Fraud BlacklistsFraud Blacklisting & Whitelisting: Is Either Approach Right for Your Business?

The term “blacklist” sounds ominous. However, it actually refers to a standard tool that many merchants use to prevent fraud.

In theory, banning sales to a list of accounts you believe to be invalid should lower the risk posed to you by fraudulent transactions. The reality isn’t quite that simple, though. Merchants often experience uneven results if they’re not very careful when employing blacklists to prevent fraud.

So, how can a fraud blacklist become an integral piece of your overall anti-fraud strategy? Let’s find out.

What is a Fraud Blacklist?

Fraud Blacklist

[noun]/frôd blakˌ• list/

A fraud blacklist is an archived data list containing personal information and transaction histories of accounts linked to confirmed fraudulent activity. All future transactions are compared to this list, and orders with matching information are declined.

A fraud blacklist is a database built to predict fraud based on previous interactions. Any time fraudulent activity is identified, pertinent details from that transaction are recorded on a blacklist. All future transactions are compared to that list, and if another order is placed using those details, the transaction is automatically declined.

As fraud prevention technology becomes increasingly precise, the way in which you collect and attribute user data also needs to change. Blacklisting makes it easier for you to spot and respond to potential fraudsters before they can act.

How Does a Fraud Blacklist Work?

A customer blacklist works in a couple of different ways. Depending on the parameters you set, automatic addition to the blacklist can be based on IP address, email address, physical address, credit card number, and more. You can even block orders from an entire country or region if too many fraudulent orders were received from the same area.

In some cases, different merchants may share lists with each other. The idea is to create a “hard stop” for cards used in fraudulent transactions. To a lesser extent, blacklists can also stop repeated incidents of chargeback abuse (known as friendly fraud).

The four main attributes used to create a blacklist are:

It’s important to note that none of these methods, on their own, are sufficient to paint an accurate picture of the user in question. Blacklists need to be based on multiple factors, with verdicts being based on informed, reasoned decisioning.

For instance, email addresses are the easiest form of identification to fake or misread. IP addresses are not static and can be shared by multiple users at once. Additionally, device fingerprinting is easily complicated by mobile network sharing and dynamic operating systems. Without considering all these (and other) variables, you could end up blocking valid users.

Are Fraud Blacklists Effective?

One reason blacklists are so popular is that they are so simple to use. Generally speaking, the platform’s job is straightforward: identify threats according to preprogrammed criteria, and deny access. Sounds simple, right?

At first glance, it would appear so. Indeed, many merchants prefer this method because blacklisting is offered as a built-in feature for most security services and software. You aren’t required to compile and manage lists on your own. In the long term, though, you may discover this approach is problematic.

Ultimately, fraud blacklists are effective and popular. But, if the question is whether they work, the answer is not so clear.

Blacklists can block orders, yes…but it will cost you. Blacklists may filter out fraudsters, but may also lead to increased false declines. You may end up blocking legitimate orders that contain similar or mistyped information.

Worse, these accounts will stay blocked until they are manually removed from the list. And, since internal blacklists tend to be static and have no process in place to regularly update the information over time, you won’t only be missing out on one-off orders. You’ll likely be cutting out customers for life.

The Downsides of Fraud Blacklisting

The main problem with blacklists is the way they’re built. Blocking certain accounts based on orders that were declined due to fraud sounds logical, but the strategy is problematic in many ways:

• It assumes all those declined orders were fraudulent. Statistically speaking, that probably isn’t true.
• It assumes that every element of the account is equally fraudulent. This is also unlikely.
• Because the data only moves in one direction, accounts added to the list stay on the list, even if the account was added by mistake.
• Since accounts aren’t added to the list until after the fraudulent event, blacklists can’t anticipate initial instances of fraud.
• These lists are seldom updated and quickly become inaccurate.

Without the most current and accurate information on your customer blacklist, legitimate transactions can easily be flagged as fraud. Good buyers will get falsely declined and added to the list for future rejection. This is a serious concern; merchant losses caused by false declines are nearly 70 times higher than those resulting from actual fraud attacks.

One false decline is bad enough, but keep in mind you’re also talking about blacklisting future sales based on legitimate orders that were simply mislabeled. The problem feeds on itself, and soon your chargeback abuse database is costing you more than it’s saving.

This problem is compounded by the fact that fraud is typically discovered (and in the case of friendly fraud, actually happens) after the transaction. Fraud blacklists are reactive; to build an internal fraud blacklist essentially requires you to be victimized by a fraudster at least once in order to identify them as a threat.

Internal Blacklists vs. Shared Blacklists: What's the Difference?

The most obvious weakness of an internal blacklist is, like we mentioned above, the fact that you can’t identify fraudsters and add them to an internal blacklist without first getting hit by them. Beyond that, internal blacklists also contain static programming with limited ability to update and diversify information streams.

By using an internal blacklisting solution, you ostensibly restrict yourself to manual review of every flagged user and situation that triggers a decline. Since an internal blacklist lacks the framework to connect to outside sources for additional information, human oversight is mandatory.

