
Mayor of the North Pole

[NOTE: I've posted some recent developments at the bottom. ]

I’ve been blatantly cheating at foursquare for the past week. I didn’t mean to start the week this way. Most of my friends know me as a responsible father who occasionally plays piano at local open mics, and makes puzzles.

Last Sunday, while checking into the Hill Street Cafe in Burbank using the foursquare iPhone app, I idly wondered, “Can I become the mayor of the North Pole?” So I tried checking into a nearby 7-Eleven. It worked. I tried the Griffith Observatory about 5 miles away. It worked. I tried Disneyland, which is about an hour away. It didn’t work, but I now had an afternoon hacking project.

When I got home, I looked to see if foursquare had an api. They did. So I found a venue that was close to the North Pole, the “Top of the World” hotel in Barrow Alaska, and checked myself into it.

This can be done on the command line using the curl program, like so:

curl -u EMAIL:PASSWORD -d "vid=993842" http://api.foursquare.com/v1/checkin

Try it! You’ll need to substitute in your own email and password. 993842 is the venue id of the “Top of the World” hotel, as can be seen in the URL of this page:

http://foursquare.com/venue/993842

This venue wasn’t actually in foursquare’s database, so I added it, using the ‘addvenue’ call. I also added a venue for the actual North Pole. It turns out it’s much easier to become the mayor of something if nobody else has ever checked into it.

[ Edit: Some folks have rightly pointed out that you can easily do the same thing with the mobile website (mobile.foursquare.com). For my purposes, as you'll see in a moment, the API was more efficient... ]

Here’s the North Pole venue I made:

http://foursquare.com/venue/995274

Ultimately, I ended up adding a lot of venues. I used Google Earth to create KML files of interesting venues, and wrote a script to import them all into foursquare. I did the same thing with Yelp. I found that foursquare would rate-limit me if I added them too quickly, so I added them two and a half minutes apart. Later, I found that by rotating among multiple accounts while adding venues, I could add them much more quickly.

At some point last week, I devolved into a 12 year old hacker, and I spent many spare hours (and my computer’s spare cycles) abusing the system with a set of scripts operating fake accounts. Not only did I add new venues like the North Pole, but I started persistently checking into coveted landmarks, like the Statue of Liberty.

What can I say? It was fun, and foursquare’s incentives (badges and mayorships) spurred me on. Incentives invite abuse, even from mild-mannered folks like me.

Eventually I amassed a huge number of mayorships, spread among multiple accounts, including the Statue of Liberty, Mount Rushmore, the Lincoln Memorial, Stonehenge and the Taj Mahal, as can be seen in this screen snapshot.

I wrote a script that would walk through a list of venue ids, and check into them one by one. Then I created about 10 fake foursquare accounts, and had them take over different territories.

I created five “Java Monkeys” which grabbed about 120 different Starbucks in different regions (east, west, midwest, south, intl). I identified and targeted hotly contested Starbucks by searching Twitter for recent oustings. My script automatically visited those ones, to the consternation of the new mayors.

I created a fake Martha Stewart who checks into dollar stores and pawnshops when not visiting Martha Stewart Omnimedia and the set of her TV Show.

I created a fake Simon Cowell who visits massage parlors and gets lunch at Hotdog on a Stick when not visiting the Kodak theater.

I created a fake Tommy Chong who is mayor of 130 cannabis clinics.

I created a fake Sammy Davis Jr who checks into casinos and bars in Las Vegas.

I created a “random nerd” who checked into a number of large campuses in the Silicon Valley.

The “Java Monkeys” got the biggest reactions. Foursquare users get far more irate when they lose mayorship of a Starbucks, as compared to a Statue of Liberty or Mount Rushmore. People are much more attached to the small places they visit over and over, and have some personal investment in. The smaller the venue, the bigger the value.

I started collecting badges as well, by checking into places that have tags like “karaoke”, “photo booth”, “gym” and so on.

I was able to get a swarm badge by monitoring Twitter for when a particular location got up to 40 check-ins (this happens at a couple of Tokyo train stations quite regularly) and then checking-in all my accounts at once to trigger a swarm (which occurs at 50 check-ins). This RSS feed is useful for detecting impending swarms.

Finally, I started giving people free sailboats. I found that if you checked into a venue tagged “boat,” you automatically get the awesome “I’m on a boat” badge; and unlike the other badges, it only requires a single check-in. So I started identifying high-traffic places via the above Twitter search, and then adding the tag “boat”. Suddenly, visitors to metropolitan airports and various sports arenas got free sailboats for Valentine’s Day.

My juvenile crime spree is now over, and I’ve “laundered” my foursquare account, by transferring the credentials to a new one. This URL used to go to the account that stole the Statue of Liberty, but now it goes to a new account, because foursquare allows you to reassign twitter accounts, and constructs the URL using your active twitter account.

This is my original account, which is now inactive.

It seems clear that foursquare is going to have some massive authentication issues to deal with if they are going to grow larger than their current size. Some things to consider:

1) Provide additional measures to detect that people actually are where they say they are. I imagine this is not an easy problem to solve: if I send you a set of coordinates, it doesn’t mean I’m actually there. At a minimum, they can measure the time of travel between successive check-ins by comparing the coordinates and time stamps. If I’m traveling close to the speed of sound, something is clearly up.

2) Make it less easy to create fake accounts. Right now, there’s not even a Captcha.

3) Don’t construct a permanent-looking URL from a twitter account (which can be transferred to a different foursquare account). This provides a method of “laundering” accounts.
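
The travel-time check suggested in item 1, sketched as an added example (this is not code from the original post or from foursquare). The `CheckIn` record, the 500 m jitter floor, the policy of not advancing the baseline on a flagged check-in, and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0
SPEED_OF_SOUND_MS = 343.0   # the post's "close to the speed of sound" cut-off
MIN_DISTANCE_M = 500.0      # assumed: ignore jitter between adjacent venues


@dataclass(frozen=True)
class CheckIn:              # hypothetical record, not foursquare's schema
    user: str
    venue: str
    lat: float
    lon: float
    ts: int                 # server receive time (Unix seconds); a client
                            # timestamp could be forged like the coordinates


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    # min() guards against rounding pushing sqrt(a) slightly above 1.0
    return 2 * EARTH_RADIUS_M * asin(min(1.0, sqrt(a)))


def flag_impossible_travel(checkins, max_speed_ms=SPEED_OF_SOUND_MS):
    """Return (previous, current, speed_m_per_s) for each implausible hop.

    The baseline for a user is the last check-in that was NOT flagged, so
    one spoofed check-in does not also condemn the honest one after it.
    """
    last_trusted = {}
    flagged = []
    for cur in sorted(checkins, key=lambda c: (c.user, c.ts)):
        prev = last_trusted.get(cur.user)
        if prev is not None:
            dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
            dt = cur.ts - prev.ts
            if dist >= MIN_DISTANCE_M:
                # Zero elapsed time over a real distance is infinite speed.
                speed = float("inf") if dt <= 0 else dist / dt
                if speed > max_speed_ms:
                    flagged.append((prev, cur, speed))
                    continue        # keep the old baseline
        last_trusted[cur.user] = cur
    return flagged


# Constructed sample data: approximate coordinates, invented timestamps.
SAMPLE = [
    CheckIn("alice", "Hill Street Cafe", 34.1800, -118.3200, 0),
    CheckIn("alice", "7-Eleven", 34.1850, -118.3100, 600),
    CheckIn("alice", "Griffith Observatory", 34.1184, -118.3004, 1800),
    CheckIn("alice", "Top of the World Hotel", 71.2906, -156.7887, 2400),
    CheckIn("alice", "Hill Street Cafe", 34.1800, -118.3200, 90000),
    # A six-hour coast-to-coast flight stays under the threshold.
    CheckIn("bob", "LAX", 33.9416, -118.4085, 0),
    CheckIn("bob", "JFK", 40.6413, -73.7781, 21600),
]

if __name__ == "__main__":
    for prev, cur, speed in flag_impossible_travel(SAMPLE):
        print(f"{cur.user}: {prev.venue} -> {cur.venue} at {speed:.0f} m/s")
```

A check like this only bounds how fast a claimed position can move; it says nothing about whether any single set of coordinates is genuine.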

More generally, I think the combination of a poorly moderated and insecure folksonomy with incentives (e.g. badges, mayorships, free meals, etc.) is a fragile one. The greater the incentives, the greater the motivation for cheating.

As it stands right now, foursquare has quite a few holes. If I were a restaurateur or coffee shop owner, I would be very wary of giving free meals or lattes to foursquare mayors, unless the employees know the mayor by sight.

UPDATE

My story seems to be getting picked up in a few places. Here’s some reaction on Twitter. Mostly positive, I think, although a few foursquare insiders were a bit put out, as one would expect. Dennis Crowley was quite nice about it, thank god.

If I stole your Starbucks, I’m really sorry about it, and I will gladly buy you a latte, if you find me in a Starbucks.

UPDATE #2: My story was covered on TechCrunch this morning. MG Siegler was mostly on-the-money, except for this bit:

The problem, with regard to false check-ins, is that the only solid way to do this is to a check-in to your actual GPS coordinates. The problem with this, as Gowalla knows all-too-well, is that it can be hard (and in some cases impossible) to get GPS data while users are indoors.

Um, not exactly. The problem is that you can’t trust the person who’s sending GPS coordinates to send the correct ones. This is a tough, tough problem, and it will become increasingly obvious as incentives increase.

UPDATE #3: Foursquare founder Dennis Crowley has provided some thoughtful commentary in the comments, below.

UPDATE #4: The LA Times interviewed me and got a few more details…

UPDATE #5: Alison Cummings of the Montreal Social Media Examiner posted this reaction to the whole brouhaha. I’m going to call her “perceptive” because she called TechCrunch’s tone “whiny”. :)


78 Responses to “Mayor of the North Pole”

  1. Scott Rocher Says:

    Jim,

    Thank you for exposing these holes. My fiance wrote a piece (and has since become the mayor of The Good Hurt, without ever going there).

    http://blitheelisse.tumblr.com/post/318747867/rant-1-updated

    Scott

  2. Joe Crawford Says:

    Ha! Awesome. I was playing with the FoursquareX MacOS app today and as I looked at Africa, wondered what would keep someone from checking in anywhere they pleased. I wonder if the Fire Eagle or BrightKite folks have taken any steps to be less hole-y than Foursquare. I don’t remember any kind of limits for truth in Dodgeball (makes sense, Foursquare is by (many of?) the same folks who created Dodgeball).

  3. Andy Says:

    You stole my Santa Monica Pier mayorship. I was not pleased.

  4. jbum Says:

    Sorry Andy! If you revisit the Pier one more time, you should get it back. I wrote the scripts to stop checking-in once the mayorship was acquired. At any rate, I owe you one Hotdog-on-a-stick.

  5. Jason DeFillippo Says:

    I fucking love the internet. Beautiful story… Really makes me want to hack again.

  6. Dave Curry Says:

    You made my day. Thanks for the great post!

  7. ArtLung : In mobile apps, nobody knows if you’re in the North Pole. Says:

    [...] & Processing maven Jim Bumgardner had quite a week! In his post Mayor of the North Pole today he detailed the shenanigans he got into playing with Foursquare, The Foursquare API, and [...]

  8. Matt Says:

    Get a life. You probably pissed off bunches and bunches of people.

  9. jbum Says:

    Well, clearly I pissed off at least one person! My apologies. I’m pretty sure some of the folks who got free sailboats were happy (if perplexed), if it’s any consolation….

  10. Eric Andersen Says:

    Great blog post! I hate to break it to you, but everything you did by hacking with the API can also be done via Foursquare’s mobile web site – http://foursquare.com/mobile. From that site you can easily change your location to anywhere in the world, and check in anywhere you want to. Last Friday I used it to check in to the Olympic Stadium in Vancouver, just to see how many were checked in there. Oh and I’m guessing same goes for SMS check-ins.

    As for the broader issue of how “hackable” the system is, I’m not sure yet whether that matters – I suppose it temporarily damages some aspects of the competition, but I’m not sure it will impact real business transactions/specials, as all of these deals seem to require the person to physically be at the venue in order to claim them.

    The bigger issue isn’t hacking IMHO but rather new users who either don’t understand the point or are just playing around, checking in all day at every place they see nearby, regardless of whether they actually visit the venue in any real physical sense. These folks are generating extremely high levels of usage (# points, # mayorships, # check-ins, etc) without actually using the system or playing the game in any real way. I see this as the much bigger “hole” in Foursquare than API hacking.

  11. jbum Says:

    Eric: Agreed. My main reason for using the API, btw, was convenience and power tools (most of the check-ins I made were automated, running in the background by daemon scripts).

    I think the problem of how to authenticate geocoded check-ins is an interesting (and perplexing) one. If companies like foursquare are to truly add value to check-ins, they will ultimately need to solve that problem, and it’s not going to be a walk in the park…

  12. ameet3000 Says:

    brilliant jbum,
    great post, i am going to stop using foursquare now, you made it no fun ;) just playing, hope you are well. cheers.

  13. Steven Says:

    You sir, are a god. I fucking love it.

  14. Martijn RIjk Says:

    Awesome story!
    Any reaction from Foursquare yet?

  15. jbum Says:

    I exchanged a few tweets with Dennis. I don’t think he’s too terribly put out. He asked me to help repair some of the damage, which I was already doing.

  16. KrazyDad – Mayor of the North Pole « LostFocus by Dominik Schwind Says:

    [...] KrazyDad – Mayor of the North Pole [...]

  17. Man Checks-In Everywhere But Foursquare Rehab | Digital Digg Blog Says:

    [...] today, I was ousted as the mayor of the Googleplex Patio on Foursquare. Turns out, it was this guy. KrazyDad was a man on a mission to show the holes in Foursquare’s check-in based system. And [...]

  18. Mayor of the North Pole « Insomniaonline Says:

    [...] via KrazyDad » Blog Archive » Mayor of the North Pole. [...]

  19. mike bradshaw Says:

    [nelson]Ha-Ha[/nelson]

    As Eric says, if you use the mobile web version (m.foursquare.com) there is no need to start hacking the API, and normal people can “game” the system really easily as it allows you to check-in anywhere.

    Gowalla is better in this regard as it only currently has clients for platforms where they can access a GPS in some way to check that you are near the spot (iPhone native client, Android & N900 via a rich web App). There are no badges, no points etc, instead more like geo-caching there are virtual items to pick up and drop.
    That combined with the much prettier client makes it more of a winner in my book.

  20. Fascinating post on “hacking” Foursquare – A Frog in the Valley Says:

    [...] Mayor of the North Pole by [...]

  21. Deon Says:

    This can’t be easily done on the iPhone version, because I’ve tried.

    After the 2nd checkin in <10 minutes it says: "Whoa.. that's a lot of checkins!" then says something like 'To keep it fair, no badges or points for rapid-fire checkins!'

    Nevertheless, the API method is pretty cool.

  22. » Foursquare is kapot Says:

    [...] activities” are possible by abusing the API, as blogger Krazy Dad shows in his blog post. For example, he is able to simulate that a swarm of people is at a particular [...]

  23. remco janssen Says:

    Wouldn’t it have been easier to simply access the m.foursquare.com mobile website from your laptop and then check in anywhere you like?

  24. Mike Gorski Says:

    Very well done.

    When 4sq opened up to all cities recently I decided to create a number of now defunct businesses to check in at – the coffee shop that’s been closed for 10 years, fake places like Xanadu, etc. It was a blast and demonstrated the weakness with the 4sq notion of location.

    Then I quit using 4sq.

  25. Nathan Gaskin Says:

    “We have detected your speed as 1.5x the speed of light. Please contact your local physics department.”

    Great post!

  26. Man Checks-In Everywhere But Foursquare Rehab « Insanity Reviews Friends Says:

    [...] today, I was ousted as the mayor of the Googleplex Patio on Foursquare. Turns out, it was this guy. KrazyDad was a man on a mission: to show the holes in Foursquare’s check-in based system. [...]

  27. jbum Says:

    Remco – since I was doing my check-ins from a script that did hundreds a day, it was simpler to use the API, however you are right that the mobile website works great for manual check-ins.

  28. jbum Says:

    Deon: I had to keep my automatic check-ins separated by about 20 minutes to avoid rate-limiting.

  29. Keith Stoeckeler Says:

    You nailed it with this post. So many times I wonder how many people are “cheating” with foursquare.

    You’re dead-on with this:
    “At a minimum, they can measure the time of travel between successive check-ins by comparing the coordinates and time stamps. If I’m traveling close to the speed of sound, something is clearly up.”

    Great work.

  30. ben vandgrift Says:

    well done. creative, clever, and interesting. you should get a ‘L33T HaXX0R’ badge, at least. well done indeed.

  31. DGentry Says:

    “People are much more attached to the small places they visit over and over, and have some personal investment in.”

    It used to be said that in academia, tempers run high because the stakes are so small. I suspect foursquare has a similar characteristic.

  32. KrazyDad: Mayor of the North Pole - Laughing Meme Says:

    [...] I’ve been blatantly cheating at foursquare for the past week … At some point last week, I devolved into a 12 year old hacker, and I spent many spare hours (and my computer’s spare cycles) abusing the system with a set of scripts operating fake accounts. Not only did I add new venues like the North Pole, but I started persistently checking into coveted landmarks, like the Statue of Liberty. – Jim [...]

  33. Dem Says:

    Your next challenge: Mayor of the Moon.

  34. Marc Says:

    Maybe I take my foursquare too seriously (probably). But finding ways to take the fun out of it is sort of lame. The whole premise of the game is to get out and go places! Something that someone sitting behind their computer hacking locations might completely miss. (coughing) “Nerd!”.

  35. jbum Says:

    Marc: … and this is why it’s important to point out flaws in the system – so foursquare will tighten their security, and put the fun back into it. Having said that, I can’t deny I was having a bit of fun at your expense. Like most trolls, I was playing a game with a different set of rules.

  36. dens Says:

    Hey all – thanks for all the discussion around this. There’s a weird balance between a social utility (“find your friends”) and a social game (“most checkins gets you on the leaderboard!”) that we’re still working on figuring out.

    On one hand, we want everyone to be able to check-in from anywhere on any device. We’ve never liked the idea of creating a service that only your coolest friends with the coolest phones could use so we made sure any user on any phone would be able to check-in (SMS. mobile_web)

    On the other hand, the social game really works best when you can rely on GPS accuracy to police the checkins – if you’re not really there, you shouldn’t get credit for being there, right?

    But what’s more valuable – a system in which everyone can play & participate? Or a system that places emphasis on the validity of each checkin/post at the expense of all inclusiveness? I think the thing that makes foursquare so interesting – and yet so difficult – is that it wants to be both things at the same time. And if you survey users, just as many use it for finding their friends as they do for trying to get points / badges / mayorships.

    At foursquare, I think we still have some thinking to do on this. We do see a lot of fake checkins (yes, we log and flag them… i think 2-3% of total checkins were “fake” last time we checked) and there are a few bad apples that like to steal mayorships from their couch. We’ve been punting on addressing this because it requires removing some of the magic from foursquare (mayors, points, badges) for users with non-GPS phones.

    We often wonder why people “cheat” when there’s really nothing to win – it’s not like we’re giving away trips to Hawaii or Ford Fiestas over here. But I guess the combo of mayorships, local recognition and, hey, maybe a free slice of pizza is a little too much for some people to live without :)

    (Sidenote: for the first 9 months of foursquare (< 300k users) this wasn't a problem, but we're seeing as we inch closer to 500k users, we're seeing a higher percentage of "cheating")

    The Good news: We have a lot of this code already written, we've been tracking this for a while and you'll be seeing some geo-accuracy stuff from us soon.

    Bad news: This may mean changing the experience for some MobileWeb users, to prevent the <1% of cheaters from ruining it for everyone else :(

    Anyway, thanks for all the feedback and know that we are listening and hustling to continue to tweak the product

    – @dens
    co-founder, foursquare

  37. matt newberg Says:

    jim is a genius for reminding everyone about this in such a clever way. dens knows people are using 4sq in ways that aren’t really intended by the co-founders, but that’s what happens with any product.

    for example, in a recent panel in nyc he spoke about club promoters friending all girls and then shouting messages to them at night, to get them to come down to their events. the same thing happens on facebook. venues create profiles as people so they can do more creative things. that’s the beauty of the internet. creativity (in this case, jbum’s brilliant hax0r mind) can and will come from anywhere. (look at chatroulette, it’s a kid who’s 17 in moscow). this whole space is disruptive, and we all love it.

    having said that, there is a slippery slope of what should and shouldn’t be allowed. that’s what i think they’re focusing on right now. i think fake mayorships are on the side of things they actually don’t want to happen. people checking in from cabs is cool, because they’re actually somewhat valid. the issue is what happens when this becomes a huge platform for venue promotion, generating lots of revenue for local biz? how can you verify all this on a trust system, and that’s where jim enlightened us in his conquest to take over the world.

  38. jbum Says:

    Wow Matt. Free sailboat for you! Er…

  39. dens Says:

    @matt – Good points. In the early days of dodgeball, one of my grad school profs (Clay Shirky!) told us that a social system really isn’t truly successful until people start using it in ways unimagined by its creators.

    And we’re seeing tons of this… what was meant as a bar-hopping friend-finder (dodgeball days) has morphed into a tool for parents meeting up at playgrounds, folks leaving tips about street art instead of restaurant dishes, and people checking into taxis, traffic and airplanes.

    But there’s two types of unexpected behavior – the interesting and the malicious. The interesting (playgrounds and taxis) illustrates how people *want* to use foursquare and helps guide the way we think about the product. The malicious (stealing mayorships from couches) illustrates what people are passionate about and helps us focus on the core parts of the experience we should strive to protect.

    This whole thing is an amazing case study in what happens when social utility and social games overlap… it’s just tough trying to keep the thing running (scaling is hard) and re-invent the product all while keeping an eye on the ways the bad apples are trying to game the rules.

    Also worth noting – I don’t think this is an “only foursquare” problem. Look at the foursquare “spot” on Gowalla in which 75% of the checkins are from people who have never been to our office. I read somewhere that MyTown claims to have checkins at *every business in the US*… ha, is that you Jim? :) I’d also be interested in seeing how Yelp’s addition of not just checkins, but a leaderboard threw a monkeywrench into a system that previously gave users no incentive to cheat. Anyway, we’re all in a very interesting spot and it’ll be interesting to see how all the different players in this space innovate our way around these issues.

  40. jbum Says:

    Don’t get me started on Yelp. :) So broken… So many incentives to break it further…

    I’ve said this a few times, but I’ll say it again – the problem of authenticating geocoded check-ins is a tough one – not just for foursquare, but anyone who wants to do it. Solving it with some measure of confidence may require that the venues themselves participate in some way…

  41. Devon Says:

    Just a side note, Yelp verifies the user’s location to avoid false check-ins (at least they did when I tried checking into a restaurant I had just left). This fits with their “real reviews from real people” mantra. Then again, they don’t have the “fun” elements that FourSquare have which make it more compelling for people to game the system.

    From a business point of view, allowing users to make false check-ins makes it less appealing to offer certain types of incentives, e.g. $1 off for every fifth check-in, 10% if you are the mayor, etc. Companies wanting to reward their most loyal customers in this way will need to be careful.

  42. Mark Jaquith Says:

    If their source code is private, they could work around this issue. They could just create a GPS+time hash and send that along with the check in. If the hash doesn’t match, it is being spoofed. That’d only work if they can keep their salt and the hash creation algorithm a secret.

  43. anon Says:

    As a humorous note, Scott Kurtz covered this in a recent comic series starting here:

    http://www.pvponline.com/2010/02/01/grinding-rep-2/

  44. Aaron Zinman Says:

    Foursquare is policed socially. In its typical use-case, where you actually have friends that see your updates, they will put pressure on you if you are checking into places that you aren’t. Most people don’t like cheaters. Checking into the north pole, however, is funny, and doesn’t really constitute cheating so much as a joke. Jokes don’t ruin the system.

    Writing scripts to exploit it kind of misses the point.

    Aaron

  45. Wout Says:

    Wow, really Awesome…
    In the Netherlands I made a blogpost about getting badges by tagging… That kind of cheating is less more impressive than yours!

    @Foursquare, keep up the good work…

  46. Via RSS zien wanneer er een Foursquare Swarm Badge uitgereikt wordt in Nederland | LifeStreamen | RSS Feeds van Social Media in een lifestream Says:

    [...] prompted by the coverage of “Foursquare Kapot”, I got an idea for this RSS feed. In order to [...] Foursquare newbies in the Netherlands [...]

  47. Location based fraud « Braker One Nine Says:

    [...] been a lot of talk lately about a guy who gamed the competitive aspect of Foursquare.  Basically he used the API and some scripts to create a [...]

  48. jbum Says:

    Aaron – if it’s funny it’s legal, eh?

    Hmm, I’ve heard just about every possible opinion today about what constitutes, and does not constitute cheating… It’s almost as if every player has their own personal rule book, which I guess they kind of do.

    In a board game like Scrabble, there is a common rule book which everybody shares. In an app like foursquare, the application (and what it permits) is the de facto rulebook. When the app (and what it permits) is ambiguous, so are the rules, or people’s understanding of what they are.

    For every type of activity that the foursquare app permits, there are going to be at least some users who think the behavior is legit.

  49. Zane Aveton Says:

    Yes…well..I can’t believe you didn’t find/check into any of my personal venues like “My Shower” “@zaneology’s sofa”, “My Happy Place” or “OVER IT!”:)

    I was so excited to read your post because of the “HACKER” Title…but alas you were just automating what everyone already knows they can do without really being a “hacker” (check in anywhere from anywhere) Your project is fun, but..was hoping for some serious awesome insider stuff..like…”I know your baby’s blood type and what McDs you hang out at” kind of stuff… :)

    Either way, I think that anytime anyone uses Foursquare – even if it’s to check into “My Sofa” — and as long as that person is not typing in “Fousquare Sux!” when they do it — it’s a win because it’s a Foursquare brand mention/short url.

    Odd thing is: 6 people have checked into my HOME on Gowalla because of its ambiguous name, but no one has done it on Foursquare…I’d rather those people actually come in and hang out with me than be geo gamers that don’t even have “real game” :)

    So…Come over & hang out on my sofa…I’ll let you be the Mayor if you come twice and bring Pizza both times.

    xo,

    Zane

  50. ELise Says:

    Sure you can check into anywhere you want… but what happened to honesty and integrity?

  51. jbum Says:

    Elise – yes, dishonest people suck.

    However, it’s going to be hard to find five hundred thousand people with the same core values, or who agree what is and what isn’t fair. This is why the application needs to enforce it to *some* degree (more so than it currently does). You can’t expect a crowd this large to behave rationally (or cohesively).

  52. Tamooj Says:

    It’s wryly amusing to people in the online video game industry to watch the casual-games and web services (foursquare, twitter, etc.) learn the hard lessons about hacking and griefing that we skinned our collective knees on about ten years ago. The techniques, motivations, and core psychology of people who tweak with your system is pretty constant and predictable, in much the same way MTBF works for hardware. Eventually you just start to grok the mindset and make sure you design around the hot buttons. This is not about better algorithms for detecting cheating – this is about the psychology of getting-attention (a core need for all social animals) and the rewards for play. In the game industry we call these emergent behaviors ‘interesting failure states’. The reality is that 500,000 people will find a lot more bugs, loopholes and exploits than your five internal testers could ever dream of uncovering, especially when there are incentives involved… even if that reward is only attention.

  53. Man Checks-In Everywhere But Foursquare Rehab « Christian Hershberger Says:

    [...] Earlier today, I was ousted as the mayor of the Googleplex Patio on  Foursquare. Turns out, it was this guy. KrazyDad was a man on a mission: to show the holes in Foursquare’s check-in based system. [...]

  54. jimhop Says:

    Well done! You should have created some vague “hot spots” like “NobodyGivesADamn” and become “Mayor” – It would be funny to see “You are the Mayor of NobodyGivesADamn”. Thanks for pointing out the time drain that is FourSquare

  55. Petites réflexions sur la géolocalisation | Nicolas Roos Says:

    [...] Foursquare and Gowalla, two almost identical services, introduced the notions of gameplay and ranking to this market. Every action (check-in, adding a place, …) is rewarded with points and badges. A way of rewarding users for their activity on the network. This system has, in my view, its limits. Indeed, outside an audience of technophiles and seasoned geeks, the average user couldn’t care less about these virtual points. Even dedicated users quickly lose interest in this system. Once the top of the ranking is reached (or, on the contrary, once they stagnate at the bottom of the ladder), users run out of steam, and the effort required then exceeds the benefits. One can speak here of ROI for the end user. The other negative aspect of this notion of gameplay and ranking is that it generates fake activity with the sole aim of moving up the rankings. One user recently demonstrated that it was even possible to cheat automatically via the API. You can see one of his Foursquare profiles and read his article on the methods used and the various accounts created. [...]

  56. Nu kan man fuska i GPS också « Kraschkurs Says:

    [...] all of this of course depends on the system working. And now a user has shown that it is quite easy to cheat. Jim Bumgardner, a programmer who runs the blog KrazyDad, started by becoming Mayor of [...]

  57. Gotanda @4square Says:

    Wondered why all of a sudden I got random badges like “I’m on a Boat!” when I checked in to Shinjuku Station the other day. Now all is revealed. Thanks!

  58. @HHOTELCONSULT Says:

    Very interesting.

    I think less deviously, if SMS isn’t recording proper location… and you set it up so that it looks like you are going to and from airports…. you can create a relative level of legitimacy by making your tracks look sanguine and logical…. “well yes you can go from that landmark to an airport to another landmark”

    I will likely delete it, but I just got my swarm badge – I just got back from DC yesterday, and live in SF. My last check in was Dulles…. and it isn’t illogical to think I flew to NY (not sfo), got my swarm in brooklyn, then went to La Guardia and flew back to SF. I was just experimenting, but I got addicted to foursquare from the business practicality side… I work in hotels and was VERY excited.

    I am now not so excited.

    This is a major problem. One that will put me off of it.

    In the end, a real community is about really knowing people. Until these loopholes are closed I don’t know if this is meaningful….

    It isn’t the 90% of the users not cheating, it’s the 10% that are. And like irrevocably broken yelp, there’s a lot of incentive to cheat.

    These people don’t think the internet is serious business, they think it’s Candyland. Why not cheat at Candyland? It’s not a big deal…….

  59. inya face Says:

    I just wanted you to know
    You’ve seen better days
    And no matter what happens
    You’re a waste of space

    Have a horrible day!

    Oh and by the way, your websites are horribly designed. Maybe you should hire out help? Looks like you need it. Good luck!

  60. Jeff Ballweg Web Design // Christchurch » Balance in the Economy of Foursquare Says:

    [...] snag with the game: it’s easy to cheat. You don’t have to be a hacker to do it either, though some have gone that route. You simply check into places you’re not really at. Because your GPS is only so accurate, and [...]

  61. The Web Outside » Blog Archive » Place-Based Screens Encourage Authentic Check-Ins with Location Relevant Messaging Says:

    [...] has been fairly heavily criticized for their lack of lockdown on whether or not users “cheat,” while Gowalla has been getting slammed for being almost too strict, in that GPS [...]

  62. Montgomery Burns Says:

    KrazyDad, why build when you can buy?? Buy your way into office that is. http://www.getmayor.com Want to get mayorship of that starbucks down the street, well now you can!

  63. jbum Says:

    Oh jeez. And so it begins..

  64. I’m a Foursquare Cheater | MikeKey.com Says:

    [...] of places like the Taj Mahal, the Pyramids and the PlayBoy Mansion. I was inspired by a guy called Dr. Cheat who also blogged about it and became the mayor of dozens of places. The problem with Foursquare and [...]

  65. » Realtime Datamining Of Location Data Karl Reinsch’s Blog Says:

    [...] also Jim Bumgardner’s “Mayor Of The North Pole” for a perspective on forging location [...]

  66. Perpetual Work in Progress » Blog Archive » Foursquare- Is it more than just a game? Says:

    [...] about it, you have one who is out there to take advantage of the platform. Recently there was a guy who, through the Foursquare API, was able to become mayor of places without ever being there among [...]

  67. Gaming FourSquare with Bill Brasky Says:

    [...] confess however, that this idea isn’t original. I have to give credit to Jim Bumgardner of KrazyDad.com who began similarly gaming FourSquare some time ago. Though this isn’t a new idea, I’m [...]

  68. Foursquare Cops « Thoughts Says:

    [...] Comment! The problem of policing location-based check-ins is actually not an easy one to solve, especially since many of the locations themselves are user-created in the first place. Although GPS is accurate enough, not all mobile phone triangulation techniques are (and GPS won’t work indoors), so Foursquare had chosen to be lenient in making check-in honesty a matter of honour rather than validating it themselves. Combined with an open API, this led to a certain amount of abuse, including from the Mayor of the North Pole. [...]

  69. How Foursquare Is Changing The “Game” « Danielle Ricks' Social Media Update Says:

    [...] to earn those coveted Superstar and Overshare badges. And you may even start cheating, just so you can make outrageous claims like, “I’m the mayor of the North Pole.” The whole time, you’ve also got one eye on the Leaderboard, so you can prove, once and for [...]

  70. Brian Jones Says:

    Looks like we’ve got our first actual checkin on Mt. Everest. From Foursquare’s official twitter stream: “RT @AndeanHealth: John Rudolf, First person to Check in on @Foursquare from Everest Base Camp! He’s climbing the 7 Summits for @AndeanHealth”

    There’s going to be a new mayor in town. haha.

  71. Joe Rosenberg Says:

    Recently joined foursquare and figured I might meet some local people who eat at the same places I do who otherwise would remain nameless and maybe even faceless. Now my world wide friends are asking to be my friend and it becomes just another site where the intended purpose gets devalued. Brilliant expose by the mayor of all places.
    Joe

  72. jbum Says:

    Chris Gwynne sent in the following comment:

    Couldn’t post due to proxy, but wanted to add my 2 cents:

    The topic of hacking Mayorships came up today amongst my friends as a way to potentially decrease someone’s social standing in an ironic twist of Foursquare’s intention. As we live in Bangkok, if say a politician was to become mayor of a very well known brothel such as Poseidon Entertainment Complex, it would have some ramifications during the pseudo civil war we are having here now. And of course given the high probability that the politico is hobnobbing with a general (who probably owns the place) this would be fantastic to abuse.

    Thanks for showing me how! Don’t worry, I won’t do it as I don’t have the time to spare with all that scripting, but I was curious about pulling off this kind of prank.

    But now surely someone else with political motivation will for far more nefarious purposes.

  73. Paul Evans Says:

    Just curious, for a tech dolt like me looking to just help a client add multiple locations (several hundred actually, same name/different address) … is there a way to do that without laboriously typing them all into “add venue” in Foursquare?

  74. jbum Says:

    There is a way to do it with scripts, for sure, but perhaps out of direct reach for neophytes. Perhaps you could hire someone?

  75. Stephen Tong Says:

    I wonder if foursquare is gonna fix these “holes” now.

  76. jbum Says:

    I’ve heard they’ve already fixed some of them, but I haven’t messed around to find out the extent of the fixes.

  77. Chris Smowton Says:

    To all of you who’re suggesting that GPS or other geolocation is the answer: you just can’t do it.

    How’re you going to find out where a given user is? They could send their GPS coordinates, but the scripts pulling that data out of the phone are written in Javascript, meaning the source is wholly visible to the user. There’s nothing to stop you from figuring out what the script does with the coords and doing it yourself manually.

    The second way many sites try to locate users is by consulting your IP address. This doesn’t work, however, as mobile operators typically have a single large pool of IPs that gives little or no hint about your true location (could give a good hint that a desktop user is cheating, though).

    The third thing we could use is nearby cell towers, wifi hotspots, and other things Google has a list of :) Again if we rely on a client-side Javascript to harvest the data then it *won’t* work, as there’s no way for the server to differentiate the results of its own scripts from a malicious user generating server-side calls directly. This would work, however, if it were possible to e.g. query the mobile operator, asking a suitably vague question like “is this IP address associated with a device near this cell tower?” I wouldn’t want my mobile operator to answer that question, though — too much potential for abuse, as it’d be possible to harvest your location fairly precisely without the site asking permission.

    There is one solution: phones with a Trusted Platform Module could generate trusted data. This is essentially a physical device which holds a secret private key, to which the corresponding public key is well known (e.g. can be looked up given the device’s serial number). Then at the OS kernel / hardware level you support an operation which queries the GPS chipset (or mobile chipset to discover a list of nearby cell towers, etc) and encrypts that information using the TPM. Then you have an unforgeable blob of data which can be sent to FourSquare or whoever which attests to your location.

    Of course even this is somewhat vulnerable; depending on the level at which the “secure-get-location” operation is implemented you might be able to get around the restriction by rewriting the OS kernel to permit TPM-encryption of arbitrary data or by physically messing with the hardware. It’d certainly make it a heck of a lot harder though.
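
The server side of the scheme described in comment 77, as an added example that is not part of the comment or of foursquare's code. It assumes an Ed25519 signature made by a software key as a stand-in for the hardware-held key, a constructed device serial, and a server-issued one-time nonce (an addition here, so that a captured claim cannot be replayed).

```javascript
// Added example: server-side check of a device-signed location claim.
const crypto = require('crypto');

// Assumption: a software Ed25519 key stands in for the key held in phone hardware.
const device = crypto.generateKeyPairSync('ed25519');
const registeredKeys = new Map([['SERIAL-0001', device.publicKey]]); // constructed serial
const pendingNonces = new Set(); // server-issued challenges not yet used

function issueNonce() {
  const nonce = crypto.randomBytes(16).toString('hex');
  pendingNonces.add(nonce);
  return nonce;
}

// In the commenter's design this step runs below the OS, next to the GPS chipset.
function signFix(privateKey, serial, nonce, lat, lon) {
  const claim = JSON.stringify({ serial, nonce, lat, lon });
  const sig = crypto.sign(null, Buffer.from(claim), privateKey).toString('base64');
  return { claim, sig };
}

// Great-circle distance (haversine), in kilometres.
function distanceKm(lat1, lon1, lat2, lon2) {
  const rad = Math.PI / 180;
  const a = Math.sin(((lat2 - lat1) * rad) / 2) ** 2 +
    Math.cos(lat1 * rad) * Math.cos(lat2 * rad) * Math.sin(((lon2 - lon1) * rad) / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(a));
}

function verifyCheckin({ claim, sig }, venue, maxKm = 0.5) {
  if (typeof claim !== 'string' || typeof sig !== 'string') return 'malformed';
  let c;
  try { c = JSON.parse(claim); } catch { return 'malformed'; }
  if (c === null || typeof c !== 'object') return 'malformed';
  const key = registeredKeys.get(c.serial);
  if (!key) return 'unknown-device';
  const sigOk = crypto.verify(null, Buffer.from(claim), key, Buffer.from(sig, 'base64'));
  if (!sigOk) return 'bad-signature';
  // One-time nonce: a captured message cannot be replayed later.
  if (!pendingNonces.delete(c.nonce)) return 'stale-or-replayed';
  // Written as !(d <= max) so a non-numeric coordinate (NaN) is rejected too.
  if (!(distanceKm(c.lat, c.lon, venue.lat, venue.lon) <= maxKm)) return 'too-far';
  return 'ok';
}
```

The check is only as strong as the place where `signFix` runs: if the signing operation will accept arbitrary coordinates from user-controlled code, the signature proves nothing, which is the caveat the comment ends on.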

  78. Dave McKinney Says:

    Hi,

    I am a big fan of your site. You’ve always got great info. Anyway, I know that you are interested in Foursquare, so I thought you might like to check out the Foursquare app I’ve just built for Facebook and WordPress.

    “My Foursquare makes it easy to show off your badges, mayorships and checkins on Facebook, your blog or your website”.

    http://www.myfoursquare.net/

    If you want more info I can send you a detailed blurb and screenshots etc. Thanks, and keep the good info coming!

    Dave McKinney
    My Foursquare