Blog Feed

10 Steps to Eliminate Digital Security Risks in Fintech Project

Posted by on 16:11 in Engineering, R&D | 0 comments

Any kind of project can be of potential interest to attackers, since the information stolen in an attack can be turned into cash. In the case of financial projects, though, an attack usually results in attackers transferring user or system funds to an unknown location. This eliminates the extra steps it would otherwise take them to reach their ultimate goal. Regardless of what stage your fintech project is at, it’s never a bad idea to make sure that everything possible has been done to eliminate digital security risks, so that clients and the business itself are adequately protected.

“There are only two types of companies: Those that have been hacked and those that will be hacked.” – Robert S. Mueller, III, Director FBI

In this article, we’ll go over the key financial cyber security concerns, as well as a list of ten components for putting together an effective system to protect the financial information of both users and the company itself.

Note: In early 2018, PSD2, the amended Payment Services Directive for the European Union, enters into force. Later in this article, we’ll describe the main IT security requirements of this directive. If your company operates in or plans to operate in Europe, we recommend that you familiarize yourself with it and download our checklist.

The main financial cyber security concerns

We’ll begin by looking over the main traditional digital security risks facing personal data protection in IT systems for fintech companies.

SQL injection

SQL injection is a digital security threat that involves the introduction of altered SQL queries. Using vulnerabilities in the system’s software implementation, an attacker can execute arbitrary database queries.

Brute-force attacks

Brute-force attacks attempt to recover a password by automatically guessing from a pool of possible passwords. Using a database of likely passwords (like a dictionary) makes this process much more efficient.

Zero-day vulnerabilities

Zero-days are unknown vulnerabilities used by hackers before software developers have fixed them. In addition, system administrators don’t always update software in a timely manner, causing additional digital security risks.

Man-in-the-middle (MITM) attacks

In an MITM attack, messages being exchanged between the ends of a communication channel are intercepted and spoofed using an unauthorized connection.

Phishing

Phishing is one of the greatest financial cyber security concerns nowadays. It involves the theft of a user’s information with the help of fake websites and web applications that mimic legitimate resources. Through nefarious means (often a link in an email or other message), users end up at these fake resources and voluntarily enter their login details into forms that look identical to the real ones.

Banking Trojans

This type of malware is aimed specifically at compromising banking cyber security. It gathers account details, collecting stored information about users’ accounts and sending this data to an admin panel. The admin panel, either by automatic rules or manual intervention, chooses a target and displays a fake page to the user.

Ransomware

Ransomware is typically spread through phishing messages. When it runs, the malware locks the user out of the system and demands a ransom payment.

For 2017, the Open Web Application Security Project (OWASP) identified the following as the most critical web application security risks:

- SQL injection
- Cross-site scripting
- Broken authentication
- Broken access control
- Sensitive data exposure...

Top 7 Tips How to Protect Yourself from Phishing Scams

Posted by on 11:14 in R&D | 0 comments

What phishing is has been well-known for some time now. The first phishing attacks were noted shortly after the World Wide Web appeared. But despite the efforts of IT security specialists to create more effective anti-phishing protection, new phishing sites continue to appear every day. According to the data from several studies, there were about 5000 new phishing sites created every day in 2016. In 2017, this figure will be even greater.

The secret to the resilience of this type of fraud is that it is based not on “holes” in software, but on a vulnerability in human beings themselves, particularly those with access to important data. That’s why we’re going to remind you once more what phishing is, what the most common examples of phishing attacks are, and what you can do to counter them.

“Phishing is a real threat, which is relatively easy to implement and difficult to identify and counteract.” ― Max Oliinyk, Chief Executive Officer, Protectimus Solutions LLP

Basic phishing examples 2017

Phishing is a kind of internet fraud that’s based on social engineering principles. The main purpose of phishing scams is to gain access to critically important data (passport data, for example), accounts, banking details, secret company information, and so on, so that it can be used to steal funds at a later date. Phishing works by redirecting users to fake network resources that function as complete imitations of a real site.

