Hacking the “Bike Angels” System for Moving Bikeshares

I always like a good hack. And this story delivers. Basically, the New York City bikeshare program has a system to reward people who move bicycles from full stations to empty ones. By deliberately moving bikes to create artificial problems, and exploiting exactly how the system calculates rewards, some people are making a lot of money.

At 10 a.m. on a Tuesday last month, seven Bike Angels descended on the docking station at Broadway and 53rd Street, across from the Ed Sullivan Theater. Each rider used his own special blue key—a reward from Citi Bike—to unlock a bike. He rode it one block east, to Seventh Avenue. He docked, ran back to Broadway, unlocked another bike and made the trip again.

By 10:14, the crew had created an algorithmically perfect situation: One station 100 percent full, a short block from another station 100 percent empty. The timing was crucial, because every 15 minutes, Lyft’s algorithm resets, assigning new point values to every bike move.

The clock struck 10:15. The algorithm, mistaking this manufactured setup for a true emergency, offered the maximum incentive: $4.80 for every bike returned to the Ed Sullivan Theater. The men switched direction, running east and pedaling west.

Nicely done, people.

Now it’s Lyft’s turn to modify its system to prevent this hack. Thinking aloud, it could try to detect this sort of behavior in the Bike Angels data—and then ban people who are deliberately trying to game the system. The detection doesn’t have to be perfect, just good enough to catch bad actors most of the time. The detection needs to be tuned to minimize false positives, but that feels straightforward.
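As an added example of the detection sketched above (my own illustration, not code from the post or anything Lyft runs), the script below scans a constructed trip log for the pattern the article describes: repeated short hops on a single station pair, followed by a direction flip that lands in a fresh 15-minute pricing interval. The log format, rider IDs, station names and thresholds are all assumptions.

```python
from collections import Counter, defaultdict

RESET_MIN = 15  # repricing interval quoted in the article

def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

# Constructed sample log (not real Citi Bike data): rider,origin,destination,start,end.
# a1 and a2 shuttle between two adjacent stations and reverse direction right
# after the 10:15 reset; c1 is an ordinary commuter.
SAMPLE = """\
a1,Broadway&53,7thAve&53,10:00,10:02
a1,Broadway&53,7thAve&53,10:05,10:07
a1,Broadway&53,7thAve&53,10:10,10:12
a1,7thAve&53,Broadway&53,10:16,10:18
a1,7thAve&53,Broadway&53,10:20,10:22
a2,Broadway&53,7thAve&53,10:01,10:03
a2,Broadway&53,7thAve&53,10:06,10:08
a2,7thAve&53,Broadway&53,10:17,10:19
c1,Broadway&53,UnionSq,10:03,10:25
c1,UnionSq,Broadway&53,17:40,18:05
"""

def flag_shuttlers(log, min_hops=3, max_minutes=5):
    """Return {rider: info} for riders with >= min_hops short hops on a single
    station pair, noting whether they reversed direction across a price reset."""
    by_rider = defaultdict(list)
    for line in log.strip().splitlines():
        rider, origin, dest, start, end = line.split(",")
        by_rider[rider].append((origin, dest, minutes(start), minutes(end)))
    flagged = {}
    for rider, trips in by_rider.items():
        trips.sort(key=lambda t: t[2])
        short = [t for t in trips if t[3] - t[2] <= max_minutes]
        pairs = Counter(frozenset(t[:2]) for t in short)
        pair, hops = (pairs.most_common(1) or [(None, 0)])[0]
        if hops < min_hops:
            continue
        on_pair = [t for t in short if frozenset(t[:2]) == pair]
        # A direction flip that lands in a new 15-minute pricing interval is the
        # signature of "create the emergency, then get paid to undo it".
        flip = any(b[0] == a[1] and b[1] == a[0] and b[2] // RESET_MIN != a[2] // RESET_MIN
                   for a, b in zip(on_pair, on_pair[1:]))
        flagged[rider] = {"pair": tuple(sorted(pair)), "hops": hops, "flip_at_reset": flip}
    return flagged
```

Thresholds like `min_hops` are where the false-positive tuning happens; a courier doing genuine one-block deliveries would trip the hop count but not the flip-at-reset signal.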

Posted on September 23, 2024 at 11:46 AM • 11 Comments

Comments

yet another bruce September 23, 2024 5:19 PM

I wonder if it would be possible to construct a naturally robust system by always considering the state of the originating station and the state of the terminating station in the cost of any. This means that trips originating from a nearly empty station would be more expensive as would trips terminating in a nearly full station. I imagine you would want a smooth function to avoid exploits based on quantization or thresholds and you would want to adjust price frequently. Fifteen minutes between updates seems very slow.

You could still pay angels to move bikes since trips originating in very full stations or ending in mostly empty stations could be assigned a negative cost.
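The pricing idea in the comment above, worked through as an added example (not the commenter's or Lyft's code): a linear, threshold-free trip price driven by both stations' fill levels, plus a simulation of the article's drain-then-refill cycle under per-dock repricing and under the 15-minute snapshot behaviour. The price formula, the $4.80 scale and the station capacity of 10 are assumptions.

```python
MAX_CENTS = 480  # $4.80, the maximum incentive quoted in the article

def trip_price(origin_bikes, dest_bikes, cap):
    """Assumed smooth price in cents for one trip (not Lyft's formula): linear in
    fill level, so there are no thresholds to game. Taking a bike from a fuller
    station and docking at an emptier one earns money (negative price); the
    reverse costs money. Priced at the half-way state (origin has lost half a
    bike, destination gained half) so a move and its reversal cancel exactly.
    A full-to-empty move approaches -MAX_CENTS as capacity grows."""
    return round(MAX_CENTS * ((dest_bikes + 0.5) - (origin_bikes - 0.5)) / cap)

def shuttle_cycle_cost(cap, n, snapshot_every):
    """Net cents a rider pays to move n bikes A->B and then all of them back.
    Station state is re-read every `snapshot_every` trips: 1 means reprice at
    every dock; n means one snapshot per direction, which mimics the article's
    'fixed for a whole 15-minute interval' behaviour. Negative = rider is paid."""
    a, b = n, cap - n            # constructed start: A holds the bikes, B the space
    snap = (a, b)
    total = 0
    for t in range(2 * n):
        if t % snapshot_every == 0:
            snap = (a, b)        # only now does the price see the real state
        if t < n:                # drain A into B
            total += trip_price(snap[0], snap[1], cap)
            a, b = a - 1, b + 1
        else:                    # refill A from B
            total += trip_price(snap[1], snap[0], cap)
            a, b = a + 1, b - 1
    return total

if __name__ == "__main__":
    for every in (1, 7):
        print(f"reprice every {every} trip(s): net {shuttle_cycle_cost(10, 7, every)} cents")
```

With per-dock repricing the manufactured emergency nets the crew nothing, because every cent earned refilling the station was charged while emptying it; with prices frozen per interval the same moves pay out in both directions.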

Erdem Memisyazici September 24, 2024 12:31 AM

If you allow it, it could be exploited. There are entire communities who can round up at least 100 people in one hour who would gladly ride a bike for $5 across one block. Gone are the days of genuine crowds when we now have these group think enabling devices all in the hands of the general public leading to cheap astroturfing and the like as common occurrences.

It used to be solely done by state level actors to gather fake crowds and stage the appearance of uprisings yet now every Joe has an app for it. Not to mention medical networks on the rise that monitor the mental health of an entire area (a bit harsh for the privacy conscious). Private groups that do the same for law enforcement, neighborhood watch groups, or just students in a frat who can also gather a crowd to call the first group of 100 bike riders “silly sods” the whole way across the block but they get paid better.

It’s ridiculous what a fast communications network and a bad economy can lead to.

Bike rider September 24, 2024 3:12 AM

Clearly the reward could be less for an empty station when there are full stations very close by. Regular bike users can easily walk a block to the full station, so the empty one isn’t as much of an emergency as it would be if it was a more isolated one. The exploit depends on the short distance.

Winter September 24, 2024 3:41 AM

Sounds like yet another example of the Cobra Effect [1]:

The term cobra effect was coined by economist Horst Siebert based on an anecdotal occurrence in India during British rule. The British government, concerned about the number of venomous cobras in Delhi, offered a bounty for every dead cobra. Initially, this was a successful strategy; large numbers of snakes were killed for the reward. Eventually, however, people began to breed cobras for the income. When the government became aware of this, the reward program was scrapped. When cobra breeders set their snakes free, the wild cobra population further increased. This story is often cited as an example of Goodhart’s law or Campbell’s law.

It has often been shown that monetary rewards for volunteering activities people do as good citizens (i.e., intrinsic motivations) reduce their motivation for doing the volunteering. [2] So, a reward scheme for “Bike Angels” will not attract more “Angels”, but more grifters, as is shown.

[1] https://en.wikipedia.org/wiki/Perverse_incentive#cite_note-schwarz22-4

[2] https://www.researchgate.net/publication/2392860_Does_Pay_Motivate_Volunteers

But we obtain the puzzling result that, when rewarded, volunteers work less. These findings are in line with a large literature in social psychology emphasizing that external rewards can undermine the intrinsic motivation for an activity.

arf'n'arf September 24, 2024 5:34 AM

Obviously, the Bike Angels shouldn’t be able to use their blue key to drop bikes at a station that doesn’t need them.

The problem is that the blue key is used to permit bike removal not bike drop off. If that problem was fixed then everything would work nicely.

branden September 24, 2024 10:55 AM

Now it’s Lyft’s turn to modify its system to prevent this hack. Thinking aloud, it could try to detect this sort of behavior in the Bike Angels data—and then ban people who are deliberately trying to game the system.

I don’t even know that they have to “prevent” it. It was their choice to design a system that apparently (I can’t be sure with the paywall) rewards non-riders in legal fungible currency, with unlimited payouts. Did they really not consider the obvious implications? Perhaps they wanted a system that would encourage people to lug these bikes long distances via motor vehicles. Probably they wanted to avoid having to hire people to move bikes—on account of minimum wage, payroll taxes, and so on.

As “yet another bruce” says, incentives to depart or arrive at certain stations could’ve been used. If someone’s putting their route into an app, it could easily point out alternate stations and offer them a dollar or two in savings to walk a bit farther. That also raises the idea of paying only in non-transferable ride credits, and perhaps credits that don’t accumulate. For example, they could set the maximum discount at 80%, and only allow it to be applied to the current ride or rides from the last month. Were I designing this, I’d try such a thing first—branded as a special promotional deal—and only allow “discounts” to exceed 100% if the system somehow wasn’t working (and employees or contractors weren’t options).

Jon (a different Jon) September 25, 2024 8:28 PM

Hazard an easier suggestion:

Randomize the ‘app reset’ times. This is truly old-school hacking – if you know the security guard always takes 20 minutes to do their “round”, then you know that, once they pass, you’ve got 19 minutes to get what you want and get out before they get back.

Randomize it, so sometimes the guard will be back in five, or back in thirty – and pop goes your clever scheme. This goes FAR into the past, and should be known to everyone in security planning.

And if you want to, you can even rig the ‘randomization’ – a station that is 100% full or 100% empty (or getting close to it) gets its rewards recalculated much more often.

J.

ResearcherZero September 28, 2024 2:15 AM

Kiatool

Enter the license plate number and unlock the vehicle. Honk♪ Honk♪

https://samcurry.net/hacking-kia

jelo 17 October 3, 2024 1:55 PM

Since any configuration can occur without malicious intent, it’s hard to see how any algorithm could resolve the issue (@ Clive Robinson “the directing mind”).

Perhaps instead, as a part of ongoing maintenance, adjust station distribution and bike numbers so that outages are rare, dispensing with the biker wranglers in their current form.

Clive Robinson October 6, 2024 6:07 PM

@ Bruce, ALL,

Hopefully anyone old enough to remember this can tell us more.

But at the moment push bikes and electronic communications are both still free of individual identifying “licence Plates”.

Few know that the E2EE battle we are having today is in effect a repeat of a battle from the tail end of the Victorian era and the “horseless carriage” we might these days call a road vehicle automobile or car.

Back then there were no number plates or road taxes etc.

However “The Authorities” in England were very very keen on putting,

“The mark of Cain on Gentlemen of the autocar.”

The Gentlemen lost, and all sorts of things resulted that most citizens from a personal perspective would consider considerably detrimental.

You can read more, and see that “authority” has not changed in its insistent grab at unwarranted power that is then significantly abused, for the past century and a quarter,

https://www.autocar.co.uk/car-news/from-the-archive/controversy-over-introduction-numberplates

It will also give an indicator of how things will play out with Authority and their demands with respect to the security of communications.

They want “population control” we’ve seen this with China where walking down a street gets you “facially Recognized” and you can be sure every authoritarian wants the same.

And yes “taxation”, “fines” or both to raise revenue are very certainly in electronic communications future once a reliable way to tag them becomes a reality.

The only real way to defend against it is to design electronic communications so it can not be tagged.

Clive Robinson October 7, 2024 4:31 AM

@ Bruce, ALL,

You say,

“I always like a good hack. And this story delivers”

Well this might amuse…

I note from time to time that back in the early 1930’s it was proved even before computers existed that you could not trust what a computer tells you.

Without digging into Kurt Gödel’s work the simple explanation is,

“A computer core will always tell you what it is programmed to tell you, and the computer is incapable of knowing thus telling you it has been reprogrammed by malware etc.[1]”

So it’s a given –or should be– that you can not trust a computer in somebody else’s control…

So what did McDonalds do?

Have a read of,

https://liberda.nl/weblog/trust-no-client/

It made me smile and chuckle over my morning brew.

[1] It’s because it’s a game of “Turtles all the way down”: any type of programmatic check you put in runs at the CPU level or higher, and will thus always be defeated by a rogue set of instructions at a lower level in the computing stack. It’s to be expected from an even earlier warning about crypto systems we now state as the pithy saying of

“The enemy knows the system”

(The Shannon restatement of August Kerckhoffs’s 2nd principle of cryptography from ~1882)
