Gotta Catch Em All
This is the slogan for Pokemon Go, which is now the biggest mobile game in U.S. history. Whether it is here to stay or just a fad, Pokemon has the entire world Go-ing completely crazy.
Pokemon had been around for decades before the app was launched, and if you grew up in the ’90s or 2000s you have probably heard of it. If not, you have seen someone playing the game, or seen it appear on one of your social media pages.
Just like the slogan says, your main aim while playing the augmented reality game is to capture Pokemon on your mobile device. You can capture as many as you can, and this will depend on how much time and money the players have. Unfortunately, most people have become addicted to the game, and they just can’t get enough of it. Be it at the malls, parks, schools, or at work, people are playing the game on their mobile devices and are focused on capturing, training or battling their Pokemon.
Pokemon Go At Work
The main activity of this game is trying to catch Pokemon, and this has raised great concern about employees who play the game while they work. How are they managing their time at work? Are they productive and completing their tasks, or are they catching fictional virtual characters?
Employees using the app while they work and using up their paid hours is not the only concern, as playing the game at work could bring a considerable IT security risk. When Pokemon hunters download the app on an iOS device, they sign in through the Pokemon Trainer Club or use their Google account so that registration and sign-up are fast. However, if they sign up with Pokemon Go, it gives Niantic Labs, the game’s developer, access to all their account information. Unfortunately, most people don’t read the security permissions, and even if they do, they can restrict access to their information in only one way: by denying access entirely.
The concern, and the wave of panic among IT security professionals, is that if Niantic gets full access, it can send and receive emails, delete files from Google Drive, access the calendar and perform a lot of other functions using the user’s account.
If your company or employees use iOS/Apple devices and Gmail for business or any other projects, there is a chance of cyber threats, as they could be leaving the company’s door open.
Moreover, even if Niantic doesn’t use the information, there is a risk of its systems being hacked, giving the attackers full access to the user’s information. This applies to gamers who have logged in using their personal Google accounts, but imagine if they had used their corporate email address to sign in. This would automatically give Niantic and hackers full access to files, maps, emails, passwords and more.
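One way an administrator can check for this exposure is to review the third-party app grants on corporate Google accounts and flag any that carry mail, Drive or calendar access. The sketch below is an added example, not code from Niantic, Google or the original article. The records use the field names of an Admin SDK Directory API token listing, and every user, app name, client ID and the approved-app list are constructed assumptions.

```python
# Added example: flag third-party OAuth grants on corporate Google accounts
# that carry the broad permissions described above (mail, Drive, calendar).
# Field names follow an Admin SDK Directory API token resource
# (userKey, displayText, clientId, scopes); all values below are constructed.

BROAD_SCOPES = {
    "https://mail.google.com/": "read, send and delete mail",
    "https://www.googleapis.com/auth/drive": "read, change and delete Drive files",
    "https://www.googleapis.com/auth/calendar": "read and change calendars",
}

# Assumption: OAuth client IDs the organisation has reviewed and approved.
APPROVED_CLIENT_IDS = {"1111-approved.apps.googleusercontent.com"}

# Constructed sample data standing in for an exported token listing.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "displayText": "Constructed Game",
     "clientId": "2222-game.apps.googleusercontent.com",
     "scopes": ["email", "https://mail.google.com/",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "bob@example.com", "displayText": "Constructed Game",
     "clientId": "2222-game.apps.googleusercontent.com",
     "scopes": ["openid", "email"]},          # basic profile only
    {"userKey": "carol@example.com", "displayText": "Approved CRM",
     "clientId": "1111-approved.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]


def risky_grants(tokens, approved=APPROVED_CLIENT_IDS, broad=BROAD_SCOPES):
    """Return one finding per unapproved app grant that holds a broad scope."""
    findings = []
    for tok in tokens:
        if tok.get("clientId") in approved:
            continue  # reviewed app: broad scopes are an accepted risk
        hits = sorted(s for s in tok.get("scopes", []) if s in broad)
        if hits:
            findings.append({
                "user": tok.get("userKey"),
                "app": tok.get("displayText"),
                "scopes": hits,
                "can": [broad[s] for s in hits],
            })
    return findings


if __name__ == "__main__":
    for f in risky_grants(SAMPLE_TOKENS):
        print(f"{f['user']}: {f['app']} can {'; '.join(f['can'])}")
```

A grant that only holds basic sign-in scopes, like the second record, is not reported; the flagged grants are the ones to revoke or review.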
How Did This Happen And Who Is To Blame?
To complete the sign-up process for most apps, one is required to give basic information like name, location, age, and gender.
However, when Niantic created the app, they “unintentionally” used a version of Google’s shared sign-in functionality which is outdated and unsupported.
They say that the “full access” message from Google is misleading, but in reality, they have full access to users’ basic information. They further claim that they have never asked for more than the ID and email address of any user. However, the good news is that both claims have been corroborated by Google and independent security researchers.
Who’s To Blame? Is It Google Or Niantic?
When Niantic recognized their mistake, they hurriedly issued a public statement assuring everyone that the problem would be fixed quickly, as they were working with Google. Some people blame Niantic for being negligent, while others blame Google, which, as a big and more security-focused company, should not have allowed an outdated version to be used by the developer.
Irrespective of who is to blame, Niantic is still an unknown company since it was spun out of Google a year ago.
Side Loading The App
Just when people were assured that there was no need to panic, security firm Proofpoint said that cyber criminals have other ways to hack into and take control of mobile phones.
The Pokémon app was initially released on July 4, 2016, in New Zealand and Australia, and in the U.S. on July 6. As word of the game’s release spread like wildfire throughout the stratosphere, people looked for illegal ways or a backdoor to side load the app onto their Android devices. The game was not released at the same time around the world, and this gave hackers the opportunity to release a malware version of the app which, when installed on a mobile device, gives them full access.
Proofpoint didn’t give the exact number of devices that had been infected by the fake Pokémon app, but they recommended that people who had downloaded this app take the necessary steps and check whether their device was infected.
What does all of this mean for you and your business IT security?
It may seem impossible for a company to completely protect its IT systems from cyber threats, but with Pokémon, it should take caution by regulating employees’ use of any devices that could link to the company’s systems. This should also apply to the use of the company’s devices and to any other non-work-related apps. Moreover, it should fully restrict employees from accessing the app using the company’s email.
Although Pokémon is fun and viral, attention should be paid to ensuring that sensitive personal and company information is safe. You can now go out and Catch Em All, but not at work or by using an illegitimate copy of the app.