DOI: 10.1145/2523649.2523653
research-article

The man who was there: validating check-ins in location-based services

Published: 09 December 2013

Abstract

The growing popularity of location-based services (LBS) has led to the emergence of an economy where users announce their location to their peers, indirectly advertising certain businesses. Venues attract customers through offers and discounts for users of such services. Unfortunately, this economy can become a target of attackers with the intent of disrupting the system for fun and, possibly, profit. This threat has raised the attention of LBS, which have invested efforts in preventing fake check-ins. In this paper, we create a platform for testing the feasibility of fake-location attacks, and present our case study of two popular services, namely Foursquare and Facebook Places. We discover their detection mechanisms and demonstrate that both services are still vulnerable. We implement an adaptive attack algorithm that takes our findings into account and uses information from the LBS at run-time, to maximize its impact. This strategy can effectively sustain mayorship in all Foursquare venues and, thus, deter legitimate users from participating. Furthermore, our experimental results validate that detection-based mechanisms are not effective against fake check-ins, and new directions should be taken for designing countermeasures. Hence, we implement a system that employs near field communication (NFC) hardware and a check-in protocol that is based on delegation and asymmetric cryptography, to eliminate fake-location attacks.


Published In

ACSAC '13: Proceedings of the 29th Annual Computer Security Applications Conference
December 2013
374 pages
ISBN:9781450320153
DOI:10.1145/2523649

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Conference

ACSAC '13
Sponsor:
  • ACSA
ACSAC '13: Annual Computer Security Applications Conference
December 9 - 13, 2013
Louisiana, New Orleans, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Cited By

  • (2024) A Comprehensive Study of Trajectory Forgery and Detection in Location-Based Services. IEEE Transactions on Mobile Computing 23:4 (3228-3242). DOI: 10.1109/TMC.2023.3273411. Online publication date: Apr-2024
  • (2022) Sybil-Based Attacks on Google Maps or How to Forge the Image of City Life. Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (73-84). DOI: 10.1145/3507657.3528538. Online publication date: 16-May-2022
  • (2022) Are You Moving as You Claim: GPS Trajectory Forgery and Detection in Location-Based Services. 2022 IEEE 42nd International Conference on Distributed Computing Systems (ICDCS) (1166-1176). DOI: 10.1109/ICDCS54860.2022.00115. Online publication date: Jul-2022
  • (2021) Characterizing Improper Input Validation Vulnerabilities of Mobile Crowdsourcing Services. Proceedings of the 37th Annual Computer Security Applications Conference (944-956). DOI: 10.1145/3485832.3485888. Online publication date: 6-Dec-2021
  • (2019) Anchor of trust: towards collusion-resistant trusted indoor location for enterprise and industrial use. Personal and Ubiquitous Computing. DOI: 10.1007/s00779-019-01220-5. Online publication date: 8-May-2019
  • (2019) Check2: A Framework for Fake Check-in Detection. Intelligent Computing (1-12). DOI: 10.1007/978-3-030-22868-2_1. Online publication date: 9-Jul-2019
  • (2019) A Location Spoofing Detection Method for Social Networks (Short Paper). Methionine Dependence of Cancer and Aging (138-150). DOI: 10.1007/978-3-030-12981-1_9. Online publication date: 7-Feb-2019
  • (2018) Gargoyle: A Network-based Insider Attack Resilient Framework for Organizations. 2018 IEEE 43rd Conference on Local Computer Networks (LCN) (553-561). DOI: 10.1109/LCN.2018.8638245. Online publication date: Oct-2018
  • (2017) Techu. Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services (475-487). DOI: 10.1145/3081333.3081345. Online publication date: 16-Jun-2017
  • (2017) Accurate Manipulation of Delay-based Internet Geolocation. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (887-898). DOI: 10.1145/3052973.3052993. Online publication date: 2-Apr-2017
