Why would a US retail chain be so vigilant about blocking access?
January 30, 2020 11:54 PM

Why would a US-based retail site be so vigilant about blocking access to its site from outside the United States? There is a store that I frequently shop at both in person and on the web. I moved out of the United States a few months ago but continued to shop on the site using a VPN (because I noticed that without the VPN the site was blocked) and having orders shipped to my mom's house in the US where I was going to collect them when visiting. Now it seems the retailer has caught on to the VPN service I was using because all of their US-based servers are also blocked.

I understand when media streaming services do this type of thing because of licensing and whatnot, but why would a retail site block people from even browsing? This is the most minor inconvenience to me; I'm more interested to know why they would do this, if there is some legal reason or maybe some requirements they are trying to meet for some sort of certification, status, expansion into new territories, etc.

For reference the company is Ulta (the cosmetics retailer). I'm 99.999% certain that there is no issue with my account as I can still access the site when in the US and make purchases. I also have only ever requested 1 refund for a $5> item that was missing from a shipment and I am not a super couponer / discount stacker or elsewise maximizing any sort of rewards or discounts. Trying to access the site gives this message:

Your request has been blocked.

If you feel you have been blocked in error, please contact Ulta Guest Service at 866-983-8582 with a screenshot of this page.

Thank you.

Event ID :
Source IP Address :
Time Stamp :
Fri Jan 31 2020 02:45:01 GMT-0500 (Eastern Standard Time)
posted by WeekendJen to Computers & Internet (27 answers total) 3 users marked this as a favorite
Ugh yeah I live outside of North America and have to research US cosmetics sometimes for work, so the weird vigilance Ulta has about overseas web access has messed me up a couple of times. As far as I know, Ulta has never explained why, but it likely has to do with a heavy-handed approach to dealing with fraud.
posted by wakannai at 12:06 AM on January 31, 2020 [1 favorite]

My guess would be that the website doesn't meet GDPR regulations and they just decided to block it instead.
posted by AlexiaSky at 12:07 AM on January 31, 2020 [34 favorites]

Ulta seems to be using Akamai, so they probably have access to a simple on/off switch for blocking particular geolocations perhaps based on a standard database that includes VPNs. I haven't used Akamai for this purpose, but typically there would just be, like, a list of countries to check off and an extra checkbox for anonymous IPs (Tor proxies, VPNs, etc.). So I'm not sure anyone is being exceptionally vigilant. A lot of people block large countries with very low relevance to their business as a first pass at limiting random web attacks, and using a service for the job, blocking VPNs probably isn't harder. It's conceivable they've subscribed to the database themselves, but I'd be surprised if they were singling out different VPN providers on their own.
posted by Wobbuffet at 12:32 AM on January 31, 2020 [4 favorites]

Not sure if this is helpful at all, but I am in NZ and I can definitely browse the Ulta website. So it may be more about the country you are in, not necessarily just outside of the US.
posted by BeeJiddy at 12:58 AM on January 31, 2020

I can’t access the Ulta site from France either.
posted by ellieBOA at 1:19 AM on January 31, 2020

Response by poster: Interesting.

I was using my VPN service to connect through US-based servers, all of which were blocked, but I just selected an NZ-based server and that one is not on the block list so far. I'm in Russia; when I first moved here, the US VPN servers weren't blocked. They were blocked beginning about a month ago so they (or the database they subscribe to) are continually adding. Anyway I guess I can "shop from New Zealand" now.

Still curious as to why? It is just very strange as it's the only retailer I've come across doing this.
posted by WeekendJen at 1:19 AM on January 31, 2020 [1 favorite]

A whole bunch of US sites just blocked EU countries rather than try and adhere to GDPR - including news sites who you'd think would be more interested in a wider readership.
posted by EndsOfInvention at 1:48 AM on January 31, 2020 [5 favorites]

I'm in Ireland (EU) and can access the site no problem.
posted by Samarium at 2:25 AM on January 31, 2020

I don't think GDPR is relevant in this case, as several of us from the EU can access it no problem, and the OP is in Russia, which isn't covered by GDPR.

If it matters, I can access it fine from the UK, but if I turn on Nord VPN, I can't access it no matter what country I select for my server (I tried US, UK, France, and Iceland).
posted by cilantro at 3:01 AM on January 31, 2020 [1 favorite]

AFAIK Ulta was blocking traffic from the Netherlands (and I presume other countries) before GDPR was passed or implemented, since I've been unable to access it here since before then. Maybe they've had problems with DDOS attacks, credit card fraud, or issues with people ordering from countries they don't ship to or who knows, so they decided the easiest way to fix it was to just block whole countries.
posted by wakannai at 3:08 AM on January 31, 2020 [3 favorites]

Russia is a major source of malicious internet traffic. It's an inelegant solution, but I wouldn't be surprised if they've blocked the whole of Russia; from their point of view, they probably don't consider that anyone in Russia could have a legitimate reason to access their site. So they see no harm in taking the nuclear option rather than more sophisticated traffic filtering methods.

