I’m forced to upload a picture of my credit card to create an account to verify yet, you’ve already charged my credit card? That doesn’t seem right. Why force a user to upload an image of their credit card to a random support request form and not a secure system protecting this sensitive data at rest? Why so 1999? Did I possibly get scammed or tricked somehow into uploading my CC?
You hit the nail on the head when you said “Why so 1999?”
You are not the first to come to this forum questioning this policy/procedure. I certainly hope that you ARE THE LAST.
This is a Dreamhost policy that I simply would not be able to comply with if they asked me to follow this proceedure. If that meant my account got cancelled then I would need to find another company to give my money.
Granted I don’t process GLOBAL credit card payments, nor do I pretend to know what Banks/Credit Card companies from countries other than the USA ask for during dispute resolution. I can tell you this tho, NONE of the major Credit Card companies in the USA (Chase, Citi, Discover, AMEX, etc) would ever ask the Internet/Mail order Vendor (Dreamhost) for a copy of the customers card. Further, if you called Customer Service at any of those credit card companies and asked if you should comply with Dreamhosts photo/scan request they would likely tell you no. This is too far outside the box in 2017.
Additionally, regarding my current most often used account, the card itself is unconventional in appearance and doesn’t resemble a traditional credit card. A picture or scan of that card would likely be called a forgery.
In 1999, this procedure may have been a valid confirmation method. The world has moved onward tho, and in 2017 it’s a security risk.
Is the average consumer (even those paying for web hosting services) capable of determining whether an upload form is Secure? And causes the image to be uploaded in a secure manner?
Once the image has arrived at Dreamhost, who has access? How is it stored? Is it, or can it be, printed at anytime? Are employee’s, contractors, agents etc that are NOT supposed to have access really able to see or access the information anyway? If it were printed at any point can we be assured that it was shredded, or will it be stored in a file and later just thrown out with 1000’s of others.
Yes I do feel differently about information that is submitted on a secure form and stored in secure format in a database. Why? Those accesses are logged in some form. Also software today is generally constructed in a manner that even customer service personal may not be able to retrieve ‘all’ the information. In any case, the information is more likely not to be treated in an unlogged and unsecure manner (such left in plain view on someone desk when they leave to use the restroom, or tossed in the trash can for the janitor at the end of the day).
Regarding a related matter, in 1999 I understood how and why Dreamhost would go to such extremes regarding flagging registrations for manual verification and approval. In those days neither the credit card companies nor consumers were prepared for 100% automated processing of an online transaction. We’ve come a long way since then. Consumers are far more savvy and credit card companies approval algorithms are capable logic that doesn’t cause a misplaced capital letter to bounce the transaction.
Some recent examples of how other companies might handle:
I recently had to phone a company regarding an order I was having trouble placing via that companies website. The agent that assisted me figured out quickly where I had gone astray, I almost said “Thank You I can take it from here” to avoid having to read a credit card number out loud on a phone call that might be written down on scratch paper. However when we got to the payment portion of the call, the agent instead said “Please check your email for a payment link.” Once I confirmed I had the link the agent said “I’ll check your order later in the day, if it’s not completed may I call you?”
In another case, I called a company that had a rather archaic online order form. It consisted of print the PDF, fill it out and Mail/fax/scan-email etc. I wasn’t as concerned in this case because the card I would be using was less used, had a low limit and was issued in a company name. However even tho that companies online form may have been out of date there call in procedure was much better. My initial question was “If I want to place an order to be delivered to 14 different hotel rooms do I need to send the order form in 14 times or can I somehow do that on one form?” He in fact told me it was 14 orders. He also advised me it would be faster more and more efficient to do “that” as a phone order, but added that he wouldn’t be able to write down my credit card number so I would need to give him that 14 times. To make a long story shorter, he did make notes on his end regarding the common elements, he was very quick and efficient getting the orders placed, I did read CC info to him 14 times. By the end of the call I did find out he was anxious to enter the orders (rather than have me send in a pdf) because of productivity metrics and commission. It stuck out tho that this call center employee was prohibited from “writing down” my card number even temporarily.
What does Dreamhost need to do? Stop automatically bouncing users to a manual approval queue. Manual approval is a second topic, but it’s related. Instead the customer should be declined and given a chance at that point to edit information and re-submit ONCE, If declined the second time they should be given the opportunity to join a customer service queue. They should be given the clear expectation at that point that the manual queue is only serviced during GMT-8 business hours Monday thru Friday.
In 2017 there should be no need for a customer to come to this forum with either of the following complaints:
When will my manual approval be approved? (regardless of workflow, that expectation should be correctly set at the time the customer is placed in a human queue.)
Why do I have to send you a picture of my credit card? (No, just no.)
Hi there, unfortunately sometimes it happens that a new account gets flagged as suspect and needs to be investigated manually. The email message asks you to send a picture of your credit card with the central numbers obfuscated. You can send that to the email address firstname.lastname@example.org, with that obfuscation. The charges you have received are part of the verification process: you should see a charge and a refund, too of about $1 each.
