Annual Computer Security Applications Conference (ACSAC) 2013


The Man Who Was There: Validating Check-ins in Location-Based Services

The growing popularity of location-based services (LBS) has led to the emergence of an economy where users announce their location to their peers, indirectly advertising certain businesses. Venues attract customers through offers and discounts for users of such services. Unfortunately, this economy can become a target of attackers with the intent of disrupting the system for fun and, possibly, profit. This threat has raised the attention of LBS, which have invested efforts in preventing fake check-ins. In this paper, we create a platform for testing the feasibility of fake-location attacks, and present our case study of two popular services, namely Foursquare and Facebook Places. We discover their detection mechanisms and demonstrate that both services are still vulnerable. We implement an adaptive attack algorithm that takes our findings into account and uses information from the LBS at run-time, to maximize its impact. This strategy can effectively sustain mayorship in all Foursquare venues and, thus, deter legitimate users from participating. Furthermore, our experimental results validate that detection-based mechanisms are not effective against fake check-ins, and new directions should be taken for designing countermeasures. Hence, we implement a system that employs near field communication (NFC) hardware and a check-in protocol that is based on delegation and asymmetric cryptography, to eliminate fake-location attacks.

Author(s):

Iasonas Polakis    
FORTH-ICS
Greece

Stamatis Volanis    
FORTH-ICS
Greece

Elias Athanasopoulos    
Columbia University
United States

Evangelos P. Markatos    
FORTH-ICS
Greece
