable for everything, rather than just government services. But international is hard. And who will be put in control? Different countries have different privacy standards, not to mention different standards of corruption.
-> Most companies calculate their T2P churn incorrectly because they combine both the Right_Audience and the Wrong_Audience within the Trial.
-> Get rid of the Wrong_Audience with better customer acquisition Qualification (e.g. if I sell bats to bullies people will get hurt, if I sell bats to sports teams, well... chances are lower for misuses)
-> Get better conversions with the Right_Audience with an Orchestrated Trial
Most trials are just the product but free for a while. This leads to exactly the situation you describe.
An Orchestrated Trial focuses on reducing the Anxiety of your Right_Audience, so that they can decide easier to switch to paying. Full access to the product changes nothing in conversions, people already know what the product does from your description. The point is to reduce specific uncertainties and unblock the subscription decision.
(prescriptive) To do this, the Trial has to be Orchestrated around getting the Right_Audience to say "AHA! This actually does what I want." And if they have the money, the decision is straightforward. No need to give the access to what the solution does, that's for paying users.
Let me know if I can help
Charging money tends to filter out bad actors.
Good luck.