“There is no there there.”
- Writer Gertrude Stein on Oakland, California in 1939
Back in 2013, University of Texas researchers tricked the navigation system of an $80 million yacht and sent the ship off course in an experiment that showed how any device with civilian GPS technology is vulnerable to a practice called “GPS spoofing.”
Fraudsters saw this technology as an opportunity. They are now “spoofing” their locations using software hacks that were originally developed to test the operability and accuracy of the Global Positioning System (GPS).
A spoofing attack occurs when a person or software program masquerades as being another entity—or at a different location—to gain an illegitimate advantage. Manipulating GPS signals can mask a user’s device location or make a thing appear to be somewhere else, like the magic of David Copperfield.
In fact, last June, some 20 vessels in the Black Sea were effectively displaced on GPS receivers by what is believed to be a massive spoofing attack originating from Russian territory.
Spoofing isn’t a new threat. We can trace the origins of this form of electronic deception back to the early days of Cold War radar and “deception jamming.” Radar developers found ways to transmit fake radar bounce signals to paint incorrect pictures on enemy radar screens.
These days, tech-savvy users are finding ways to use the many spoofing apps available on the Google Play store for quasi-legitimate uses like these:
Pokemon Go – Play without leaving the comfort of your home or office. One user wrote in a spoofing blog: “Faking my location on my 6S+ (iPhone) using a tweak called Walking Dead on Cydia to catch Pokemon while I’m at work unable to roam.”
Facebook – Spoofing makes it possible to check in at places on Facebook without actually being there.
Instagram – You can add photos to an Instagram Photo Map from anywhere in the world. Impress your friends with those wild animal photos from an African safari that happened without you.
Tinder – This wildly popular dating and hookup app includes a paid feature that lets members change their GPS location to increase the probability of a match outside their actual zone location.
So how does spoofing relate to eCommerce fraud? Common fraud prevention techniques and algorithms rely on location information to gauge fraud risk. We know that zip codes matter a lot—both for billing and shipping. Certain billing zips are known to be high in fraud risk. Curiously, these are not the same as the risky shipping zips.
Then there’s the IP address of the device used to place an order and its associated physical location. The geolocation of IP addresses has dramatically improved in accuracy over the years. Today there are very large databases showing IP addresses mapped to geographic locations.
However, this is where the fraud risk associated with GPS spoofing becomes a big headache. Ghana, Nigeria and Vietnam are countries on the high-risk lists for most fraud screeners. With GPS spoofing software, a fraudster anywhere in the world can place online orders using the stolen identity of an unsuspecting cardholder residing in Ashtabula, Ohio.
Sadly, it’s becoming easier by the day to spoof the location of a mobile phone. The Android operating system includes a feature to enable “Mock Locations.” You can also learn how to fake the location of your iPhone on various websites like this one.
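Because a spoofed GPS fix can be made to agree with the cardholder's address, a screener has to compare it against location evidence the device does not control. The sketch below is an added illustration, not Kount's method or code from this article: the `Order` fields, the `mock_location` flag, the 500 km threshold and the sample coordinates are all assumptions constructed for the example.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

@dataclass
class Order:                 # hypothetical record assembled by the screener
    device_gps: tuple        # (lat, lon) reported by the mobile app
    ip_geo: tuple            # (lat, lon) from an IP-geolocation database
    billing_geo: tuple       # (lat, lon) centroid of the billing zip
    mock_location: bool      # client-reported "mock locations" flag (assumed field)

def location_signals(order, max_km=500.0):
    """Return the reasons an order's location evidence is inconsistent."""
    reasons = []
    if order.mock_location:
        reasons.append("mock_location_enabled")
    gps_ip = haversine_km(order.device_gps, order.ip_geo)
    if gps_ip > max_km:
        reasons.append(f"gps_vs_ip_{gps_ip:.0f}km")
    ip_far = haversine_km(order.ip_geo, order.billing_geo) > max_km
    gps_near = haversine_km(order.device_gps, order.billing_geo) <= max_km
    if ip_far and gps_near:
        # GPS agrees with the cardholder while the network path does not.
        reasons.append("gps_matches_billing_but_ip_does_not")
    return reasons

# Constructed sample orders (coordinates are approximate, for illustration only).
ASHTABULA = (41.865, -80.790)
LEGIT = Order(ASHTABULA, (41.50, -81.69), ASHTABULA, False)   # IP resolves nearby
SPOOFED = Order(ASHTABULA, (48.85, 2.35), ASHTABULA, True)    # IP resolves overseas

if __name__ == "__main__":
    print(location_signals(LEGIT))
    print(location_signals(SPOOFED))
```

IP geolocation is itself imprecise (VPNs, mobile carrier gateways), so these reasons are inputs to a risk score rather than a verdict on their own.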
At Kount, we understand the implications of increasing mobility and the proliferation of mCommerce worldwide. This is why we have unpacked the Pandora’s box of risks associated with GPS spoofing.
Kount’s product suite includes our proprietary protections against the growing GPS spoofing threat.
Wondering what GPS spoofing and other fraud schemes are costing you? Try our Fraud Calculator to generate a quick report on the dollars that you would be able to easily locate if they weren’t disappearing to fraudsters in hidden locations.