
Require high-risk ID verification when telesign risk is high

Ian Anderson requested to merge cc-validation-telesign-high-risk into master

What does this MR do and why?

Related to: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/work_items/569

This MR leverages the telesign intelligence API and requires CC validation before phone validation if the user is high risk.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Configure SaaS mode in GDK by setting the environment variable GITLAB_SIMULATE_SAAS=1.
  2. Configure the following settings. Development credentials for telesign and arkose are available in 1Password.

     ::Gitlab::CurrentSettings.update(email_confirmation_setting: 'hard')
     ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false)
     ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client')
     ::Gitlab::CurrentSettings.update(telesign_customer_xid: CUSTOMER_ID, telesign_api_key: API_KEY)

  3. Enable the following feature flags.

     Feature.enable(:arkose_labs_signup_challenge)
     Feature.enable(:identity_verification)
     Feature.enable(:identity_verification_phone_number)
     Feature.enable(:identity_verification_credit_card)
     Feature.enable(:telesign_high_risk_cc_validation)

  4. Manually patch the telesign intelligence API to return a high risk score by adding the following snippet to a file and running git apply /path/to/file.
--- a/ee/app/services/phone_verification/telesign_client/risk_score_service.rb
+++ b/ee/app/services/phone_verification/telesign_client/risk_score_service.rb
@@ -14,6 +14,7 @@ def initialize(phone_number:, user:)
       end

       def execute
+        return risk_success(750)
         return success unless Feature.enabled?(:telesign_intelligence, type: :ops)

         phoneid_client = TelesignEnterprise::PhoneIdClient.new(customer_id, api_key)
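Review bot: the inserted `return risk_success(750)` sits ahead of the `return success unless Feature.enabled?(:telesign_intelligence, type: :ops)` guard, so the hardcoded score is returned even when the intelligence flag is off and the `TelesignEnterprise::PhoneIdClient` call below is never reached. That is the intent for a local test stub, but it also means the patched flow no longer exercises the flag check; if you want the local run to confirm the flag gating as well, move the stub to the line after the guard. Either way the patch is a throwaway and must not be committed with the MR.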
--
2.34.1
  5. From the GDK home screen attempt to register as a new user. When prompted for email verification, enter the following in the rails console.

     u = User.last
     risk_band = u.custom_attributes.by_key('arkose_risk_band').first
     risk_band.update(value: 'Medium')
     u.confirm

  6. Refresh the page. Your email should now be confirmed and you should be prompted to validate your phone number.
  7. Enter a phone number and submit. Since telesign intelligence has been patched to return a high-risk score, the page should refresh and you should be required to validate your credit card.
  8. Enter the following in the rails console to validate your credit card.

     v = u.build_credit_card_validation
     v.last_digits_hash = 'aaa'
     v.holder_name_hash = 'aaa'
     v.expiration_date_hash = 'aaa'
     v.network_hash = 'aaa'
     v.credit_card_validated_at = Time.now
     v.save

  9. Refresh the page. Your credit card should be verified and you should again be prompted to submit a phone validation.
  10. Enter a phone number to validate. Upon successful validation you should be authorized to create an account.
Edited by Ian Anderson
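The ordering rule the MR describes (credit card validation inserted ahead of phone validation only when the TeleSign risk score is high and the gating flag is on), as an added stand-alone model that is not GitLab's code and not part of this MR. The step names, the `HIGH_RISK_THRESHOLD` value, the `StubRiskScoreService` stand-in and the helper functions are all assumptions; the real threshold is not stated on the page. The model only captures the resulting order of steps and assumes the risk score is already known when the order is computed.

```ruby
# Added example, not GitLab's code. Hypothetical model of the verification
# ordering rule: :credit_card goes before :phone when the TeleSign score is
# high and the gating flag is on. Names and threshold are assumptions.

# Assumed cut-off for "high risk"; the real value is not stated in the MR.
HIGH_RISK_THRESHOLD = 600

# Stand-in for the TeleSign Intelligence risk lookup. Returns nil when the
# intelligence feature is disabled, mirroring the
# `return success unless Feature.enabled?(:telesign_intelligence, ...)`
# guard in the service the MR's test patch stubs.
class StubRiskScoreService
  def initialize(score:, intelligence_enabled: true)
    @score = score
    @intelligence_enabled = intelligence_enabled
  end

  def execute
    return nil unless @intelligence_enabled

    @score
  end
end

# Given the steps a user already has to complete (e.g. [:email, :phone]),
# insert :credit_card immediately before :phone when the score is high and
# the gating flag (telesign_high_risk_cc_validation in the MR) is enabled.
# A missing score (nil, e.g. intelligence disabled or lookup failed) is
# treated as "not high risk" and never drops an already required step.
def order_verification_steps(base_steps, telesign_score:, high_risk_cc_enabled: true)
  high_risk = high_risk_cc_enabled && !telesign_score.nil? && telesign_score >= HIGH_RISK_THRESHOLD
  phone_idx = base_steps.index(:phone)
  return base_steps.dup unless high_risk && phone_idx

  # Insert :credit_card before :phone; uniq keeps a single credit-card step
  # even if the caller already listed it later in the sequence.
  (base_steps[0...phone_idx] + [:credit_card] + base_steps[phone_idx..]).uniq
end

# The step the user should be prompted for next, or nil when all are done.
def next_verification_step(required_steps, completed_steps)
  required_steps.find { |step| !completed_steps.include?(step) }
end

if __FILE__ == $PROGRAM_NAME
  # 750 matches the score the MR's local test patch hardcodes.
  service = StubRiskScoreService.new(score: 750)
  steps = order_verification_steps([:email, :phone], telesign_score: service.execute)
  puts steps.inspect                                                 # [:email, :credit_card, :phone]
  puts next_verification_step(steps, [:email]).inspect               # :credit_card
  puts next_verification_step(steps, [:email, :credit_card]).inspect # :phone
end
```

The nil handling is the part worth keeping in mind when wiring this to a real lookup: a disabled flag or a failed risk lookup should fall back to the existing step list rather than either skipping phone validation or unconditionally demanding a card.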
