Mastercard and Visa Start Banning VPN Providers (torrentfreak.com)
267 points by melito on July 3, 2013 | hide | past | favorite | 110 comments



Keep in mind that this is about chargeback risk, not implementing some secret government policy. "Anonymizing VPNs" are a high risk service -- the people signing up for them are more often "bad guys" than tech professionals looking for privacy -- and they're signing up with stolen payment information. There are far more hackers, crackers, carders, "script kiddies", spammers and other people that need to hide their location or appear to be connecting from a different country than there are IT professionals interested in paying for extra privacy.

Adult sites, online pharmacies, ticket brokers are treated the same way, and that has nothing to do with evading the NSA. MasterCard added all internet services (the MCC -- merchant category code -- that covers ISPs) to a high risk tier earlier in the year; I got the letter from First Data in the mail myself.


> Keep in mind that this is about chargeback risk,

First, I do not think this is about chargebacks, at all. I don't know what it is about, but it's not chargebacks. This looks like a blanket revocation of anonymizing/VPN services. That isn't how fraud/risk engines work (note: I wrote several fraud/risk engines for ecommerce/banking/travel industry as well as passive device fingerprinting).

Sure, make this a riskier transaction, flag it for review. Uh oh, CC info is from Ohio, but IP is from Russia? Up the risk. Same device that is trying to conduct this transaction also tried 30 others in the past two days? Flag for review, up the risk (several hundred more etc etc).

Second, I can't think of a single thing that is legal to buy that is blanket revoked by some company like this.

Third, adult sites, online pharmacies, ticket brokers and the others are NOT treated the same way. They are treated as higher risk transactions that A. need more/closer review B. have a more comprehensive/exhaustive/deeper risk rules engine run on them. and/or C. have a special set of rules that apply specifically to that domain. The CC companies don't just turn off buying an entire domain of goods (adult, online pharmacies, ticket brokers....or VPNs), that isn't how they work.

If true, this smells of something different.


> blanket revoked

Not blanket revoked. You can still purchase VPN services other than IPREDator.[0]

I'm surprised people here are taking TorrentFreak as an actual journalistic entity and not a website devoted to enticing a knee-jerk and vehement subset of tech users into clicking their articles.

[0]: https://news.ycombinator.com/item?id=5988527


This, then, is generally fine. CCs often shut off merchants with high chargebacks etc.

Though, it is not without warning. 2 days, if that can be trusted from the original article, is not sufficient warning.


> I can't think of a single thing that is legal to buy that is blanket revoked by some company like this.

Firearms.

https://www.paypal.com/webapps/helpcenter/article/?solutionI...

https://payments.amazon.com/sdui/sdui/about?nodeId=6023

https://squareup.com/legal/seller-agreement

Also, at least two of those have prohibitions on "occult materials". I'm not quite sure what that means, but it doesn't sound illegal.


A year back, eBay had to ban spells and potions, "as transactions in these categories can be difficult to verify and resolve."

http://www.slate.com/blogs/browbeat/2012/08/17/ebay_bans_mag...


I checked with Simplify (the MC Stripe clone), and they're cool with firearms and accessories sold online, and firearms sold in-person with card swiped. They're going to get back to me on whether an FFL could sell online MOTO -- I'm pushing them to allow it IFF the FFL ships to another FFL, which is federal law anyway.


> First, I do not think this is about chargebacks, at all.

This case may also have other motives (the pirate bay related?) but chargeback is the issue and the story is more complex than it sounds: http://www.securitykiss.com/resources/roboblog/credit_cards/


I'm pretty dismayed to read this. If you regularly connect to random wireless networks in cafes and hotels, you're a moron if you don't connect through a VPN. If you're not connecting through a VPN all your non-SSL/TLS traffic is available for reading for whatever bored cracker has found his way onto the router. Plus, not all sensitive sites implement SSL/TLS and those that do often implement it poorly[1].

Not to even speak of the whole NSA spying thing.

Not all of us are corporate drones with the mother ship VPN to connect to, so we have to pay for ours.

I can't believe the number of people here on HN who think that no one but criminals use VPNs.

1. http://arstechnica.com/business/2012/04/90-of-popular-ssl-si...


I don't think anyone thinks that. You only need more than 1% of the customers of a service to be paying with fraudulent instruments to be unable to accept credit cards, practically. 1% of your volume coming back in chargebacks consistently is the cutoff with most MAPs.


Can someone explain why the CC companies ban high-chargeback-risk companies?

Why can't they simply ask for a higher fee?


Because the cost isn't limited to a single merchant, transaction, or customer. Every incident of credit card fraud increases the inconvenience of using credit cards.

That's exactly the opposite of what credit card companies want. They want to make the process of using your credit card as simple and painless as possible.

Ironically, this is also why they've taken none of the obvious technological steps that could virtually eradicate credit card fraud.


Can you elaborate on some of those techniques? Plenty of people are reluctant to use credit cards online for the fear that they might get stolen.


Picture, for example, a card which has a small OLED display which displays an amount and a merchant name. You press a little button on the card, and an authorization is generated, cryptographically signed with an embedded key, and sent to the card reader (which also provides the power for the card).

Such a reader can be built into laptops, keyboards, smartphones, available as small stand-alone USB devices, etc.. Web browsers, POS systems, etc. can send a request to the reader and tell the user to place their card on it and check the card's display.

Transactions without a valid signature can simply be discarded.

If the system is implemented properly, the only way to commit fraud should be to physically steal the card.

(A more paranoid version could include buttons on the card for entering a passcode, so that even if the card is stolen, it would be difficult to use, at least before being reported stolen.)


I have a bank card that can be attached to a device, and transactions (internet banking) can be signed with it.

The device is not connected to the computer; rather, you have to type some info (like the value of the transaction) and it generates a code you type back in the website.

For this device to work you need to type the card PIN.

Of course this wouldn't work in the US since they're still stuck with the magstripe.
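The two designs above (a card that displays the merchant and amount and signs them with an embedded key, and the detached reader that turns a typed amount plus PIN into a short code) can be sketched in one model. This is an added example, not code from the thread; the HMAC key stands in for the card's embedded signing key, the nonce is assumed to be supplied by the reader, and every card, merchant and amount is constructed.

```python
"""Toy transaction-signing card. The reader proposes (merchant, amount), the card
shows it, the holder confirms (optionally with a PIN, the "paranoid" variant), and
the card signs exactly what it displayed with a key that never leaves it. The issuer
recomputes the signature, so a terminal that later alters the amount, or replays an
old authorization, is rejected. All values below are constructed sample data."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _message(card_id: str, nonce: str, merchant: str, amount_cents: int) -> bytes:
    # Canonical encoding of what the card displayed and the holder approved.
    return f"{card_id}|{nonce}|{merchant}|{amount_cents}".encode()


def _sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _short_code(sig: bytes) -> str:
    # CAP-style 8-digit code derived from the signature, for the typed-in variant.
    return f"{int.from_bytes(sig[:4], 'big') % 10**8:08d}"


@dataclass
class Card:
    card_id: str
    key: bytes                  # embedded secret, shared only with the issuer
    pin: str | None = None      # set for the PIN-on-card variant
    failed_pins: int = 0
    locked: bool = False

    def display(self, merchant: str, amount_cents: int) -> str:
        """What the on-card display shows; the holder compares it to the checkout page."""
        return f"{merchant}  {amount_cents / 100:.2f}"

    def approve(self, nonce: str, merchant: str, amount_cents: int,
                pin: str | None = None) -> bytes | None:
        """Holder pressed the button. Returns the signature, or None if refused."""
        if self.locked:
            return None
        if self.pin is not None:
            if pin != self.pin:
                self.failed_pins += 1
                self.locked = self.failed_pins >= 3     # lock after 3 bad PINs
                return None
            self.failed_pins = 0
        return _sign(self.key, _message(self.card_id, nonce, merchant, amount_cents))

    def approval_code(self, nonce: str, merchant: str, amount_cents: int,
                      pin: str | None = None) -> str | None:
        """Detached-reader variant: a short code the holder types into the website."""
        sig = self.approve(nonce, merchant, amount_cents, pin)
        return None if sig is None else _short_code(sig)


@dataclass
class Issuer:
    keys: dict[str, bytes]                  # card_id -> embedded key
    used_nonces: set = field(default_factory=set)

    def _expected(self, card_id, nonce, merchant, amount_cents) -> bytes | None:
        if card_id not in self.keys or nonce in self.used_nonces:
            return None                     # unknown card or replayed authorization
        return _sign(self.keys[card_id], _message(card_id, nonce, merchant, amount_cents))

    def verify(self, card_id, nonce, merchant, amount_cents, proof: bytes | str) -> bool:
        """Accept a raw signature or a typed code, but only over exactly these fields."""
        expected = self._expected(card_id, nonce, merchant, amount_cents)
        if expected is None:
            return False
        if isinstance(proof, str):
            ok = hmac.compare_digest(_short_code(expected), proof)
        else:
            ok = hmac.compare_digest(expected, proof)
        if ok:
            self.used_nonces.add(nonce)     # each authorization is single-use
        return ok


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(32)
    card = Card("card-1", key, pin="4242")
    issuer = Issuer({"card-1": key})
    nonce = secrets.token_hex(8)            # assumed to come from the reader
    sig = card.approve(nonce, "Example Shop", 4999, pin="4242")
    results = {
        "honest": issuer.verify("card-1", nonce, "Example Shop", 4999, sig),
        # Terminal submits the same signature with an inflated amount.
        "tampered_amount": issuer.verify("card-1", nonce, "Example Shop", 49999, sig),
        # Terminal resubmits the original authorization.
        "replay": issuer.verify("card-1", nonce, "Example Shop", 4999, sig),
    }
    n2 = secrets.token_hex(8)
    results["typed_code"] = issuer.verify(
        "card-1", n2, "Example Shop", 1500, card.approval_code(n2, "Example Shop", 1500, "4242"))
    for _ in range(3):                      # stolen card, PIN guessed wrong three times
        card.approve(secrets.token_hex(8), "Example Shop", 100, pin="0000")
    results["locked_after_bad_pins"] = card.approve(secrets.token_hex(8), "Example Shop",
                                                   100, pin="4242") is None
    return results
```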


Well, I can see why they haven't implemented that - it's a huge undertaking to build specialized hardware like that into so much varied equipment. For all intents and purposes rolling out a system like that is impossible.


I don't believe it is materially more difficult than the NFC rollout. In fact, I believe it would be far easier than NFC if the financial industry would actually get behind it enthusiastically.

I'm curious, what other undertakings do you think are impossible? WiFi? Bluetooth? GSM?


NFC isn't even close to completion, who knows when, if it ever will, get there. What you are missing is the massive infrastructure investment in retail terminals. There are millions of these things out there and they just work. The cost-benefit ratio of a scheme like yours just falls apart in the face of all that inertia.


> NFC isn't even close to completion

And yet it is progressing. See Europe. This despite lackluster support from big banks.

> What you are missing is the massive infrastructure investment in retail terminals.

No, I'm not. Not at all. I'm well aware of it. I'm also well aware that they get replaced quite frequently. And virtually every retail terminal I've seen in the last few years is new enough that if the banks had started the push for a smartcard technology when it initially became viable, terminal compatibility would be near 100%.

Did you think there had to be some magic cutover date? There doesn't. Hybrid cards can be used for 5, 10, even 20 years if necessary, with gradual pressure applied to retailers to adopt new equipment they haven't already replaced (or received new, stores come and go) through a reduction in fees for transactions completed via smartcard.

The point is to make actual progress and eventually arrive at a reasonable destination. Right now, we're just sitting on our hands.


> I'm also well aware that they get replaced quite frequently.

You and I have a significant difference of opinion then.


They probably do do that, first.


What VPN provider(s) do you recommend?


> the people signing up for them are more often "bad guys" than tech professionals looking for privacy

Thank you. All we hear about is how the government is trying to silence us and there's some vast payment processor conspiracy trying to stop us from using credit cards, as if they would want to stop us from giving them money. No, HN, the majority of VPN traffic is not innocent nerds accessing Facebook on a public wifi.

I say this as someone who does rely on a VPN quite a lot. There's sticking up for righteous ideals and then there's ignoring the fact that a ton of your traffic is nefarious. We can't sit around doing nothing as bad guys use our tech for criminal activities and then get outraged when someone brings it up.


Just roll your own VPN(s) with EC2 hosts. I have a feeling amazon will not ever get cut off by the processors.


Point in fact, we have a version of pfSense coming for EC2.


> the people signing up for them are more often "bad guys" than tech professionals looking for privacy -- and they're signing up with stolen payment information

That's a bold claim. Do you have any evidence of that?


I run a proxy provider and can confirm this is 100% true.


It's really not bold at all.

If you drink that Kool-Aid, sounds like you would also believe Megaupload was used 'primarily for non-infringing use'.


I suspect that most people who commit copyright infringement are not credit card thieves.

However, I don't like drawing conclusions without evidence, and I don't think it should be considered naive to ask for evidence before making up one's mind. In fact, I'd consider it extremely foolish to do otherwise.


I don't have any evidence I can point to. However, I can reference the hundreds of millions of dollars processed through various payment systems I oversaw to state that if you were trying to pay through a VPN, it would be classified as extremely high risk, and outside of a few extenuating circumstances, we'd simply deny the transaction.

When researching the various scoring mechanisms, we generally find that the VPN was generally just used for masking purposes, so we'd see multiple attempts go through using multiple names and addresses.

Also, the chances of getting a stolen card response back from the bank were much higher.

This isn't to say that a VPN means you are a thief. What it does mean, however, is that the risk far outweighs the potential benefits.


Isn't paying through a VPN a rather different matter to paying for a VPN? I mean, there's no point to using a privacy VPN to hide your identity only to then give out your credit card details, so it sounds like an inherently biased scenario.


If you are going to use a VPN to charge stolen credit cards, you sure aren't going to use a real credit card to purchase the VPN service, which could then be linked back to you.


That's true, but I don't see how that relates to the point.


Well I imagine it might go something like this:

Bad guy gets CC details

Uses stolen CC to sign up to VPN

Goes on a shopping spree via the VPN so law enforcement can't trace him

So you're going to see more use of VPNs by fraudsters trying to hide than you are genuine users... hence the ban.


I agree that some users use VPNs for credit card fraud. What I find hard to believe is that the majority of VPN users are committing credit card fraud. If nothing else, it would be difficult for VPNs to make a profit if they had that many chargebacks.


> What I find hard to believe is that the majority of VPN users are committing credit card fraud.

The problem isn't the majority. The problem is just a significant amount. Keep in mind how low the chargeback rates need to be to avoid serious penalties. Also, keep in mind the number of people isn't the issue, but it's the number of fraudulent transactions that occur. One person can attempt many.

It's an attack vector, and one person can cause problems for many, many customers.


Additionally, while a legitimate VPN user most likely will only need one VPN, someone interested in committing fraud may want many. The relevant metric is not the number of users, but the number of accounts.


You seem to be reading more into my comment than I put into it. I'm not saying anything more than I find the original assertion that the majority of VPN users use stolen credit cards to be unlikely.


Well you did draw the conclusion that it was a "bold claim" without evidence...

The phrase "bold claim" is usually reserved for cases where the claim seems unlikely.


Claiming that VPNs have more people signing up with stolen credit cards than their own credit cards seems rather unlikely to me. The penalty fees on the resulting chargebacks would make it difficult to make a profit, particularly on a service that competes on price in an increasingly crowded marketplace.


Ah, now I see our problem.

As I see it there are three main customer groups for VPNs; people using it to circumvent copyright protections (either location based or outright theft), tech savvy people who want privacy, and bad guys.

The original said more bad guys than tech savvy people, I assumed that excluded copyright circumventors (the largest group) and you assumed they were included.


You mean that you assumed "tech savvy people" excluded copyright circumventors, while I assumed it did?


I would say that any claim is bold if it is surprising or apparently important, and is not covered by multiple mainstream sources.

Examples are claims of majority (a majority of people are suffering from sickness A, B, or C), or claims of superiority (my car is the fastest in the world).


You could easily extend that claim to ISPs as well.


My credit card was once stolen and used to sign up for a VPN.


Bad luck, but this is only an anecdote, thus hardly any sort of evidence.


The problem is that the only people with data are the Credit Card companies and the VPN providers, and they both have dogs in this fight. We wouldn't believe the numbers they released, if they released numbers, which they probably won't...

So we're left with anecdote and personal opinions to base our decisions on. There's plenty of opinion in this thread - a few anecdotes won't hurt.


fraudulent purchases -> chargebacks

Chargebacks are bad for the VPN company. They cost $15 each.

Even if they cost nothing, a high ratio of chargebacks is not in the best interest of the credit card companies, who are at the top of the value chain. So chargebacks are bad for anybody along the chain.


"Chargeback risk" is the only theory on the table, isn't it?


iPredator are associated with the Pirate Bay, which is another theory as to why they've been targeted in particular.


Some anecdotal support: I use a US VPN provider when outside the US to access geo-restricted sites. I've had the account for two years with monthly auto-payment via Visa and never had an issue.

The fraud detection team at my bank called me last week to confirm the renewal payment was genuine. The same payment has been occurring every month for two years without issue, so it seems likely something has been tweaked within their detection algorithm.


"the people signing up for them are more often "bad guys" than tech professionals looking for privacy"

I think this is always a bad argument to make. By that same logic they'd be banning all torrent sites, too, and a lot of other stuff, possibly even Bitcoin.

I think these VPN's should sue Mastercard and Visa, just like Wikileaks did, and won. They can't just decide "who is the bad guy" and ban them.


If torrent sites and bitcoin accepted credit card payments, and a significant fraction of those payments involved stolen credit/debit cards (significantly harming the true owners of those cards even with liability protection), merchant account providers should have the right to not do business with them either.


"Keep in mind that this is about chargeback risk"

Please post source for this. As far as I know Visa and Mastercard have not made any statements and outlined any possible reasons for this action yet.


While I don't doubt that there are bad guys who are paying for anonymizing VPNs, I wonder to what extent this is a majority.

I know around ten people, who are technically-adept (but not techies), who are using VPNs for Netflix, BBC iPlayer, Hulu, sporting events, etc... In many cases they are "paying to pay" for these services.

Hackers, crackers, carders, and script kiddies can pretty easily get access by compromising insecure hosting accounts or remote Windows machines in the desired location.


Usually they have lower chargeback cutout rate and higher fines. If the provider keeps customers within provided limits why not keep the service running?


As a westerner working a tech job in China this is honestly a bad trend.

How am I possibly going to live without access to Facebook?


It's easy – all you need is a standard webserver (any VPS will do, check out Low End Box [1] or just use Digital Ocean [2]) and that's it. No need to install or maintain any kind of VPN or proxy software. Just use the following command to connect to your fresh server:

    ssh -D 8080 username@ipaddress

That will establish a local SOCKS proxy which you can configure your browser (or any other application that supports proxies) to use, with localhost as the address and 8080 as the port.

The biggest difference to a VPN is that you need to separately configure every application to use the local proxy – otherwise, everything sent over the local proxy is encrypted and securely transferred (thanks to the SSH protocol) just like with a VPN.

Of course, you can also install a VPN server if you want, but that's probably a bit more complicated.

[1]: http://www.lowendbox.com/ [2]: https://www.digitalocean.com/


Set up your own VPN.


Run squid on a VPS outside of China and use ssh port forwarding to access it. In my experience this works better than VPNs while in China, since the latter somewhat recently began to be targeted by the GFW.


This is the obvious answer for people with the technical skill to maintain a VPN server but what about everybody else?


Really, we've all been spoiled by credit cards. Checks, money orders, wire transfers, and even cash, all still work.

And while I'm not aware of a properly turn-key solution for a VPN server, it should hardly be an epic undertaking to create one. Setting up a Linode account and running a StackScript is simple enough even for mostly-clueless people.


Using sshuttle[1] you don't even need to set up a VPN, just get a VPS and run a simple command on your client machine to connect.

[1] https://github.com/apenwarr/sshuttle


You could always connect to a Lahana[1] node for emergency situations. It's not as quick as a normal VPN and you shouldn't run a torrent client through it, but it works.

[1] - http://lahana.dreamcats.org/


Pay someone who has the skill?


As there is nothing remotely illegal or even nefarious about using a VPN, one can assume we've gone over the falls.

The United States and its financial system exist to serve the interests of some truly disgusting people.


> As there is nothing remotely illegal or even nefarious about using a VPN

There's a reason every risk scoring tool for e-commerce highly weighs whether the connection is from a VPN or other type of proxy. Using a VPN is not illegal or nefarious, but public anonymizing VPNs (as opposed to private VPN-into-the-company-network VPNs) are used for illegal and nefarious purposes to a huge degree. The volume of fraud occurring through them is measured in billions of dollars a year.


(Responding because I saw you were instantly downvoted, even though you provided factual information.)

Absolutely correct. Fraud scoring systems are heuristic. Your fraud score is positively and negatively correlated with a large number of behaviors, almost all of which are benign by themselves, but in aggregate can be used to predict fraudulent behavior.
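The heuristic aggregation described in this comment, and the concrete rules an earlier commenter gave (card from Ohio but IP from Russia, one device attempting dozens of transactions in two days, traffic arriving from an anonymizing VPN), can be shown as a small rules engine. This is an added example, not code from the thread or from any real processor; the weights, thresholds, geolocation table and anonymizer netblocks are all constructed.

```python
"""Toy fraud-risk rules engine. Each signal is benign on its own; the aggregate
score is what drives the allow / review / deny decision. Every IP range, country
and transaction below is constructed sample data, not real geolocation."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed lookup tables (documentation-range addresses, not real netblocks).
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
ANONYMIZER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Illustrative weights; a real engine tunes these against labelled chargeback history.
W_GEO_MISMATCH = 40
W_ANONYMIZER = 25
W_DEVICE_VELOCITY = 50
VELOCITY_LIMIT = 5                 # attempts per device fingerprint in the window
VELOCITY_WINDOW = timedelta(days=2)
REVIEW_AT, DENY_AT = 40, 70


def decision_for(score: int) -> str:
    if score >= DENY_AT:
        return "deny"
    if score >= REVIEW_AT:
        return "review"
    return "allow"


@dataclass
class Txn:
    ts: datetime
    card_country: str        # billing country on the card
    ip: str                  # client address seen by the merchant
    device_id: str           # passive device fingerprint


@dataclass
class RiskEngine:
    # Per-device history of attempt timestamps, used for velocity checks.
    seen: dict[str, list[datetime]] = field(default_factory=lambda: defaultdict(list))

    def score(self, t: Txn) -> tuple[int, list[str]]:
        score, reasons = 0, []
        addr = ipaddress.ip_address(t.ip)
        ip_country = next((c for net, c in GEOIP.items() if addr in net), None)

        if ip_country is not None and ip_country != t.card_country:
            score += W_GEO_MISMATCH
            reasons.append(f"geo mismatch card={t.card_country} ip={ip_country}")
        if any(addr in net for net in ANONYMIZER_NETS):
            score += W_ANONYMIZER
            reasons.append("egress from known anonymizer netblock")

        # Record this attempt, then count same-device attempts inside the window.
        history = self.seen[t.device_id]
        history.append(t.ts)
        recent = [x for x in history if t.ts - x <= VELOCITY_WINDOW]
        if len(recent) > VELOCITY_LIMIT:
            score += W_DEVICE_VELOCITY
            reasons.append(f"device {t.device_id}: {len(recent)} attempts in window")
        return score, reasons

    def decide(self, t: Txn) -> str:
        return decision_for(self.score(t)[0])


def demo() -> list[str]:
    """Run constructed transactions through one engine; returns the decisions."""
    eng = RiskEngine()
    t0 = datetime(2013, 7, 3, 12, 0, 0)
    out = []
    # Ordinary US cardholder from a US address: nothing fires.
    out.append(eng.decide(Txn(t0, "US", "198.51.100.7", "dev-a")))
    # US card, Russian address: the geo mismatch alone sends it to review.
    out.append(eng.decide(Txn(t0, "US", "203.0.113.9", "dev-b")))
    # US card through an anonymizer that geolocates as US: a single weak signal, allowed.
    out.append(eng.decide(Txn(t0, "US", "192.0.2.5", "dev-c")))
    # One fingerprint cycling cards through the anonymizer: velocity tips it to deny.
    last = "allow"
    for i in range(6):
        last = eng.decide(Txn(t0 + timedelta(hours=i), "US", "192.0.2.5", "dev-d"))
    out.append(last)
    return out


if __name__ == "__main__":
    print(demo())
```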


And this sudden change in the state of affairs would explain why Payson "was complying with an urgent requirement from Visa and Mastercard to stop accepting payments for VPN services" with a two day window?

Or are you addressing some other issue?


Any references on "The volume of fraud occurring through them is measured in billions of dollars a year."?


It sounds to me like you're confusing two very different things - paying for a VPN for the sake of privacy confused with using a VPN to make purchases.


Yes, but might the people using VPNs to make fraudulent purchases not use fraudulent details to buy the VPN in the first place?


I so fucking hope you are overreacting, but I fear that you are not.


No need for the aggressive tone. And you're overreacting just as much to his/her reply.


I don't think either of them sounded like they were overreacting, damnit!


And this is why technical solutions on their own are not enough. They'll just keep restricting and banning technologies they feel are too dangerous to their interests, whether by the legislature or the courts or by hitting up the payment processors themselves. Whether it's ITAR or SOPA or PIPA or ACTA or TPP, the net effect is the same.

Political action must be taken. All of the forward secrecy and TLS and onion routing and steganography and PGP and AES in the world counts for nothing if they'll just declare such technologies illegal and harass the users.


This is why the key is to make these types of services ubiquitous..... if everyone is using them for everything, then it becomes more difficult to infer anything from their use.


You can't infer anything from VPN use, and it's one of the most ubiquitous communications-security tools already.


You can infer a great deal with VPN usage combined with other things, this is what risk assessment is all about.


Agreed AspensMonster, we need to support politicians who support our liberties.


As someone who used to live in a place where using a pay VPN service was the simplest solution to access sites like wikipedia or even gmail (this one was not blocked all the time though), this news does not feel really good.

This said, most of my friends there have moved on to using some VPSs for that long ago, and so do I, when I go there to see them.

Bitcoin sounds helpful for the ones not willing to use those methods, but for how long?


I'm in the same boat - thankfully I'm signed up for a year... but not being able to renew easily sounds like it could become a PITA.

I've tried using AWS + OpenVPN in the past, but really life is too short to maintain your own VPN service (especially dealing with mutating firewalls).


I know many services block or negatively rate connections coming from hosting providers. Personally we see that most of the spam attempts are via cheap VPSs. I'm not sure if they actually hack these or simply just purchase a $9/month host, install VPN, and go to work on spam.

Our system keeps track of all netblocks and the companies they belong to and we classify those so our site can take action accordingly. Normally we just alert mods if a new user is created or a new first post is placed by a user originating from one of these hosting companies so it can be checked. Banning access totally from these would alleviate some work. My personal experience has been that access to my site via VPN services or IPs belonging to hosting providers is mostly spammers.

I think that eventually everything will go anonymous and that will make it much harder to detect and filter spam/fraud. It's going to take smarter tools and changes on sites to detect spam/fraud by usage patterns instead of source. The sad part is that these changes will affect all legit users negatively in order to try to prevent the few bad apples.


This is exactly the problem with monopolised payment systems. There is absolutely no due process in these decisions. These large corporations can change their so called 'policies' to financially cripple entities that they do not agree with. And it seems the burden of proof falls to the party that has been banned, which is absolutely ridiculous.


Or they got burned on chargeback rates the same way porn sites did in the 90's. In which case, any payment system that offers chargebacks likely would make the same call. Now digital currencies (which don't have chargebacks typically) would solve that problem, but the lack of a mainstream one of those is not clearly the result of a monopoly.

It makes little sense that the US gov had these guys banned because they were anonymous since they aren't. Mounting traffic correlation attacks against a VPN is trivial if you see everything going in and out (same for Tor). Maybe the RIAA and MPAA had enough clout to do it, but why not usenet providers as well?


Using a random Wifi hotspot when traveling is an act of insanity without a VPN. There are some bad guys that use VPNs, but so do many affluent, tech-savvy business travelers. This group, which is highly coveted by Visa/MC, will now be introduced to and eventually become comfortable with Bitcoin. It's like Visa had an all-hands meeting to come up with the best way to drive their target customers to alternative payment methods.


Well, I agree with your first point, but I think you're overstating both the carrot and the stick of the alternative. The corporate users have company VPNs; the solo road warriors / lean startups can (already do) rent a cheap VPS for tunnel egress. And whatever your personal view, Bitcoin still sounds like snake oil to most people.


Bitcoin + https://www.privateinternetaccess.com.

What's a credit card?


VPNs are unique in providing translation from a dynamic IPv4, to multiple static IPv4. Since most ISPs won't give out enough static IPv4 addresses, if you want to run private servers at home then a VPN is more or less the only way.

Dynamic DNS can be used for a singular server, though how reliable depends on the TTL and how accepting other DNS resolvers are in accepting low TTLs (which in practice some aren't). However, if you are behind NAT, VPN is truly the only option for home servers.


Many ISPs forbid running servers on residential connections. So it could even be intentional.


Does anyone have a list of VPNs banned thus far? I run a proxy provider right now, and am branching into VPNs in the coming months. But I will be actively filtering against torrent traffic since it seems to be such an attractor of negative attention. I wonder if these bans apply mostly to torrent-marketed providers?

Also, is it possible they were banned for other reasons? Eg high chargeback ratios? I can tell you from experience that chargeback ratios in the anonymization industry are very high, for obvious reasons.


I spoke to a friend that owns and operates a VPN service and he says it is only iPredator at the moment, and that is conveniently left out of the torrentfreak article. To me it looks like MasterCard is just targeting the pirate bay peeps.


Looks like there is a non-trivial opportunity for a VPN service that accepts bitcoins.


Several already do. The issue is that getting bitcoins for the average web user is a non-trivial exercise.


I hope this pushes for stronger Bitcoin adoption!


Bitcoin is going to be more popular but we still have to fight for it.


Well it was only a matter of time. They don't give a damn about the actual law (also looking at the Wikileaks case), they are just better off when nobody is anonymous. More Tor exit relays, anyone?


I think this is a bit weird. I can understand the credit card providers not accepting payments coming from a known vpn, but stopping people from signing up for a vpn is a bit nefarious.


Somewhat OT. What is a good way to use a VPN (not the sort of VPN connecting two networks which I have done before)? Can I configure my router (or buy a router that supports this) so that all traffic leaving my house appears as though it is coming from the VPN?

I realise I can just search for VPN providers, but I am interested in what is considered the best/easiest/cheapest solution.


We covered this a couple weeks ago (https://news.ycombinator.com/item?id=5914402); it's generally a lost cause to do all your VPNing on your home router due to low CPU power on those devices.

Having a VPN configured and available on all of your devices makes it easy to use on a whim, probably the best thing for your privacy.


I guess that means they work, which is one good thing to come out of this (assuming some are still left).


Well no shit, the credit card companies are controlled by the banking cartels. These are the same companies in charge of the US Federal Reserve and various global private central banks. VPNs and crypto-currency are a huge threat to these institutions.


Article has been corrected. The problem was with the acquiring bank.


If a larger percentage of (normal) people used VPNs then this would change; VPNs would be scored as a closer to normal factor in calculating fraud risk.


You morons. Visa and mastercard are doing you a favor.

Who would pay an anonymizing service with credit card?!


VPNs aren't just used for anonymizing, connecting to public/untrusted WiFi for example.


Is it just me or is everyone getting the impossible to dismiss popup covering the story?


This is a danger in privatized money, which credit cards are essentially becoming.


Bitcoin users not affected. As always.


You may give https://mullvad.net a try:

- You can pay cash

- They're based in Europe



