Check-In Cheating: Shopkick Retail Mobile System Easily Faked

Written by Evan Schuman
February 24th, 2011

Mobile retail check-in company Shopkick, which argued to retailers that only its mobile system could make sure that customers “are actually present within their store,” is getting hit by fraudsters. The result: Anyone is able to get points for visiting retailers, whether or not they actually did.

Shopkick systems sit in some of retail’s largest chains, including Best Buy, Target, Macy’s, Crate & Barrel, Sports Authority, American Eagle Outfitters and Wet Seal. That’s one reason why this issue is so potentially disruptive. The second reason is that this fraud effort is so extremely easy for consumers to do. It requires no jailbreaking of phones, no scripting or anything else. All consumers have to do is go to the fraudster’s Web site and play an MP3 file while their phones are nearby. The barrier to entry for this fraud is frighteningly low.

The bigger issue here, for retailers experimenting with various mobile strategies, is that this proves what pretty much everyone already knew: All of these mobile approaches have key security weaknesses, and the only way those weaknesses can be fully identified is to launch the services and let cyberthieves do their stuff.

In Shopkick’s case, faking a check-in is far easier than actually checking in. Each store has its own unique “Shopkick sound,” and some fraudsters have digitally recorded those sounds in the stores and then posted the collection on their Web sites, labeled by retailer and city. All a consumer has to do is choose a sound file in the appropriate city, click to play it and wait until the Shopkick app registers the sound and awards points.

Editor’s Note:

  • Page 1 of this Special Report covers The Fake And How It Works.
  • Page 2 covers GPS Problems
  • Page 3 covers Putting It Into Fraud Context
  • Page 4 covers Shopkick Defenses

    The fact that the sounds are unique to each location was supposed to be Shopkick’s key advantage. A key Shopkick marketing message has been that its approach is different from others who use a GPS approach to determining location. The problems with GPS approaches are twofold. First, it can’t get inside buildings, with very few exceptions. So this is a huge issue for malls and other indoor shopping locations. Second, the precision can be problematic, depending on where the store is.

    Michael Sajor, the chief technology officer at Ann Taylor who happens to be based in Manhattan, said New York City is a good example where the lack of GPS precision can be a big issue.

  • advertisement

    10 Comments | Read Check-In Cheating: Shopkick Retail Mobile System Easily Faked

    1. Aaron Emigh Says:

      I’m the CTO of shopkick and am quoted in this article. We were happy to provide our support and input to the editor while the story was prepared, but there seems to be a disconnect about what the key points are for retailers. From our point of view, the key question is: does it work?

      The shopkick Signal technology was created for retailers because if you’re a retailer, you want to know that your promotions are really driving foot traffic. Traditional marketing can’t tell you that, because it is not measurable. Simple check-ins can’t do that either because, as stated in the article, 95 of incented check-ins are fake and GPS isn’t accurate enough to detect it. The shopkick Signal, on the other hand, demonstrably drives foot traffic and actual transactions. In short, it works.

      While had a very small number of fraudsters try to exploit us early on, as any platform does, the good news is that shopkick’s fraud levels are exceedingly low – much lower than other models. This is due to a sophisticated multilayer detection system that automatically give users one warning, then permanently ban the user and their smartphone from shopkick. Simply put, nobody can engage in systematic fraud of a known type in our system today.

      The “barrier to entry” for fraud, referred to in the article, is actually quite high. It’s one thing to be able to play a single recording and get a few points (not nearly enough to cash out with). The key point is that if you attempt to engage in fraud at a level that is economically worthwhile at all, you will run afoul of the many mechanisms that are in place to detect anomalous activity, and you will be banned. It’s highly misleading to emphasize the ability to play a single recording. Such activity poses no threat to the economic integrity of the shopkick ecosystem for anyone involved. (And as mentioned in the article, very few users even do that.)

