After Jim Bumgardner's blog post Monday confessing to cheating on Foursquare and the subsequent LA Times coverage, I think Foursquare will be addressing their service's security immediately. For those of you who don't know, Foursquare is a location-based social network that incorporates gaming elements. Bumgardner used Foursquare's 3-month-old API to become mayor of the North Pole, among other notable landmarks around the world, while also creating fake celebrity accounts. Luckily for Foursquare he was just having a little fun and not trying to cause any damage. What if he had lost control of his scripts or had malicious intent? What if he wasn't employing a dozen fake accounts but hundreds of thousands of fake accounts? Would Foursquare have been able to survive?

Think about it. They are approaching half a million users, which is great but doesn't compare to the multiple millions other social media services have. Bumgardner's dozen or so fake accounts caused a little disruption and made a few people mad, but if his tactics were taken to the extreme by a large botnet the service would become unusable. Every location could be overtaken by fake accounts. Real users would get lost in all the fake check-ins. The only way to stop the onslaught would be shutting off the API, but even then Foursquare would be left cleaning up their venue and user databases for days, if not weeks, trying to figure out what's real and what was generated by a bot.

I’m not advocating anyone go out and kill Foursquare. But it wouldn’t be hard to round up a couple hundred thousand bots by the end of the day and maybe a million by the end of the week. I don’t see how Foursquare could combat it with their current security policies (are there any?).

Why would someone want to shut down a fun service like Foursquare? Well, there are some jerks in this world, and then there is always the money motivator.

Hey Foursquare Founders,

I’m the one responsible for overrunning your service and making it unusable thanks to your poor security practices. I see you got a million dollars in angel funding a few months back. Give me $1 million and I’ll undo all the harm I’ve done and everything will go back to normal.

The same scenario happens to banks every day, and it's cheaper for banks to pay off the hackers than admit to the public how insecure they are. If Foursquare wants to keep making business deals with companies like Zagat, they'll do the same thing. Established companies aren't going to pair with insecure startups that can be shut down by script kiddies, just like people aren't going to deposit their money into an insecure bank.

Bumgardner offers a few suggestions on how Foursquare could improve their security, like adding a CAPTCHA to the sign-up process. (I was really surprised they didn't even have that in place.) Foursquare founder Dennis Crowley even commented on the blog to assure people that the team was working on some of these flaws, but he seemed more focused on geo-accuracy than anything else.

I would really hate to see Foursquare lose out in the location-based social network race because they couldn't put together some decent security practices. I also hope other services like Gowalla take this seriously, since they have about a third of the users that Foursquare does. Is it likely a botnet will take them down? Not really. Is it possible? For sure.