18F · MrNagoo · Sep 25, 2025 · Sep 9, 2025 · Sep 18, 2025 · Sep 18, 2025
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -292,7 +292,7 @@ specs:
     - cp -a keys.example keys
     - cp -a certs.example certs
     - cp pwned_passwords/pwned_passwords.txt.sample pwned_passwords/pwned_passwords.txt
-    - "echo -e \"test:\n  redis_url: 'redis://db-redis:6379/0'\n  redis_throttle_url: 'redis://db-redis:6379/1'\n  redis_attempts_api_url: 'redis://db-redis:6379/2'\" > config/application.yml"
+    - "echo -e \"test:\n  redis_url: 'redis://db-redis:6379/0'\n  redis_throttle_url: 'redis://db-redis:6379/1'\n  redis_attempts_api_url: 'redis://db-redis:6379/2'\n  redis_fraud_ops_url: 'redis://db-redis:6379/3'\" > config/application.yml"
     - bundle exec rake db:create db:migrate --trace
     - bundle exec rake db:seed
     - bundle exec rake knapsack:rspec["--format documentation --format RspecJunitFormatter --out rspec.xml --format json --out rspec_json/${CI_NODE_INDEX}.json"]

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -91,6 +91,15 @@ def attempts_api_tracker
     )
   end
 
+  def fraud_ops_tracker
+    @fraud_ops_tracker ||= FraudOps::Tracker.new(
+      request:,
+      user: analytics_user,
+      sp: current_sp,
+      cookie_device_uuid: cookies[:device],
+    )
+  end
+
   def user_event_creator
     @user_event_creator ||= UserEventCreator.new(request: request, current_user: current_user)
   end

diff --git a/app/controllers/concerns/idv/phone_otp_rate_limitable.rb b/app/controllers/concerns/idv/phone_otp_rate_limitable.rb
@@ -31,6 +31,9 @@ def handle_too_many_otp_sends
       attempts_api_tracker.idv_rate_limited(
         limiter_type: :phone_otp,
       )
+      fraud_ops_tracker.idv_rate_limited(
+        limiter_type: :phone_otp,
+      )
       handle_max_attempts('otp_requests')
     end
 
@@ -40,6 +43,9 @@ def handle_too_many_otp_attempts
       attempts_api_tracker.idv_rate_limited(
         limiter_type: :phone_otp,
       )
+      fraud_ops_tracker.idv_rate_limited(
+        limiter_type: :phone_otp,
+      )
       handle_max_attempts('otp_login_attempts')
     end
 

diff --git a/app/controllers/concerns/idv/verify_by_mail_concern.rb b/app/controllers/concerns/idv/verify_by_mail_concern.rb
@@ -18,6 +18,7 @@ def log_letter_requested_analytics(resend:)
         **ab_test_analytics_buckets,
       )
       attempts_api_tracker.idv_verify_by_mail_letter_requested(resend:)
+      fraud_ops_tracker.idv_verify_by_mail_letter_requested(resend:)
     end
 
     def log_letter_enqueued_analytics(resend:)

diff --git a/app/controllers/concerns/idv/verify_info_concern.rb b/app/controllers/concerns/idv/verify_info_concern.rb
@@ -352,6 +352,12 @@ def create_fraud_review_request_if_needed(result)
         failure_reason: device_risk_failure_reason(success, threatmetrix_result),
       )
 
+      fraud_ops_tracker.idv_device_risk_assessment(
+        device_fingerprint: threatmetrix_result.dig(:device_fingerprint),
+        success:,
+        failure_reason: device_risk_failure_reason(success, threatmetrix_result),
+      )
+
       return if success
 
       FraudReviewRequest.create(
@@ -414,6 +420,24 @@ def log_verification_attempt(success:, failure_reason: nil)
         zip: pii_from_doc[:zip],
         failure_reason:,
       )
+
+      fraud_ops_tracker.idv_verification_submitted(
+        success: success,
+        document_state: pii_from_doc[:state],
+        document_number: pii_from_doc[:state_id_number],
+        document_issued: pii_from_doc[:state_id_issued],
+        document_expiration: pii_from_doc[:state_id_expiration],
+        first_name: pii_from_doc[:first_name],
+        last_name: pii_from_doc[:last_name],
+        date_of_birth: pii_from_doc[:dob],
+        address1: pii_from_doc[:address1],
+        address2: pii_from_doc[:address2],
+        ssn: idv_session.ssn,
+        city: pii_from_doc[:city],
+        state: pii_from_doc[:state],
+        zip: pii_from_doc[:zip],
+        failure_reason:,
+      )
     end
 
