View All

How to Make Your Online Contest Cheater-Proof

The “Gap Casting Call for Kids” contest, now in its sixth year, is wildly popular. The stakes are high: This fall, the winning four children, all selected by public vote, will be featured in a Gap marketing campaign. Many moms would love that opportunity and likely rally family, friends, neighbors ... even the local waitress to help run up the votes. But would they try to cheat the contest to win?

It’s a real concern for both agencies and brands that incorporate elements into contests and publicly post data—like public vote counts—that encourage participation and viral sharing, but also opens up the contests for potential attacks by cheaters.

“For any digital marketer, the adoption rate of consumers in general is increasing,” says Lauren McCabe, manager of digital and social marketing for Sears Hometown and Outlet Stores. “Consumers are getting smarter and participating more and you’re always learning from experience.”

To understand how to protect your contest from cheaters let’s look at three of the most highly visible elements of particular interest to cheaters—public votes, leader boards and prizing. We’ll also look at how hackers compromise contests and what you can do to prevent an attack.

Vulnerable elements

Leader Boards rank the top players, a popular marketing tactic to get players to return again and again to improve their scores and to boast about their rankings with their Facebook friends. Posting the rankings encourages repeat plays and new registrations, but also allows cheaters to see exactly what scores they need to post to reach the top of the leader board. For the cheaters, it’s about bragging rights and nothing more.

“There’s a lot of pride that goes into what the cheaters do,” says Sagar Parvataneni, senior vice president of product and technology at ePrize.

Prizing helps drive traffic and research has shown that what works best is a combination of both one large prize and lots of small prizes. The big prize offers something for people to shoot for—a dream vacation, a home entertainment center—but they don’t get discouraged because there are lots of other small prizes to win during the journey as well. Hackers will hack the contest to try to win both the grand prize and smaller rewards. They want the grand prize for obvious reasons, but a player who also sees, for example, that he can win an iTunes gift card just for registering may attempt to pump fake registrations into the system to win the cards and then resell them on eBay or to friends for financial gain, Parvataneni said.

Public Votes are often tied to a strong personal emotion, like the Gap Casting Call, which draws hundreds of thousands of votes each year. Other examples include votes to win a lucrative financial prize like funding for a local school, a national park or some community effort or a high-paying, high profile job or the wildly popular Doritos “Crash the Super Bowl” video contest with a chance to get your submission turned into a TV spot via a public vote. The number of votes each entrant is getting is often publicly posted, making it an easy target for cheaters, who can be heavily motivated to run up the vote tally in their favor.

“When you first start running contests and sweepstakes you really are a bit naïve,” Wendy Brannen, executive director of the Vidalia Onion Committee, says. “The more you do, the more you realize that you really have to be on your toes because there are scammers out there.”

For the Vidalia Onion Committee annual contests make for a sure-fire way to let consumers know that the onions are in season, a short run that requires a national marketing spread to make the most of the short season. Last year, the “Sweet Vidalia Jingle Contest & Free Music Downloads” drew 60 jingle contest entries and an astounding 130,050 public votes.

Vidalia, which runs its contests in house, monitors the promotions closely and during a recentjingle contest was alerted to suspicious activity.

“We were monitoring the site daily and had a contestant suddenly getting a bazillion votes,” Brannen says. “In that instance it was not a case of fraud, just an amateur singer/songwriter campaigning for his jingle. Word was spreading through his network, and because we were aware and were monitoring the site, we could see this guy had a lot of friends and they were voting.”

Ways to cheat online games

While the Vidalia example turned out to be a non-starter, there are plenty of hackers out there finding numerous ways to comprise contests.

Design flaws: One of the top ways to cheat an online game occurs if the game is not designed properly, or is designed in Flash. While the average player can’t see the coding in Flash, sophisticated technology users can decompile the Flash application by using widely available tools to figure out what’s in the code.

