Create and use blacklists, whitelists and greylists
Summary
Create lists that incoming information can be quickly compared against, either to automate an action or to require further action. For example:
- A blacklist automatically blocks anything included on the list.
- A whitelist automatically blocks anything not included on the list, so only listed items are allowed. This is the opposite of a blacklist.
- A greylist temporarily blocks or places limits on anything included on the list until an additional step is performed, such as a manual check.
Why this countermeasure matters
Not using blacklists, whitelists or greylists can lead to:
- fraudsters operating across different government programs without detection
- fraudsters moving from one government program to another without detection
- fraudsters reusing methods such as compromised identities to access accounts
- fraudsters using the same bank account to hijack multiple payments.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- blacklisting suspect bank accounts so they cannot be used for a client, provider or vendor
- making greylisted providers go through additional suitability checks before being registered
- requiring someone to choose from only an approved list of providers or vendors (whitelisting).
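As an added illustration (not part of this guidance), the three list types applied to a single payment request in Python: a blacklist of bank accounts that always blocks, a whitelist of approved payees, and a greylist of payees held until a suitability check is recorded. Every block or hold is written to a review queue so attempts are flagged, and list entries are stored as keyed hashes so the list file alone does not reveal the accounts; the key, account numbers and payee IDs are constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass, asdict

# Placeholder key (constructed); a real deployment keeps it in a secrets store.
LIST_KEY = b"placeholder-list-key"


def token(value: str) -> str:
    """Keyed hash of an identifier, so stored lists do not expose raw values."""
    return hmac.new(LIST_KEY, value.strip().upper().encode(), hashlib.sha256).hexdigest()


# Constructed sample lists; none of these are real accounts or identifiers.
BLACKLIST_ACCOUNTS = {token("062000-12345678")}              # suspect bank account: always blocked
GREYLIST_PAYEES = {token("PROV-0042")}                        # provider held until suitability check
WHITELIST_PAYEES = {token("VEND-001"), token("VEND-002")}    # approved vendors/providers only

REVIEW_QUEUE = []  # every blocked or held attempt is recorded here for review


@dataclass
class Decision:
    outcome: str  # "block", "hold" or "allow"
    reason: str


def _flag(request: dict, decision: Decision) -> Decision:
    """Record a blocked or held attempt so it is reviewed, then return the decision."""
    REVIEW_QUEUE.append({"request_id": request["id"], **asdict(decision)})
    return decision


def evaluate_payment(request: dict) -> Decision:
    """Apply the lists unconditionally ('always on') to one payment request."""
    if token(request["bank_account"]) in BLACKLIST_ACCOUNTS:
        return _flag(request, Decision("block", "bank account is blacklisted"))
    payee = token(request["payee_id"])
    if payee in GREYLIST_PAYEES:
        if request.get("suitability_checked", False):
            return Decision("allow", "greylisted payee has completed suitability check")
        return _flag(request, Decision("hold", "greylisted payee awaiting suitability check"))
    if payee not in WHITELIST_PAYEES:
        return _flag(request, Decision("block", "payee is not on the approved list"))
    return Decision("allow", "passed blacklist, greylist and whitelist checks")
```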
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Conduct pressure testing to confirm that the list works as intended.
- Consult subject matter experts about the lists.
- Review policies or other documentation related to the lists.
- Conduct a process walk-through to observe how the lists work.
- Review reports to see how many blocks are reported and how often.
- Confirm the lists are 'always on' and automatically applied.
- Confirm that the systems/processes underlying the lists are adequate and reliable.
- Confirm that attempts to use blacklisted information are flagged and reviewed.
- Confirm that blacklisted information is not widely known or accessible.
- Confirm that someone cannot manipulate the lists even when pressure or coercion is applied.
- Confirm that access to the lists is monitored and reviewed.
- Confirm that the lists are kept up-to-date.
Related countermeasures
This type of countermeasure is supported by:
Collaborate with strategic partners such as other government entities, committees, working groups and taskforces. This allows you to share capability, information and intelligence and to prevent and disrupt fraud.
Legislation and policy can help prevent, detect and respond to fraud, such as by outlining clear rules, regulations and criteria, allowing entities to collect, use and disclose information and allowing entities to enforce penalties and recover fraud losses.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Make sure requests or claims use a specific form, process or system for consistency.
Make sure to confirm the identity (an attribute or set of attributes that uniquely describe a subject within a given context) of the person making the request or claim using evidence.
Authenticate client or third party identities during each interaction to confirm the person owns the record they are trying to access.
Make sure forms or system controls require mandatory information to support claims or requests.
Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.
Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.
Automatically match data with another internal or external source to obtain or verify relevant details or supporting evidence. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.
Put protections in place to prevent data from being manipulated or misused.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.
Automatically notify clients or staff about high-risk events or transactions. This can alert them to potential fraud and avoid delays in investigating and responding to fraud.
Fraud detection software programs automatically analyse data to detect what is different from what is standard, normal or expected and may indicate fraud or corruption.
Coordinate disruption activities across multiple programs or entities to strengthen processes and identify serious and organised criminals targeting multiple programs. It can also include referrals to law enforcement agencies for those groups that reach the threshold for complex criminal investigations.