
How Pokémon GO Became A Hacker’s Playground

Pokémon GO has literally become a total mobile game-changer.

Consumers have flocked to the game in epic proportions and with a level of passion that’s seen some quit their jobs to play full time or become so distracted while playing that they fall off cliffs or walk into traffic.

Pokémon GO hit 100 million downloads within a month of launch — 50 million of those in just the first week, with 80 percent of users making in-app purchases and the average user spending 43 minutes a day playing.

To put that into perspective, it took the telephone 75 years to reach that same milestone, and it took the television 13 years. Facebook needed 3.5 years, and the previous mobile game record-holder, “Angry Birds,” took 85 days to hit the 50 million-user mark.

Users have even become so enthralled with the game that they’ve provided full access to their Google accounts without even knowing it, essentially giving the mobile app full permission to see all of their email, search history and even payment card credentials — all in the name of advancing through the game.

That’s right, players are intentionally (or unintentionally) giving up personal and sought-after data just to get a level up.

Now, that’s influence.

But users looking for a fun new hobby or businesses going after the ultimate online-to-offline commerce experience aren’t the only ones flocking to Pokémon GO.

In a recent live digital discussion, Rich Stuppy, Chief Operating Officer of Kount, joined Karen Webster to highlight how Pokémon GO has quickly become a fraudster favorite — providing ample opportunity to compromise the highly sought-after, valuable personal information that Pokémasters are too busy trying to “catch ’em all” to realize is in jeopardy.

Not only has Pokémon GO racked up millions of users, it’s also brought in over $200 million in real revenue as of August — a significant figure that Stuppy said hackers are paying close attention to.


Shining Light On Hidden Dangers

Despite the fun, exciting and groundbreaking experience Pokémon GO was designed to create for its millions of users, there is a dark side to the game many are unaware of.

With the game’s success has come the increased threat from fraudsters who have picked up on the niche opportunity presented and are looking to exploit the game’s players.

“This is a case of augmented reality taking on a life of its own — a game experience adding real value and spinning off additional industries — and sure enough, this big thing has attracted the attention of bad guys,” Stuppy explained.

With players so focused on performing tasks inside the game — such as making in-app purchases — in order to get to the next level, Pokémon GO has quickly become a breeding ground for hackers and fraudsters.

According to Stuppy, cybercriminals typically play by two rules: Get the money and don’t get caught.

“When you’re playing by such a limited set of rules, it’s really easy to react quickly and take advantage of a hot trend,” he added, noting that scammers are able to take an “observe-and-react approach” to popular crazes, like Pokémon GO.

Hackers are tapping into the psychology of the competitive gamer, who wants to keep advancing through the game, by using classic phishing campaigns to trick users into mistakenly giving up their credentials to the game, email, payment info, etc.

Stuppy said that people on eBay sell access to legitimate leveled-up or advanced Pokémon GO accounts, which can range in price from $20 to $10,000 and allow users to pay for better game status without having to do the work.

Knowing this, fraudsters are offering access to what looks like a leveled-up account or a bounty of in-game bonuses but is really just a ploy to collect and steal personal information.

Users even fall victim to malicious email campaigns promoting free Pokécoins (the virtual currency inside the game) that require filling out a form and providing data for a chance to “win,” which Stuppy said also takes advantage of the urgent emotional response gamers have to get something free or get ahead in the game.

“It’s essentially the Nigerian Prince scam but with Pokémon,” he explained.

Though the video game industry has long been a hotbed for fraud due to the focus on digital goods with instant delivery, authentication challenges and the fact that the user experience is the product, the addition of a physical context in Pokémon GO has also brought on unique challenges.

“It can be a legitimate business for people,” Stuppy noted. “It’s early days with Pokémon GO, but we know other longstanding game platforms that have developed a huge following have black and grey markets all over the globe and all over the internet.”


The Gaming Tightrope

Though it’s easy to look at fraud through the narrow lens of payments, the success and subsequent fraud threat related to Pokémon GO offer insight into a new environment where fraud risks go beyond just payments and, in many ways, have never really been experienced before.

In the world of gaming, Stuppy said that the challenge comes down to striking a balance between preventing the fraud and protecting the integrity of the game.

The customer experience is what’s at risk but, at the same time, what’s being sold to gamers, which makes fighting fraud a very complex problem for gaming companies.

In the case of Pokémon GO, its great success and viral following mean an even bigger job for the people responsible for detecting what’s fraud and what’s not.

“You’ve got to anticipate the negative things that the following is going to generate and look at ways to protect the areas of exploitation,” Stuppy explained.

He said it’s a job that requires a layered approach and dealing with a tremendous amount of data in order to effectively classify transactions and behavior of those using the game and, of course, doing that without introducing additional friction.

With the current volume and level of digital and online payments, as well as the macrotrends impacting them, Stuppy said it’s getting harder for the good guys and easier for the bad guys.

Today, the payments industry is required to work simultaneously on many moving pieces, including stemming the tide of breaches, reducing the use of stolen credentials and managing fraud risk and loss to acceptable levels.

“The industry is really challenged with finding the balance between preventing fraud and facilitating commerce,” Stuppy stated.

But for a viral sensation like Pokémon GO, which he noted has done a lot of things right in order to build up an engaged user base and solidify its value proposition, there are always going to be challenges in addressing fraud.

“When in doubt, do everything you can to acquire the customers and put as little friction in the way of those customers as possible, but protect your flanks to the extent that you can in a friction-free way,” he suggested.



