Blacklisting, greylisting or whitelisting
Blacklisting is an access control that blocks anything included on the list.
Greylisting is a temporary block for anything included on the list until an additional step is performed.
Whitelisting is the opposite of a blacklist. A whitelist blocks anything not included on the list, e.g. only a provider from a list of registered providers can be selected.
Some examples of this type of countermeasure include:
- Blacklisted bank accounts cannot be recorded on a recipient's record.
- Providers listed on the greylist require additional suitability checks before being registered.
- Applicants can only choose from an approved list of providers.
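The three list types above, as an added example (not part of the original page): a blacklist check for bank accounts and a whitelist-plus-greylist check for providers, with every decision written to an audit log so that blocked attempts can be reviewed. The list contents, identifier formats and actor names are constructed for illustration.

```python
"""Constructed example of list-based fraud controls: a blacklist check for
bank accounts and a whitelist-plus-greylist check for providers."""
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    HOLD = "hold"    # greylisted: pause until the additional check is done
    BLOCK = "block"  # blacklisted, or not on the whitelist: reject


def normalize(value: str) -> str:
    """Strip spaces, dashes and case so formatting variants of the same
    identifier cannot slip past a list entry."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


# Constructed sample lists; real lists would be loaded from a protected store.
BLACKLISTED_ACCOUNTS = {normalize(a) for a in ["123-456 00001234"]}
APPROVED_PROVIDERS = {"PROV001", "PROV002", "PROV003"}
GREYLISTED_PROVIDERS = {"PROV003"}  # approved, but needs a suitability check first

AUDIT_LOG: list[dict] = []  # every decision is recorded so blocks can be reviewed


def _record(control: str, value: str, decision: Decision, actor: str) -> Decision:
    AUDIT_LOG.append({"control": control, "value": value, "actor": actor,
                      "decision": decision.value,
                      "review": decision is Decision.BLOCK})
    return decision


def check_bank_account(account: str, actor: str) -> Decision:
    """Blacklist: block only what is on the list; everything else is allowed."""
    key = normalize(account)
    if key in BLACKLISTED_ACCOUNTS:
        return _record("bank_account", key, Decision.BLOCK, actor)
    return _record("bank_account", key, Decision.ALLOW, actor)


def check_provider(provider_id: str, actor: str) -> Decision:
    """Whitelist with greylist: anything not approved is blocked; approved
    but greylisted providers are held until the additional check is done."""
    key = normalize(provider_id)
    if key not in APPROVED_PROVIDERS:
        return _record("provider", key, Decision.BLOCK, actor)
    if key in GREYLISTED_PROVIDERS:
        return _record("provider", key, Decision.HOLD, actor)
    return _record("provider", key, Decision.ALLOW, actor)


def blocks_awaiting_review() -> list[dict]:
    """Entries a reviewer should look at: every blocked attempt."""
    return [entry for entry in AUDIT_LOG if entry["review"]]
```

The normalisation step matters in practice: a list keyed on the raw string is bypassed by the same account number typed with different spacing or dashes.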
Purpose of this countermeasure
Someone can use distrustful information, such as compromised identities and dubious bank accounts, to commit fraud.
Providing false or misleading information, or forged documents, to commit fraud is an offence under the Criminal Code Act 1995.
Allowing someone to use distrustful or compromised information can lead to:
- fraudulent requests or claims
- fraudsters using the information to hijack payments.
This type of control is supported by:
- Collaboration with strategic partners
- Legislation and Policy
- Procedural instructions or guidance
- A specific form, process or system must be used
- Evidence must be provided to confirm identity
- Identity is authenticated for each interaction
- Mandatory information is required to complete the request or claim
- Prompts and alerts
- Internal escalation procedures
- Data matching
- Data protected from manipulation or misuse
- System testing
- Exception reporting
- Automatic notification of high-risk activities and transactions
- Fraud detection programs
- Coordinated disruption activity
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Conduct vulnerability testing to confirm that the lists work as intended.
- Consult subject matter experts about the lists.
- Review policies or other documentation related to the lists.
- Process walk-through: sit with a staff member while they show you how the controls work.
- Undertake analysis of data related to the lists, e.g. how many blocks are reported, and how often?
- Confirm the lists are 'always on' and automatically applied.
- Confirm that the systems/processes underlying the lists are adequate and reliable.
- Confirm that attempts to use blacklisted information are flagged and reviewed.
- Confirm that blacklisted information is not widely known or accessible.
- Confirm that someone cannot manipulate the lists even when pressure or coercion is applied. Test this if required.
- Confirm that access to the lists is monitored and reviewed.