      The amount of fraud we experience is not absolutely zero – any model that claims that is not credible – but it is very close to that. In successful models, fraud is kept to a negligible level that does not interfere with the economic utility being provided. We have achieved that with shopkick, just as banks have achieved it with credit cards, as the best ad networks have achieved it online, as retailers have achieved it with coupons, and as governments have achieved it with currency. All of these systems have some fraud, and they all provide enormous value.

      We can be sure that shopkick has achieved this level of fraud resistance not only because of our monitoring and anti-fraud technologies, but especially because we observe that our partners’ promotions on shopkick result in measurable increases in actual purchases. Our retail partners have tested shopkick intensively over the past 6 months, in dozens of experiments. A direct and measurable correlation of rewards for walking in, actual walk-ins, and real, dollar-based shopping transactions has been proven. Shopkick is a marketing vehicle that is more cost efficient than other current models by an order of magnitude.

      This is the key: shopkick does something that has never been possible before, and it works. It is a whole new way to incent foot traffic, much more measurable and more resistant to fraud than anything that has come before. We believe that it is an important innovation for the retail industry as a whole, and we are gratified that our partners have welcomed it as such.

    2. Richard Nedwich Says:

      One other security measure could be “2 factor location” rather than 2 factor authentication. What this means is, could there be more than 1 way to verify location?

      Using inaudible frequencies is 1 method. What about device connectivity to store WLAN? If the Shopkick app could use the platform/OS API to network resources, to read the local networks in range (ESS_ID in techspeak), then this is another indicator that the device and user are in range of the physical store. This, too, could be faked, but raises the bar for the ‘casual cheater.’

    3. Dave Vockell Says:

      This feels like an article written by a technologist more focused on “perfect” tech than “great” marketing programs that create value for consumers and brands.

      I suspect that if the inflammatory “95 of check-ins are by consumers not actually there” were to be adjusted to “validate” check-ins that were within 50 feet (any heavy user has done some ‘near’ check-ins) then the new number would be low single digits. If I’m a retailer, I think I don’t mind a ‘near’ check-in. If someone likes my brand enough to make that quick brand-connection-through-check-in, then I believe that experience increases brand engagement and I don’t consider it “fraud”, I consider it a great marketing moment.

      The Shopkicks and foursquares of the world are still in v1.0 of the value they deliver to consumers at point-of-sale. If the level of “bad fraud” suggested by this article were actually grounds for discontinuing testing, I imagine that the author would probably shut down almost all retail stores, since “shrinkage” and credit card fraud DWARF check-in fraud (of course, in absolute dollars, but also in of activity). There are always bored and bad people, and whether they are pointing that mal-intent at getting free KickBucks, or stuffing sweaters in their backpacks and returning them later, they are not grounds for stopping commerce.

      I have to imagine v2.0 of Shopkick and foursquare will manage gaming/cheating better (just like paid search did as you moved from 1.0 to 2.0) and also turn so-called “fraudulent” check-ins into valuable marketing moments.

      The title of the article should have been “Check-In Cheating: Shopkick Retail Mobile System Easily Faked – Here are Five Reasons You Shouldn’t Care.”

    4. Evan Schuman Says:

      Dave, appreciate the very valid comments. But I think you misinterpreted the point of the piece. Nowhere did it suggest or imply that retailers should back off the testing of efforts such as Foursquare and Shopkick. Quite the contrary: we wouldn’t have devoted so much space to a topic that we think people should abandon. The intent was to put these (as you correctly said, version 1.0) mobile efforts into the proper context.
      Retailers need to be reminded of the lack of certainty that these numbers reflect reality. That certainly doesn’t you mean you stop testing. A similar statement could have been made about Version 1.0 of any major effort, including early Web analytics (and, much worse, the early CONCLUSIONS taken from those early analytics), RFID (remember the initial accuracy of read-rates?) and just about every other key retail technology effort. We had simply seen many vendors tout accuracy and informational claims that needed some additional context and reality. That’s all that the piece was trying to do.
      I personally am quite confident that Version 3 or 4 of these mobile check-in programs will address these accuracy issues and it will be a critical piece of retail technology. (OK, maybe some applications leveraging Wi-Fi may trump check-ins by then, but we’ll be watching all of that space and reporting on it as it happens.)
      P.S. As for your nearby check-in thought, that’s fine UNLESS you’re in the middle of a city or a shopping mall or anywhere else where that “nearby checkin” is actually for a competitor.