     VerificationFailures = Struct.new(

diff --git a/app/controllers/concerns/rate_limit_concern.rb b/app/controllers/concerns/rate_limit_concern.rb
@@ -47,13 +47,15 @@ def confirm_not_rate_limited_for_phone_and_letter_address_verification
       return true
     elsif idv_attempter_rate_limited?(:proof_address) || gpo_verify_by_mail_policy.rate_limited?
       attempts_api_tracker.idv_rate_limited(limiter_type: :proof_address)
+      fraud_ops_tracker.idv_rate_limited(limiter_type: :proof_address)
     end
   end
 
   def rate_limit_redirect!(rate_limit_type, step_name: nil)
     if idv_attempter_rate_limited?(rate_limit_type)
       analytics.rate_limit_reached(limiter_type: rate_limit_type, step_name:)
       attempts_api_tracker.idv_rate_limited(limiter_type: rate_limit_type)
+      fraud_ops_tracker.idv_rate_limited(limiter_type: rate_limit_type)
       rate_limited_redirect(rate_limit_type)
       return true
     end

diff --git a/app/controllers/idv/address_controller.rb b/app/controllers/idv/address_controller.rb
@@ -103,6 +103,16 @@ def track_submit_event(form_result)
         zip: @address_form.zipcode,
         failure_reason: attempts_api_tracker.parse_failure_reason(form_result),
       )
+      fraud_ops_tracker.idv_address_submitted(
+        success: form_result.success?,
+        address1: @address_form.address1,
+        address2: @address_form.address2,
+        address_edited: address_edited?,
+        city: @address_form.city,
+        state: @address_form.state,
+        zip: @address_form.zipcode,
+        failure_reason: fraud_ops_tracker.parse_failure_reason(form_result),
+      )
     end
 
     def address_update_request?

diff --git a/app/controllers/idv/agreement_controller.rb b/app/controllers/idv/agreement_controller.rb
@@ -37,6 +37,7 @@ def update
 
       if current_user.has_proofed_before?
         attempts_api_tracker.idv_reproof
+        fraud_ops_tracker.idv_reproof
       end
 
       if result.success?

diff --git a/app/controllers/idv/by_mail/enter_code_controller.rb b/app/controllers/idv/by_mail/enter_code_controller.rb
@@ -30,6 +30,7 @@ def index
         prefilled_code = session[:last_gpo_confirmation_code] if FeatureManagement.reveal_gpo_code?
         @gpo_verify_form = GpoVerifyForm.new(
           attempts_api_tracker:,
+          fraud_ops_tracker:,
           user: current_user,
           pii: pii,
           resolved_authn_context_result: resolved_authn_context_result,
@@ -61,6 +62,11 @@ def create
           failure_reason: attempts_api_tracker.parse_failure_reason(result),
         )
 
+        fraud_ops_tracker.idv_verify_by_mail_enter_code_submitted(
+          success: result.success?,
+          failure_reason: fraud_ops_tracker.parse_failure_reason(result),
+        )
+
         send_please_call_email_if_necessary(result:)
 
         if !result.success?
@@ -144,6 +150,7 @@ def send_please_call_email_if_necessary(result:)
       def build_gpo_verify_form
         GpoVerifyForm.new(
           attempts_api_tracker:,
+          fraud_ops_tracker:,
           user: current_user,
           pii: pii,
           resolved_authn_context_result: resolved_authn_context_result,

diff --git a/app/controllers/idv/by_mail/enter_code_rate_limited_controller.rb b/app/controllers/idv/by_mail/enter_code_rate_limited_controller.rb
@@ -17,6 +17,9 @@ def index
         attempts_api_tracker.idv_rate_limited(
           limiter_type: :verify_gpo_key,
         )
+        fraud_ops_tracker.idv_rate_limited(
+          limiter_type: :verify_gpo_key,
+        )
 
         @expires_at = rate_limiter.expires_at
       end

diff --git a/app/controllers/idv/enter_password_controller.rb b/app/controllers/idv/enter_password_controller.rb
@@ -149,6 +149,7 @@ def init_profile
           profile: idv_session.profile,
         )
         attempts_api_tracker.idv_enrollment_complete(reproof:)
+        fraud_ops_tracker.idv_enrollment_complete(reproof:)
       end
     end
 

diff --git a/app/controllers/idv/hybrid_handoff_controller.rb b/app/controllers/idv/hybrid_handoff_controller.rb
@@ -226,6 +226,9 @@ def rate_limited_failure
       attempts_api_tracker.idv_rate_limited(
         limiter_type: :idv_send_link,
       )
+      fraud_ops_tracker.idv_rate_limited(
+        limiter_type: :idv_send_link,
+      )
       message = I18n.t(
         'doc_auth.errors.send_link_limited',
         timeout: distance_of_time_in_words(

