Ask HN: How to provide a free trial without being abused?

35 points by js4ever ↗ HN
I've launched a few weeks ago Elest.io (fully managed open source) and we are struggling with free trials.

If we don't ask for a valid CC people from all around the world abuse the free trial and use the services to do DDOS, port scanning, and a lot of other illegal things!

When we do ask for CC legit users are turned away ... we tried to explain that we don't charge anything and it's only for fraud prevention ... but not effect.

We also tried to ask for a public social network profile to verify the identity instead of a CC but again it was not well perceived.

Is there any solution to this?

75 comments

[ 2.9 ms ] story [ 140 ms ] thread
I think you should collect CC.
credit card numbers tend to require proper PCI compliance and audit. Storing credit cards is quite the liability, and unless I know I can trust the company entirely, they won't be getting any credit cards.
(comment deleted)
Most companies shouldn't be storing CC numbers in this day and age but using tokenized cards instead. Let Stripe worry about PCI compliance, and OP can simply advertise which processor they're using so customers feel secure.
Indeed, this is exactly what we are doing with Stripe
We don't collect CC directly, we redirect users to Stripe Checkout page (so not on our website anymore) and we get a webhook from stripe with a token of the CC and no details about the real CC number... It's pretty safe and that way we dont need to be PCI compliant
Okay - would be useful to mention, you don't process the credit cards on your own. But in that case - ask for minimal payment and possibly offer a refund. You can honor 2 weeks refund,

Personally I will be much more ok to pay a trivial sum to try out something than just have my credit card.

how many legit users are turned away when asking for CC vs how high is the abuse ratio? maybe try to find out when the legit users turn away. maybe they are not satisfied with checkout process?
- trigger warning -

Allow the whole onboarding process to be done without a CC, don't even mention that.

But when a user is doing their first deploy, tell them they need a CC to complete this step.

Thanks to the sunken cost fallacy, users will be more likely to proceed.

This is a dark pattern and will infuriate both your abusers and legitimate users.
Not really.

All the big SAAS offerings utilize this pattern.

It’s one of the best ways to get a nice core group of dedicated users that will help you iterate.

Yes they do. They use the dark patterns. That doesn't make them good.
(comment deleted)
I think I’d only consider it dark if my card was going to be charged. If the app admitted it was just to verify that I’m a real person, for security reasons, I’d be fine with it.
The problem is you don't know if your card is going to be charged. It's too easy for companies to hide things in long terms of service click-throughs, or for users to misunderstand new services, or for companies to charge cards "by accident". I'm certainly pretty doubtful that I completely understand what I'm agreeing to with a new company. The simplest safest solution is to not give them your card.
Sounds like a great way to make me sign up with your competitor
Makes sense to me, but I believe you should A/B test that (not just against signups, but MRR).
That would make me not only tell everyone I know what a bag of dicks your company is, like people I haven't seen in years would get a hand written letter telling them about this, my techno-illiterate grandma, every. one. I. know. I'd hand out free T-shirts printed with an account of my experience. After this I would then sign up for your competitor's most expensive offering out of sheer spite.
>- trigger warning -

FYI the idea is to specify the nature of the trigger upfront. e.g. Self harm or whatever. That way people can judge whether they want to read the rest of the comment or not.

It was a joke. However, I legit didn't know that, thank you.
UX-wise, as other said, I think it makes sense to ask for the CC as late in the process as possible: you will make your most valuable user understand how great your platform is.

Also, I think that for a platform such as yours, credit cards are absolutely a must. The risk in opening it to scammers (mining, torrent seeds, etc) is just to high; I remember reading this from fly.io [0] that explains the pain in reducing fraud.

0: https://community.fly.io/t/new-prepaid-credits-and-a-bonus-s...

Limit their outgoing connections until they provide a CC number. Most software can be initially tested without needing to connect to the wider internet. Throw in plenty of /examples directories for the different applications you offer.

You could provide some approved outgoing connections to trusted plugin/package repos.

If you want to get stricter only allow incoming connections from the trial user's IP to stop them hosting scam landing pages.

> If you want to get stricter only allow incoming connections from the trial user's IP to stop them hosting scam landing pages.

This could actually be the easiest way to deal with it. You can technically remove the block via system firewall, but I guess the abuse is only for cloud VMs that Elest.io provides and not the BYOVM ones, so you can use provider firewall rules to enforce the limit.

