Pokemon Protection?

For some businesses the influx of Pokemon users is a boon, but don’t ignore potential security risks.

July 21, 2016

SAN FRANCISCO – In just a few weeks since its launch in app stores, Pokemon Go has been downloaded by more than 26 million smartphone users worldwide. While it’s a game and it’s meant to be fun, some security experts are warning that the risks may not be worth the reward for capturing Pikachu. 

“Frankly, the truth is that Pokemon Go is a nightmare for companies that want to keep their email and cloud-based information secure,” Barbara Rembiesa, CEO of the International Association of Asset Managers, told the San Francisco Business Times. At many businesses, employees use mobile devices to access the company’s networks, which the news source says is causing concern among IT professionals who manage security endpoints and must keep unauthorized “actors” from accessing those networks.

According to security research firm the Ponemon Institute, roughly 69% of employees use personal devices for work purposes, which also amplifies security risks for businesses that allow employees to use corporate accounts or servers on their mobile devices.

“As Pokemon Go relates to businesses and ‘bring your own device,’ the risks will start to outweigh the rewards,” Tom Bain of CounterTack told the news source. “From the cybersecurity side, there are permissions that the game asks the device owner that could represent multiple problems, not to mention geo-based data that could indicate the location of unsuspecting individuals.”

The Kansas City Star also reports on the potential cybersecurity risks and privacy violations by Pokemon Go players who are using company-issued devices. “Anytime there is a mix of data collection and a corporate network, there are the possibilities of threats,” said Stacey Singleton, regional vice president for Robert Half Technology in Kansas City. “It’s important that security teams are intact and aware of trends and that security policies are clearly laid out throughout the organization.”

Going a leap further, security expert John McAfee believes that Pokemon Go should be the least of our cybersecurity worries. 

"Wake up. [More than] 50 million users have granted apps permission to make phone calls from your phone, without your approval or knowledge, for which you may have to pay," McAfee told Business Insider. He also calls apps that ask for unnecessary permissions from users “malware” because the apps are gathering data unbeknownst to the user.

"To my knowledge, there is not a single major smartphone supplier in the world that does not preload malware on their phones,” McAfee added. "Malware is anything that spies on you, that digs into your life and finds out who your friends are.”

He also says that picking on Pokemon Go is unfair, and a bit late, since nearly every app a user downloads from an app store asks for some type of permission. "Why pick on Pokémon Go when a quarter of a million apps have been doing this for years?" McAfee told the news source.

While we’re on the subject of cyber and mobile security, here’s another layer to tack on to the discussion: public Wi-Fi.

Avast Software, maker of mobile and PC security, revealed results of a Wi-Fi hack experiment conducted at various locations around the Republican National Convention site in Cleveland to demonstrate the risks of connecting to public Wi-Fi. The experiment, performed by Avast’s security researchers, revealed that more than 1,000 convention attendees were negligent in their behavior when connecting to public Wi-Fi. Attendees risked the possibility of being spied on and hacked by cybercriminals while they checked their email, banked online, used chat and dating apps, and even while they accessed Pokemon Go.

Avast researchers set up fake Wi-Fi networks at various locations around the Quicken Loans Arena and at Cleveland Hopkins International Airport with phony network names (SSIDs) like “Google Starbucks,” “Xfinitywifi,” “Attwifi,” “I vote Trump! free Internet” and “I vote Hillary! free Internet” that appeared to be set up for convention attendees. With mobile devices often set to connect to known SSIDs automatically, users occasionally overlook the networks to which they are connecting, notes Avast. While convenient for many, this feature bears the risk of users being spied on by cybercriminals who set up a false Wi-Fi network with a common SSID. Moreover, web traffic can be visible to anyone on any Wi-Fi network that does not request a password.

Over the course of a day, Avast saw more than 1.6 Gbs transferred from more than 1,200 users. Moreover, 68.3% of users’ identities were exposed when they connected, 44.5% checked their email or chatted via messenger apps, 6.5% shopped on Amazon, 1.2% accessed a banking app or website and 5.1% played Pokemon Go.