This is page 4 of:

Check-In Cheating: Shopkick Retail Mobile System Easily Faked

February 24th, 2011

Part of the strategy behind Shopkick’s defenses is simple minimization. How many fraudsters will bother to do this? With the anti-fraud provisions in place, even a dedicated thief can’t trick the app too often or alarms will go off. Shopkick is also watching for consumers who are using multiple accounts. With only one account, it would take a long time to generate sufficient incentives to make it worthwhile for a consumer.

Given how very low the barrier to entry for the fraud is, the incentives for the fraudsters don’t need to be very substantial to make it worth their while. From the fraudsters’ perspective, that’s a good thing, because the incentives are indeed quite low. One of the knocks on the way some of these check-in systems—Foursquare is another good example—have been implemented by retailers is that the incentives given to consumers to use this unfamiliar application, to engage in a very new behavior, are so low as to barely incent many.

The type of incentives Target chose, for example, include small discounts on higher priced products, the same type of incentives the chain would typically offer to consumers for free.

The concern over this fraud is not that consumers will falsely ring up millions of dollars in unearned discounts. The incentives are too low for that to happen. The concern is simply that it makes it almost impossible for a retailer to trust that the numbers seen are legitimate.

Today, vendor incentives of various forms mean that the major chains are likely not paying much—and, most likely, nothing at all—for participating in these mobile trials. That means that even if it yields just a few new customers, it’s worth it. What about months from now, though, when retailers will be expected to pay for every customer who checks in? Does this undermine the faith in the accuracy of these first-generation mobile systems?

Editor’s Note:

  • Page 1 of this Special Report covers The Fake And How It Works.
  • Page 2 covers GPS Problems
  • Page 3 covers Putting It Into Fraud Context
  • Page 4 covers Shopkick Defenses

    Analyst Nick Holland said he prefers NFC tags for location systems. “It becomes cost-prohibitive to fake NFC tags, as opposed to a sonic frequency,” which is what Shopkick uses, he said.

    Emigh said that the Shopkick team knew of the potential for the sound-recording fraud before they launched. When asked if Shopkick mentioned that possibility to any of the retailers—when they were pitching them to use the system—Emigh said that the details of the specific conversations they had with retailers were confidential.

  • advertisement

    10 Comments | Read Check-In Cheating: Shopkick Retail Mobile System Easily Faked

    1. Aaron Emigh Says:

      I’m the CTO of shopkick and am quoted in this article. We were happy to provide our support and input to the editor while the story was prepared, but there seems to be a disconnect about what the key points are for retailers. From our point of view, the key question is: does it work?

      The shopkick Signal technology was created for retailers because if you’re a retailer, you want to know that your promotions are really driving foot traffic. Traditional marketing can’t tell you that, because it is not measurable. Simple check-ins can’t do that either because, as stated in the article, 95 of incented check-ins are fake and GPS isn’t accurate enough to detect it. The shopkick Signal, on the other hand, demonstrably drives foot traffic and actual transactions. In short, it works.

      While had a very small number of fraudsters try to exploit us early on, as any platform does, the good news is that shopkick’s fraud levels are exceedingly low – much lower than other models. This is due to a sophisticated multilayer detection system that automatically give users one warning, then permanently ban the user and their smartphone from shopkick. Simply put, nobody can engage in systematic fraud of a known type in our system today.

      The “barrier to entry” for fraud, referred to in the article, is actually quite high. It’s one thing to be able to play a single recording and get a few points (not nearly enough to cash out with). The key point is that if you attempt to engage in fraud at a level that is economically worthwhile at all, you will run afoul of the many mechanisms that are in place to detect anomalous activity, and you will be banned. It’s highly misleading to emphasize the ability to play a single recording. Such activity poses no threat to the economic integrity of the shopkick ecosystem for anyone involved. (And as mentioned in the article, very few users even do that.)