Indeed, no issues at all with BYOVM, and for other VM we have full control on the firewall from the cloud providers and we can block outgoing traffic and limit incoming traffic to the tester IP, I will definitely investigate this!
How often do one change IP when on cellular? I have no idea, but seems like it might become a problem. Probably worth the trade-off though.
(comment deleted)
What do you think about offering locking up some minimum amount of cryptocurrency (say, Bitcoin), which would withdrawable at the end of the trial but also being usable as payment for continued service?

One could utilize HTLCs so that the coins are locked for a predefined amount of time - so you wouldn't need to take custody of the coins during the trial but still be able to <take/claim/freeze> them if you decide there was abuse. If you do nothing after the initial lock-up, once the HTLC expires the user can claim the coins back again. That way there is less risk and impact of losing funds due to errors or compromise on your side, compared to just requiring a deposit going into a wallet.

As a complement and alternative for CC. I would think that the people either unable to, or not willing to provide CC out of principle, and the people comfortable with Bitcoin have a decent overlap.

So instead of supplying a credit card, which already causes people to bounce, ask them to learn and use crypto?

At that point just factor being abused into your prices honestly

> As a complement and alternative for CC

That is, allow either. As an alternative to credit card, not instead of.

Again, I'm pretty sure that a majority of legitimate users who can't or won't link a credit card will already be familiar with, or at least open to, cryptocurrencies.

Just make the minimum amount large enough that abusers would have better payoff from directly using it as payment for compute/IP elsewhere. I'd guess that even 10$ equivalent would suffice for that - there is no shortage of places that will rent you a month of decent resources for less than that.

Consider also that more and more SaaSes require an increasing amount of PII for new sign-ups (no doubt related to solving for abuse, fraud, and spam) while an increasing number of individuals either reject surveillance capitalism and won't participate, or simply can't due to being flagged as false positives by the arbitrary ML and rules at payment providers. Solving for them will give you goodwill and leads from an underserved market segment.

I missed the quoted line, sorry!
It's not about the money, it's about KYC! Paying with Crypto is not solving anything for bad actors trying to do DDOS, send spam or host child porn on our servers ...
Part of my point is, demanding a lock up of funds should raise the barrier high enough that you won't need KYC - legitimate users will get their funds back (or use them to continue service) while it will be cost-prohibitive for abusers.

If you want to play it safer, increase the minimum required amount and/or lock-up time accordingly.

If you had a way to get this integrated easily, would it be interesting?

The thing is some abusers will be happy to pay $10 in crypto (or even $100) to be able to ddos/spam/abuse under our name ... So I'm not sure it would be enough to prevent hackers
Hmm, it sounds like there is some part of your offering that I was overlooking as I failed to see how that would happen.

Perhaps that is something that should be addressed, regardless of what you decide on KYC/credit cards/cryptocurrencies/etc?

Random thoughts after a little closer look, may or may not be relevant:

I see now that you host mailu/mailcow. If you give customers an e-mail address under a (sub-) domain of yours - stop that. Make customers bring their own domain, even for a trial. Or keep outgoing public SMTP out of the trial; even they do not use your domain, you probably don't want to risk polluting IP space reputation. If you still really want to let them try it and want to spend some time on it, you could spend some time restricting outgoing mail to a whitelisted email address (not domain) per account.

If you're also referring to hosting scam websites and you don't want to require trials to bring their own domain, consider making the subdomain you provide autogenerated, long, unattractive, and verbose.

If you haven't addressed all of the above, it should hopefully improve things.

For ddos/hosting illegal content, there is no shortage of places where people can get VMs and VPSes with connectivity, storage and compute for reasonable prices in various jurisdiction anonymously just a quick web search away - so even for those who don't know where they can get it for way cheaper underground, I'd assume that criminals wouldn't have a reason to burn even close to that much money for such things?

Judging by downvotes and other comments, people seem to not believe the issue is practical. Anecdotally, a good friend of mine has an Iranian passport and name, and despite otherwise clean records and 15+y living and working elsewhere, he has a legitimate hard time being rejected by banks as well as payment processors (even through his non-Iranian company) when signing up for services. He did manage to sign up for GCP by using a friends' card. Smaller providers often bounce in the sign-up process when using his own credit card and he just won't bother trying to resolve that anymore.

