Ban me at the IP level if you don't like me

Why stop there? Just block all non-US IPs!

If it works for my health insurance company, essentially all streaming services (including not even being able to cancel service from abroad), and many banks, it’ll work for you as well.

Surely bad actors wouldn’t use VPNs or botnets, and your customers never travel abroad?

Don't care, works fine for us.

And across the water, my wife has banned US IP addresses from her online shop once or twice. She runs a small business making products that don't travel well, and would cost a lot to ship to the US. It's a huge country with many people. Answering pointless queries, saying "No, I can't do that" in 50 different ways and eventually dealing with negative reviews from people you've never sold to and possibly even never talked to... Much easier to mass block. I call it network segmentation. She's also blocked all of Asia, Africa, Australia and half of Europe.

The blocks don't stay in place forever, just a few months.

I'm not precisely sure the point you're trying to make.

In my experience running rather lowish traffic(thousands hits a day) sites, doing just that brought every single annoyance from thousands per day to zero.

Yes, people -can- easily get around it via various listed methods, but don't seem to actually do that unless you're a high value target.

Google Shopping might be to blame here, and I don't at all blame the response.

I say that because I can't count how many times Google has taken me to a foreign site that either doesn't even ship to the US, or doesn't say one way or another and treat me like a crazy person for asking.

And that's perfectly fine. Nothing is completely bulletproof anyway. If you manage to get rid of 90% of the problem then that's a good thing.

As long as your customer base never travels and needs support, sure, I guess.

The only way of communicating with such companies are chargebacks through my bank (which always at least has a phone number reachable from abroad), so I’d make sure to account for these.

The percentage of US trips abroad which are to China must be minuscule, and I bet nobody in the US regularly uses a VPN to get a Chinese IP address. So blocking Chinese IP addresses is probably going to have a small impact on US customers. Blocking all abroad IP addresses, on the other hand, would impact people who just travel abroad or use VPNs. Not sure what your point is or why you're comparing these two things.

And if your competitor manages to do so without annoying the part of their customer base that occasionally leaves the country, everybody wins!

If you are traveling without a vpn then you are asking for trouble

You think all streaming services have banned non US IPs? What world do you live in?

It definitely works, since you’re externalizing your annoyance to people you literally won’t ever hear from because you blanket banned them based. Most of them will just think your site is broken.

Yes, and I’m arguing that that’s due to companies engaging in silly pseudo-security. I wish that would stop.

Chargebacks aren't the panacea you're used to outside the US, so that's a non-issue.

This is based on personal experience. At least two did not let me unsubscribe from abroad in the past.

It is not silly pseudo-security, it is economics. Ban Chinese, lower your costs while not losing any revenue. It is capitalism working as intended.

Not letting you unsubscribe and blocking your IP are very different things.

There are some that do not provide services in most countries but Netflix, Disney, paramount are pretty much global operations.

HBO and peacock might not be available in Europe but I am guessing they are in Canada.

Fair point, that's something to consider.

In Europe we have all of them, with only few movies unavailable or additionally paid occasionally. Netflix, Disney, HBO, Prime and others work fine.

Funny to see how narrow perspective some people have…

It seems to be a choice they’re making with their eyes open. If folks running a storefront don’t want to associate with you, it’s not personal in that context. It’s business.

I think a lot of services end up sending you to a sort of generic "not in your country yet!" landing page in an awkward way that can make it hard to "just" get to your account page to do this kind of stuff.

Netflix doesn't have this issue but I've seen services that seem to make it tough. Though sometimes that's just a phone call away.

Though OTOH whining about this and knowing about VPNs and then complaining about the theoretical non-VPN-knower-but-having-subscriptions-to-cancel-and-is-allergic-to-phone-calls-or-calling-their-bank persona... like sure they exist but are we talking about any significant number of people here?

Okay, but this causes me about 90% of my major annoyances. Seriously. It’s almost always these stupid country restrictions.

I was in UK. I wanted to buy a movie ticket there. Fuck me, because I have an Austrian ip address, because modern mobile backends pass your traffic through your home mobile operator. So I tried to use a VPN. Fuck me, VPN endpoints are blocked also.

I wanted to buy a Belgian train ticket still from home. Cloudflare fuck me, because I’m too suspicious as a foreigner. It broke their whole API access, which was used by their site.

I wanted to order something while I was in America at my friend’s place. Fuck me of course. Not just my IP was problematic, but my phone number too. And of course my bank card… and I just wanted to order a pizza.

