We just had an order come in for a large/heavy object, with the shipping service selected as "USPS Express Mail International Flat Rate Envelope."
The specifics: We're using a variation on the "Free Shipping on orders over 199.00" code to jquery hide/show different shipping options based on different criteria. It is stable code that works extremely well; it hides and shows different options and allows us to offer (amongst other things) free shipping under certain circumstances.
I have checked the cart contents on this order (all OK) and tried to replicate the situation. It only offers me the correct shipping choices-- the ones that are supposed to be hidden are hidden. So, when jquery .hide() and .show() operations are used, is this something that the user can just override? Apparently the answer is yes. But if/when this happens, is it something that happens accidentally, or is it something that requires a user to willfully manipulate? If it can happen here, I must assume that it's possible for anyone to select free shipping on any order.
Related: I'm curious what browser was being used for the transaction. A pity that there's so little data available for a successful transaction as compared to one where there's an error.