Hacking Pokémon Go: a classic case of follow the money

Pokémon Go released to a slew of historic firsts on July 6. In its first week, downloads for the augmented reality location-based game surpassed many of the top-used mobile apps like Snapchat, Tinder, and Instagram, leading to a massive influx of value and a 13 percent increase in stock price for the game’s IP holder, Nintendo, as players downloaded the app almost 8 million times in the days after its release and took to the streets hoping to “catch ‘em all.”

Unfortunately, its runaway popularity, combined with its exposure in the press, has also led to equally massive security issues. The risks range from reported cases of malware and exploits, to concerns from cybersecurity experts on the publisher’s storage and use of players’ personal data, to reported cases of real-world bad guys using the game’s system of visible Pokémon “lures” (which can draw huge crowds of players hoping to catch the resulting in-flux of virtual Pokémons to that location) as a honeypot for armed robberies. This has all happened within seven days of the game’s release.

While certainly surprising to the general public, these ramifications should come as no surprise to veteran online video game developers and players. With recent events such as the targeted attack on Steam, bad guys hoping to make a buck are increasingly looking at online games as a business opportunity and will always “follow the money” toward the latest, hottest title. Pokémon Go is the current “hot thing” in online games, and the same effect that generates excitement and buzz in players’ minds also serves as both an irresistible temptation and lucrative opportunity for those who prey on them.

The bad news for Pokémon Go players is that given its runaway success, things are bound to get worse before they get better as more hackers, cheaters, and fraudsters turn their attention toward this game. If history is any indicator, this will lead to decreasing player satisfaction and retention, as well as higher support costs and a negative impact on monetization. Even worse for developer and operator Niantic, as well as license-holder Nintendo, the longer these bad actors remain inside the game environment, the harder and more expensive it will be to drive them out.

More important, with the recent announcement that in-game item trading between players is a feature that will soon appear in Pokémon Go as “a core element,” massive cyber attacks, as well as an increase in in-game fraud, item farming, and player abuse, are all but certain. Once in-game item trading is turned on, financially motivated hackers and fraudsters will have even more reason to flock toward the game, creating a booming gray market in unauthorized Pikachu and Charmander resales, in-game item and currency farmers, and an inevitable spike in account takeover activities designed specifically to steal and liquidate players’ hard-earned collections, as well as players’ financial and personal information.

In-game cybercrime now costs video game publishers up to 40 percent of their in-game revenue, which, if not addressed quickly and efficiently, could equate to tens or hundreds of millions of dollars in loss for Pokemon Go over time. Unfortunately, the virality of the game creates an equally massive financial opportunity for bad guys who prey on and ruin online virtual worlds. To protect the financial integrity of the game and the in-game experience for the player, video game publishers, including Niantic and Nintendo, must aggressively invest a portion of their profits to do everything they can to root out cheaters and fraudsters before their actions become intolerable to the players.

The video game industry is under siege, and the hackers, fraudsters and cheats will only become more motivated and skilled with time. As in-game cyber attacks increase in frequency and sophistication, it’s more important than ever for video game publishers to take responsibility in protecting their games, and their players, from cyber crime – or risk perpetual financial and reputational damage.

Matthew Cook is a veteran security and risk professional, lifelong gamer, and co-founder of Panopticon Labs.