Pokémon Go: Into the real world, with real crime
The twist with Pokémon Go is that players can catch Pokémon in real life, out on the streets and away from their couches. I love the idea that a smartphone game not only can be played anywhere, but actually requires its players to get outside. But because security is always on my mind, I quickly wondered what crimes Pokémon Go would enable. The answer wasn’t long in coming.
Criminals are quick to exploit new opportunities, and they have been targeting video gamers for a long time. Many games encourage in-app purchases, and they often allow players to trade tokens with other players. That creates an incentive for criminals to get their hands on people’s tokens, which they can then sell for financial gain. One major online gaming company hired me to strengthen its user authentication mechanisms, since criminals had been using social engineering to get help desk employees to reset passwords, thus granting them access to players’ in-app assets.
Then there are the typical hackers, who will exploit the popularity of the app. They will offer fake versions of the app loaded with malware. This is more likely in areas where the app is being phased in, as well as through distribution in Android stores that do not perform stringent security checks. It is also inevitable that when extra features become possible, criminals will offer fake upgrades loaded with malware as well.
In games such as World of Warcraft, criminals tend to hack characters and extract value. If criminals access a gaming account with a credit card attached to it, they can buy things. Other criminals, such as child predators, have abused the ability to interact with players to lure victims to real-world locations.
Now, within a week of the release of Pokémon Go, criminals have figured out a way to target players in the real world. They set up a beacon to lure people to a “pokestop,” a place where people can gather to play the game against others. They then robbed a would-be player at gunpoint.
More casual crimes are even more likely. When players head out of the house in pursuit of their game goals, their minds are fixed on the virtual world that resides in their phone, and they remain rather inattentive to the real dangers that might lurk on the actual streets they are wandering. They’re easy targets.
Here are some precautions for players to follow. They apply just as well in many situations that have nothing to do with Pokémon Go.
Be on the lookout for phishing attacks and social engineering: Criminals will send out phishing messages or make phone calls in an attempt to get people to divulge their user IDs and passwords. Many will look or sound like legitimate messages from the company. You might receive an offer to load your account with extra Pokémon. You might be told your account has been compromised. Be suspicious, and confirm that the company has sent out such messages before responding in any way. Also, access the application only through legitimate sources.
One of the best things about Pokémon Go is that it encourages people get out for some exercise, and perhaps to meet new people. Those are great benefits, but they won’t be worth much if you ignore the potential for danger.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.