Can whitelists keep up with the changing times?

Posted on: May 28th, 2015 by Art Barger

Last week, I talked about the risks of relying on blacklists to protect your call center environment. This week, I’d like to discuss the reverse of blacklisting, a process called whitelisting.

Much in the way blacklists are designed to block specific phone numbers from entering a system, whitelists recognize devices or phone numbers that have been approved by a trusted source. For example, when a device or number is added to a whitelist, it can automatically ring through to a live telephone agent. On the flip side, any number that’s not on the list isn’t allowed into the system, period. It’s as simple as that.

However, building a whitelist and relying on it to determine which calls can or cannot be trusted is — much like blacklists — a risky proposition. Based on your experience with a phone number, you can almost be sure which numbers you can trust to allow into your system. What’s not so clear is the real-time status of those numbers, and the impact whitelist dependency can have on the security of your call center and your overall customer experience.

Here are a few areas where whitelists can fall short in protecting your customer environment:

  • Real-time status changes: In today’s 24-hour marketplace, statuses can change from good to risky at any time. If there’s one thing the fraud landscape has taught us, it’s that criminals are tenacious. They are constantly trying new things to defeat authentication processes. One of them is spoofing their Caller ID, which is one way they manage to defeat many authentication solutions. Because whitelists are only as good as the moment a new number is added, ensuring that a good number today will be a good number tomorrow is an ongoing challenge in managing a whitelist.
  • Outdated lists: In the same vein, when a good number has been stolen or used for fraud or malicious activity, a list that still recognizes it as good or valid can potentially allow a number into your environment that’s actively being used to commit criminal activity. This is when whitelists can put customer accounts and private information at risk. Again, keeping up with your customers’ constantly changing contact information can be a daunting task.
  • False negatives: An outdated whitelist can result in trusting numbers that are high risk. When a “trusted” number on a whitelist is being used by a thief to access a phone system, the call can be routed to an unsuspecting phone representative, who is then vulnerable to social engineering schemes. And for the legitimate customer whose phone number now poses a risk? Their number may have to be removed from the whitelist and be subject to another authentication method that could impact their user experience.

We know managing a call center is a daily challenge. Call centers are constantly deploying different authentication tools to validate inbound calls and help curb fraud. The bottom line is, when you rely on blacklists or whitelists to determine which calls are good or risky, you’re essentially using yesterday’s information to identify today’s callers.

The modern-day call center can’t afford to put all its trust in what it knew yesterday. Criminals are too smart for that. Only passive, real-time authentication that doesn’t rely on sensitive customer data can provide up-to-the-minute caller verification on every call to deliver a more secure, seamless environment for its customers.