Prevent reuse of credit cards that were previously used by banned users

Eugie Limpin requested to merge el-prevent-banned-user-cc-reuse into master

What does this MR do and why?

This MR resolves the task "Prevent credit cards associated with previously banned accounts from creating new accounts", part of "CC/Phone Verification should fail for medium/high risk users that use a cc or phone number that has previously been banned".

It updates the credit card verification step of identity verification to add a check ensuring the credit card provided by the user has not been previously used by a banned user. If the provided credit card details match one already used by a banned user, the step fails and the user is prompted to try a different credit card.

The check is done by searching for Users::CreditCardValidation records associated with a Users::BannedUser that match the following details of the provided credit card:

  • Card expiration date
  • Last four digits of the card
  • Card network (Visa, Mastercard, etc.)
  • Cardholder name
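As an added illustration (not code from this MR or from GitLab), the matching rule above and the raw SQL in the Database changes section, modelled in plain Ruby over in-memory rows: the join on banned_users, exact matches on expiration date, last digits and network, and the case-insensitive holder name comparison. The sample rows and the end-of-month normalisation of the form's MM/YYYY expiry are assumptions.

```ruby
require 'date'
require 'set'

# Added illustration, not GitLab's code: an in-memory model of the
# Users::CreditCardValidation#used_by_banned_user? check. Field names mirror
# the columns in the MR's raw SQL; the ActiveRecord scopes are not reproduced.
CreditCardValidation = Struct.new(:user_id, :expiration_date, :last_digits,
                                  :network, :holder_name, keyword_init: true)

class BannedCardCheck
  # validations: the user_credit_card_validations rows
  # banned_user_ids: the user_id column of banned_users
  def initialize(validations, banned_user_ids)
    @validations = validations
    @banned = banned_user_ids.to_set
  end

  # Mirrors the SQL: INNER JOIN banned_users ON user_id, exact match on
  # expiration_date, last_digits and network, case-insensitive match on
  # holder_name (lower(holder_name) = lower(?)); LIMIT 1 becomes any?.
  def used_by_banned_user?(card)
    @validations.any? do |v|
      @banned.include?(v.user_id) &&
        v.expiration_date == card.expiration_date &&
        v.last_digits == card.last_digits &&
        v.network == card.network &&
        v.holder_name.casecmp?(card.holder_name)
    end
  end
end

# Constructed sample data following the MR's local setup: user 2 is banned and
# holds a Visa ending in 4242 under "Chris McLovin"; user 3 is not banned.
# Assumption: the form's MM/YYYY expiry is stored as the month's last day.
SEEDED = [
  CreditCardValidation.new(user_id: 2, expiration_date: Date.new(2030, 4, 30),
                           last_digits: 4242, network: 'Visa', holder_name: 'Chris McLovin'),
  CreditCardValidation.new(user_id: 3, expiration_date: Date.new(2030, 4, 30),
                           last_digits: 4242, network: 'Visa', holder_name: 'Jane Doe')
]
CHECK = BannedCardCheck.new(SEEDED, [2])

# Builds the card details a sign-up form submission would carry (user_id unknown).
def card(holder_name, expiration_date = Date.new(2030, 4, 30), last_digits = 4242, network = 'Visa')
  CreditCardValidation.new(user_id: nil, expiration_date: expiration_date,
                           last_digits: last_digits, network: network, holder_name: holder_name)
end

puts CHECK.used_by_banned_user?(card('CHRIS MCLOVIN'))                         # true (validate step 6)
puts CHECK.used_by_banned_user?(card('Chris McLovin', Date.new(2031, 4, 30)))  # false (cf. validate step 8)
```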

Database changes

Queries for Users::CreditCardValidation#similar_records and Users::CreditCardValidation#similar_holder_names_count are unchanged, hence their absence in this section. The methods are only refactored to extract scopes that can be reused by Users::CreditCardValidation#used_by_banned_user?.

Users::CreditCardValidation#used_by_banned_user?

Raw SQL

    SELECT
        1 AS one
    FROM
        "user_credit_card_validations"
        INNER JOIN "banned_users" ON "banned_users"."user_id" = "user_credit_card_validations"."user_id"
    WHERE
        "user_credit_card_validations"."expiration_date" = '2024-09-24'
        AND "user_credit_card_validations"."last_digits" = 5932
        AND "user_credit_card_validations"."network" = 'Mastercard'
        AND (lower(holder_name) = lower('EUGIE L LIMPIN'))
    LIMIT 1

Query plan

https://console.postgres.ai/shared/a9701371-6b9c-4ef9-9499-b8687730f2d2

🖼 Screenshot_2023-04-24_at_2.34.05_PM (query plan)

Screenshots or screen recordings

Case: User used a credit card that was already used by a banned user
    📼 Screen_Recording_2023-04-18_at_4.17.31_PM
Case: User used a "clean" credit card
    📼 Screen_Recording_2023-04-18_at_4.22.41_PM

How to set up and validate locally

Set up

  1. Ensure that you have a local CustomersDot installation with Zuora set up to use the Eugie CC Payment hosted page. Eugie CC Payment is configured to point to a local GDK instance running at http://localhost:3000

  2. Run GDK simulating SaaS

    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start

  3. Enable feature flags

    $ rails console
    > Feature.enable(:identity_verification)
    > Feature.enable(:identity_verification_credit_card)

    Also,

    • Ensure arkose_labs_signup_challenge, arkose_labs_login_challenge, and identity_verification_phone_number feature flags are disabled
    • Gitlab::CurrentSettings.require_admin_approval_after_user_signup is false
    • Gitlab::CurrentSettings.email_confirmation_setting is 'hard'

  4. Create a banned user and a corresponding Users::CreditCardValidation

    $ rails console
    
    # Let's use the second user
    > banned_user = User.find(2)
    > banned_user.ban!
    > banned_user.banned?
    => true
    
    > Users::CreditCardValidation.create(user: banned_user, credit_card_validated_at: 1.month.ago, expiration_date: 7.years.from_now.end_of_month, last_digits: 4242, holder_name: 'Chris McLovin', network: 'Visa')

Validate

  1. Create a new user via http://localhost:3000/users/sign_up
  2. After signing up you should see the identity verification page
    🖼 Screenshot_2023-04-18_at_4.48.31_PM
  3. Assign a High ArkoseLabs risk score to the new user
    $ rails console
    
    > UserCustomAttribute.create(user: User.last, key: 'arkose_risk_band', value: 'High')
  4. Refresh the identity verification page. You should now see the credit card verification step
    🖼 Screenshot_2023-04-18_at_4.47.36_PM
  5. Fill in and submit the form with the following values
    Name on card: "Chris McLovin"
    Card number: 4242 4242 4242 4242
    Expiration date: 04/2030
    CVC: Any 3-digit number
  6. Validate that an error is shown and the credit card form is redisplayed
    📼 Screen_Recording_2023-04-18_at_4.17.31_PM
  7. Fill in and submit the form with the following values
    Name on card: Any as long as it's not "Chris McLovin"
    Card number: 4242 4242 4242 4242
    Expiration date: Any future date as long as it's not 04/2030
    CVC: Any 3-digit number
  8. Validate that the verification step succeeds
    📼 Screen_Recording_2023-04-18_at_4.22.41_PM

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
