This is page 3 of:

Check-In Cheating: Shopkick Retail Mobile System Easily Faked

February 24th, 2011

It’s important, though, to put this hack into context. Any application is going to see some level of fraudulent activity. In this instance, what is Shopkick doing to detect this fraud and keep it to a minimum?

Most of the defenses appear to be rules describing physically plausible behavior. For example, someone attempting to “enter a store” when that store is closed would trigger a fraud alert. So would impossible travel: someone who “walked into” a store in Boston and then, one minute later, did the same for a store in Los Angeles.

Other defense techniques involve pattern recognition, where Shopkick software analyzes its six months or so of usage data and then looks for anything that breaks the typical pattern, said Shopkick Chief Technology Officer Aaron Emigh. That could include how many different stores a typical consumer visits in a day and in a week, along with how many different products are typically scanned. (Some sites have also posted the barcodes associated with specific stores, so a consumer can collect points for those, too, without being in the store.)
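The three kinds of check described above (closed store, impossible travel, an unusual number of distinct stores in a day) are easy to misjudge in the abstract, so here is an added illustration of how such rules run over a check-in stream. This is example code written for this page, not Shopkick’s software; the store directory, opening hours, the sample check-ins and the “historical” daily counts that stand in for Shopkick’s six months of usage data are all constructed, and the 900 km/h speed limit and the mean-plus-three-sigma baseline are assumptions chosen for the illustration.

```python
"""Rule-based check-in fraud checks over a constructed event stream (illustration only)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, ceil, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class Store:
    store_id: str
    lat: float
    lon: float
    open_hour: int   # opening hour, 24h clock, store-local time (assumed)
    close_hour: int  # closing hour, exclusive


@dataclass(frozen=True)
class CheckIn:
    user: str
    store_id: str
    when: datetime   # assumed to already be in the store's local time


# Constructed store directory; coordinates are rough city-centre values.
STORES = {s.store_id: s for s in [
    Store("BOS-1", 42.3601, -71.0589, 9, 21),
    Store("BOS-2", 42.3736, -71.1097, 9, 21),
    Store("BOS-3", 42.3500, -71.0700, 9, 21),
    Store("BOS-4", 42.3400, -71.1000, 9, 21),
    Store("BOS-5", 42.3800, -71.0300, 9, 21),
    Store("BOS-6", 42.3300, -71.0500, 9, 21),
    Store("LAX-1", 34.0522, -118.2437, 9, 21),
]}

# Constructed sample of per-user-day distinct-store counts, standing in for
# the historical usage data a real baseline would be derived from.
HISTORY_DAILY_STORE_COUNTS = [1, 1, 2, 1, 3, 2, 1, 2, 1, 2, 1, 1, 2, 3, 1, 1, 2, 2, 1, 1]

# Constructed check-ins: alice is normal, bob checks in after closing,
# carol "teleports" from Boston to Los Angeles, dave hits six stores in two hours.
SAMPLE_CHECKINS = [
    CheckIn("alice", "BOS-1", datetime(2011, 2, 20, 10, 0)),
    CheckIn("alice", "BOS-2", datetime(2011, 2, 20, 12, 30)),
    CheckIn("bob", "BOS-1", datetime(2011, 2, 20, 23, 30)),
    CheckIn("carol", "BOS-1", datetime(2011, 2, 20, 14, 0)),
    CheckIn("carol", "LAX-1", datetime(2011, 2, 20, 14, 1)),
] + [CheckIn("dave", f"BOS-{i}", datetime(2011, 2, 20, 10 + (i - 1) // 3, 20 * ((i - 1) % 3)))
     for i in range(1, 7)]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def store_closed(ci, stores=STORES):
    """Rule 1: the check-in falls outside the store's opening hours."""
    s = stores[ci.store_id]
    return not (s.open_hour <= ci.when.hour < s.close_hour)


def impossible_travel(prev, cur, stores=STORES, max_kmh=900.0):
    """Rule 2: reaching `cur` from `prev` would require an implausible speed."""
    a, b = stores[prev.store_id], stores[cur.store_id]
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if dist == 0:  # same store again: no travel needed
        return False
    hours = (cur.when - prev.when).total_seconds() / 3600
    return hours <= 0 or dist / hours > max_kmh


def daily_store_threshold(history=HISTORY_DAILY_STORE_COUNTS, k=3.0):
    """Rule 3 baseline: distinct stores per day above mean + k*sigma is anomalous."""
    return ceil(mean(history) + k * pstdev(history))


def flag_checkins(checkins, stores=STORES, max_stores_per_day=None):
    """Return (user, rule) pairs for every rule a user's check-ins break."""
    if max_stores_per_day is None:
        max_stores_per_day = daily_store_threshold()
    by_user = defaultdict(list)
    for ci in sorted(checkins, key=lambda c: c.when):
        by_user[ci.user].append(ci)
    flags = []
    for user, events in by_user.items():
        for prev, cur in zip([None] + events, events):
            if store_closed(cur, stores):
                flags.append((user, "store_closed"))
            if prev is not None and impossible_travel(prev, cur, stores):
                flags.append((user, "impossible_travel"))
        per_day = defaultdict(set)
        for ci in events:
            per_day[ci.when.date()].add(ci.store_id)
        if any(len(ids) > max_stores_per_day for ids in per_day.values()):
            flags.append((user, "too_many_stores"))
    return flags


if __name__ == "__main__":
    print("daily store threshold:", daily_store_threshold())
    for user, rule in flag_checkins(SAMPLE_CHECKINS):
        print(f"{user}: {rule}")
```

The point the article makes about undetectable fraud shows up directly here: a forged check-in during opening hours, at one or two local stores a day, breaks none of the three rules and is indistinguishable from alice’s genuine visits.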

What about regularly changing the sounds for each store, so that recorded sounds would quickly go stale and replays would be easy to spot? That could be done by rotating the frequencies used or by adding a timestamp or other changing identifier to the signal. Emigh said: “We do have some capabilities that we haven’t rolled out yet.” Asked if rotating sounds was one of those capabilities, Emigh said he’d rather not say.
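To make the “changing identifier” idea concrete, here is an added illustration of one way a time-rotating store token could work; it is not Shopkick’s scheme and the page does not say what, if anything, Shopkick has built. It assumes each store beacon holds a per-store secret shared only with the verifying server, that the beacon encodes a short keyed token into whatever signal it emits (the audio modulation itself is out of scope here), and that tokens rotate every 300 seconds with one window of tolerance for clock drift; the store IDs, secret and clock values are constructed.

```python
"""Time-rotating store beacon token (illustration only, not Shopkick's design)."""
import hashlib
import hmac

STEP_SECONDS = 300   # assumed rotation period of the encoded identifier
TOKEN_HEX_LEN = 16   # 64-bit token; short enough to modulate into a brief signal


def _token_for_window(store_id: str, secret: bytes, window: int) -> str:
    msg = f"{store_id}:{window}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def beacon_token(store_id: str, secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """What the in-store beacon would encode in its signal at time `now` (unix seconds)."""
    return _token_for_window(store_id, secret, now // step)


def verify_token(store_id: str, token: str, secret: bytes, now: int,
                 step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server-side check: accept the current window or `skew` windows either side."""
    window = now // step
    return any(
        hmac.compare_digest(_token_for_window(store_id, secret, w), token)
        for w in range(window - skew, window + skew + 1)
    )


# Constructed secret and clock values for the demonstration.
STORE_SECRET = b"per-store secret known only to beacon and server"


def replay_outcomes():
    """Record a token at t=1000 and try to replay it at several later times."""
    recorded = beacon_token("BOS-1", STORE_SECRET, 1000)
    return {
        "live_same_window": verify_token("BOS-1", recorded, STORE_SECRET, 1100),
        "within_skew": verify_token("BOS-1", recorded, STORE_SECRET, 1400),
        "stale_replay": verify_token("BOS-1", recorded, STORE_SECRET, 3000),
        "wrong_store": verify_token("BOS-2", recorded, STORE_SECRET, 1100),
    }


if __name__ == "__main__":
    for case, accepted in replay_outcomes().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The caveat is that rotation only bounds the lifetime of a recording: a sound captured and replayed within the same window, or relayed live by an accomplice in the store, still verifies. What it does defeat is the attack the report describes, where store sounds are posted online and reused indefinitely.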

As with all security, these defenses are mostly aimed at reducing the fraud to a level low enough that it doesn’t disrupt retailers and doesn’t dilute the marketing value. Shopkick doesn’t know how much fraud it’s currently experiencing, which is logical enough, given that a successful fraud looks to the company exactly like a legitimate store visit.

“If you attempt to engage in fraud at a level that is economically worthwhile at all, you will run afoul of the many mechanisms that are in place to detect anomalous activity, and you will be banned,” Emigh said.

That’s a fair point, in that this type of fraud is not going to make any meaningful money for the fraudsters, partly because the incentives the retailers offer are small. But some consumers will do it simply because they can. Will it be huge numbers? Probably not.

But, and this is critical, will it affect enough check-in users to make the numbers unreliable? This is primarily a marketing program. If GPS customer numbers are unreliable and the audio issues raise questions about Shopkick, what does that mean for mobile and retail check-in efforts?

Shopkick’s focus on its prevention techniques is legitimate. But those defenses will not flag someone who visits, or who appears to visit, local stores perhaps a few times a week. Therefore, retailers can’t tell whether the Shopkick system’s user activity is real or whether it’s exactly the kind of fraud the system can’t detect. Just because users don’t have a financial reason to game a system, that doesn’t mean they won’t.

Editor’s Note:

  • Page 1 of this Special Report covers The Fake And How It Works.
  • Page 2 covers GPS Problems
  • Page 3 covers Putting It Into Fraud Context
  • Page 4 covers Shopkick Defenses

When a customer is found to have tried to make a false entry, at least one that the system figures out is false, that user is given a warning, Emigh said. If further bad activity is detected, that user is banned. Some users are banned the first time, he said, if the offense is significant enough.

The only figure Shopkick would release is that “the total number of people who have been banned for fraudulent activity amounts to a small fraction of one percent of the Shopkick user population.” That figure is two steps removed from actual fraudulent activity. First, there’s the universe of all Shopkick interactions. Within that is an unknown number of frauds perpetrated. Some percentage of those get warnings. And then some percentage of the warned users get banned.

And without knowing what that “small fraction” is, it’s hard to evaluate even that. One cynical interpretation of the small percentage is that Shopkick isn’t catching many people. But without knowing how many of the contacts are fraudulent, few conclusions can be reached.

Part of the strategy behind Shopkick’s defenses is simple minimization.