      The amount of fraud we experience is not absolutely zero – any model that claims that is not credible – but it is very close to that. In successful models, fraud is kept to a negligible level that does not interfere with the economic utility being provided. We have achieved that with shopkick, just as banks have achieved it with credit cards, as the best ad networks have achieved it online, as retailers have achieved it with coupons, and as governments have achieved it with currency. All of these systems have some fraud, and they all provide enormous value.

      We can be sure that shopkick has achieved this level of fraud resistance not only because of our monitoring and anti-fraud technologies, but especially because we observe that our partners’ promotions on shopkick result in measurable increases in actual purchases. Our retail partners have tested shopkick intensively over the past 6 months, in dozens of experiments. A direct and measurable correlation of rewards for walking in, actual walk-ins, and real, dollar-based shopping transactions has been proven. Shopkick is a marketing vehicle that is more cost efficient than other current models by an order of magnitude.

      This is the key: shopkick does something that has never been possible before, and it works. It is a whole new way to incent foot traffic, much more measurable and more resistant to fraud than anything that has come before. We believe that it is an important innovation for the retail industry as a whole, and we are gratified that our partners have welcomed it as such.

    2. Richard Nedwich Says:

      One other security measure could be “2 factor location” rather than 2 factor authentication. What this means is, could there be more than 1 way to verify location?

      Using inaudible frequencies is 1 method. What about device connectivity to store WLAN? If the Shopkick app could use the platform/OS API to network resources, to read the local networks in range (ESS_ID in techspeak), then this is another indicator that the device and user are in range of the physical store. This, too, could be faked, but raises the bar for the ‘casual cheater.’

    3. Dave Vockell Says:

      This feels like an article written by a technologist more focused on “perfect” tech than “great” marketing programs that create value for consumers and brands.

      I suspect that if the inflammatory “95 of check-ins are by consumers not actually there” were to be adjusted to “validate” check-ins that were within 50 feet (any heavy user has done some ‘near’ check-ins) then the new number would be low single digits. If I’m a retailer, I think I don’t mind a ‘near’ check-in. If someone likes my brand enough to make that quick brand-connection-through-check-in, then I believe that experience increases brand engagement and I don’t consider it “fraud”, I consider it a great marketing moment.

      The Shopkicks and foursquares of the world are still in v1.0 of the value they deliver to consumers at point-of-sale. If the level of “bad fraud” suggested by this article were actually grounds for discontinuing testing, I imagine that the author would probably shut down almost all retail stores, since “shrinkage” and credit card fraud DWARF check-in fraud (of course, in absolute dollars, but also in of activity). There are always bored and bad people, and whether they are pointing that mal-intent at getting free KickBucks, or stuffing sweaters in their backpacks and returning them later, they are not grounds for stopping commerce.

      I have to imagine v2.0 of Shopkick and foursquare will manage gaming/cheating better (just like paid search did as you moved from 1.0 to 2.0) and also turn so-called “fraudulent” check-ins into valuable marketing moments.

      The title of the article should have been “Check-In Cheating: Shopkick Retail Mobile System Easily Faked – Here are Five Reasons You Shouldn’t Care.”

    4. Evan Schuman Says:

      Dave, appreciate the very valid comments. But I think you misinterpreted the point of the piece. Nowhere did it suggest or imply that retailers should back off the testing of efforts such as Foursquare and Shopkick. Quite the contrary: we wouldn’t have devoted so much space to a topic that we think people should abandon. The intent was to put these (as you correctly said, version 1.0) mobile efforts into the proper context.
      Retailers need to be reminded of the lack of certainty that these numbers reflect reality. That certainly doesn’t you mean you stop testing. A similar statement could have been made about Version 1.0 of any major effort, including early Web analytics (and, much worse, the early CONCLUSIONS taken from those early analytics), RFID (remember the initial accuracy of read-rates?) and just about every other key retail technology effort. We had simply seen many vendors tout accuracy and informational claims that needed some additional context and reality. That’s all that the piece was trying to do.
      I personally am quite confident that Version 3 or 4 of these mobile check-in programs will address these accuracy issues and it will be a critical piece of retail technology. (OK, maybe some applications leveraging Wi-Fi may trump check-ins by then, but we’ll be watching all of that space and reporting on it as it happens.)
      P.S. As for your nearby check-in thought, that’s fine UNLESS you’re in the middle of a city or a shopping mall or anywhere else where that “nearby checkin” is actually for a competitor.