    5. Evan Schuman Says:

      Or–and I hate to suggest an icky inter-personal effort–but how about a store associate interact with the unit in some manner to verify existence. That could also be faked, but it gets far more difficult, theoretically driving the fraud down much further. But yes, a 2-factor effort would be a really nice touch.

    6. Pat Burns Says:

      The Shopkick app is very cool – I have been testing it out at Best Buy and Macy’s and the team has done a terrific job. However, the long term viability of ultrasound as a micro-location/background check-in technology is quite limited.

    7. Chris P Says:

      I LOVE Shopkick. Especially because 5 minutes down the road I have an Old Navy, Target, and Best Buy. I frequent these stores, so I’ve had a ball collecting kicks and even know some of the guys at BB who help me find the scans. It’s a total hoot. It has driven my foot traffic to these stores and as much as I swear I’m going in for the kicks and to poke around, I inevitably end up buying SOMETHING. This is the earliest I’ve ever gotten xmas shopping done because I was so excited to go out on Black Friday. That said, I was at a Simon Mall on Friday and I got a warning that I was cheating the system. It really kind of startled me. It said I had one warning and if I cheat again I’ll be kicked off the system. I didn’t know what I’d done wrong since I was IN the MALL…can anyone tell me if the warning can be in error? The servers did seem to be going a little haywire that day. I am just worried I’ll be booted for life for doing nothing wrong….and I LOVE it! I visit SK more than Facebook now! Any thoughts on an error warning sign?

    8. Dan C Says:

      What Chris P experienced was that the anti-fraud system/algorithm DOES NOT believe any devoted Shopkicker could frequent nearby stores that frequently, let along anyone willing to spend time to visit multiple malls in a short period of time. Probably need to limit daily kick collection to be below 1 or 2K.

      After the orange warning, what any Shopkicker can do is to (1) dial down your Shopkick devotion at once, (2) redeem your kick collection as soon as possible — before it’s too late. Once banned, there is no route of discussion/petition. Looks like only physical phone swap could restart the Shopkick habit — the ban at least backlisted your phone ID. It may not worth the trouble though.

      Set your kick appetite low. Forget about those impossible kick reward levels, for the reason they can arbitrarily terminate any user “immediately” and forfeit all kick collection. (read TERMS OF SERVICE) You will only realize how much time has been wasted by paying too much attention to what store merchants want to brainwash us, after you got banned. Time is money too.

    9. Scott Says:

      Why don’t you create an app that actually works and is beneficial. All yours does is lock up the phones and create a crowd of people standing by doors and products (that we don’t necessarily need) waiting for the app to connect to the server. In today’s economy, you have to know that people will do whatever they can to earn the most amount of points/money. If you really want to get this going, make it worth our while. Better walk-ins and better products (why would I want to buy printer ink from 3 different places?? I am going to purchase it from the cheapest location !)

      just my thoughts.

    10. Peter Says:

      just tested the app, quite amazing with the rewards/gift cards.

      the only downsides are…

      this app is a battery killer, with mobile network and GPS enabled, half of the juice was kick off your phone for staying in the mall for an hour or two when you are trying to scan and walk in.

      this app is time waster… for 1250 kicks / $5 gift card, you wasted 1-2 hours

      app ban issue: if it allow multiple user to login the same device for cheating and ban, why would you had a sign out button then?

      app ban issue: if it allow you to scan without physically onsite and ban you afterward, why would you allow that function?

      finally: app lover becomes app hater


    StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

    Most Recent Comments

    Why Did Gonzales Hackers Like European Cards So Much Better?

    I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
    Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
    A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
    The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
    @David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

    Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.