Geolocation was once a glorious way to know who your business deals with (and sometimes what it does). Then VPNs started to undermine that. And now things have gotten so bad that the Apple App Store and Google Play both carry apps that shamelessly state they can spoof locations – and neither mobile OS vendor does anything to stop them.
Why? It seems that Apple and Google created the holes that these developers are using.
In a nutshell, Apple and Google – to let developers test their apps in different geographies – had to be able to trick the system into believing that a developer is wherever they say they are. What's good for the mobile goose, as they say.
Food delivery services use geolocation to track delivery people and see if they delivered to a customer’s address. Banks use location to see if a bank account applicant is really where the applicant claims – or to see if multiple fake applications are from the same area. And AirBNB uses geolocation to try to detect fake listings and reviews, according to André Ferraz, CEO of mobile location security company Incognia.
“For fraudsters, in addition to exploiting developer mode to change GPS coordinates, there are many other tools that enable location spoofing, both for IP-based geolocation and GPS-based geolocation,” said Ferraz. “… tunneling. For GPS, the most accessible are fake GPS apps. Yet there are also tampering and instrumentation tools, rooted or jailbroken devices, emulators, in-motion location data tampering and many more.”
Ferraz is unfortunately right. Whichever of these many options a fraudster chooses, the bottom line is that IT simply can’t trust geolocation for most things anymore. There are some apps where the risk of significant damage from location fraud is so low that it’s probably fine to keep using location – for example, a gaming app where someone pretends to be in Central Park when they are not. If all they gain is points or access to a special visual treat, it’s probably harmless.
Trust here is the key word. If your business needs to trust location data, an alternative is needed.
Can this location fraud be detected? It gets tricky. Some spoofing methods can be detected, but not all — and certainly not all the time. More importantly, the mere detection of a geolocation anomaly should not, on its own, be taken as proof of fraud.
VPN is a wonderful example of this. Many users have become so used to surfing the Internet in VPN mode that they do it all the time. This means they may not even think about it when trying, for example, to open a bank account. Instead of assuming fraud, blocking access and denying the application, banks could offer a simple pop-up warning: “It looks like you are using a VPN. While we applaud your intent for security and privacy, what appears to be a VPN is interfering with our location detection. Please disable your VPN, close your browser, relaunch your browser and return.”
The problem with detecting spoofing is that some companies will overreact and assume intentional fraud. It is not that simple.
Ferraz chooses not to blame either Google or Apple because they really need to emulate locations around the world.
“This feature allowing developers to test their applications as if they were somewhere else was deliberately designed by the OS vendors, Android and iOS. Therefore, it is not an operating system security flaw. Otherwise, developers couldn’t work remotely, for example, because they would have to go in person to places where the app offers location-based services for testing purposes,” Ferraz said. “The OS even provides APIs for developers to identify if the device is in developer mode and has enabled the tool that allows them to change GPS coordinates. Unfortunately, many developers don’t use this and other device signals to identify location spoofing.”
Ferraz cites the food delivery service as a classic example of how some companies try to use location tracking — but can get burned. There are several ways for scammers to try to rip off food delivery services; some will accept a delivery and simply go nowhere. Instead, they trick the food delivery system into thinking they picked up the order and then delivered it.
The problem with some of these services is that they pay instantly once the system thinks the food has been delivered. If they chose to wait, say, an hour or so, they could avoid the fraud. That gives the customer plenty of time to phone and complain that the food never arrived. (Sometimes the food delivery company “checks” whether the food was delivered by looking at the geolocation tracking. Oops! The food wasn’t delivered, and the company may end up calling its customer a liar.)
Sometimes food delivery fraud isn’t about the money, it’s about the food itself. Ferraz said some drivers would actually take the order and eat it themselves – while tricking the app into “seeing” the driver deliver to the customer.
This raises the question of what the IT department should do when faced with this issue. There is a big difference between “not using geolocation” and “not trusting geolocation.” It’s similar to how a journalist treats an unreliable source: you don’t necessarily ignore what they say, but you triple-check everything.
Take cybersecurity authentication, for example. If you’re doing everything right, especially in a zero-trust environment, you’re probably relying on dozens of data points or more. In this scenario, it is fine to use geolocation data. After all, most of this data is probably correct. Just like in the bank example, don’t reject someone based solely on a mismatched location. But it is perfectly appropriate to use any mismatch to trigger further questions.
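The two pieces of advice above (Ferraz's point that the OS exposes developer-mode and mock-location signals, and the article's point that a mismatch should add friction rather than deny) combined into one risk check, as an added example that is not code from the article or from Incognia. The signal schema, weights and thresholds are assumptions for illustration; the Android API names in the comments are where such flags would come from on a real device.

```python
import math
from dataclasses import dataclass


@dataclass
class LoginSignals:
    """Constructed device/network signals captured at login (hypothetical schema)."""
    gps_lat: float
    gps_lon: float
    ip_lat: float           # IP geolocation of the connecting address
    ip_lon: float
    mock_location: bool     # Android: Location.isMock() / isFromMockProvider()
    developer_mode: bool    # Android: Settings.Global.DEVELOPMENT_SETTINGS_ENABLED
    rooted_or_emulator: bool
    vpn_detected: bool      # connecting IP belongs to a known VPN/proxy range


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess(s: LoginSignals, mismatch_km: float = 200.0):
    """Return (decision, reasons). Location evidence only ever adds friction
    (a prompt, step-up questions, manual review); it never denies by itself."""
    score, reasons = 0, []
    if s.vpn_detected:
        # A VPN makes IP geolocation meaningless, so the mismatch is not scored;
        # instead the user is asked to disable it and retry, as the article suggests.
        reasons.append("vpn detected: ask user to disable VPN and retry")
    else:
        d = km_between(s.gps_lat, s.gps_lon, s.ip_lat, s.ip_lon)
        if d > mismatch_km:
            score += 2
            reasons.append(f"gps/ip mismatch of {d:.0f} km")
    if s.mock_location:          # strongest single OS signal of spoofing
        score += 3
        reasons.append("mock location provider active")
    if s.developer_mode:         # weak on its own; many legitimate users enable it
        score += 1
        reasons.append("developer mode enabled")
    if s.rooted_or_emulator:
        score += 2
        reasons.append("rooted device or emulator")
    if score >= 5:
        return "manual_review", reasons
    if score >= 1:
        return "step_up", reasons   # trigger further verification questions
    if s.vpn_detected:
        return "prompt_vpn", reasons
    return "allow", reasons
```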
There’s no reason you can’t have different processes; in some cases, we rely on the accuracy of the geolocation; in others, it is simply complementary; in still others it doesn’t matter much (maybe games). In short, use geolocation but don’t even think about relying on it.
Copyright © 2022 IDG Communications, Inc.
Unfortunately, IT can no longer trust geolocation for most things