Check the headers of the email with the instructions you received to make sure it was sent from the dreamhost.com domain.
I agree with you that this process is scary and may give wrong impressions. Let’s clear a couple of doubts and move on to finding solutions.
The whole process is managed by a close set of people in the Abuse team. They’re trained specifically to deal with delicate issues, from credit card frauds to legal issues, law enforcement investigations, privacy, etc. They have tools and queues that cannot be accessed by the rest of the support team, their processes isolate them from others in the company. For example, this team handles the requests from the DOJ that you saw in the news recently. They’re professionals. When a new account or a credit card gets flagged, this team handles the issue.
The partial-images of credit cards are handled by this team with the highest level of confidentiality, with the same tools and processes that handle the requests from DOJ, police officials, etc. Access to those tools is restricted to a small set of highly trained employees and logged.
This manual verification of credit cards is required to prevent a scenario where someone registers with a stolen credit card, starts thousands of virtual machines on DreamCompute to launch a DDoS or some spam operation. Or someone could register hundreds of domain names with a stolen card: DreamHost has to pay for the names to be registered when they’re ordered and if the card payment bounces, we’re stuck with that bill.
Think about it: it takes 5 seconds to start a VM in DreamCompute and the accounts are charged at the end of the month. If the card reveals to be invalid, DreamHost is left with the bill and the damaged reputation of spam/DDoS from its network.
This is not just part of the cost of doing business: for hosting providers abuses are more damaging than in the real world. Internet thieves are rarely punished, there is a lot of scum every second trying to do illegal stuff and they rarely get caught. Lots of crime, almost no punishment.
Not sure this would help. There are many reasons for an account to be flagged: the system works a little like a bayesian filter, with points assigned to things that seem suspect. Like an country of residence different from the country of the credit card, the use of VPN or TOR exit to connect… Things like these add points and when a threshold is reached, the account gets flagged for manual check.
Agreed. This is a simple and fair request. I’ll create a ticket.
This is something I tend to agree with you but every time I bring this up with the colleagues of the Abuse team reply saying that first, it’s not the whole credit card that they request but the middle numbers obfuscated. Plus they add all the things that I said above (the tools are secure, the image is not seen by anybody, it’s encrypted in transit and at rest, etc). I still think that’s too much work and annoying but I don’t have a better option to suggest.
Do you? If you can think of another way to quickly get a guarantee that a credit card really exists in the hands of the customer, and it’s not a stolen number I’ll gladly restart the conversation with my colleagues.
I admit, I had forgotten the request instructed the user to obfuscate the middle digits. However, submitting via insecure email is ridiculous again, if the email is stolen,intercepted,misdirected,copied etc it might for example result in the user receiving a phishing type email reply from an official looking address, “Thanks for your submission, This is the happy Dreamhost verification bot emailing to complete your transaction instantly. Please reply to this email, sending the middle digits of the card number on the first line of the email with no other information and the system will approval instantly, Thanks, The Happy Dreamhost Verifications bot” of course the email is not from anybody or anybot at dreamhost but the emails might appear to be from something like email@example.com Far Fetched? maybe, maybe not… we don’t know what the hackers of the world specialize in, they certainly like to phish, maybe they know how to sniffout emails to verifications@ dreamhost.com
A better solution for submission of course would be a secure upload page. Perhaps within the dreamhost panel and only visible for a certain account status. This give dreamhost the chance to brag about security and transparency, and make the statement that the image will be uploaded and stored in secure form in a database with only logged access and available only to the abuse team and will be destroyed after _____ (or retained until_____).
Domain name registrations of course shouldn’t be processed for ANY account until payment has cleared. If a new user can really register hundreds of domain names then stop that, after a threshold is reached make the account age before they can register more, [or more workflow options, I’ll omit for now for brevity but I have extensions to this idea.]
As far as the DreamCompute scenario goes it might be solved with a New Customer Promotion:
Basic Account, Billed monthly for actual usage. Setup fee today $15.00.
New Customers can also choose:
Pay $10.00 today, Setup fee waived, receive a $25.00 account credit that will be applied to any DreamCompute usage balances. A $40.00 Value!
Pay 25.00 today, Setup fee waived, receive a $50.00 account credit that will be applied to any DreamCompute usage balances.
Note: Domain Registration balances must be paid separately at the time of registration, and are not included in this promotion.
Don’t offer bigger options for new accounts. This leaves the opportunity to offer later, “Thank you for being a continued customer” Pre-paid Discount later. I.E. Give the customer a customized anniversary offer… after 6 months, "Hi over the past 6 months your dreamcompute charges averaged $XX, Pre-pay $YY Today (or within the next 10 days), and we will credit your account $ZZ in DreamCompute dollars.
And then on the annual anniversary entice the customer to pay a year in advance based on past usage with another pre-paid discount.
I confused my explanation by including a poor exception. The point I was trying to make: payment decline becomes a hard stop point in the workflow. Your Payment was Declined by your card issuer." No Automatic appeal process/manual approval queue.