The most annoying is when your fucking app is restricted to your stupid country, and I should use it because your app is a public transport app. Lovely.

And of course, there was that time when I moved to an other country… pointless country restrictions everywhere… they really helped.

I remember the times when the saying was that the checkout process should be as frictionless as possible. That sentiment is long gone.

Won't help: I get scans and script kiddy hack attempts from digital ocean, microsoft cloud (azure, stretchoid.com), google cloud, aws, and lately "hostpapa" via its 'IP colocation service'. Ofc it is instant fail-to-ban (it is not that hard to perform a basic email delivery to an existing account...).

Traffic should be "privatize" as much as possible between IPv6 addresses (because you still have 'scanners' doing the whole internet all the time... "the nice guys scanning the whole internet for your protection... never to sell any scan data ofc).

Public IP services are done for: going to be hell whatever you do.

The right answer seems significantly big 'security and availability teams' with open and super simple internet standards. Yep the javascript internet has to go away and the app private protocols have too. No more whatng cartel web engine, or the worst: closed network protocols for "apps".

And the most important: hardcore protocol simplicity, but doing a good enough job. It is common sense, but the planned obsolescence and kludgy bloat lovers won't let you...

Only if your bank isn't competent in using them.

Visa/Mastercard chargeback rules largely apply worldwide (with some regional exceptions, but much less than many banks would make you believe).

> Not letting you unsubscribe and blocking your IP are very different things.

How so? They did not let me unsubscribe via blocking my IP.

Instead of being able to access at least my account (if not the streaming service itself, which I get – copyright and all), I'd just see a full screen notice along the lines of "we are not available in your market, stay tuned".

Obligatory side note of "Europe is not a country".

In several European countries, there is no HBO since Sky has some kind of exclusive contract for their content there, and that's where I was accordingly unable to unsubscribe from an US HBO plan.

Not sure I'd call dumping externalities on a minority of your customer base without recourse "capitalism working as intended".

Capitalism is a means to an end, and allowable business practices are a two-way street between corporations and consumers, mediated by regulatory bodies and consumer protection agencies, at least in most functioning democracies.

No, outside the US, both Visa and Mastercard regularly side with the retailer/supplier. If you process a chargeback simply because a UK company blocks your IP, you will be denied.

> Why stop there? Just block all non-US IPs!

This is a perfectly good solution to many problems, if you are absolutely certain there is no conceivable way your service will be used from some regions.

> Surely bad actors wouldn’t use VPNs or botnets, and your customers never travel abroad?

Not a problem. Bad actors which are motivated enough to use VPNd or botnets are a different class of attacks that have different types of solutions. If you eliminate 95% of your problems with a single IP filter them you have no good argument to make against it.

The vpn is probably your problem there mate.

This. If someone wants to target you, they will target you. What this does is remove the noise and 90%+ of crap.

Basically the same thing as changing the ssh port on a public facing server, reduce the automated crap attacks.

In other words, a smart business practice.

One of requirements of Visa/Mastercard is for the customer to be able to contact merchant post-purchase.

Only via the original method of commerce. An online retailer who geoblocks users does not have to open the geoblock for users who move into the geoblocked regions.

I have first-hand experience, as I ran a company that geoblocked US users for legal reasons and successfully defended chargebacks by users who made transactions in the EU and disputed them from the US.

Chargebacks outside the US are a true arbitration process, not the rubberstamped refunds they are there.

Visa and Mastercard aren't even involved in most disputes. Almost all disputes are settled between issuing and acquiring bank, and the networks only step in after some back and forth if the two really can't figure out liability.

I've seen some European issuing banks completely misinterpret the dispute rules and as a result deny cardholder claims that other issuers won without any discussion.

> I wanted to order something while I was in America at my friend’s place. Fuck me of course. Not just my IP was problematic, but my phone number too.

Your mobile provider was routing you through Austria while in the US?

This isn't coming from nowhere though. China and Russia don't just randomly happen to have been assigned more bad actors online.

Due to frosty diplomatic relations, there is a deliberate policy to do fuck all to enforce complaints when they come from the west, and at least with Russia, this is used as a means of gray zone cyberwarfare.

China and Russia are being antisocial neighbors. Just like in real life, this does have ramifications for how you are treated.

Not OP, but as far as I know that's how it works, yeah.

When I was in China, using a Chinese SIM had half the internet inaccessible (because China). As I was flying out I swapped my SIM back to my North American one... and even within China I had fully unrestricted (though expensive) access to the entire internet.

