Check-In Cheating: Shopkick Retail Mobile System Easily FakedWritten by Evan Schuman
Mobile retail check-in company Shopkick, which argued to retailers that only its mobile system could make sure that customers “are actually present within their store,” is getting hit by fraudsters. The result: Anyone is able to get points for visiting retailers, whether or not they actually did.
Shopkick systems sit in some of retail’s largest chains, including Best Buy, Target, Macy’s, Crate & Barrel, Sports Authority, American Eagle Outfitters and Wet Seal. That’s one reason why this issue is so potentially disruptive. The second reason is that this fraud effort is so extremely easy for consumers to do. It requires no jailbreaking of phones, no scripting or anything else. All consumers have to do is go to the fraudster’s Web site and play an MP3 file while their phones are nearby. The barrier to entry for this fraud is frighteningly low.
The bigger issue here, for retailers experimenting with various mobile strategies, is that this proves what pretty much everyone already knew: All of these mobile approaches have key security weaknesses, and the only way those weaknesses can be fully identified is to launch the services and let cyberthieves do their stuff.
In Shopkick’s case, faking a check-in is far easier than actually checking in. Each store has its own unique “Shopkick sound,” and some fraudsters have digitally recorded those sounds in the stores and then posted the collection on their Web sites, labeled by retailer and city. All a consumer has to do is choose a sound file in the appropriate city, click to play it and wait until the Shopkick app registers the sound and awards points.
The fact that the sounds are unique to each location was supposed to be Shopkick’s key advantage. A key Shopkick marketing message has been that its approach is different from others who use a GPS approach to determining location. The problems with GPS approaches are twofold. First, it can’t get inside buildings, with very few exceptions. So this is a huge issue for malls and other indoor shopping locations. Second, the precision can be problematic, depending on where the store is.
Michael Sajor, the chief technology officer at Ann Taylor who happens to be based in Manhattan, said New York City is a good example where the lack of GPS precision can be a big issue.