DOI: 10.1145/2523649.2523653
research-article

The man who was there: validating check-ins in location-based services

Published: 09 December 2013

ABSTRACT

The growing popularity of location-based services (LBS) has led to the emergence of an economy where users announce their location to their peers, indirectly advertising certain businesses. Venues attract customers through offers and discounts for users of such services. Unfortunately, this economy can become a target of attackers with the intent of disrupting the system for fun and, possibly, profit. This threat has raised the attention of LBS, which have invested efforts in preventing fake check-ins. In this paper, we create a platform for testing the feasibility of fake-location attacks, and present our case study of two popular services, namely Foursquare and Facebook Places. We discover their detection mechanisms and demonstrate that both services are still vulnerable. We implement an adaptive attack algorithm that takes our findings into account and uses information from the LBS at run-time, to maximize its impact. This strategy can effectively sustain mayorship in all Foursquare venues and, thus, deter legitimate users from participating. Furthermore, our experimental results validate that detection-based mechanisms are not effective against fake check-ins, and new directions should be taken for designing countermeasures. Hence, we implement a system that employs near field communication (NFC) hardware and a check-in protocol that is based on delegation and asymmetric cryptography, to eliminate fake-location attacks.


Published in

ACSAC '13: Proceedings of the 29th Annual Computer Security Applications Conference
December 2013
374 pages
ISBN: 9781450320153
DOI: 10.1145/2523649

Copyright © 2013 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 104 of 497 submissions, 21%