Why they'd block traffic from France, I can't imagine. I can see it fine from the UK.
posted by missmagenta at 3:08 AM on January 31, 2020 [12 favorites]

It's accessible from Norway.
posted by Harald74 at 3:12 AM on January 31, 2020

It's also accessible from Australia.
posted by kitten magic at 3:45 AM on January 31, 2020

Accessible from Poland. I wonder if it doesn't relate to exclusive distributors/pricing for certain territories and brands. I occasionally buy from the US with a freight forwarding service, and US Sephora and Urban Decay won't ship to non-residential US addresses for that reason - the US pricing is sometimes half the EU price.
posted by I claim sanctuary at 4:10 AM on January 31, 2020 [1 favorite]

It's not GDPR for Russia; it's fraud. Many online retailers will choose to automatically deny cards for purchases to Nigeria and Russia; closing access to the site reduces customer complaints and can be done on the merchant's end.
posted by DarlingBri at 4:26 AM on January 31, 2020 [5 favorites]

> I claim sanctuary: I wonder if it doesn't relate to exclusive distributors/pricing for certain territories and brands.

This was my thought as well. They may only be permitted to sell certain brands because they agreed to not compete with those brands' distributors in certain countries or territories.
posted by Rock Steady at 4:40 AM on January 31, 2020 [1 favorite]

I'm going to go with fraud protection. I just tried hitting it from the Tor browser and it was immediately blocked. (But I can hit it fine from my system.) The Tor node IP address it showed as blocked traces to Bulgaria. Changing circuits, it blocked me again; this time the IP for the exit node was in Oslo.

It may be a mix of blocking by geography and trying to block VPNs/Tor. It might be a thing about pricing/territory, but I'm betting on fraud protection. If a retailer is focused on a single territory and gets a slew of fraudulent attempts in a short period, it's perfectly logical to just say "eff this" and just say no to traffic that comes from network blocks that have been a source of trouble.
posted by jzb at 5:03 AM on January 31, 2020 [1 favorite]

Response by poster: Might be on to something as part of the reason I still shopped there was for certain brands being way cheaper.

And to be clear, Russia is not the only country blocked and they are also blocking known (to them) access from servers in the US that belong to VPN services.
posted by WeekendJen at 5:04 AM on January 31, 2020

Ulta appears to have a USA concession and separate international concessions. They are probably blocking access for purely commercial reasons in your country.
posted by parmanparman at 5:12 AM on January 31, 2020 [3 favorites]

> They may only be permitted to sell certain brands because they agreed to not compete with those brands' distributors in certain countries or territories.

They also may sell the same products for drastically different prices in different territories and don’t want to compete with themselves.
posted by Tell Me No Lies at 5:42 AM on January 31, 2020 [1 favorite]

Blackholing entire countries to prevent spam and so on is unfortunately pretty common. The idea is that 99.99% of the traffic from Russia is not useful to the business, because they don't sell there. Any effort at all in serving those requests is a waste of resources. So they subscribe to a list and press a button and hey presto, a bunch of valueless (to them) traffic just evaporates and they never have to deal with it again.
posted by BungaDunga at 6:27 AM on January 31, 2020 [6 favorites]

I was once tangentially involved with an e-commerce system and IIRC there were whole new tax issues that you have to deal with when operating internationally. Unless you are actively pursuing that market, it's not worth the trouble to deal with all of the red tape.
posted by sjswitzer at 8:22 AM on January 31, 2020

They could also be banning certain countries and proxies to avoid fraudulent charges/orders.
posted by noloveforned at 8:46 AM on January 31, 2020

Best answer: I know with Ulta in particular there's a lot of fraud activity related to their points rewards, and I have heard of Ulta customers having their accounts (with accumulated points) stolen by someone outside of the US.
posted by stowaway at 9:44 AM on January 31, 2020 [2 favorites]

Another reason cross-border sales are complicated: trademarks. See the SparkFun v Fluke incident -- SparkFun had some multimeters made in a certain shade of yellow. Unfortunately "yellow multimeter" seems to be trademarked by Fluke, and SparkFun were not allowed to import the meters.
posted by phliar at 3:14 PM on January 31, 2020

> please contact Ulta Guest Service at 866-983-8582 with a screenshot of this page

Not an answer, but now I'm wondering how their technology can receive a screenshot at a telephone number.
posted by JimN2TAW at 6:14 AM on February 1, 2020 [1 favorite]

I wondered this and realised that it’s just clunky language. They want you to take a screenshot when you call so you can give them the relevant details like the event id and IP address.
posted by like_neon at 9:12 AM on February 1, 2020