Deceptive phishing examples

The majority of phishing attacks fall under this category. Attackers send out emails pretending to be from a real company, in order to receive users’ account data and thus gain control over their personal or official accounts. You could receive a phishing email claiming to be from a payment processor, a bank, a courier service, an online store, a social network, a revenue service, and so on.

Phishing emails are crafted very carefully. They can be practically indistinguishable from the emails a user would normally receive from the company. The only difference may be in the request to follow a link in order to perform some kind of action. This link, however, leads to the scammers’ site, which acts as a doppelgänger of the entity’s real website.

To get you to click on these links, the emails may dangle a proverbial carrot in front of you: “Take 70% off our services if you sign up within 24 hours!” They may also try to scare you: “Your account has been locked due to suspicious activity. To confirm that you are the account owner, click on the link.”

Here’s a list of some of the scammers’ favorite phishing examples:

- “Your account has been/is going to be locked/disabled.” Scare tactics can be quite effective. The threat of having your account locked if you don’t immediately log in can cause users to let their guard down, follow the link in the email, and enter their username and password.
- “Suspicious/fraudulent activity has been detected on your account. You must update your security settings.” These kinds of emails urgently ask you to log into your account and update your security settings. They work on the same principle as the previous attack. The user panics and lets their guard down.
- “You have received an...

The NotPetya Virus: How It All Went

Posted by on 13:33 in Industry News | 1 comment

27 June 2017 could be called Ukrainian history’s “black cyber Tuesday”. On that day, the NotPetya (Petya.A, ExPetr) attack began, affecting almost all sectors in the country: communications, energy, banking, media, and transportation.

The Petya ransomware is far from the first test of the strength of Ukraine’s infrastructure. Such attacks have been attempted at least three times. The first two attacks didn’t take place on such a large scale, but were highly unpleasant: in late 2015, the BlackEnergy virus, targeting energy company “Ukrenergo”, led to blackouts in some areas. Exactly a year later, in December 2016, some commercial banks and the Ministry of Finance were targeted along with, once again, Ukrenergo. But up to that point, nothing like this had happened.

What it was

Initially, Petya took the form of a file-encrypting virus which would subsequently demand a ransom. Hackers promised a decryption key to users who sent $300 worth of Bitcoins to their electronic wallet. However, these users received no code after transferring the funds, and decryption of the data remained impossible. Some experts, having analyzed the hackers’ strategy, noted that ransomware doesn’t work that way; receiving the ransom funds was not the goal of this attack’s organizers.

As time passes, there is more and more support for the belief that the NotPetya malware was only disguised as ransomware. Its main purpose was different: the destruction of information stored on affected computers’ disks. Based on this, the malware can be categorized as a wiper, rather than ransomware. The encryption-decryption story was there only to divert users’ attention.

There is also another version of the story. It argues that the attackers’ goal was to obtain control over all the infected computers, which would persist even after the removal of the virus and cleaning up of disks. In response to this, though, it can be observed that the method by which the attack was executed was too “loud”, attracting too much attention. A real spy would have attempted to gain a foothold, so to speak, on victims’ computers in the least noticeable way possible, without advertising the infection. Thus, an attempt to cause chaos in large organizations and companies, causing them material losses as well as damaging their image, seems more realistic.

How it got in and spread

One of the main infection vectors was the accounting software M.E.Doc, used for submission of reports and circulating electronic documents in a majority of Ukraine’s enterprises and organizations. An investigation carried out by Ukraine’s cybersecurity team showed that malicious code was injected into an update for the program. Thus, only the computers on which users downloaded the update were immediately infected. The malware then spread through corporate networks, including to machines on which the notorious M.E.Doc had not been installed.

This was possible because back in the spring of 2017, the attackers gained control of an account used by an employee of the developer (Intellect Service), thereby receiving access to the program’s source code. An additional risk factor was the use of outdated software on the company’s server. That very server, in fact, went four years without being updated.

Another way the file-encrypting virus arrived on computers was through phishing emails that contained links which triggered a download of the malware. After infection and a spontaneous reboot, access to these...

