Page 4 covers Shopkick Defenses
The problem is that the audio can be easily recorded (if the iPhone can hear it, the iPhone can obviously record it). When StorefrontBacktalk was trying to determine if this fraud would actually work, our concern was that many speakers wouldn't have the frequency range to reproduce the sound sufficiently for the application to recognize it. After all, why make a consumer speaker that can reproduce sounds that no consumer can hear?
But those fears were unwarranted. The first speaker we tested was the cheapest one we could find, namely the built-in speaker on a Dell laptop. And, sure enough, the Shopkick app immediately detected the sound and awarded us the points for visiting a store we had never visited.It's important, though, to put this hack into context. Any application is going to have some level of fraudulent activity. In this instance, what is Shopkick doing to deal with this fraud, to minimize it?
Most of the defenses appear to involve applying rules about legitimate behavior. For example, someone attempting to "enter a store" when that store is closed would activate a fraud alert. Such an alert would also be triggered if someone "walked into" a store in Boston and then, one minute later, did the same for a store in Los Angeles.
Other defense techniques involve pattern recognition analysis, where Shopkick software analyzes its six months or so of usage data and then looks for anything that appears to break the typical pattern, said Shopkick Chief Technology Officer Aaron Emigh. That could include how many different stores a typical consumer visits in a day and in a week, along with how many different products are typically scanned. (Some sites have also posted the barcodes associated with specific stores, to allow a consumer to get points for those, too, without being in the store.)
What about regularly changing the sounds for each store, so fraudulent recorded sounds would quickly become outdated and easy to spot? That could be done by rotating frequencies used or by adding a timestamp or other changing identifier to the signal. Emigh said: "We do have some capabilities that we haven't rolled out yet." Asked if rotating sounds was one of those capabilities, Emigh said he'd rather not say.
Like all of security, these defenses are mostly aimed at reducing the fraud to a small enough level where it's not disruptive to retailers and doesn't dilute the marketing value. Shopkick doesn't know how much fraud it's currently experiencing, which is logical enough, given that a successful fraud will look to the company like a legitimate store visit.
"If you attempt to engage in fraud at a level that is economically worthwhile at all, you will run afoul of the many mechanisms that are in place to detect anomalous activity, and you will be banned," Emigh said.
That's a fair point, in that this type of fraud is not going to make any meaningful money for the fraudsters. That's partially because of the low levels of incentives offered by the retailers. But some consumers will do it, simply because they can. Will it be huge numbers? Probably not.
But—and this is critical--will it impact enough check-in users to make the numbers unreliable? This is primarily a marketing program. If GPS customer numbers are unreliable and audio issues raise questions about Shopkick, what does that mean for mobile and retail check-in efforts?
Shopkick's focus on its prevention techniques is legitimate. But those defenses will not flag someone who visits—or who appears to visit—local stores perhaps a few times a week. Therefore, retailers can't tell whether the Shopkick system's user activity is real or if it's the exact kind of fraud the system can't detect. Just because users don't have a financial reason to game a system, that doesn't mean that they won't.
Editor's Note: Page 1 of this Special Report covers The Fake And How It Works. Page 2 covers GPS ProblemsPage 3 covers Putting It Into Fraud Context Page 4 covers Shopkick Defenses
When a customer is found to have tried to make a false entry—at least one that the system figures out is false—that user is given a warning, Emigh said. If further bad activity is detected, that user is banned. Some users are banned the first time, he said, if the offense is significant enough.
The only figure Shopkick would release is that "the total number of people who have been banned for fraudulent activity amounts to a small fraction of one percent of the Shopkick user population." That's two steps removed from actual fraudulent activity. First, there's the universe of all Shopkick's interactions. Then we have an unknown number of frauds perpetrated. Some percentage of that population gets warnings. And then some percentage of those people get banned.
And without knowing what that "small fraction" is, it's hard to even evaluate that. One cynical interpretation of that small percentage is that Shopkick isn't catching many people. But without knowing how many of the contacts are fraudulent, few conclusions can be reached.
Part of the strategy behind Shopkick's defenses is simple minimization.Part of the strategy behind Shopkick's defenses is simple minimization. How many fraudsters will bother to do this? With the anti-fraud provisions in place, even a dedicated thief can't trick the app too often or alarms will go off. Shopkick is also watching for consumers who are using multiple accounts. With only one account, it would take a long time to generate sufficient incentives to make it worthwhile for a consumer.
Given how very low the barrier to entry for the fraud is, the incentives for the fraudsters don't need to be very substantial to make it worth their while. From the fraudsters' perspective, that's a good thing, because the incentives are indeed quite low. One of the knocks on the way some of these check-in systems—Foursquare is another good example—have been implemented by retailers is that the incentives given to consumers to use this unfamiliar application, to engage in a very new behavior, are so low as to barely incent many.
The type of incentives Target chose, for example, include small discounts on higher priced products, the same type of incentives the chain would typically offer to consumers for free.
The concern over this fraud is not that consumers will falsely ring up millions of dollars in unearned discounts. The incentives are too low for that to happen. The concern is simply that it makes it almost impossible for a retailer to trust that the numbers seen are legitimate.
Today, vendor incentives of various forms mean that the major chains are likely not paying much—and, most likely, nothing at all—for participating in these mobile trials. That means that even if it yields just a few new customers, it's worth it. What about months from now, though, when retailers will be expected to pay for every customer who checks in? Does this undermine the faith in the accuracy of these first-generation mobile systems?
Editor's Note: Page 1 of this Special Report covers The Fake And How It Works. Page 2 covers GPS ProblemsPage 3 covers Putting It Into Fraud Context Page 4 covers Shopkick Defenses
Analyst Nick Holland said he prefers NFC tags for location systems. "It becomes cost-prohibitive to fake NFC tags, as opposed to a sonic frequency," which is what Shopkick uses, he said.
Emigh said that the Shopkick team knew of the potential for the sound-recording fraud before they launched. When asked if Shopkick mentioned that possibility to any of the retailers—when they were pitching them to use the system—Emigh said that the details of the specific conversations they had with retailers were confidential.