I looked into it at the time (now that I had access to non-Chinese internet sites!) and forgot the technical details, but seems that this was how the mobile network works by design. Your provider is responsible for your traffic.

> if you are absolutely certain there is no conceivable way your service will be used from some regions.

This isn’t the bar you need to clear.

It’s “if you’re comfortable with people in some regions not being able to use your service.”

Oddly, my bank has no problem with non-US IPs, but my City's municipal payments site doesn't. I always think it's broken for a moment before realizing I have my VPN turned on.

> Visa and Mastercard aren't even involved in most disputes. Almost all disputes are settled between issuing and acquiring bank, and the networks only step in after some back and forth if the two really can't figure out liability.

Yes, the issuing and acquiring banks perform an arbitration process, and it's generally a very fair process.

We disputed every chargeback and post PSD2 SCA, we won almost all and had a 90%+ net recovery rate. Similar US businesses were lucky to hit 10% and were terrified of chargeback limits.

> I've seen some European issuing banks completely misinterpret the dispute rules and as a result deny cardholder claims that other issuers won without any discussion.

Are you sure? More likely, the vendor didn't dispute the successful chargebacks.

Maybe, but it doesn't change the fact, that no one is going to forbid me to ban IPs. Therefore I will ban IPs and IPs ranges because it is the cheapest solution.

Usually CC companies require email records (another way of communicating with a company) showing you attempted to resolve the problem but could not. I don’t think “I tried to visit the website that I bought X item from while in Africa and couldn’t get to it” is sufficient.

Worked great for us, but I had to turn it off. Why? Because the IP databases that the two services I was using are not accurate enough and some people in the US were being blocked as if they had a foreign IP address. It happened regularly enough I reluctantly had to turn it off and now I have to deal the non-stop hacking attempts on the website.

For the record, my website is a front end for a local-only business. Absolutely no reason for anyone outside the US to participate.

Moving a cost outside the business and then calling it improved margin is exactly what MBA school teaches and the market rewards.

I don’t use VPN generally, only in specific cases. For example, when I want to reach Australian news. Because of course, as a non Australian, I couldn’t care about local news. Or when American pages rather ban Europe than they would tell who they sell my data to.

Yes, newer backends for 4G and 5G networks work exactly that way.

I think you might be talking about "fraudulent transaction/cardholder does not recognize" disputes. Yes, when using 3DS (which is now much more common at least in Europe, due to often being required by regulation in the EU/EEA), these are much less likely to be won by the issuer.

But "merchant does not let me cancel" isn't a fraud dispute (and in fact would probably be lost by the issuing bank if raised as such). Those "non-fraudulent disagreement with the merchant disputes" work very similarly in the US and in Europe.

> Chargebacks outside the US are a true arbitration process, not the rubberstamped refunds they are there.

What's true is that in the US, the cardholder can often just say "I've never heard of that merchant", since 3DS is not really a thing, and generally merchants are relatively unlikely to have compelling evidence to the contrary.

But for all non-fraud disputes, they follow the same process.

Even 2G and 3G data roaming used to work that way.

If anything, the opposite behavior (i.e. getting a local or regional IP instead of one from your home network) is a relatively new development.

Sure, you can keep blocking IPs, and I'll keep arguing for a ban on IP country bans (at least for existing customers) :)

No, you're just wrong here. Merchant doesn't let me cancel will almost always be won by the vendor when they demonstrate that they do allow cancellations within the bounds of the law and contracts. I've won many of these in the EU, too (we actually never lost a dispute for non-compliance with card network rules, because we were _very_ compliant).

I can only assume you are from the US and are assuming your experience will generalise, but it simply does not. Like night and day. Most EU residents who try using chargebacks for illegitimate dispute resolution learn these lessons quickly, as there are far more card cancellations for "friendly fraud" than merchant account closures for excessive chargebacks in the EU - the polar opposite of the US.

As commented elsewhere, you're just wrong. It's a significant burden of proof for a cardholder to win a dispute for non-compliance with card network rules and it very rarely happens (outside of actual merchant fraud, which is much rarer in the EU).

Again, you're not aware of the reality outside the US.

At that point, I wonder if an online shop is even necessary. Just sell in-person.

"Visiting the website" is the method. It's nonsense to say that visiting from a different location is a different method. I don't care if you won those disputes, you did a bad thing and screwed over your customers.