Credit Card Fraud – Most Common Ways

Posted by on 12:47 in Industry News, R&D | 0 comments

The faster technology progresses, the more sophisticated and ingenious fraudsters’ attempts to turn it to their advantage become. The more actively we replace the cash in our pockets with credit cards, the more ways emerge to steal money from our bank accounts. To avoid becoming easy prey for fraudsters, it is useful to know what techniques they use to steal data from credit cards. We are going to provide an overview of the fraudsters’ favorite methods of credit card fraud.

How does the credit card fraud occur?

Whatever scheme is used for credit card fraud, one of the fraudster’s main tasks is to find out the credit card PIN. For this purpose a fraudster may use:

- ATM overlays on a keypad. The thief sets a barely noticeable cover plate on top of the real buttons. This device is able to “remember” the digits of every PIN code.
- A miniature camera, which can be attached just above the screen under the hood of the ATM and transmit images to the fraudster’s laptop nearby. Yet it’s easy to withstand this method if you make a habit of covering the keypad with your hand while typing the PIN (just in case).
- Visual observation. The PIN code may simply be watched by a person standing nearby.
- A fake ATM. These are usually installed in popular walking areas. Of course, this ATM does not give out money. Instead, it records the PIN codes of all inserted cards. It can also read the data embedded in the magnetic strip, which may later help to make a full-fledged copy of the credit card. A fake ATM is a large-scale variant usually applied for a long-term operation. It’s unlikely that anyone would turn to this method for the sake of one or two stolen PIN codes.

Once a fraudster has the PIN code, he needs to get the credit card data.

- He can steal the card, which is the simplest method.
- He can defraud the card holder. For this purpose, a special plastic envelope, unnoticeable at a casual glance, is inserted into the card slot. When a cardholder tries to withdraw money, the ATM does not ‘see’ the card through the envelope. It’s also impossible to get the card back without knowing how to do this. Then a seemingly well-meaning stranger comes up and says that he recently faced the same problem and solved it by typing the PIN code twice and pressing the enter button. After several predictably failed attempts, the victim goes to inform the bank about the incident. The fraudster retrieves the credit card together with the envelope (he knows how to do that) and withdraws the money, using the code the victim just entered.

These two methods have one disadvantage: the limited time during which the card can be used. On realizing that the fraudster has stolen money from the card, the customer will immediately ask the bank to block it. The more time passes after the fraudster has withdrawn the money, the better it is for him. That’s why there is one more method.

- He can make a duplicate of the credit card. Another way to get the necessary information is skimming credit cards. Here again, the main instrument is a pad placed over the real card slot, not to make the credit card invisible to the ATM, but to copy...

Fappening 2.0 – Will There Be a Sequel?

Posted by on 15:29 in Industry News | 2 comments

The public’s (sometimes unhealthy) interest in celebrities’ personal lives has inspired hackers to break into their accounts on more than one occasion. In 2014, intimate photos of a number of actresses were leaked online; among them were Kim Kardashian, Kate Upton, and Rihanna. This scandal has since become known as The Fappening. The legal proceedings that followed ended exactly a year ago, in March 2016. According to an official statement, a 36-year-old resident of Pennsylvania was found guilty by the United States Department of Justice.

Lo and behold, on the anniversary of that court’s decision, 15 March 2017, another collection of stars’ private photos appeared online. So far, the victims this time around are Emma Watson and Amanda Seyfried. The names of the affected actresses were previously made known in a post on Reddit, where it had been reported that their names would soon be in the headlines.

The attackers plan to publicly distribute photos of other public figures in the future. If the list of names in the “forecast” is to be relied upon, then Jennifer Lawrence, who was also named as a future victim, will suffer such an attack for the second time. Lawrence’s name was also to be found in the cast of characters of the first “fappening”.

Emma Watson, whose photos appeared in the first set of leaks from the latest iCloud Fappening, kept her cool with a tough response to the incident, drawing up a lawsuit against those distributing her private photos. The famous Hermione was angered by the manner in which her photos were distributed freely, without her consent. Her calm determination is understandable: none of the stolen pictures were erotic and they’re unlikely to damage her reputation. Most of the pictures were taken while trying on clothing and swimsuits two years ago.

