Pokémon Go: Into the real world, with real crime

The game is getting its players off the couch, which already wasn’t safe from the bad guys

Pokémon Go sneaked up on me. One minute, I knew nothing about it, and the next, just about everyone was talking about it.

The twist with Pokémon Go is that players can catch Pokémon in real life, out on the streets and away from their couches. I love the idea that a smartphone game not only can be played anywhere, but actually requires its players to get outside. But because security is always on my mind, I quickly wondered what crimes Pokémon Go would enable. The answer wasn’t long in coming.

Criminals are quick to exploit new opportunities, and they have been targeting video gamers for a long time. Many games encourage in-app purchases, and they often allow players to trade tokens with other players. That creates an incentive for criminals to get their hands on people’s tokens, which they can then sell for financial gain. One major online gaming company hired me to strengthen its user authentication mechanisms, since criminals had been using social engineering to get help desk employees to reset passwords, thus granting them access to players’ in-app assets.

Then there are the typical hackers, who will exploit the popularity of the app. They will offer fake versions of the app loaded with malware. This is more likely in areas where the app is being phased in, as well as through distribution in Android stores that do not perform stringent security checks. It is also inevitable that when extra features become possible, criminals will offer fake upgrades loaded with malware as well.

In games such as World of Warcraft, criminals tend to hack characters and extract value. If criminals access a gaming account with a credit card attached to it, they can buy things. Other criminals, such as child predators, have abused the ability to interact with players to lure victims to real-world locations.

Now, within a week of the release of Pokémon Go, criminals have figured out a way to target players in the real world. They set up a beacon to lure people to a “pokestop,” a place where people can gather to play the game against others. They then robbed a would-be player at gunpoint.

More casual crimes are even more likely. When players head out of the house in pursuit of their game goals, their minds are fixed on the virtual world that resides in their phone, and they remain rather inattentive to the real dangers that might lurk on the actual streets they are wandering. They’re easy targets.

Protect yourself

Here are some precautions for players to follow. They apply just as well in many situations that have nothing to do with Pokémon Go.

  • Be on the lookout for phishing attacks and social engineering: Criminals will send out phishing messages or make phone calls in an attempt to get people to divulge their user IDs and passwords. Many will look or sound like legitimate messages from the company. You might receive an offer to load your account with extra Pokémon. You might be told your account has been compromised. Be suspicious, and confirm that the company has sent out such messages before responding in any way. Also, access the application only through legitimate sources.

  • Be careful in the real world: Vigilance is essential anytime you step out into the world. Players presented with a chance to meet like-minded people can let their caution lapse. And always bear in mind that people you meet in the virtual world may not be who they say they are.

One of the best things about Pokémon Go is that it encourages people to get out for some exercise, and perhaps to meet new people. Those are great benefits, but they won’t be worth much if you ignore the potential for danger.

Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.