“Normally we would advise you to contact your card issuer and ask them why they declined this transaction, if however you believe our assistance is needed please fill out this form below and tell us why. Our Security and Abuse team will get back to you during normal office hours. Monday Thru Friday xx:AM to yy:PM PST (GMT-8)”
Request whatever on the form and give them a nice big freeform box to explain the problem. Then give them a Case number and an estimation when the ticket will reach the top of the queue. “Thanks for your submission this will be forwarded to our Security and Abuse team, based on the number of tickets currently ahead of yours in the queue for that team we estimate your ticket should be reviewed no later than ____ on ___day.”
Show the ticket and it’s status in the panel.
If it’s submitted via email, it’s not encrypted in transit.
It should be included as a file upload box box a page in the panel visible to accounts in a particular status. (including a file upload option, or a pic selection tool from a mobile device.)
Pre-pay discounts. There is no ambiguity that there will be a charge collected today. No need for the $1.00 that might fail because the new customer doesn’t think they owe anything today.
Also I’ve argued this point before on this topic: Give me photoshop, a scanner, and 10 minutes I can make a fake card for this scenario. If I’m a scammer, this isn’t my first rodeo with dreamhost, so I might have a whole photoshop library of card images and digits ready to cut and paste.
A structure such as identified above should severally cut down on the number of appeals filed (that function is currently called “mnaual approval”). If a scammer knows it’s a stolen card they aren’t going to bother to submit the appeal, then dreamhost can track what they do next (or try to do next). etc
I used to work at a bank and occasionally got this question—should I send a copy of my debit/credit card? And the answer was always no, even with the central numbers obfuscated.
To be fair, I did the math. If you obfuscated the central 8 digits, and then tried to guess what they were, assuming you were guessing a combination a second, it would only take 11.57 days to guess every single combination. Now try a computer that can guess several thousand a second, and it wouldn’t take long to figure out what the entire debit/credit card number was. (Remember, we are only working with digits, not the full set of ASCII characters we could use in a password.)
I’ve done some research and a lot of people point out that most banks provide some sort of fraud protection, but it’s worth reading the fine print. I doubt that most of them will not cover any kind of fraud that arises from your emailing pictures of your plastic to unknown entities. As LakeRat pointed out, email is inherently insecure.
That, in and of itself, means it’s a bad business practice. If I asked for a seat in a restaurant, and the waiter casually mentioned that they may or may not have had issues with a salmonella outbreak, I would quickly leave, without eating and without explanation.
I get that DH is trying to protect itself. I also get that it’s not going to reveal too many details of how this filter works. But I’m not going to expose myself to risk just so that DH can protect itself.
Does it oversimplify matters to suggest that DreamHost do what other online retailers do? I’ve ordered from companies both in the United States and abroad, and have never been asked for a scan of my debit/credit card. Is there an industry association of hosting providers that DH belongs to that could provide guidance or insight into this matter? Does the company that handles DH’s processing of debit/credit cards have any suggestions for ways to make the system more secure without asking for this information?
Also, given the scenarios mentioned above, would it not make sense to simply limit the number of domains that can be registered at once? I can’t think of any reason why someone would need to register dozens, much less hundreds, of domains at a time. Most new customers would want to start by registering a single domain anyway.
I know some crafty teenagers that only need an iPhone and 60 seconds.
Again, email is inherently insecure. Even assuming we can trust everyone who works on the abuse teams (and that there are no disgruntled employees in the making—hey, it happens), emailing scans of your debit/credit card is little better than posting pictures of them on Twitter.
I am in complete agreement with LakeRat here.
I will be moving soon, and so my address will be changing. I certainly hope I don’t get caught up in this procedure.
I gotta throw my hat into the ring on this as well, since I just opened a fastcomet account without any of the drama a few minutes after dreamhost popped this ‘bizarre picture of your card’ request on me, too. (Cheaper too but that is besides the point)
First point, my charge went right through. So the card was fine. I have had zero chargebacks or fraud of any kind on any of my cards.
Second point, and perhaps most importantly, Dreamhost uses some BS excuse that potential fraudulent use happening very quickly. Neither AWS nor Heroku nor Sendgrid have ever asked me for a picture of my card, and the threshold for abuse by a bad actor at ANY one of those online services is at least as great. That’s pretty solid proof a priori that Dreamhost is doing it wrong. And. Just. Doesn’t. Care.
Third, the “trust us your card picture is safe” is exactly what that nice Nigerian prince we’ve all gotten those emails from would say. It’s just words, with zero evidence or third party verification to back them up.
If Dreamhost actually gave a toot, they would a) active the account, b) place some limits on what you can do until N days elapse. If they limited instances to 2 and domains to 1, and PERHAPS asked for more verification IF you needed more in less than 60 days, poof! Problem solved for the average user who just wants to get a first wordpress site up and running.
But they obviously don’t care about making such a bizarre imposition on people because they have not implemented the pretty obvious solution (above) after at least 11 years of complaints.