They tried a VPN as a backup for one of those problems.

So no. It's not.

> Not letting you unsubscribe and blocking your IP are very different things.

When you posted this, what did you envision in your head for how they were prevented from unsubscribing, based on location, but not via IP blocking? I'm really curious.

> Visiting the website" is the method. It's nonsense to say that visiting from a different location is a different method.

This is a naive view of the internet that does not stand the test of legislative reality. It's perfectly reasonable (and in our case was only path to compliance) to limit access to certain geographic locations.

> I don't care if you won those disputes, you did a bad thing and screwed over your customers.

In our case, our customers were trying to commit friendly fraud by requesting a chargeback because they didn't like a geoblock, which is also what the GP was suggesting.

Using chargebacks this way is nearly unique to the US and thankfully EU banks will deny such frivolous claims.

If you don't see that your campaign is futile and want to waste you time, just go ahead, don't ask for my permission.

The ancestor post was about being unable to get support for a product, so I thought you were talking about the same situation. Refusal to support is a legitimate grievance.

Are you saying they tried a chargeback just because they were annoyed at being unable to reach your website? Something doesn't add up here, or am I giving those customers too much credit?

Were you selling them an ongoing website-based service? Then the fair thing would usually be a prorated refund when they change country. A chargeback is bad but keeping all their money while only doing half your job is also bad.

so you just raw dog hotel and conference wifi?

> Surely bad actors wouldn’t use VPNs or botnets, and your customers never travel abroad?

They usually don't bother. Plus it's easier to take action against malicious traffic within your own country or general jurisdiction.

You’re assuming wrong.

And have you won one of these cases in a scenario where the merchant website has a blanket IP ban? That seems very different from cardholders incapable of clicking an “unsubscribe” button they have access to.

> It's a significant burden of proof for a cardholder to win a dispute for non-compliance with card network rules

That's true, but "fraud" and "compliance" aren't the only dispute categories, not by far.

In this case, using Mastercard as an example (as their dispute rules are public [1]), the dispute category would be "Refund not processed".

The corresponding section explicitly lists this as a valid reason: "The merchant has not responded to the return or the cancellation of goods or services."

> Again, you're not aware of the reality outside the US.

Repeating your incorrect assumption doesn't make it true.

[1] https://www.mastercard.us/content/dam/public/mastercardcom/n...

Okay, so you're grasping at straws here, because:

a) a Refund Not Processed chargeback is for non-compliance with card network rules,

and b), When the merchant informed the cardholder of its refund policy at the time of purchase, the cardholder must abide by that policy.

We won these every time, because we had a lawful and compliant refund policy and we stuck to it. These are a complete non-issue for vendors outside the US, unless they are genuinely fraudulent.

Honestly, I think you have no experience with card processors outside the US (or maybe at all) and you just can't admit you're wrong, but anyone with experience would tell you how wrong you are in a heartbeat. The idea you can "defeat" geoblocks with chargebacks is much more likely to result in you losing access to credit than a refund.

If you read back in the thread, we're talking about the claim that adding geoblocking will result in chargebacks, which outside the US, it won't.

> Are you saying they tried a chargeback just because they were annoyed at being unable to reach your website?

In our case it was friendly fraud when users tried to use a service which we could not provide in the US (and many other countries due to compliance reasons) and had signed up in the EU, possibly via VPN.

What was inaccessible to them: The service itself, or any means to contact the merchant to cancel an ongoing subscription?

I can imagine a merchant to win a chargeback if a customer e.g. signs up for a service using a VPN that isn't actually usable over the same VPN and then wants money for their first month back.

But if cancellation of future charges is also not possible, I'd consider that an instance of a merchant not being responsive to attempts at cancellation, similar to them simply not picking up the phone or responding to emails.

Are you even trying to see things from a different perspective, or are you just dead set on winning an argument via ad hominems based on incorrect assumptions about my background?

It's quite possible that both of our experiences are real – at least I'm not trying to cast doubt on yours – but my suspicion is that the generalization you're drawing from yours (i.e. chargeback rules, or at least their practical interpretation, being very different between the US and other countries) isn't accurate.

Both in and outside the US, merchants can and do win chargebacks, but a merchant being completely unresponsive to cancellation requests of future services not yet provided (i.e. not of "buyer's remorse" for a service that's not available to them, per terms and conditions) seems like an easy win for the issuer.

> If you read back in the thread, we're talking about the claim that adding geoblocking will result in chargebacks, which outside the US, it won't.

