Confessions of a Foursquare cheater
It all began when Burbank software engineer Jim Bumgardner decided he wanted to be mayor of the North Pole. Bumgardner, who was checking into the Hill Street Cafe in Burbank, was a new recruit to fast-growing Foursquare, one of the major players in a new social networking space that lets users “check in” and alert friends to their current location.
Foursquare is the successor to Dodgeball, which Dennis Crowley started in 2004 and sold a year later to Google. Google killed the service. So Crowley kicked it off again with business partner Naveen Selvadurai last March during South by Southwest, the annual technology and music festival. You earn “badges” for checking into venues. One of the chief goals of Foursquare is to become “mayor” of a particular location. The better the location, the greater the bragging rights.
So it was only a matter of time before players started bending the rules. Bumgardner, 47, who is also a part-time teacher, author and musician, may have been the first to blog about it.
Bumgardner, who has been interested in social media since the mid-1990s, has been using Foursquare since January. He says it took a few weeks for him to warm up to the service, which he initially thought was “annoying.” “It definitely gets more appealing when you start earning badges and mayorships,” he said. He started cheating on Feb. 7.
“Basically I thought it would be funny if I could add the ‘North Pole’ to my list of mayorships, and I started to wonder how to pull it off,” he said in an e-mail interview.
“Once I got started on that project, I realized how ridiculous the Foursquare security was. I tried to imagine a variety of different ways that someone more malicious than I could exploit the foursquare service, and I tried a few of them out, one-by-one. My goal was to eventually reveal my findings, so Foursquare would be motivated to tighten their security. But obviously I was having a bit of fun during my land grab.
“I realized I could not only grab the North Pole, but possess most of the major world landmarks -- the Statue of Liberty, Mount Rushmore, The Taj Mahal, à la Dr. Evil -- by writing a script to check into them every day.
“I imagined a scam in which someone could ‘frame’ a celebrity by creating fake accounts and having them check into seedy venues, so I tried my hand at that. I realized that any visitor to the Martha Stewart show, or her office building, who was also a foursquare user, would encounter the fake account I had created for her, and discover that ‘Martha’ had been visiting pawn shops, and 99-cent stores. Similarly, any visitor to the Kodak theater would discover my fake ‘Simon’ account. I thought it was important to demonstrate this scam, so that Foursquare would eventually take steps to prevent it.
“I realized the security was so poor, that I could probably take over every single Starbucks, as ubiquitous as they are. So I created a set of ‘Java Monkey’ bots that grabbed about 120 in a single week. If I had made a few more of them, and left them turned on, I would have eventually grabbed every single Starbucks. This exploit could be used by rival businesses to ‘poison’ the venues of their competitors, or used as a platform for malicious advertising.
“By the end of the week, I had about 10 scripts, each operating different accounts, running in the background on my laptop, each one checking into a different venue every 20 minutes or so. After a week of this kind of stuff, I discovered the simple ‘boat’ hack, and started giving people boats (you add the tag ‘boat’ to an airport, and every Foursquare user who checks into the airport gets the ‘I’m on a boat!’ badge).”
On Monday, while eating breakfast with his wife at the same diner where he conceived the “North Pole” idea, Bumgardner realized his job was done. So he headed home to share with the world what he had learned. The blog post went viral.
Crowley responded in a comment. As Foursquare closes in on 500,000 users, cheating has increased, he said.
“There’s a weird balance between a social utility (‘find your friends’) and a social game (‘most checkins gets you on the leaderboard!’) that we’re still working on figuring out. On one hand, we want everyone to be able to check-in from anywhere on any device. We’ve never liked the idea of creating a service that only your coolest friends with the coolest phones could use so we made sure any user on any phone would be able to check-in (SMS, mobile_web). On the other hand, the social game really works best when you can rely on GPS accuracy to police the checkins – if you’re not really there, you shouldn’t get credit for being there, right?
“But what’s more valuable – a system in which everyone can play and participate? Or a system that places emphasis on the validity of each checkin/post at the expense of all inclusiveness? I think the thing that makes foursquare so interesting – and yet so difficult – is that it wants to be both things at the same time. And if you survey users, just as many use it for finding their friends as they do for trying to get points / badges / mayorships.
“At Foursquare, I think we still have some thinking to do on this. We do see a lot of fake checkins (yes, we log and flag them… I think 2-3% of total checkins were ‘fake’ last time we checked) and there are a few bad apples that like to steal mayorships from their couch. We’ve been punting on addressing this because it requires removing some of the magic from foursquare (mayors, points, badges) for users with non-GPS phones.
“We often wonder why people ‘cheat’ when there’s really nothing to win – it’s not like we’re giving away trips to Hawaii or Ford Fiestas over here. But I guess the combo of mayorships, local recognition and, hey, maybe a free slice of pizza is a little too much for some people to live without. :)”
-- Jessica Guynn