The Downsides of Shared Blacklists

shared-blacklisting

In the market for a fraud prevention tool? You’ll look at various options. Compare providers. And you’ll soon notice most of them proudly offer shared blacklists as a strong selling point. The problem? It’s not always something you want.

Today, we’ll have a deep look at shared blacklisting to help you decide if it’s a feature you need, or if, on the other hand, it could be detrimental to your fight against fraud.

What is Shared Blacklisting?

Imagine you own a bakery in a small village. One man comes in every day and tries to steal some bread. Soon enough, you’ll bar him for entering. And you’re probably likely to tell your friends in other shops about the repeating offender. They will also decide to stop the thief from entering their shop.

It’s exactly how fraud detection tools create their shared blacklists (also referred to as common blacklists). Companies collect data about users they refuse to serve, and fraud prevention software aggregates them together. Using a “strength in numbers” approach, the idea is simply that the more data you have, the bigger your blacklists are, and the more precise you can be at blocking unwanted users.

What Attributes Are Used for Blacklists?

As fraud prevention tools become increasingly precise in how they collect user data, a growing number of attributes can be used to “block” someone from your site. But historically there are three main ones.

IP Address

the number assigned to every device that connects to the Internet. While IP addresses were once a reliable way of identifying users, it still creates a number of problems in terms of precisions:

  • IP Addresses now rotate quicker than ever between users: mobile network users, ISPs often sell and recycle IP address ranges to satisfy the huge growth in user numbers.
  • Multiple users can share the same IP address: this is particularly true in public locations such as colleges, libraries, of networks that offer open WiFi.
  • Not a static attribute: as you can imagine, using a historical database of IP addresses for your blacklist can dramatically increase false positives.

Device fingerprint

A form of ID relating to information about the device used (Windows PC, iOS smartphone etc…). Similarly to IP addresses, the fast evolution of the mobile market has complicated things when using this attribute for blacklisting:

  • Not a permanent attribute: in the past, browsers could inject a “supercookie” or tracker that would be stored permanently on users’ device. Verizon got fined $1.35 M for employing the practice in 2016. Needless to say, supercookies are frowned upon.
  • Browser and os updates create new IDs: so once again, not a hugely precise way of tracking user info, especially when the mobile operating system cycle is so fast these days
  • Factory resets also trigger new IDs: a method fraudsters will surely be aware of. Simply factory resetting the device will give it a new ID.

shared-blacklisting

 

Email address

The most basic form of identification online, and also the easiest to fake.

  • Not efficient with ID fraud: 300 Million new email accounts are opened every year, and for criminals, it’s easier than ever to create an address that matches the name on a stolen ID.
  • No social profiling: Most fraud prevention tools don’t utilise possible social profiling methods and don’t provide any additional data about a single email address. This means there is no way of verifying the risk related to the email address and doesn’t necessarily result in appropriate blacklisting.

Other Concerns About Shared Blacklists

Merchants control their individual blacklists, but their flags could be wrong in the first place. This means information that will corrupt all of the shared blacklists used by dozens if not hundreds of other online services around the world! (And the most cautious of us will even imagine scenarios in which unscrupulous vendors could do it maliciously.)

Similarly, cybersecurity firms are not there to oversee the quality of the blacklisting. Even if the information is correct, it could become outdated. This is particularly true as we’ve seen that the fast cycle of new mobile devices complicates matters.

Finally, there is a huge data privacy issue. If your business must be GDPR compliant, for instance, who ensures the chain of information doesn’t violate the regulation’s terms? Is it the company who flagged the data? The cybersecurity firm? Or yours, the one that uses it passively?

Ensuring Shared Blacklists Work For You

There is no denying that shared blacklists can be an efficient screening tool. It could be the decisive factor if your process has entered manual review, and you find out that a certain user has been blocked by other companies before you.

Still, looking at the number of potential downsides, it’s best to remain cautious. In fact, any fraud prevention tool worth its salt should let you choose if you want shared blacklists as an option. And more importantly, you should have access to the parameters to ensure you tailor its potential to your needs.

Sign up to our newsletter