Check-In Cheating: Shopkick Retail Mobile System Easily Faked
Mobile retail check-in company Shopkick, which argued to retailers that only its mobile system could make sure that customers "are actually present within their store," is getting hit by fraudsters. The result: Anyone is able to get points for visiting retailers, whether or not they actually did.
Shopkick systems sit in some of retail's largest chains, including Best Buy, Target, Macy's, Crate & Barrel, Sports Authority, American Eagle Outfitters and Wet Seal. That's one reason why this issue is so potentially disruptive. The second reason is that this fraud effort is so extremely easy for consumers to do. It requires no jailbreaking of phones, no scripting or anything else. All consumers have to do is go to the fraudster's Web site and play an MP3 file while their phones are nearby. The barrier to entry for this fraud is frighteningly low.
The bigger issue here, for retailers experimenting with various mobile strategies, is that this proves what pretty much everyone already knew: All of these mobile approaches have key security weaknesses, and the only way those weaknesses can be fully identified is to launch the services and let cyberthieves do their stuff.
In Shopkick's case, faking a check-in is far easier than actually checking in. Each store has its own unique "Shopkick sound," and some fraudsters have digitally recorded those sounds in the stores and then posted the collection on their Web sites, labeled by retailer and city. All a consumer has to do is choose a sound file in the appropriate city, click to play it and wait until the Shopkick app registers the sound and awards points.
The fact that the sounds are unique to each location was supposed to be Shopkick's key advantage. A key Shopkick marketing message has been that its approach is different from others who use a GPS approach to determining location. The problems with GPS approaches are twofold. First, it can't get inside buildings, with very few exceptions. So this is a huge issue for malls and other indoor shopping locations. Second, the precision can be problematic, depending on where the store is.
Michael Sajor, the chief technology officer at Ann Taylor who happens to be based in Manhattan, said New York City is a good example where the lack of GPS precision can be a big issue.
"You get to the question of 'What degree of granularity do you need to enable the application that you'd like to deploy?' For example, if I walk down the street in New York, and I'm using GPS, the best you're going to get is maybe 30 meter radius accuracy. Maybe," Sajor said. "If I'm down to 30 meter accuracy and I'm on 5th Avenue in New York, I'm hitting 35 retailers, maybe 40. So what good is that level of location if I'm a retailer trying to leverage that to say something about where I am so that I can do something with the client?"
Sajor added that those GPS limits "drive me to other technologies that the client may or may not be willing to adopt. Will he or she be willing to adopt Wi-Fi when she walks into the store? Probably not unless you compel them with something interesting." (Sajor's comments on mobile strategies were part of a series of StorefrontBacktalk podcasts. These GPS comments were part of a larger discussion of the challenges of in-store mobile that included senior IT execs from Home Depot, Pizza Hut and HSN.)
Shopkick tried to counter those GPS shortcomings by deploying a system that uses a small speaker at the entrance of each store. Those speakers transmit audio blasts that are at too high a frequency to be heard by humans, but can be detected by iPhones and Android mobile units that have the Shopkick app loaded. Each store (not just the chain as a whole, but the individual stores where the devices are housed) is given its own special sound. That way, when the application "hears" that sound, it knows exactly where that consumer is at that moment. At least that was how it was supposed to work.
The problem is that the audio can be easily recorded (if the iPhone can hear it, the iPhone can obviously record it). When StorefrontBacktalk was trying to determine if this fraud would actually work, our concern was that many speakers wouldn't have the frequency range to reproduce the sound sufficiently for the application to recognize it. After all, why make a consumer speaker that can reproduce sounds that no consumer can hear?
But those fears were unwarranted. The first speaker we tested was the cheapest one we could find, namely the built-in speaker on a Dell laptop. And, sure enough, the Shopkick app immediately detected the sound and awarded us the points for visiting a store we had never visited.
It's important, though, to put this hack into context. Any application is going to have some level of fraudulent activity. In this instance, what is Shopkick doing to deal with this fraud, to minimize it?
Most of the defenses appear to involve applying rules about legitimate behavior. For example, someone attempting to "enter a store" when that store is closed would activate a fraud alert. Such an alert would also be triggered if someone "walked into" a store in Boston and then, one minute later, did the same for a store in Los Angeles.
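The two rules described above (a check-in while the store is closed, and two check-ins too far apart for the elapsed time) can be sketched as follows. This is an added example, not Shopkick's code; the store table, opening hours, speed ceiling and sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed stores: id -> (lat, lon, opening hour, closing hour).
# Assumption: every timestamp and opening hour uses one shared clock.
STORES = {
    "boston-01": (42.3601, -71.0589, 9, 21),
    "la-01": (34.0522, -118.2437, 9, 21),
}
MAX_KMH = 900.0  # assumed ceiling, roughly airliner speed

@dataclass
class CheckIn:
    user: str
    store: str
    when: datetime

def km_between(a, b):
    """Great-circle (haversine) distance between two store ids, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*STORES[a][:2], *STORES[b][:2]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_checkins(events):
    """Return (event, reason) for each check-in that breaks a rule."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        _, _, opens, closes = STORES[ev.store]
        if not opens <= ev.when.hour < closes:
            alerts.append((ev, "store closed"))
        prev = last.get(ev.user)
        if prev and prev.store != ev.store:
            hours = (ev.when - prev.when).total_seconds() / 3600
            if hours <= 0 or km_between(prev.store, ev.store) / hours > MAX_KMH:
                alerts.append((ev, "impossible travel"))
        last[ev.user] = ev
    return alerts

T0 = datetime(2011, 1, 10, 14, 0)  # constructed timestamps
SAMPLE = [
    CheckIn("alice", "boston-01", T0),
    CheckIn("alice", "la-01", T0 + timedelta(minutes=1)),
    CheckIn("bob", "boston-01", T0.replace(hour=23)),
    CheckIn("carol", "la-01", T0),
    CheckIn("carol", "la-01", T0 + timedelta(days=2)),
]
```

Running `flag_checkins(SAMPLE)` flags the Boston-then-Los Angeles pair and the 11 p.m. check-in; the third constructed user, who checks in at one store during opening hours two days apart, produces no alert.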
Other defense techniques involve pattern recognition analysis, where Shopkick software analyzes its six months or so of usage data and then looks for anything that appears to break the typical pattern, said Shopkick Chief Technology Officer Aaron Emigh. That could include how many different stores a typical consumer visits in a day and in a week, along with how many different products are typically scanned. (Some sites have also posted the barcodes associated with specific stores, to allow a consumer to get points for those, too, without being in the store.)
What about regularly changing the sounds for each store, so fraudulent recorded sounds would quickly become outdated and easy to spot? That could be done by rotating frequencies used or by adding a timestamp or other changing identifier to the signal. Emigh said: "We do have some capabilities that we haven't rolled out yet." Asked if rotating sounds was one of those capabilities, Emigh said he'd rather not say.
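One way the "timestamp or other changing identifier" idea could work, as an added example that is not Shopkick's design: each store's speaker emits a short code derived from a per-store secret and the current time window, and the server accepts only codes from a recent window. The window length, code size, key and store id are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW_SECONDS = 300  # assumed rotation period
CODE_BYTES = 4        # assumed payload size the audio signal can carry

def beacon_code(store_key: bytes, store_id: str, t: int) -> bytes:
    """Code a store's speaker would emit during the window containing time t."""
    window = t // WINDOW_SECONDS
    msg = f"{store_id}|{window}".encode()
    return hmac.new(store_key, msg, hashlib.sha256).digest()[:CODE_BYTES]

def verify_checkin(store_key: bytes, store_id: str, heard: bytes,
                   now: int, skew: int = 1) -> bool:
    """Server side: accept a code only from the current window +/- skew windows."""
    for delta in range(-skew, skew + 1):
        expected = beacon_code(store_key, store_id, now + delta * WINDOW_SECONDS)
        if hmac.compare_digest(expected, heard):
            return True
    return False

def demo():
    """Constructed scenario: one code checked promptly and again a day later."""
    key = b"constructed-demo-key"      # placeholder secret, not a real key
    t0 = 1_300_000_000                 # constructed Unix timestamp
    code = beacon_code(key, "boston-01", t0)
    fresh = verify_checkin(key, "boston-01", code, t0 + 30)
    stale = verify_checkin(key, "boston-01", code, t0 + 86_400)
    return fresh, stale

if __name__ == "__main__":
    print(demo())
```

A code is still accepted until its window expires, so rotation bounds the useful lifetime of a recording rather than proving presence; the behavioral rules remain necessary alongside it.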
Like all of security, these defenses are mostly aimed at reducing the fraud to a small enough level where it's not disruptive to retailers and doesn't dilute the marketing value. Shopkick doesn't know how much fraud it's currently experiencing, which is logical enough, given that a successful fraud will look to the company like a legitimate store visit.
"If you attempt to engage in fraud at a level that is economically worthwhile at all, you will run afoul of the many mechanisms that are in place to detect anomalous activity, and you will be banned," Emigh said.
That's a fair point, in that this type of fraud is not going to make any meaningful money for the fraudsters. That's partially because of the low levels of incentives offered by the retailers. But some consumers will do it, simply because they can. Will it be huge numbers? Probably not.
But, and this is critical, will it impact enough check-in users to make the numbers unreliable? This is primarily a marketing program. If GPS customer numbers are unreliable and audio issues raise questions about Shopkick, what does that mean for mobile and retail check-in efforts?
Shopkick's focus on its prevention techniques is legitimate. But those defenses will not flag someone who visits—or who appears to visit—local stores perhaps a few times a week. Therefore, retailers can't tell whether the Shopkick system's user activity is real or if it's the exact kind of fraud the system can't detect. Just because users don't have a financial reason to game a system, that doesn't mean that they won't.
When a customer is found to have tried to make a false entry—at least one that the system figures out is false—that user is given a warning, Emigh said. If further bad activity is detected, that user is banned. Some users are banned the first time, he said, if the offense is significant enough.
The only figure Shopkick would release is that "the total number of people who have been banned for fraudulent activity amounts to a small fraction of one percent of the Shopkick user population." That's two steps removed from actual fraudulent activity. First, there's the universe of all Shopkick's interactions. Then we have an unknown number of frauds perpetrated. Some percentage of that population gets warnings. And then some percentage of those people get banned.
And without knowing what that "small fraction" is, it's hard to even evaluate that. One cynical interpretation of that small percentage is that Shopkick isn't catching many people. But without knowing how many of the contacts are fraudulent, few conclusions can be reached.
Part of the strategy behind Shopkick's defenses is simple minimization. How many fraudsters will bother to do this? With the anti-fraud provisions in place, even a dedicated thief can't trick the app too often or alarms will go off. Shopkick is also watching for consumers who are using multiple accounts. With only one account, it would take a long time to generate sufficient incentives to make it worthwhile for a consumer.
Given how very low the barrier to entry for the fraud is, the incentives for the fraudsters don't need to be very substantial to make it worth their while. From the fraudsters' perspective, that's a good thing, because the incentives are indeed quite low. One of the knocks on the way some of these check-in systems—Foursquare is another good example—have been implemented by retailers is that the incentives given to consumers to use this unfamiliar application, to engage in a very new behavior, are so low as to barely incent many.
The type of incentives Target chose, for example, include small discounts on higher priced products, the same type of incentives the chain would typically offer to consumers for free.
The concern over this fraud is not that consumers will falsely ring up millions of dollars in unearned discounts. The incentives are too low for that to happen. The concern is simply that it makes it almost impossible for a retailer to trust that the numbers seen are legitimate.
Today, vendor incentives of various forms mean that the major chains are likely not paying much—and, most likely, nothing at all—for participating in these mobile trials. That means that even if it yields just a few new customers, it's worth it. What about months from now, though, when retailers will be expected to pay for every customer who checks in? Does this undermine the faith in the accuracy of these first-generation mobile systems?
Analyst Nick Holland said he prefers NFC tags for location systems. "It becomes cost-prohibitive to fake NFC tags, as opposed to a sonic frequency," which is what Shopkick uses, he said.
Emigh said that the Shopkick team knew of the potential for the sound-recording fraud before they launched. When asked if Shopkick mentioned that possibility to any of the retailers—when they were pitching them to use the system—Emigh said that the details of the specific conversations they had with retailers were confidential.