Maximizing Your Chargeback Protection With A Blacklist
Table of Contents
- What Is a Fraud Blacklist?
- How Do Fraud Blacklists Work?
- What Are Some Potential Problems with Fraud Blacklists?
- Is There a Good Way to Use Fraud Blacklists?
- What About Whitelists?
- Should You Use a Fraud Blacklist?
- What Does "Card Blacklisted" Mean?
Getting the upper hand in the fight against chargebacks means using every tool at your disposal. The right tools, correctly applied, can make a dramatic difference to your chargeback rate, but using the wrong tool for the wrong job can actually make things worse.
Straightforward and easy to implement, fraud blacklists are used by many merchants who want a simple way to screen out likely fraud. Targeted blacklists may be able to stop repeat offenders, but cast too wide a net and you filter out legitimate customers. Are fraud blacklists really an effective tool to prevent chargebacks?
What Is a Fraud Blacklist?
A fraud blacklist is a set of attributes associated with known fraudsters. If any incoming orders contain identifying information that matches the attributes on the blacklist, the transaction is rejected and the customer account is blocked from placing further orders.
In theory, fraud blacklists are an obvious solution. Why accept an order from a customer who is likely to be a fraudster? In practice, however, it’s difficult to create a blacklist that can be shared among different merchants that successfully blocks fraudsters without mistakenly blocking a large number of your real customers.
How Do Fraud Blacklists Work?
Fraud blacklists are built by analyzing cases of known fraud and identifying elements of customer data that can be reliably linked to fraud. This can include specific individual details, such as a fraudster’s name and aliases, or it can include whole blocks of network addresses or even entire countries.
These are the most commonly-used identifiers for fraud blacklists:
- IP address
- Email address
- Device fingerprint
- Customer location data
- Delivery location
There are various ways to implement a fraud blacklist, from manually checking orders against it to automating the process with your CRM.
However it functions, it’s important to remember that the blacklist has two important jobs to do. It has to block fraudulent orders, but it also has to let orders from legitimate customers through.
Creating a blacklist that balances these two tasks can be more challenging than it seems at first glance.
What Are Some Potential Problems with Fraud Blacklists?
The first problem with fraud blacklists is that fraudsters know exactly how they work and have all kinds of ways to get around them. A VPN can hide a user's IP address and location data, and signing up for a new email address is trivial. Device fingerprinting was difficult to bypass until recently, but now certain privacy-focused web browsers have options available for automatically stopping device fingerprinting scripts from running.
Shipping address can be helpful identifier for blocking a repeat fraudster, but many experienced fraudsters will have multiple shipping addresses they know they can send packages to safely. In a pinch, they may even enter a neighbor's address and use the advanced tracking that's now commonly available to snatch it off their porch the moment it arrives.
In addition, shipping address is one of the identifiers most likely to block legitimate transactions, as people do tend to move from time to time. Blocking a shipping address may stop a particular fraudster, but as soon as they find a new apartment, you'll be blocking a potential customer instead.
As with many anti-fraud tools, blacklists are good at stopping the lazy, low-effort fraudsters cold. The dedicated cyber criminals aren’t likely to be thwarted.
The other problem with fraud blacklists can be even more dangerous to merchants. If you start using a fraud blacklist, you’ll start seeing orders getting blocked in real time—that’s proof that the blacklist is doing something. However, unless you closely examine each blocked transaction, you won’t know for sure if they were fraudsters or legitimate customers.
False positives are a huge drawback to fraud blacklists. Fraudsters use the same internet service providers as the rest of us, which makes IP blocking terribly inaccurate, since providers may shift the same IP address from one customer to another from time to time.
The increasing popularity of VPNs also creates problems for blacklisting IPs. Not only do VPNs give fraudsters an easy way to hide their IP address, any customer using a VPN connected to a given server will show the same IP address on your end. If you blacklist the IP of a fraudster who's using a popular VPN, you may also be blocking potentially hundreds of legitimate customers who use that same VPN.
Some countries and regions really do carry higher rates of fraud, but blocking those regions wholesale means cutting yourself off from all of the honest, good customers in those markets. That could be a lot of potential sales to sacrifice in the service of fraud prevention.
You might think that shipping addresses are specific enough to block safely, at least in the short term, but fraudsters often request delivery to the same re-shippers, office blocks, and apartment buildings as your regular customers.
Before implementing any fraud blacklist, you have to look at its filtering criteria and consider the potential impact it might have on your existing customer base.
Is There a Good Way to Use Fraud Blacklists?
The best use case for blacklists is when merchants create them based on experience with specific customers. Customers who hit you with friendly fraud chargebacks, for example, are great candidates for an internal blacklist.
Friendly fraudsters who get away with it once are likely to keep trying to get away with it, but they don’t tend to be as relentless as the fraudsters who commit card theft or account takeover attacks. Blocking these customers is usually the best way to get rid of them and avoid getting taken advantage of a second time.
Shared blacklists are much less reliable and far more likely to result in false positives that cause you to miss out on revenue and alienate shoppers who could have become loyal customers. You don't know what other merchants' criteria are for adding customers to the blacklist, and some customers may be added to the list because of legitimate chargeback claims.
What About Whitelists?
If blacklists aren’t the ideal solution, what about taking the opposite tack—creating a list of known legitimate customer accounts and exempting them from your usual fraud screening and order review processes?
The advantage of this is that it creates a faster, smoother checkout experience for returning customers and reduces the workload on the staff and systems that review orders for fraud indicators. Manual reviews in particular take time, and the fewer of those you have to do, the better.
The big problem with this is that many of the most common forms of fraud—card theft and account takeover—will easily fool most whitelists. While they can indeed provide a more pleasant customer experience, this comes at the cost of making the merchant more vulnerable to fraud, not safer.
Should You Use a Fraud Blacklist?
Merchants should always be on the lookout for tools, software solutions, and practices that will help them prevent disputes, reduce chargebacks, and keep their customers happy. We always advocate a multi-pronged approach to chargeback management, as it is a complex challenge that can come at you from many different directions and for a wide range of reasons. That means identifying the root causes of your chargebacks, tracing them to the specific vulnerabilities in your business operations, and addressing them with effective, targeted solutions.
Fraud blacklists are often the equivalent of using a ten-pound mallet where a precision instrument is needed. You might squash the fraud, but you’re going to have a negative impact on a lot of your real customers at the same time. With the right analytics, you can develop a chargeback management strategy that brings down your fraud and chargeback rates without causing collateral damage to legitimate orders.
What Does "Card Blacklisted" Mean?
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: email@example.com