diff --git a/app/controllers/idv/image_uploads_controller.rb b/app/controllers/idv/image_uploads_controller.rb
@@ -23,6 +23,7 @@ def image_upload_form
         acuant_sdk_upgrade_ab_test_bucket: ab_test_bucket(:ACUANT_SDK),
         analytics:,
         attempts_api_tracker:,
+        fraud_ops_tracker:,
         liveness_checking_required: resolved_authn_context_result.facial_match?,
         service_provider: current_sp,
         uuid_prefix: current_sp&.app_id,

diff --git a/app/controllers/idv/in_person/ready_to_verify_controller.rb b/app/controllers/idv/in_person/ready_to_verify_controller.rb
@@ -20,6 +20,7 @@ def show
         @is_enhanced_ipp = resolved_authn_context_result.enhanced_ipp?
         analytics.idv_in_person_ready_to_verify_visit(**opt_in_analytics_properties)
         attempts_api_tracker.idv_ipp_ready_to_verify_visit
+        fraud_ops_tracker.idv_ipp_ready_to_verify_visit
         @presenter = ReadyToVerifyPresenter.new(
           enrollment: enrollment,
         )

diff --git a/app/controllers/idv/in_person/ssn_controller.rb b/app/controllers/idv/in_person/ssn_controller.rb
@@ -52,6 +52,12 @@ def update
           failure_reason: attempts_api_tracker.parse_failure_reason(form_response),
         )
 
+        fraud_ops_tracker.idv_ssn_submitted(
+          success: form_response.success?,
+          ssn: ssn_params[:ssn],
+          failure_reason: fraud_ops_tracker.parse_failure_reason(form_response),
+        )
+
         if form_response.success?
           idv_session.previous_ssn = idv_session.ssn
           idv_session.ssn = SsnFormatter.normalize(ssn_params[:ssn])

diff --git a/app/controllers/idv/otp_verification_controller.rb b/app/controllers/idv/otp_verification_controller.rb
@@ -30,6 +30,12 @@ def update
         failure_reason: result.success? ? nil : failure_reason(result.to_h),
       )
 
+      fraud_ops_tracker.idv_phone_otp_submitted(
+        phone_number: Phonelib.parse(idv_session.user_phone_confirmation_session.phone).e164,
+        success: result.success?,
+        failure_reason: result.success? ? nil : failure_reason(result.to_h),
+      )
+
       if result.success?
         idv_session.mark_phone_step_complete!
         save_in_person_notification_phone

diff --git a/app/controllers/idv/phone_controller.rb b/app/controllers/idv/phone_controller.rb
@@ -63,6 +63,12 @@ def create
         failure_reason: attempts_api_tracker.parse_failure_reason(result),
       )
 
+      fraud_ops_tracker.idv_phone_submitted(
+        phone_number: Phonelib.parse(step_params[:phone]).e164,
+        success: result.success?,
+        failure_reason: fraud_ops_tracker.parse_failure_reason(result),
+      )
+
       if result.success?
         submit_proofing_attempt
         redirect_to idv_phone_path
@@ -129,6 +135,13 @@ def send_phone_confirmation_otp_and_handle_result
         failure_reason: result.success? ? nil : otp_sent_tracker_error(result),
       )
 
+      fraud_ops_tracker.idv_phone_otp_sent(
+        phone_number: Phonelib.parse(idv_session.user_phone_confirmation_session.phone).e164,
+        success: result.success?,
+        otp_delivery_method: result.extra[:otp_delivery_preference],
+        failure_reason: result.success? ? nil : otp_sent_tracker_error(result),
+      )
+
       if result.success?
         redirect_to idv_otp_verification_url
       else
@@ -154,6 +167,7 @@ def step
         trace_id: amzn_trace_id,
         analytics:,
         attempts_api_tracker:,
+        fraud_ops_tracker:,
       )
     end
 

diff --git a/app/controllers/idv/ssn_controller.rb b/app/controllers/idv/ssn_controller.rb
@@ -52,6 +52,12 @@ def update
         failure_reason: attempts_api_tracker.parse_failure_reason(form_response),
       )
 
+      fraud_ops_tracker.idv_ssn_submitted(
+        success: form_response.success?,
+        ssn: ssn_params[:ssn],
+        failure_reason: fraud_ops_tracker.parse_failure_reason(form_response),
+      )
+
       if form_response.success?
         idv_session.previous_ssn = idv_session.ssn
         idv_session.ssn = SsnFormatter.normalize(ssn_params[:ssn])

diff --git a/app/controllers/sign_up/registrations_controller.rb b/app/controllers/sign_up/registrations_controller.rb
@@ -11,12 +11,16 @@ class RegistrationsController < ApplicationController
     CREATE_ACCOUNT = 'create_account'
 
     def new
-      @register_user_email_form = RegisterUserEmailForm.new(analytics:, attempts_api_tracker:)
+      @register_user_email_form = RegisterUserEmailForm.new(
+        analytics:, attempts_api_tracker:,
+      )
       analytics.user_registration_enter_email_visit
     end
 