Shared blacklists (also called common blacklists), on the other hand, are databases shared between merchants across a greater network or information pool. Using a “strength in numbers” approach, you can collect and share information from other merchants’ fraud prevention networks. This lets you identify and respond to undesirable users more swiftly.

Although the latter approach seems a reasonable solution to the issues inherent to internal blacklists, using a shared fraud blacklist can also be problematic. Remember that the internal processes for attributing users to blacklists are already imperfect. So, it stands to reason that sharing this flawed data with a network of merchants only compounds the problem. If the data was erroneous before it was shared, passing it around won’t improve the situation.

Aside from this, shared blacklists also raise serious questions about data privacy and security. In short, there’s no easy answer to the question of which is best. It really depends on your specific needs.

Fraud Blacklisting vs. Whitelisting

A blacklist is much like blocking a number on your phone. You block specific users associated with fraudulent activity. You can also flip the blacklist idea on its head, though, and set up a fraud whitelist.

A  fraud whitelist is basically the same idea, only reversed. Rather than ban certain people, a whitelist blocks everyone except those matching select criteria. For example, you can ban everyone except customers in the US and Canada, if you wish. The idea here is to reject orders from regions or countries that are associated with a higher fraud risk.

As you might suspect, whitelists are problematic, too. Obviously, a whitelist blocks many good accounts that might want to make a purchase. It can also provide a false sense of security.

In the end, a fraud whitelist is probably too expansive and vast to be effective. It can lead you to reject a lot of good orders, while fraudsters operating from your target customer region go undetected.

What is Fraud Graylisting?

Graylisting is another antifraud tactic that is less widely discussed, but is perhaps more useful than blacklisting or whitelisting alone.

Graylists can be set up as a security tool, sending the network administrator or CRM a notification that a particular user meets the predetermined criteria for either blacklisting or whitelisting. When users get placed on a graylist, they are temporarily banned until you can review them and determine if their transactions are fraudulent or not.

For example, to utilize graylisting for email, a spam filter might temporarily block an email it is unsure if it should accept. If a sender resends the email relatively soon afterward, the message will be approved. The reason for this is that the majority of spam is bot-driven, and won’t try to resend emails once it's been notified that the message was blocked. A real user, however, would.

Fraud graylists combine the benefits of the two methods without many of their downsides. When used in tandem with either of the aforementioned tactics, a graylist can provide a necessary buffer between the two.

Which Approach is Best for Fraud Detection?

Time for the million-dollar question: which approach is right for your business? To determine this, let’s break down when each method has the most utility.

As mentioned above, blacklists are lower-maintenance on the front end and often easiest to access and implement.
If minimizing administrative effort and making it easy for your customers to buy from you is more valuable to you than stopping the occasional fraudulent or blocked transaction, then blacklisting is the way to go. Blacklisting offers:

• Wide public access
• Minimal administrative effort
• Less restriction

Whitelisting works best on a private system and generally operates more efficiently when you require stricter access control. Aside from these, whitelists are better at restricting or approving certain behaviors such as access to computers, POS systems, etc.

Whitelisting is less versatile than blacklisting, but it’s more predictable for specific uses, and offers a broader range of customizable actions. Benefits of whitelisting include:

• Limited public access
• Administrative effort isn’t a problem
• A controlled environment

Implementing a graylist in combination with a blacklist or whitelist, or using multiple tools at different administrative levels in your organization, may be the best possible solution.

For instance, an ideal practice might be to use blacklisting for detecting and blocking spam or fraudulent transactions while using a whitelist for approved application members. Another way to do this might be to blacklist malicious IP addresses while whitelisting expected application behaviors. In either scenario, a graylist could round out the equation by shifting potentially risky users into temporary holding patterns until you can determine which list (if any) the user belongs in.

• Flexibility
• Best balance of security and openness to buyers
• Blocks most obvious attacks without impacting legitimate users

Multi-Tiered Fraud Solutions are Key

On the surface, fraud blacklists (and whitelists) might seem like simple, straightforward, fraud-prevention tools. However, we’ve learned that they’re far less effective than they appear and can lead you to reject legitimate transactions.

Reacting to fraud by creating broader blacklist parameters is not the solution. Effectively preventing fraud means proactively identifying and resolving as many issues as possible before they manifest. But getting out in front of the problem is tricky—that’s why, in most cases, you’re better off bringing in professional help.

Among merchants, blacklists are popular because they’re simple and easy to understand. However, the tools and methods that work best are not simple: they’re necessarily complex because the problem of identifying fraud is also complex. The most effective fraud detection and chargeback prevention approach will always rely on multiple automated processes and human involvement.

At Chargebacks911®, we combine expert human analysis with our own proprietary technologies to create the most powerful chargeback and fraud management solutions available. Plus, all our solutions are backed by the industry’s only performance-based ROI guarantee. Continue below to learn more.