Pokémon Go has won over the world, but has it put us more at risk as a result?
The augmented reality game is entertaining millions of its fans and capturing lots of media attention. But fans are much more focused on play and fun than on the risks they are accepting. Security vendor RSA shared some tips around the security of Pokémon Go that I’ll share here.
My own advice to Pokémon Go users? Look up from your screen for one moment and consider if these risks should influence your behavior.
Cyber world risks
Niantic, which developed the game for Nintendo’s Pokémon brand, issued a statement on July 11, 2016 that they had “recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account.” Niantic assured players that, although the mistake gave it the ability to dive deep into everyone’s personal data, the game only accesses a user’s ID and email address. Apparently, this problem has now been resolved to some extent.
Still, “it’s important to keep in mind that what an organization actually accesses is not necessarily the same as what they can actually access, and, more so, what they may be able to access in the future,” says a spokesperson from security vendor RSA.
You can address this problem of the scope of access to your Google account through one of the following actions:
- Sign up through the game’s website at pokemongo.com. This website has been overwhelmed with users and has been limiting the number of new users who can sign up at once.
- Create a secondary Google account that is dedicated to Pokémon Go. Set up the secondary account with a minimum of profile information and store no data there.
While it’s reasonable to accept the assurances of Niantic, there remains the risk that your Google account information could be compromised by:
- Niantic itself being hacked by nefarious outsiders.
- A rogue Niantic employee selling the user data.
As RSA points out, the incredible popularity of Pokémon Go has been duly noted by hackers, who have promptly offered:
- Rogue, malware-infested versions of the Pokémon Go software for download at some file sharing services. These versions are especially enticing to prospective fans who live in countries where Pokémon Go has not yet been released.
- Apps that claim to help you improve your success playing Pokémon Go but actually consist of malware.
The consequences of having your smartphone infected by such malware are severe and can include hackers:
- Copying data from your phone.
- Committing crimes, attributed to you, such as making fraudulent online purchases or downloading child pornography.
- Making social media posts or sending emails and text messages on your behalf.
You can mitigate the risk of installing malware apps by:
- Only downloading apps through official channels, like the Google Play store or the Apple App Store.
- Being wary of apps that are only being used by a small number of people. In such a case, you may be dealing with a rogue app that somehow infiltrated the walled garden of the app store.
Real world risks
Watch where you’re walking while playing Pokémon Go. Despite the game’s warnings, some captivated players have unintentionally wandered into private yards, onto busy roads, through cemeteries and even into a police station. The search for the game’s cartoon monsters appears to be totally engrossing.
The police and transit authorities have become increasingly concerned about the risk of serious injury and about players being lured into situations that can escalate into robbery or violence. Their advice is to always play with a friend close beside you.
Niantic’s privacy policy for Pokémon Go notes it is collecting considerable amounts of data and may share “aggregated information and non-identifying information with third parties for research and analysis, demographic profiling, and other similar purposes.” Players of Pokémon Go are sharing with Niantic details on who they are, where they live, locations they frequent, who they associate with, and time spent in various locations. All this data collection, while necessary for the game to function, undermines personal privacy (if there’s any left) and creates a risk of identity theft.
What Pokémon Go risks have you encountered and how are you mitigating them?