     def create
-      @register_user_email_form = RegisterUserEmailForm.new(analytics:, attempts_api_tracker:)
+      @register_user_email_form = RegisterUserEmailForm.new(
+        analytics:, attempts_api_tracker:,
+      )
 
       result = @register_user_email_form.submit(permitted_params.merge(request_id:))
 

diff --git a/app/forms/gpo_verify_form.rb b/app/forms/gpo_verify_form.rb
@@ -9,14 +9,16 @@ class GpoVerifyForm
   validate :validate_pending_profile
 
   attr_accessor :otp, :pii, :pii_attributes
-  attr_reader :attempts_api_tracker, :user, :resolved_authn_context_result
+  attr_reader :attempts_api_tracker, :user, :resolved_authn_context_result, :fraud_ops_tracker
 
-  def initialize(attempts_api_tracker:, user:, pii:, resolved_authn_context_result:, otp: nil)
+  def initialize(attempts_api_tracker:, user:, pii:, resolved_authn_context_result:,
+                 fraud_ops_tracker:, otp: nil)
     @attempts_api_tracker = attempts_api_tracker
     @user = user
     @pii = pii
     @resolved_authn_context_result = resolved_authn_context_result
     @otp = otp
+    @fraud_ops_tracker = fraud_ops_tracker
   end
 
   def submit
@@ -40,6 +42,7 @@ def submit
 
     if pending_profile&.active?
       attempts_api_tracker.idv_enrollment_complete(reproof:)
+      fraud_ops_tracker.idv_enrollment_complete(reproof:)
     end
 
     FormResponse.new(

diff --git a/app/forms/idv/api_image_upload_form.rb b/app/forms/idv/api_image_upload_form.rb
@@ -16,6 +16,7 @@ def initialize(
       params,
       acuant_sdk_upgrade_ab_test_bucket:,
       attempts_api_tracker:,
+      fraud_ops_tracker:,
       service_provider:,
       analytics: nil,
       liveness_checking_required: false,
@@ -25,6 +26,7 @@ def initialize(
       @acuant_sdk_upgrade_ab_test_bucket = acuant_sdk_upgrade_ab_test_bucket
       @analytics = analytics
       @attempts_api_tracker = attempts_api_tracker
+      @fraud_ops_tracker = fraud_ops_tracker
       @readable = {}
       @service_provider = service_provider
       @uuid_prefix = uuid_prefix
@@ -89,6 +91,24 @@ def submit
           zip: pii_from_doc[:zip],
           failure_reason: failure_reason(response),
         )
+
+        fraud_ops_tracker.idv_document_upload_submitted(
+          **doc_escrow_images,
+          success: response.success?,
+          document_state: pii_from_doc[:state],
+          document_number: pii_from_doc[:state_id_number],
+          document_issued: pii_from_doc[:state_id_issued],
+          document_expiration: pii_from_doc[:state_id_expiration],
+          first_name: pii_from_doc[:first_name],
+          last_name: pii_from_doc[:last_name],
+          date_of_birth: pii_from_doc[:dob],
+          address1: pii_from_doc[:address1],
+          address2: pii_from_doc[:address2],
+          city: pii_from_doc[:city],
+          state: pii_from_doc[:state],
+          zip: pii_from_doc[:zip],
+          failure_reason: failure_reason(response),
+        )
       end
 
       abandon_any_ipp_progress
@@ -100,6 +120,7 @@ def submit
     attr_reader :acuant_sdk_upgrade_ab_test_bucket,
                 :analytics,
                 :attempts_api_tracker,
+                :fraud_ops_tracker,
                 :form_response,
                 :liveness_checking_required,
                 :params,
@@ -147,6 +168,11 @@ def track_upload_attempt(response)
         success: response.success?,
         failure_reason: attempts_api_tracker.parse_failure_reason(response),
       )
+      fraud_ops_tracker.idv_document_uploaded(
+        **doc_escrow_images,
+        success: response.success?,
+        failure_reason: fraud_ops_tracker.parse_failure_reason(response),
+      )
     end
 
     def doc_escrow_enabled?
@@ -404,6 +430,7 @@ def track_rate_limited
         user_id: user_uuid,
       )
       attempts_api_tracker.idv_rate_limited(limiter_type: :idv_doc_auth)
+      fraud_ops_tracker.idv_rate_limited(limiter_type: :idv_doc_auth)
     end
 
     def document_capture_session_uuid
-Original file line number
+Diff line change
@@ Expand Up / @@ -149,6 +149,7 @@ def init_profile @@
               profile: idv_session.profile,
             )
             attempts_api_tracker.idv_enrollment_complete(reproof:)
+            fraud_ops_tracker.idv_enrollment_complete(reproof:)
           end
         end
@@ Expand Down @@