Jonathan, posted June 9, 2015:

Blesta's fraud checks/reviews can be bypassed by the following process:

1. Place order. Client account created. Blesta properly flags this order for review per fraud check settings.
2. Place another order. Since the client account existed, no fraud checks are run and the order is provisioned.

This is a pretty major bug. People seem smart enough to do this and get fraudulent orders through the system.
Michael, posted June 9, 2015:

> Blesta's fraud checks/reviews can be bypassed by the following process: 1. Place order. Client account created. Blesta properly flags this order for review per fraud check settings. 2. Place another order. Since the client account existed, no fraud checks are run and the order is provisioned. This is a pretty major bug. People seem smart enough to do this and get fraudulent orders through the system.

You can mark them as fraud accounts, or do you mean only the first order is fraud checked, so they order twice, one gets pending and the other gets accepted?
Jonathan (author), posted June 9, 2015:

Obviously, but that's no solution to keeping someone from bypassing it to start with. Let's say I'm asleep and can't mark them as fraud (or better yet, just letting Blesta "do its thing") and they order, fail fraud. Order again, let's say 5 times, get set up, and set up spam bots. Now what? Blesta let someone circumvent the fraud system by taking advantage of a flaw in the logic.

EDIT - your second assumption is the correct scenario.
Paul, posted June 9, 2015:

I'm pretty certain this functionality was intentional, though the work-around is certainly undesirable. Instead, I think, if fraud checks can be skipped for existing customers, it should only be possible if the customer has active services, or previously approved orders. A setting in the order plugin along the lines of:

[x] Run fraud checks for all orders
[ ] Run fraud checks for new customers only

Might work... and if you opt to run checks for new customers only, then they would have to meet the criteria mentioned above (existing approved orders, active services). Thoughts?
Nelsa, posted June 9, 2015:

I think it should be checked and skipped for existing customers with active service, or a second option to check and skip customers with at least one approved transaction.
Michael, posted June 9, 2015:

> I'm pretty certain this functionality was intentional, though the work-around is certainly undesirable. Instead, I think, if fraud checks can be skipped for existing customers, it should only be possible if the customer has active services, or previously approved orders. A setting in the order plugin along the lines of: [x] Run fraud checks for all orders [ ] Run fraud checks for new customers only. Might work... and if you opt to run checks for new customers only, then they would have to meet the criteria mentioned above (existing approved orders, active services). Thoughts?

+1
Jonathan (author), posted June 9, 2015:

I think the option of requiring a previously accepted order would be the best approach, unless you make an interim "in review" client status they'd be kept in if their first order gets flagged, which the system would remove them from upon acceptance of an order.
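The gating logic Paul and Jonathan are proposing, written out as an added example (this is a constructed model, not Blesta's code or its order plugin). It puts the reported behaviour ("skip checks for any existing account") next to a hardened rule that skips only for clients with approved orders or active services and no order still held in review, then replays the two-order sequence from the first post against both.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional

# Constructed model, not Blesta's code: just enough state to reason about
# when an order should go through fraud review.
class OrderStatus(Enum):
    PENDING_REVIEW = "pending_review"  # flagged by fraud checks, awaiting staff
    ACCEPTED = "accepted"              # passed checks or approved by staff
    FRAUD = "fraud"                    # rejected by staff

class Policy(Enum):
    ALL_ORDERS = "all"          # [x] Run fraud checks for all orders
    NEW_CUSTOMERS_ONLY = "new"  # [ ] Run fraud checks for new customers only

@dataclass
class Client:
    client_id: int
    orders: List[OrderStatus] = field(default_factory=list)
    active_services: int = 0

def fraud_check_required_naive(client: Optional[Client]) -> bool:
    """The behaviour the thread reports: any existing account skips checks."""
    return client is None

def has_approved_history(client: Client) -> bool:
    """Paul's criteria: previously accepted orders or active services."""
    return client.active_services > 0 or OrderStatus.ACCEPTED in client.orders

def in_review(client: Client) -> bool:
    """Jonathan's interim 'in review' status: a flagged order is still open."""
    return OrderStatus.PENDING_REVIEW in client.orders

def fraud_check_required(client: Optional[Client], policy: Policy) -> bool:
    """Hardened rule: new customers, the 'all orders' policy, and clients
    with an open flagged order or no approved history are always checked."""
    if policy is Policy.ALL_ORDERS or client is None:
        return True
    return in_review(client) or not has_approved_history(client)

def simulate_repeat_order(required: Callable[[Optional[Client]], bool]) -> List[bool]:
    """Replay the two-step sequence: order 1 is flagged, order 2 reuses the
    account. Returns whether each order was fraud-checked."""
    first = required(None)                         # no account exists yet
    status = OrderStatus.PENDING_REVIEW if first else OrderStatus.ACCEPTED
    client = Client(client_id=1, orders=[status])  # account now exists
    second = required(client)
    return [first, second]
```

With the naive rule the second order is never checked; with either policy of the hardened rule it is, while a client with an accepted order and an active service is still skipped under "new customers only".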
zmjwong, posted January 17, 2016:

> [x] Run fraud checks for all orders
> [ ] Run fraud checks for new customers only

Having both is the best option in my mind.
Paul, posted January 18, 2016:

Please see CORE-2056.
Jonathan (author), posted February 17, 2017:

Bump. Still causing issues almost daily.
timnboys, posted February 17, 2017:

2 hours ago, Jonathan said:
> Bump. Still causing issues almost daily.

I fixed this in my fraudrecord anti fraud module by modifying the v3 cart.php controller to make Blesta v3 always run fraud checks regardless. So you could use my fraudrecord anti fraud module and use the cart.php modification and then never worry about this again.
Paul, posted February 17, 2017:

Are you all happy with what's described in CORE-2056? I'm going to bump it into consideration for 4.1. While it's assigned to that version, there's no guarantee anything in that version will be included.

Speaking of fraud checks though, we also need to modularize this so it's easy for people to build others and drop them in. I'd love to be able to run fraud checks through multiple different APIs at once too. More advanced options like text or phone verifications would be great. Someday.
timnboys, posted February 17, 2017:

1 hour ago, Paul said:
> Are you all happy with what's described in CORE-2056? I'm going to bump it into consideration for 4.1. While it's assigned to that version, there's no guarantee anything in that version will be included. Speaking of fraud checks though, we also need to modularize this so it's easy for people to build others and drop them in. I'd love to be able to run fraud checks through multiple different APIs at once too. More advanced options like text or phone verifications would be great. Someday.

Yep, working on my next project for Blesta, e.g. fraudrecord anti fraud module v2 codename, which is just my fraudrecord anti fraud module with added support for text/SMS or phone verification using Twilio or someone. I might have broken the fourth wall by letting that out way too early, but it is in development.
Paul, posted February 17, 2017:

13 minutes ago, timnboys said:
> Yep, working on my next project for Blesta, e.g. fraudrecord anti fraud module v2 codename, which is just my fraudrecord anti fraud module with added support for text/SMS or phone verification using Twilio or someone. I might have broken the fourth wall by letting that out way too early, but it is in development.

lol. All that means is now you have to do it.
austenite, posted February 17, 2017:

8 hours ago, Jonathan said:
> Bump. Still causing issues almost daily.

Hi, nice to see one of the big boys supporting Blesta!

3 hours ago, Paul said:
> Are you all happy with what's described in CORE-2056? I'm going to bump it into consideration for 4.1. While it's assigned to that version, there's no guarantee anything in that version will be included. Speaking of fraud checks though, we also need to modularize this so it's easy for people to build others and drop them in. I'd love to be able to run fraud checks through multiple different APIs at once too. More advanced options like text or phone verifications would be great. Someday.

Loving the direction of this and looking forward to seeing it implemented.
Jonathan (author), posted February 17, 2017:

4 hours ago, Paul said:
> Speaking of fraud checks though, we also need to modularize this so it's easy for people to build others and drop them in. I'd love to be able to run fraud checks through multiple different APIs at once too. More advanced options like text or phone verifications would be great. Someday.

+10000000
nahanil, posted March 9, 2017:

After tinkering with a custom fraud-busting module I noticed the issue Jonathan pointed out as well. Guessing it never made it into 3.6.x, and short of modifying the core/cart module it's not possible to work around it for now?

Not a *huge* issue at this end, as the initial plan is to only manage/bill existing client accounts with Blesta, but moving forward into publicly offering services once more it's a fairly terrifying thought.
timnboys, posted March 9, 2017:

8 hours ago, texh said:
> After tinkering with a custom fraud-busting module I noticed the issue Jonathan pointed out as well. Guessing it never made it into 3.6.x, and short of modifying the core/cart module it's not possible to work around it for now? Not a *huge* issue at this end, as the initial plan is to only manage/bill existing client accounts with Blesta, but moving forward into publicly offering services once more it's a fairly terrifying thought.

I have already built a core cart modification into my fraudrecord anti fraud module, which is given with the module, to allow you to replace the core cart PHP file with the one I have, which does force fraud verification on each checkout, existing or not, on v3.6. Though on v4 the core cart PHP file might need to be modified as well to do the same.