Heard similar anecdotes from of other Iranians and Syrians I've talked to. But not everyone - it does seem arbitrary.

Anyone who won’t give you a credit card for the free trial isn’t likely to give you a credit card later to become a customer*. In this space, giving a credit card seems perfectly normal and serves as a vetting function of seriousness for you.

* I can concoct exceptions of course: worker who wants to try it for work but doesn’t have their own company card being one. But if you’re targeting cloud users, “doing whatever AWS does to gate accounts” is perfectly reasonable.

(comment deleted)
>Anyone who won’t give you a credit card for the free trial isn’t likely to give you a credit card later to become a customer

This is extremely weird. It's a B2B - I won't ever use my own credit card just to try some service, heck - I won't provide my credit card to an unknown entity that may lack PIC compliance, either. Asking for the company/budget/contract review/etc. for trial, etc. is a massive hassle as well.

>doing whatever AWS does to gate accounts” is perfectly reasonable.

Not really, Amazon is beyond well known and massive, and it has all the policies in place. This a small unknown startup.

Yes, but the people who don’t trust them with their CC are much more difficult (non-)customers to reach. Filtering the set of prospects to the easiest ones to convert, providing that set is still large, seems like a good 80/20 use of a startup’s limited time.

If you were a really hot prospect, super-interested in using elest.io for a big project but didn’t want to give a CC because <reasons>, I’m sure you’d find a way to contact them by email and try to work something out. And they’d find a way to vet you or just turn on a free account for you.* The casual “no way I’m giving my CC” people aren’t high-likelihood future paying customers.

Gate with a CC, make sure there’s a way to send an email/free text form and move on with building the company.

* “no way I’m sending an email either for a free trial just because I won’t give a CC.” “OK, you’re not a prospective customer. It’s a numbers game.”

I would even prefer a cheap first payment on a credit card or paypal than to give my credit card details to a company that claims not to want to use it. That just looks suspicious to me.

I refuse to give my credit card details to google because I suspect I know what they will use it for, tracking, sneakily taking payments by dark patterns in apps or if my phone gets stolen.

Your concocted exception is actually a very plausible scenario in my opinion. In the past 2 years or so I convinced my workplace (well, a previous workplace) to spend some money on two freemium products: one is buying a few licenses for PyCharm Professional, and the other was a platform for doing coding interviews. The free version was the only reason I even considered these products. As an employee in a big corp, this is my only reasonable route.
I can't say I agree with this. AWS has the size, reputation, and sheer near-unavoidability to find themselves with significantly more leeway in this kind of thing.

Just because AWS can get away with something doesn't mean you can.

Can you limit resource use after some reasonable amount? Seems like you've got the tools for that already. "Network Firewall [...] + Web Application Firewall", "IP Rate Limiter", "Alerts to detect abnormal activity", etc.

I can see why people don't want to give their credit card to someone they haven't made a deliberate decision to give money to, or to mix their social life with business. Edit: there's also the problem of trusting a company to hold onto your card data securely - I let almost no companies I do business with save the card details, and prefer to just type it in every time. Storing credit card details makes you a target, and I'm doubtful many smaller companies have the security skills to defend themselves.

BTW, "software" is not a countable word. Instead of "softwares" you mean "software services" or something.

Limiting resources seems also the best way to go about this in my mind.
Just something that occurred to me:

You could make a link allowing them to explain by email their need for a no-CC-required trial.

That way you make a little speedbump and get a an email you know they use to market to (with opt-in).

In reality though, I suspect that most of the users who won't put in a card for a trial won't put in a card to pay either.

> In reality though, I suspect that most of the users who won't put in a card for a trial won't put in a card to pay either.

I suspect this is true; however, they may mention the service to other people who will.

I think this is a great idea. You don't even have to market it like that: just have a very simple sign up form for requesting a trial. The only "requirement" would be a short discussion with a representative from your end where the customer explains why they want the trail.

Market it as a positive (free trial!) and not a negative (if you don't want to give us your CC info...) and you'll have human psychology in your favor. You also get insight into your users' use cases for free.

