After Jim Bumgardner’s blog post Monday confessing to cheating on Foursquare and subsequent LA Times coverage, I think Foursquare will be addressing their service’s security immediately. For those of you who don’t know, Foursquare is a location based social network that incorporates gaming elements. Bumgardner used Foursquare’s 3-month-old API to become mayor of the North Pole among other notable landmarks around the world while also creating fake celebrity accounts. Luckily for Foursquare he was just having a little fun and not trying to cause any damage. What if he lost control of his scripts or had malicious intent? What if he wasn’t employing a dozen fake accounts but hundreds of thousands of fake accounts? Would Foursquare have been able to survive?

Think about it. They are approaching half a million users which is great but doesn’t compare to the multiple millions other social media services have. Bumgardner’s dozen or so fake accounts caused a little disruption and made a few people mad, but if his tactics were taken to the extreme by a large botnet the service would become unusable. Every location could be overtaken by fake accounts. Real users would get lost in all the fake check-ins. The only way to stop the onslaught would be shutting off the API, but even then Foursquare would be left cleaning up their venue and user databases for days if not weeks trying to figure out what’s real and what was generated by a bot.

I’m not advocating anyone go out and kill Foursquare. But it wouldn’t be hard to round up a couple hundred thousand bots by the end of the day and maybe a million by the end of the week. I don’t see how Foursquare could combat it with their current security policies (are there any?).

Why would someone want to shut down a fun service like Foursquare? Well, there are some jerks in this world, and then there is always the money motivator.

Hey Foursquare Founders,

I’m the one responsible for overrunning your service and making it unusable thanks to your poor security practices. I see you got a million dollars in angel funding a few months back. Give me $1 million and I’ll undo all the harm I’ve done and everything will go back to normal.

The same scenario happens to banks every day, and it’s cheaper for banks to pay off the hackers than admit to the public how insecure they are. If Foursquare wants to keep making business deals with companies like Zagat, they’ll do the same thing. Established companies aren’t going to pair with insecure startups that can be shut down by script kiddies, just like people aren’t going to deposit their money into an insecure bank.

Bumgardner offers a few suggestions on how Foursquare could improve their security like adding a CAPTCHA to the sign up process. (I was really surprised they didn’t even have that in place.) Foursquare founder Dennis Crowley even commented on the blog to assure people that the team was working on some of these flaws, but he seemed more focused on geo-accuracy than anything else.
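Beyond a sign-up CAPTCHA, the kind of abuse described above (one account checking in at the North Pole and at landmarks around the world within minutes) is easy to catch server-side. The following is an added example of my own, not Foursquare code or anything Bumgardner published: it runs two plausibility checks over a check-in history, a per-account rate limit and an impossible-travel test on the speed implied between consecutive check-ins. The thresholds, the `CheckIn` record and the sample data are all constructed assumptions.

```python
"""Server-side plausibility checks for location check-ins.

Added example (not Foursquare's code). Two checks a location service can
run before a check-in counts toward mayorships or venue stats:
  1. rate limit: at most MAX_CHECKINS_PER_HOUR per account in a sliding hour
  2. impossible travel: the speed implied between an account's consecutive
     check-ins must stay below a physical limit
Thresholds and sample data below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0        # assumption: roughly airliner cruising speed
MAX_CHECKINS_PER_HOUR = 10   # assumption: generous limit for a real person
WINDOW_SECONDS = 3600


@dataclass(frozen=True)
class CheckIn:
    user: str
    venue: str
    lat: float
    lon: float
    ts: float  # unix seconds


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(min(1.0, sqrt(a)))


def implied_speed_kmh(prev: CheckIn, cur: CheckIn) -> float:
    """Speed the account would need to travel from prev to cur."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        # same timestamp: teleporting is impossible, staying put is fine
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def flag_checkins(history: List[CheckIn]) -> List[Tuple[CheckIn, str]]:
    """Return (check-in, reason) for every check-in that fails a check.

    Flagged check-ins are still recorded so a burst of bogus check-ins
    cannot reset the account's history.
    """
    flagged: List[Tuple[CheckIn, str]] = []
    per_user: Dict[str, List[CheckIn]] = {}
    for c in sorted(history, key=lambda x: x.ts):
        prev = per_user.setdefault(c.user, [])
        recent = [p for p in prev if c.ts - p.ts < WINDOW_SECONDS]
        if len(recent) >= MAX_CHECKINS_PER_HOUR:
            flagged.append((c, "rate-limit"))
        elif prev and implied_speed_kmh(prev[-1], c) > MAX_SPEED_KMH:
            flagged.append((c, "impossible-travel"))
        prev.append(c)
    return flagged


# Constructed sample: one plausible user, one account behaving like a script.
SAMPLE: List[CheckIn] = [
    CheckIn("alice", "coffee-nyc", 40.7128, -74.0060, 0),
    CheckIn("alice", "park-nyc", 40.7829, -73.9654, 1800),
    CheckIn("bot", "north-pole", 90.0, 0.0, 0),
    CheckIn("bot", "opera-house-sydney", -33.8568, 151.2153, 600),
] + [CheckIn("bot", "north-pole", 90.0, 0.0, 1200 + i * 60) for i in range(12)]


if __name__ == "__main__":
    for checkin, reason in flag_checkins(SAMPLE):
        print(f"{checkin.user:6} {checkin.venue:20} t={checkin.ts:6.0f} {reason}")
```

Running it flags only the `bot` account: the North Pole to Sydney hop and the return are impossible travel, and the later burst of check-ins trips the hourly rate limit once ten are already in the window. In practice the rate limit would be keyed per venue as well as per account, and the speed threshold is a policy decision rather than a fixed constant.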

I would really hate to see Foursquare lose out in the location based social network race because they couldn’t put together some decent security practices. I also hope other services like Gowalla take this seriously since they have about a third of the users that Foursquare does. Is it likely a botnet will take them down? Not really. Is it possible? For sure.