
Apply a daily limit for duplicate credit card validations

Ian Anderson requested to merge ia-handle-credit-card-reuse into master

What does this MR do and why?

Related to: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/742

This MR implements a limit of 5 daily credit card validations, preventing malicious users from creating and validating many users with the same credit card information. There is a corresponding MR for customers-dot that is needed to make this feature fully functional.
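The daily limit described above, as an added example that is not code from this MR or from GitLab: a plain-Ruby model of counting validations of the same card within a day and refusing the next one once `DAILY_VERIFICATION_LIMIT` is reached. The record fields, the calendar-day window, and the card fingerprinting are assumptions; the real model is `Users::CreditCardValidation` backed by customers-dot.

```ruby
# Added example, not the MR's own code. Validations are kept in an in-memory
# array instead of the user_credit_card_validations table so this runs offline.
require 'time'
require 'digest'

DAILY_VERIFICATION_LIMIT = 5 # value the MR sets; lowered to 1 for local testing

# One stored validation: which user verified, which card (fingerprint only,
# never the card number), and when.
Validation = Struct.new(:user_id, :card_fingerprint, :created_at)

# Assumption: in production the fingerprint comes from the payment processor.
# A hash of number + expiry is used here only to keep the example self-contained.
def card_fingerprint(number:, expiry:)
  Digest::SHA256.hexdigest("#{number.delete(' ')}|#{expiry}")
end

# Assumption: "daily" means the current UTC calendar day, so the counter
# resets at midnight rather than sliding over the previous 24 hours.
def validations_today(store, fingerprint, now)
  day_start = Time.utc(now.year, now.month, now.day)
  store.count { |v| v.card_fingerprint == fingerprint && v.created_at >= day_start }
end

def limit_reached?(store, fingerprint, now, limit: DAILY_VERIFICATION_LIMIT)
  validations_today(store, fingerprint, now) >= limit
end

# Record a validation unless the card has already hit the daily limit.
# Returns :ok or :limit_reached so callers can show the error from step 8.
def validate_card!(store, user_id, fingerprint, now, limit: DAILY_VERIFICATION_LIMIT)
  return :limit_reached if limit_reached?(store, fingerprint, now, limit: limit)

  store << Validation.new(user_id, fingerprint, now)
  :ok
end

# Constructed scenario: limit + 1 freshly created users try the same test card
# one minute apart on the same day; only the first `limit` succeed.
def demo(limit: DAILY_VERIFICATION_LIMIT)
  store = []
  fp = card_fingerprint(number: '4242 4242 4242 4242', expiry: '12/30')
  start = Time.utc(2024, 1, 15, 10, 0, 0)
  (1..limit + 1).map { |uid| validate_card!(store, uid, fp, start + uid * 60, limit: limit) }
end
```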

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Note: in order to verify this locally, your GDK needs to be configured to interact with customers-dot.

  1. Run customers-dot from the MR branch.
  2. Apply the following patch to lower the daily credit card transaction limit to 1 instead of 5.
    diff --git a/app/models/users/credit_card_validation.rb b/app/models/users/credit_card_validation.rb
    index 15fd1684abea..0a2fbecfecfd 100644
    --- a/app/models/users/credit_card_validation.rb
    +++ b/app/models/users/credit_card_validation.rb
    @@ -5,7 +5,7 @@ class CreditCardValidation < MainClusterwide::ApplicationRecord
         include IgnorableColumns
    
         RELEASE_DAY = Date.new(2021, 5, 17)
    -    DAILY_VERIFICATION_LIMIT = 5
    +    DAILY_VERIFICATION_LIMIT = 1
    
         self.table_name = 'user_credit_card_validations'
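Review bot: this hunk lowers DAILY_VERIFICATION_LIMIT from 5 to 1 purely so that step 8 can trigger the limit after a single prior validation; it must not land in the branch, since the description commits to a limit of 5. Consider stating in step 2 that the patch is reverted after testing, or making the limit overridable in a development environment rather than editing the model constant.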
  3. Ensure GDK is running in SaaS mode.
    export GITLAB_SIMULATE_SAAS=1
  4. Update relevant application settings. Credentials are available in 1Password in the ArkoseLabs API keys vault. You should use the development credentials.
    ::Gitlab::CurrentSettings.update(email_confirmation_setting: 'hard')
    ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false)
    ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: 'SECRET', arkose_labs_private_api_key: 'SECRET', arkose_labs_namespace: 'client')
    ::Gitlab::CurrentSettings.update(arkose_labs_data_exchange_key: 'SECRET')
    ::Gitlab::CurrentSettings.update(telesign_customer_xid: 'SECRET', telesign_api_key: 'SECRET')
  5. Enable the following feature flags.
    Feature.enable(:identity_verification_phone_number)
    Feature.enable(:identity_verification_credit_card)
    Feature.enable(:opt_in_identity_verification)
    Feature.enable(:ci_requires_identity_verification_on_free_plan)
    Feature.enable(:credit_card_validation_daily_limit)
  6. With a new user, complete identity verification by navigating to http://gdk.test:3000/-/identity_verification
  7. Verify the user's identity using the following test credit card. Identity verification should be successful.
    Number: 4242 4242 4242 4242
    Expiration: Any future date
    CVC: Any three digits
  8. Create another user and attempt to verify their identity with the same credit card. You should see an error that the verification limit has been reached.
Edited by Ian Anderson