You could limit the free trial in some way (number of connections, ability to connect to other services) that makes it less appealing for abuse, however you may just end up playing a cat and mouse game on that front

Personally I'd be okay providing a CC for verification/fraud prevention, but what puts me off doing it most of the time is it'll then automatically start being charged if I forget to cancel within a certain time. If there was a manual step of moving from free trial -> paid subscription I'd be less hesitant

We had this problems a lot. You have to make it painful enough that scammers do not want to bother.

Put Cloudflare in front of your IP. Everytime someone abuses you then block their IP at CF. If you can automate this even better.

Reduce the service for a free trial in someway that hurts hackers but not real customers. You will have to think about this it might tricky or not possible.

Add software to your stack to watch for port scans and cut the users off instantly. Or watch for DDOS. There is some number of packets that come out of a valid session vs the number that comes out of DDOS.

And then finally the trials that abuse you are junk trials they will never convert. The CC definitely will keep your trials low it just will I have seen that first hand but your conversion rate will be through the roof.

Great advice, consider different free tiers as well (anonymous users get x free uses, registered get y more, registered w/CC get z more free uses etc).

Once you have your CC subscribers really work on retaining them and reducing churn, if they try to cancel show then messaging that reminds them of the value of the service or offer them a discount, as examples.

one alternative idea to free trials from Jason Cohen's ancient 2013 microconf talk, 21:00 minute mark

> another hack: lotta people have free trials. 15 day free trial, 30 day free trial. makes sense. customers want to test us out first, no one trusts anyone, that's fine. but i hate free trials actually, especially for bootstrapped companies, because you never get the money back. most people that sign up with a credit card will stay. if that's not true, by the way, something is incredibly poisonous, fix that part [...]. but if that's true, most of the time they give you their credit card, you're giving them 15 or 30 days for nothing and you're never going to charge them, so you just lost the money, and that sucks. so i don't like trials. you have to give them something.

> so we switched to a 60 day money back guarantee instead of a 15 day free trial. but in both cases we take the credit card. originally in one case we say we won't charge you until the trial is over, in the other one we just charge them anyway. but we'll give you a refund and much more time.

> and sales went up. and people would email us and say "you know, 15 days didn't seem like enough time, now that i have 60 days, i decided to sign up".

> but i'm charging you more, don't you understand?

https://www.youtube.com/watch?v=otbnC2zE2rw

I heartily disagree. Maybe its just my privacy conscious european-ness but seeing how companies keep leaking data I do not went to give my data, much less my CC, to a service I'm not actually sure i will end up using.
I'd be happy with the money-back guarantee from a trustworthy company, but in practice I'd be worried about them increasing the friction of cancelling/claiming the refund. Most founders are probably well-intentioned here but a few bad apples make it difficult to trust anyone.
agree. there was a post here about someone talking about how they were sick of sending support requests into a blackhole.

My reply would be: Thanks but no thanks.

Instead of a trial you could offer a sandboxed demo account with limited functionality and network access only to a demo LAN and not the outside world. Just enough to show your orchestration and control panel features in a realistic way.
Your basic problem is that a single person can pretend to be many persons, and therefore use up much more resources than expected.

The only way to prevent this is to identify the users in some way. Every way of identification is a tradeoff between convenience and security.

CC card info is very secure (it's really hard to fake a CC), but it's extremely inconvenient. Personally, if a service requires me to put in my CC info before even trying it, I am not using it.

Phone number is fairly secure (can be faked, but faker must spend money to buy phone cards, so their costs scale linearly), and it's kinda inconvenient, but not really, since every website and its grandmother ask for 2FA nowdays. It's more inconvenient for you, actually, since you have to find a way to send an SMS to any phone, anywhere in the world.

Email addresses can be secure (but only because most email providers require email confirmation over phone number), but they are the most convenient option I can think of. Ngrok does something like that, they require an email for an account, and provide you with a key you can use to use their service. Free option only gets you like 4 tunnels and 40 connections/minute, which I assume is negligible, given their total traffic.

> Personally, if a service requires me to put in my CC info before even trying it, I am not using it.

That seems unlikely. I am going to go out on a limb and guess that you’ve signed up for at least one service in the past year that required a credit card up front.

Nope, I haven't. In fact, I don't recall using any paid services lately, except the ones my employer provides me in order to do my job.

