Exploring 3 Different Location Spoofing Methods Used By Fraudsters
Subscribe to the Incognia Newsletter
Once a tool for militaries and shipping companies, today we all carry a powerful piece of location technology right in our pockets, and its uses range from fraud prevention to helping reinforce local connections through location-based apps. Unfortunately, the same tool that app developers use to make good connections between users can be used by fraudsters to try and damage those connections.
A brief primer on location spoofing & why fraudsters do it
Where you are can say a lot about who you are, and both fraud prevention teams and fraudsters themselves understand this. Many fraud prevention teams use location as an identity signal to help assess the risk of logins or transactions—for instance, if someone who normally does all of their day-to-day business in the United States suddenly tries to withdraw cash in France, that could be a sign that their account has been compromised. Other times, the app itself relies on location to function even outside of an anti-fraud scope, such as food delivery, local dating, or vacation rental apps.
Location spoofing helps fraudsters mask their identity and evade detection, in addition to sometimes helping them commit abuses more directly. For example, with food delivery apps that use location to function, a fraudster could spoof their location to claim fares in higher-paying areas, such as a driver in New Jersey claiming delivery orders in Manhattan. Similarly, someone trying to create a fake listing on a vacation rental app might use location spoofing to thwart an address verification check on their device while they’re creating the listing.
Beyond these more direct applications, fraudsters can also use location spoofing to help anonymize themselves and their devices. For example, if an automated fraud detection system uses location as one of its risk or identity signals, or to re-identify fraudsters that have been caught in the past, location spoofing can disrupt that signal from working as intended.
GPS spoofing apps
We understand why bad actors are interested in spoofing their location, but how do they go about it? The easiest method is to use a GPS spoofing app. These apps are widely available on the Google Play and Apple App stores and require no technical skill from users to operate. They first became popular in 2016, when Pokemon Go players were using them to change their location and capture rarer and more valuable Pokemon without actually traveling. The popularity of Pokemon Go has faded over the years, but the GPS spoofing apps it spawned are here to stay, and they’re just as popular among fraudsters as ever.
Virtual private networks (VPNs)
IP addresses are a common way that apps and websites determine where their users are visiting from, but as a location signal, they’re unreliable. In addition to being imprecise, IP addresses are also easily spoofed or changed by using a virtual private network (VPN). VPNs are completely legal and have legitimate applications, such as maintaining user privacy while surfing the web, but fraudsters can use them to mask their IP address and commit abuses with less risk. For instance, if a fraudster living in a different country than their victim gains access to the victim’s online banking credentials, they might use a VPN to spoof their IP address to one from the victim’s country, lowering the risk assessment of that transaction. Because they’re legal and useful, VPNs are easily accessible for a subscription fee, and require little technical skill to operate.
Developer mode
Developer mode is another tool with a legitimate purpose that’s been appropriated by fraudsters. Quality assurance and testing are important parts of the app development process, but sometimes app developers need to ensure their apps work as intended even in places where the developer doesn’t live. If you’re developing an app that relies on location, for instance, you want to test before its release that it can reliably process location data and show the intended results.
Instead of making app developers become world travelers for the sake of QA, software developers like Apple and Android have equipped their devices with developer modes, or settings that let developers change some device information for testing purposes. For fraudsters with a little more know-how than the average bear, this can mean changing their device’s reported location for fraudulent purposes—in a word, location spoofing.
Protecting your platform from location spoofing
We might think about app security using the Swiss cheese model of error, imagining security layers as multiple layers of Swiss cheese stacked on top of each other. Fraudsters and other bad actors only get through when all of the cheese holes line up. The more layers of “cheese” or security there are, the less likely that is to happen. Where one measure might fail to catch a fraudster, the next still has a chance to succeed.
Moving this analogy to location, the more signals your platform uses to determine location (and identity), the more likely you are to be able to identify high-risk users and behavior. For example, Incognia doesn’t rely solely on GPS or IP address to determine device location. Instead, we use a combination of different signals to create location environments. This way, we have a super precise picture of a device’s location, and if someone tries to spoof their GPS data, we know from the other location signals we’re using that that information isn’t accurate. We also use device intelligence measures like device integrity checks to check for the presence of things like rooting, jailbreaking, emulators, app tamperers, and GPS spoofing apps, all of which raise the risk level of a given device.
Location spoofing presents a significant challenge in app security, increasing the risk of fraud and abuse. While tools like GPS spoofing apps, VPNs, and developer mode settings can be used for legitimate purposes, they can also be exploited by fraudsters to mask their locations and identities. However, as daunting as these threats may seem, they are far from insurmountable.
By employing layered security measures and leveraging advanced technologies that utilize a mix of signals to accurately determine device location and integrity, businesses can effectively mitigate the risks associated with location spoofing. As we move forward in this digital era, adopting these robust security strategies will be crucial in maintaining the trust and safety of your platform's user base.