As a response to someone talking about customers traveling and needing support. But yeah geoblocks can occur in different situations with different appropriate resolutions.

> In our case it was friendly fraud when users tried to use a service which we could not provide in the US (and many other countries due to compliance reasons) and had signed up in the EU, possibly via VPN.

If you provided zero service at all, they should get their money back. And calling a chargeback in that situation "friendly fraud" is ridiculous.

If they weren't even asking for a refund and using a chargeback out of spite, that's bad, but that's a different problem from fraud.

For someone that did sign up via VPN, would they be able to access the cancellation page via VPN?

I really wish I could just email companies, but at least many US based ones don’t offer that way of communicating.

It’s usually phone support only, or some horrible web chat that leaves only the company with a permanent record of what was said. (I suspect that’s on purpose.)

> Are you even trying to see things from a different perspective, or are you just dead set on winning an argument via ad hominems based on incorrect assumptions about my background?

I'm very open to a different perspective if it's grounded in reality. I'm only judging you on your comments, which to date have been factually inaccurate (to the point that I wonder if you're trolling?),

> Both in and outside the US, merchants can and do win chargebacks,

At vastly different rates (~10% vs ~80%)

> but a merchant being completely unresponsive to cancellation requests of future services not yet provided (i.e. not of "buyer's remorse" for a service that's not available to them, per terms and conditions)

Geoblocking a region is not being unresponsive and will not result in a breach of network rules. Lots of precedent and completely uncontroversial but yet you believe otherwise.

> seems like an easy win for the issuer.

Seems is the operative word here, but it only seems so from your uninformed position. Even after quoting the MC terms that show that you're incorrect, you're still not open to new information.

> If you provided zero service at all, they should get their money back. And calling a chargeback in that situation "friendly fraud" is ridiculous.

No, if a company upholds their side of a contract, the customer must too, within the bounds of the law.

A chargeback in that situation is the _definition_ of "friendly fraud" and is actual criminal fraud.

> If they weren't even asking for a refund and using a chargeback out of spite, that's bad, but that's a different problem from fraud.

That's also criminal fraud.

US consumer are often shocked that "customer is always right" customer service doesn't extend beyond their borders and that they can't chargeback their way out of contracts they've signed.

> For someone that did sign up via VPN, would they be able to access the cancellation page via VPN?

It doesn't matter. If our terms prohibited VPN use to avoid geoblocking (which they did), it's irrelevant whether your VPN can or cannot access the cancellation page on a given day. You can email or write to us. All perfectly legal, lawful, and backed by merchant account providers.

> At vastly different rates (~10% vs ~80%)

Is that your observed rate or an industry-wide trend?

If it's the former, I'll stick with my theory – you're extrapolating from a pretty specific scenario to a different one. My guess would be that you're conflating geoblocking of content (what you seem to have experience with) with geoblocking of the cancellation method (what this thread is about).

If it's the latter, you're wildly off base:

> Merchants win an average of 50% of representments, though there are differences by country: U.S.: 54%, U.K.: 49.1%, AU: 46.7% and Brazil: 36.9%.

(from https://www.mastercard.com/us/en/news-and-trends/Insights/20...)

In fact, this is the opposite of what you're claiming (i.e. a higher win rate for merchants outside the US).

> You can email or write to us.

How do I find your email or postal address if you're blocking every request from a given region? My original point was about companies that do that.

If you're not, I agree that there's much less of a problem (some jurisdictions require online cancellation methods, though).

> No, if a company upholds their side of a contract, the customer must too, within the bounds of the law.

The company upholding their side by... doing nothing? Just give a refund if you're not providing service. And what is this about upholding your side if you're legally unable to provide the service in the first place?

> A chargeback in that situation is the _definition_ of "friendly fraud" and is actual criminal fraud.

They have to get the thing and then chargeback. Your definition is nonsense if it doesn't include them getting the thing.

> That's also criminal fraud.

It might be if they lie about something. But this isn't worth going on a tangent.

> It doesn't matter. If our terms prohibited VPN use to avoid geoblocking (which they did), it's irrelevant whether your VPN can or cannot access the cancellation page on a given day. You can email or write to us. All perfectly legal, lawful, and backed by merchant account providers.

Do they know who to email while the site is blocked? At least that's something.

But I'm not even asking about things fluctuating from day to day, I'm worried about a situation where a VPN can sign up but the same VPN at the same time can't be used to cancel.