    5. Evan Schuman Says:

      Or–and I hate to suggest an icky inter-personal effort–but how about a store associate interact with the unit in some manner to verify existence. That could also be faked, but it gets far more difficult, theoretically driving the fraud down much further. But yes, a 2-factor effort would be a really nice touch.

    6. Pat Burns Says:

      The Shopkick app is very cool – I have been testing it out at Best Buy and Macy’s and the team has done a terrific job. However, the long term viability of ultrasound as a micro-location/background check-in technology is quite limited.

    7. Chris P Says:

      I LOVE Shopkick. Especially because 5 minutes down the road I have an Old Navy, Target, and Best Buy. I frequent these stores, so I’ve had a ball collecting kicks and even know some of the guys at BB who help me find the scans. It’s a total hoot. It has driven my foot traffic to these stores and as much as I swear I’m going in for the kicks and to poke around, I inevitably end up buying SOMETHING. This is the earliest I’ve ever gotten xmas shopping done because I was so excited to go out on Black Friday. That said, I was at a Simon Mall on Friday and I got a warning that I was cheating the system. It really kind of startled me. It said I had one warning and if I cheat again I’ll be kicked off the system. I didn’t know what I’d done wrong since I was IN the MALL…can anyone tell me if the warning can be in error? The servers did seem to be going a little haywire that day. I am just worried I’ll be booted for life for doing nothing wrong….and I LOVE it! I visit SK more than Facebook now! Any thoughts on an error warning sign?

    8. Dan C Says:

      What Chris P experienced was that the anti-fraud system/algorithm DOES NOT believe any devoted Shopkicker could frequent nearby stores that frequently, let along anyone willing to spend time to visit multiple malls in a short period of time. Probably need to limit daily kick collection to be below 1 or 2K.

      After the orange warning, what any Shopkicker can do is to (1) dial down your Shopkick devotion at once, (2) redeem your kick collection as soon as possible — before it’s too late. Once banned, there is no route of discussion/petition. Looks like only physical phone swap could restart the Shopkick habit — the ban at least backlisted your phone ID. It may not worth the trouble though.

      Set your kick appetite low. Forget about those impossible kick reward levels, for the reason they can arbitrarily terminate any user “immediately” and forfeit all kick collection. (read TERMS OF SERVICE) You will only realize how much time has been wasted by paying too much attention to what store merchants want to brainwash us, after you got banned. Time is money too.

    9. Scott Says:

      Why don’t you create an app that actually works and is beneficial. All yours does is lock up the phones and create a crowd of people standing by doors and products (that we don’t necessarily need) waiting for the app to connect to the server. In today’s economy, you have to know that people will do whatever they can to earn the most amount of points/money. If you really want to get this going, make it worth our while. Better walk-ins and better products (why would I want to buy printer ink from 3 different places?? I am going to purchase it from the cheapest location !)

      just my thoughts.

    10. Peter Says:

      just tested the app, quite amazing with the rewards/gift cards.

      the only downsides are…

      this app is a battery killer, with mobile network and GPS enabled, half of the juice was kick off your phone for staying in the mall for an hour or two when you are trying to scan and walk in.

      this app is time waster… for 1250 kicks / $5 gift card, you wasted 1-2 hours

      app ban issue: if it allow multiple user to login the same device for cheating and ban, why would you had a sign out button then?

      app ban issue: if it allow you to scan without physically onsite and ban you afterward, why would you allow that function?

      finally: app lover becomes app hater


    StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

    Most Recent Comments

    Why Did Gonzales Hackers Like European Cards So Much Better?

    I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
    Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
    A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
    The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
    @David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

    Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.