Pokemon Go Creates Security Vulnerabilities.
Pokemon Go, the viral mobile reality game, lures players to parks, landmarks and buildings -- perhaps even credit unions. Some businesses willingly capitalized on the craze, which has raised security concerns.
The app, available through Apple and Google Play, launched a few weeks ago and quickly began topping download charts in the United States, Australia and New Zealand.
"It is the first augmented reality game that has really caught fire," Mark McArdle, chief technology officer for the Canadian cybersecurity firm eSentire, said.
Reports claimed the game is poised to surpass Twitter's 100 million daily logins.
"There is a huge fandom that is the initial/original base for Pokemon, but what is unique is that we are seeing Pokemon Go trending wildly, capturing those that weren't in the original fan base," Emily Mayben, marketing director for the $264 million, Gadsden, Ala.-based Alabama Teachers Credit Union, shared. "Users may or may not go out and buy Pokemon trading cards or collectibles, but what is important is that they are engaging with the brand by playing the game."
The goal of the free, popular game, released by the San Francisco-based Niantic, is to capture Pokemon creatures and nurture them so they will win battles against other players' Pokemons. Unlike past Pokemon games, which took place in a fictional world, the new game is set in the real world and uses smartphones' geolocation capabilities.
Many locations received surprise visits from players while some business owners decided to capitalize on their status as a PokeStop or Pokemon Gym location, which Niantic pre-determines. Pokemon Go has a purchasable in-game item called a Lure Module, which attracts Pokemon to a particular PokeStop for 30 minutes.
"When something like this happens, it is another reminder of the relevance of social media, e-services and mobile device tools offered by credit unions," Mayben said.
She pointed out society is engrossed by electronic platform offerings such as Snapchat, Instagram, Facebook, Yelp and now Pokemon Go.
"Thus, this is where our members/potential members are."
Mayben said the game should serve as another reminder to credit union marketers to engage people through these platforms and trends. It also points to the importance of being able to adapt.
"Remember, social media was a trend 10 years ago," she said. "Now, look how it is an integral part of how we market."
Mayben added, "We have no idea if Pokemon Go will be around 10 years or even 10 months from now. However, what we can learn from Pokemon Go is, let's be relevant and cognizant of what's going on around us as marketers. Currently, Pokemon Go is a game with in-app purchases. Time will tell whether ads become part of the platform. There is potential for businesses whose locations become Pokestops, but credit unions need to consider risks involved in an influx of Pokehunters being drawn to credit unions to search for virtual animals."
There are other risks, too. According to the app's developer, an error during development led the game to ask for more privileges than it needed, McArdle said. Users of mobile apps often do not pay enough attention to the permissions an app requires.
"With the Pokemon Go app, the developer quickly came up with an update that reduced the level of permissions," McArdle explained. But it is still not clear if the developer forced users to re-authenticate the app through Google with a smaller set of permissions.
McArdle noted this is a great example of how, accidentally or through inattention, mobile device users become vulnerable to malware or fraud by granting apps access to everything.
In addition, some requests, like access to GPS, seem very subtle or reasonable, but users should ask themselves if they want an app to know their location 24/7.
"You have to be a bit more skeptical and think through the implications of what these applications can access," McArdle said.
Predictably, the game became a target for attackers eager to take advantage of the trend, and soon after the official release, a malicious Pokemon Go app containing the remote-access tool DroidJack appeared.
Infected users received the malicious version by sideloading the app: circumventing the Google Play store and instead downloading an Android application package (APK) file from the web, Amanda McAdoo, digital marketing coordinator at the Carlsbad, Calif.-based cybersecurity firm ThreatSTOP, explained in a blog.
"Android users have been able to do this for quite some time by simply changing their security settings, but this particular incident being attached to such a popular game has shined a spotlight on the loophole once again," she said.
McAdoo also pointed out that in 2012, a McAfee study found that more than 60% of Android malware samples were from a family known as Fakeinstaller.
"So you might be thinking 'I never download anything illegally,' but does the same apply for everyone in your organization?" McAdoo asked.
She added the reality today is that people bring personal mobile devices, which touch company networks, to work all the time, even though their devices might contain malware.
"The only way to be truly safe is to stop threats at the source by blocking them from reaching your network in the first place," she said. "This Pokemon Go experience is a great example of how users have to be careful on what application they allow to install on their mobile devices that they are using in the office as well as their laptops."