That being said, I just don't like the concept of services altogether. If I can setup a system myself to do the thing I want, then I set it up. If I cannot, I try to find a way to live without it. I am somewhat of a Free Software idealist, so this text has really resonated with me a few years back:

https://www.gnu.org/philosophy/who-does-that-server-really-s...

So perhaps I could've left out the "Personally,..." sentence, since I'm am probably not the OP's target audience :)

Ask for a phone number for 2 factor authentication.
I think this is the easiest way, not sure why it's so far down on the list. Usually this is enough to prevent casual abuse. If phone number is too troublesome just use Gmail or something, they do a decent job of preventing multiply email registration. I guess the main problem is the bad actors who are determined to misuse your service will still find a way, but then you can just ip block manually
Nop, they are using VPN, so a single bad actor have hundreds of IPs with a $3/month VPN
Fellow OSS founder here (robusta.dev for Kubernetes monitoring).

Can you explain in more detail the way people are misusing your service? Aren't you running within someone else's infrastructure? At least that's how I understood your site.

We have an extended free trial for our SaaS platform (the only part that isn't open source) without a cc and have seen a lot of usage but nothing we'd flag as abuse. (Lots of fake accounts, but those don't hurt us.) Different product though so obviously the potential for abuse is different.

Indeed we deploy to 5 cloud providers, and we give full root ssh access to the VMs (even if we didn't there is always a way to get access through the web ui, think about WordPress plugin for eg) Some users used the vm to do ddos, port scanning, crypto mining, sending spam, hosting illegal stuffs, whatever you can imagine ... But worse!

But we had exactly zero issues with people's providing a CC

3 possibilities, learned the hard way:

1) Offer a limited free tier

2) Ask CC before free trial, you don't need customers that are not able to pay you later

3) Make a shared demo account where customers can log in and check out the product without need to commit

Replace #2 with: use a payment system that doesn't require them to give their credit card info to a stranger. Payment shouldn't require that.
We don't collect CC directly, we redirect users to Stripe Checkout page (so not on our website anymore) and we get a webhook from stripe with a token of the CC and no details about the real CC number... It's pretty safe and that way we dont need to be PCI compliant
Free trials are most useful / valid in my opinion when the product or service is novel and your potential customers aren't sure yet if you'll solve their problem. It makes perfect sense for a project management SaaS because everyone works in different ways. However, you're offering managed services which should already be well understood by your real customers. Managed Postgres is something they need or not - you're not in the business of selling them on Postgres itself. Thus I don't think offering a free trial does anything to attract a real willing customer.

As an alternative you could offer free credits if you really want to test this, but this will always be a trade off and there will be a lots of people who use the free credit and never convert.

I've been thinking lately that we need some sort of internet identity. Something that proves you are a real, legitimate and unique person, but shields your privacy.

Netherland has something like this for government services: DigID. Every citizen can get one, and you use it to handle all sorts of government-related stuff, like your taxes, etc.

We need something like that, but internationally, and useable for everything, rather than just government services. But international is hard. And who will be put in control? Different countries have different privacy standards, not to mention different standards of corruption.

(prescriptive input at the end) I work specifically on improving Trial-to-Paid and here are some pointers:

-> Most companies calculate their T2P churn incorrectly because they combine both the Right_Audience and the Wrong_Audience within the Trial.

-> Get rid of the Wrong_Audience with better customer acquisition Qualification (e.g. if I sell bats to bullies people will get hurt, if I sell bats to sports teams, well... chances are lower for misuses)

-> Get better conversions with the Right_Audience with an Orchestrated Trial

Most trials are just the product but free for a while. This leads to exactly the situation you describe.

An Orchestrated Trial focuses on reducing the Anxiety of your Right_Audience, so that they can decide easier to switch to paying. Full access to the product changes nothing in conversions, people already know what the product does from your description. The point is to reduce specific uncertainties and unblock the subscription decision.

(prescriptive) To do this, the Trial has to be Orchestrated around getting the Right_Audience to say "AHA! This actually does what I want." And if they have the money, the decision is straightforward. No need to give the access to what the solution does, that's for paying users.

Let me know if I can help

For the type of business you are running (online software) you will get abusers, so you migth have to bite the bullet and accept some genuine people will be turned off by credit card validation.
Don't offer a free trial.

Charging money tends to filter out bad actors.

Good luck.