Even so, besides the “fitting room” photos, there are also images which allegedly depict a nude Emma Watson that were taken in a bathroom. However, it’s impossible to know for sure whether these photos really are of a nude Emma Watson, as the face of the woman in the images isn’t visible. For this reason, the actress’s representatives have no comments regarding these pictures.

Another actress, Amanda Seyfried, was hit harder: the stolen files include both nude images of the actress as well as intimate scenes with her fiancé. So far, no legal action has been taken to protect Seyfried’s privacy.

How the 2017 Fappening was carried out is still unclear. Last time, the attacker sent phishing messages purporting to be from Google or Apple to potential victims and their acquaintances, requesting their logins and passwords. The hacker’s “harvest”, so to speak, amounted to some fifty iCloud accounts and seventy-two Google accounts, all of the famous public figures. The latest attack was very likely made possible thanks to social engineering.

The best safeguard against seeing your intimate photos all over the web, of course, is not putting them there in the first place; store them locally instead. Cloud data protection cannot be 100% reliable – cloud services have been hacked into repeatedly. However, if you do store data there, you ought to at least follow a few simple safety rules – they’ve been well-known for quite some time, though there are few who follow them in practice. Don’t think that this...

Social Engineering: What It Is and Why It Works

Posted by on 18:46 in R&D | 0 comments

What do advanced network hackers have in common with run-of-the-mill scammers lying in wait for unsuspecting victims on the street? Both of them make extensive use of social engineering, though many of them don’t even know this term.

Social engineering refers to a method of acquiring desired information by using psychology; in particular, the weakness of the human factor: the fact that the reactions of Homo sapiens are largely predictable. Knowing this, it’s possible to “program” the behavior of both individuals and groups.

Examples of social engineering can be found both online and in everyday life. It’s used in marketing and political campaigns, for which terabytes of information about people’s preferences and habits are gathered in advance. After all, knowing typical behavioral and preferential patterns makes it possible to target advertisements that encourage people to buy something, order something, or vote for a particular candidate.

Practices like these certainly aren’t going to please everyone, but at least as far as legal collection of information is concerned, citizens do have the option to not share their data. For example, internet users can prohibit sites from tracking their search and geolocation history.

The criminal application of social engineering techniques is first and foremost to obtain some desired confidential information, naturally without any thought as to the victims’ wishes. The standard procedure used by these social hackers consists of several basic steps:

1. Choosing a valuable target.
2. Collecting data on the target in order to find the most vulnerable avenue of attack.
3. Creating a scenario based on the collected data — this scenario should coerce the victim into taking some action desired by the attacker. (On the internet, the goal is usually to facilitate unauthorized access to a computer system, bypassing authentication and other security measures.)

Speaking of coercion: it’s important to note that there is no outright force involved; instead, the manipulation is invisible to the target, who thinks they are acting of their own free will.

We can model such a situation, in which the victims themselves turn to the attacker for “help”. For example, a flyer with the contact information for a tech support service is left in some conspicuous location in an office, and the attacker remotely creates some sort of problem on an office computer. As a result, the user him/herself turns to the attacker, and in the process of “solving the problem”, they disclose the information desired by the attacker.

Basic social engineering techniques

Phishing

One way to obtain confidential information from the user is through phishing. In this technique, an e-mail is sent to the victims, supposedly from their bank or some other authoritative organization, asking the user to enter some information into a form, such as a username, password, card number, or PIN code. In addition to revealing sensitive information to the attacker, the phishing victims also risk having their devices infected by malware when navigating to the fake website or filling out the form. (We cover the dangers of phishing and how to protect yourself from it in another post.)

Trojan Viruses

Trojan viruses are a variation on the previous method, typically also distributed through e-mail. Instead of a fake form to fill out, the email features an attachment containing malware which can collect or modify data on the user’s computer at a later...

Malvertising: Can It Be Stopped?

