known issue Commerce Fraud Rules

[Callum MacGregor]

Hello

I think commerce fraud rules are broken. I had a transaction that came back with a 99% risk score from maxmind, but was approved anyway, despite the second rule in my anti-fraud rule set being to refuse any transaction with a score greater than 55%.

[Marc Stridgen]

Is that user a reseller? I ask as they are processed in order. If they are, it will be approved

[Callum MacGregor]

No, the user is not a reseller.

[Marc Stridgen]

Please provide information on the user there so we can take a look for you. Just the user ID will do

[Callum MacGregor]

User ID: 105995

The user is banned now, for obvious reasons, but wasn't at the time.

EDIT: I actually think I might know why. 

Maybe Maxmind changed their API results format, because in the code within Rule.php, the expected syntax is 'riskScore'. But in the maxmind API response, its 'risk_score'.

Rule.php:

			/* Score */
			if ( $this->maxmind )
			{				
				if ( !$this->_checkCondition( $maxMind->riskScore !== NULL ? $maxMind->riskScore : round( $maxMind->score * 10 ), $this->maxmind, $this->maxmind_unit ) )
				{
					return FALSE;
				}
			}

Maxmind API response for this particular transaction (redacted):

risk_score	:	99

 

Edited November 30, 2023 by Callum MacGregor

[Marc Stridgen]

I have reported this as a bug, as you do appear to be on a later version than when the updates were done for their API. However please do ensure you update to the latest release when you can, to ensure you have the latest bug fixes

[Callum MacGregor]

Thanks for reporting it as a bug. I'll await the fix as it does appear to still be an issue even in the latest update.