"There are widely available tools and mechanisms cheaters use to figure out how scores get posted," ePrize's Parvataneni says. "They can then hack the site and post a fake score to get to the top of the leader board or to win prizes.

 

One answer to the problem: make sure the methods to post scores in your Flash games are secure and email prize codes/scores out after a short delay rather than displaying them immediately on screen.

 

Fake registrations: In the public voting scenario, cheaters use automated software to create fake registrations to run up vote tallies. Hackers can uses email addresses that are not valid but good enough for the registration process. Cheaters will sometime use software that will automatically register them numerous times in a random stream of characters to try to trick the promotion sponsors. An internal team can be alerted to monitor the situation and in extreme cases to do outright blocking.

“One person could generate hundreds of thousands of fraudulent votes," Parvataneni says. "There are so many promotions out there it’s a high probability that they can find something they can cheat on.”

Social listening tools: The growing popularity of online contests with public voting has led to the rise of websites on which contestants can bargain to "trade" votes. A variety of social listening tools are leading savvy participants to sites such as GetOnlineVotes.com. In Canada gamers can easily navigate their way to SmartCanucks where people start threads asking others to vote for them.

“Other suspicious activity can include lots of registrations or votes from a single IP address or the user has their cookies turned off,” Parvataneni says. “All of these things pop red flags and make us look to see if there is anything suspicious."

 Preventing attacks

Set Limits such as allowing one vote per day. Preventing people from registering multiple times will also start you off in the right direction.

Validate all the information required during registration such as the email, as well as checking the physical address, against the U.S. Postal Service database, Vidalia’s Brenner says.

Monitor online conversations to see what people are talking about. Cheaters will often brag and post comments on sweeper blogs if they have cheated a contest or hacked a free code.

Block cheaters One of the most potent ways to protect your contest is to prevent cheaters from winning without them knowing it. “If we know you’re cheating we’ll allow you to register, but prevent you from winning,” Parvataneni says. “It’s very hard as a cheater to adapt, to change their methodology to figure out a way around the safeguards. The key is doing that so users don’t know they’ve been blocked.”

Rotate scores randomly Sears Hometown Stores is running the “Sears for Life Video Contest” where customers can upload a 25-second video telling a story about their relationship with Sears—like when they got their first Craftsman tool set from dad. The winners, who receive a $2,500 Sears gift card and a chance to be featured in a TV commercial, will be decided this month by public vote. To curtail fraud, the vote tallies are rotated making it difficult to track which video is actually getting the highest votes.

“I think the way we’re running the contest in terms of having it gated before being posted and the random viewing” makes sense, McCabe says. “It’s not something I’m truly concerned about, but we’ve set up the rules and the technology to prevent it.”

Avoid real-time feedback. If a player can take an action and immediately see his place move up on the leader board, that’s a good incentive to cheat.

“If posting is done asynchronously it is usually a strong disincentive and also allows the back-end administrator to look at data before its get posted to catch cheaters before they post,” Parvataneni says.

Some agencies and their clients decide not to include any elements that encourage hackers. Of course, doing so sometimes also cuts down on the features that lead to player engagement and viral spread.

“Where there is the ability to tamper, there is temptation,” says Paul Slovak, chief operating officer at Marden-Kane. “The best defense against dishonest players is to remove their ability to benchmark and determine where they stand. This means eliminating leader boards, vote tallies and otherwise posting any performance data that would enable them to formulate a plan of attack. By essentially blinding them from knowing where and when to strike your promotion, you encourage them to seek softer targets.”

Despite the challenges, the multiple benefits brands reap such as brand exposure and the rich piles of consumer data are the true reward.

“We can sit here and think of all the bad things that can potentially happen, but there will always be another problem, next week, next month,” Sear’s McCabe says. “But it can’t stop you from trying and doing and learning from it. You have to be aware of what’s out there now, especially because things can go viral very quickly and you need to address the issues right away.”

See the article