
Ask HN: Free VPS trial, how to prevent fraud accounts? - WhiteOwlLion
I am interested in offering a free 30 days trial for Virtual Private Servers (VPS). I am wondering what security measures work best to prevent fraud or multiple accounts signing up?<p>I notice cloud providers offering various methods such as credit card verification, SMS code to mobile phone, telephone number verification, email verification (not allowing gmail or free email domains), etc.<p>Does anyone have experience in this area? What kind of verification method worked best for you? Do you have any other thoughts or advice on this business venture?
======
imhoguy
Although I don't sell VPS services, I personally lease dedicated machines and
VM/VPSes for my side-projects. I guess you want to grab some attention of
pretty saturated market by lowering the entry barrier. So what kind of
customer do you want to target?

As a serious user I don't see a problem to pay a few bucks for VPS which is
pretty much a commodity nowadays. Welcome discount or a money back guarantee
would be nice but not essential for a cheap plan. However for me the most
important is the reputation. For sure I won't handover my own or customers'
data to some unknown provider who gives away free accounts to anyone with an
email.

My previous and current reputable providers asked me for CC and ID/passport
scan upfront. And I am absolutely fine with that. I know that my hosted
neighbours are also verified and an IP address I get with the machine has low
chance to be blacklisted by previous tenant's malcious activity.

~~~
jlgaddis
I'm pretty much the same as _imhoguy_ and I'm a "legit" customer of several
VM/VPS providers. I'd likely have a dedicated box (or two) as well, but $work
is an ISP and I have a nice 2U server there for my "important" stuff.

I'm totally okay giving a credit card up front (it's how I'm gonna be paying
anyways, assuming your service isn't shitty!). If that gets hacked or stolen
or I get charged when I wasn't supposed to, well, it's really not a big deal
-- American Express will fix that for me quick, fast, and in a hurry.

I'm a little "less okay" with showing my government identification, but only
because I can't be sure they'll store it safely. Ideally, that could be
handled by doing a quick Facetime call (or similar), holding the ID up next to
my face, and them saying "okay, you're good" after verifying the information
matches up. The next best method, IMO, would be sending a photocopy via snail
mail, with the promise that they'll destroy it after verifying the
information.

I _really_ don't like giving out my personal phone number and I will avoid it
as much as possible... but I will give in if it's unavoidable -- as long as
the company is reputable and well-known.

Any one of those methods will certainly cut down on fraud, I would think,
although the latter is probably most easily "scammed" (due to the availability
of services like Twilio, Google Voice, etc.). Any one of those methods will
also likely drive away some fraction, however small, of potential "legitimate"
customers, but they'll also weed out a lot more of the unsavory folks.

I should probably also mention that I'm not really your target customer with a
30-day free trial, though. I usually avoid providers offering something like
that (I did take DigitalOcean up on their $10 credit a few years ago but they
weren't exactly some random fly-by-night VPS provider either.)

If you do end up offering a free 30-day trial, please do the Internet (and
your future customers) a favor and block 25/TCP outbound. Or, at the least,
put those IP addresses on Spamhaus' PBL.