Posted by on 16:48 in Industry News | 0 comments

Yet another threat to users’ safety is becoming increasingly prevalent — malicious advertising or malvertising. Malicious advertising itself isn’t new, but recently, its use has become alarmingly widespread: last year, there were almost twice as many instances of malicious advertisements as there were in 2015. Of the 80 million sites analyzed by researchers in 2015, 19,000 pages were found to be infected; in 2016, nearly 30,000 such pages were found. The total number of pages checked was the same for both periods. So, what exactly is malvertising, and what makes it so dangerous?

The history of malvertising

The first cases of malvertising were discovered around late 2007 to early 2008. At that time, attackers exploited a Flash vulnerability (and even today, Flash is loved by hackers due to the large number of security “holes” in it). In 2009, after the online version of the New York Times had malware posing as advertisements inserted into its pages, the site was forced to suspend the serving of third-party ads, and even published advice to help readers avoid the threat. By 2010, malicious browser advertisements grew to such proportions that an interdisciplinary group was formed to combat them. Since 2015, in addition to desktop and laptop browsers, malvertising has also begun targeting the browsers of mobile devices.

Most frequently, attacks target sites with large volumes of daily traffic, enabling attackers to infect as many devices as possible. For example, Huffington Post, The Daily Mail, NYTimes, LATimes, and other major news portals have fallen victim to malvertising attacks at various times. Attackers’ traditional “favorite” targets have been file-sharing sites and BitTorrent trackers. Problems were seen on large forums and at IT help desks. Not even giants like Yahoo and Forbes have been able to escape malvertising attacks.

How it works

Malvertising refers to the practice by which an attacker hides malicious software in advertisements. Typically, what appears to be a simple banner or text ad actually triggers an exploit, infecting the user’s computer with various kinds of malware. Specialized scripts can filter out and target users running vulnerable software, redirecting them to pages that distribute malicious software. Sometimes, it’s not even necessary to click an infected advertisement to be affected. Scripts inserted into the page are automatically run when the page loads.

Attackers have turned to these methods of spreading viruses since the traditional methods involving phishing emails, torrent trackers, and pornographic sites have become problematic. First, these methods have begun to arouse suspicion among users; and second, these methods make it more difficult for the attackers to “catch” employees of major companies in their nets, so to speak. After all, these users are obviously not going to download torrents and watch porn on the company-owned computers they use while on the job. How, then, can attackers reach this “audience”, one which is of such high interest to them? They’ve found a solution in advertisements.

Tools already exist to facilitate attacks on specific companies that interest criminals. This possibility exists thanks to the precisely targeted advertising platforms offered by search engines. (In the search, one can specify a particular region of users, a field of interest, and/or advertising section.) When an employee of a particular company visits the site, he/she is shown the “correct” advertisement, containing a built-in malicious payload (usually spyware)...

What is Online Skimming and How to Avoid It

Posted by on 16:39 in Industry News | 8 comments

Card skimming, implemented through card-reading devices fitted to ATMs, is familiar to many. Nowadays this type of credit card fraud is also appearing on the web. Of course, it has been improved and adapted to its new ‘habitat’. But the crux of the matter remains the same: the theft of credit card information for use in criminal undertakings.

On the web, harmful JavaScript code effectively replaces the skimmers on the card slots. In order to introduce this code onto the servers of internet shops (it is precisely online stores that turn out to be the most frequent victims of these frauds), hackers exploit vulnerabilities which exist in the websites’ software. After installation, the spyware reads the credit card data entered by clients while making purchases. The information from every credit card payment made in the shop is thereby intercepted and sent off to a server under the attacker’s control. After that the thief is able to either sell the card number (on the black market the average price of one “lot” is around ten dollars) or use the other person’s credit card himself.

A protected HTTPS connection won’t help to protect the data: since the malware is installed on the shop’s server, information leakage takes place even before the process of encryption. Often a break-in will leave no trace, not only for the customer whose data was stolen, but even for the owners of the merchant websites.

Online skimming first attracted serious attention at the end of 2015, when researchers found over 3000 internet shops which were “pouring out” client cards’ information. For most of the identified websites, the skimming code worked over the span of a few months, and in certain places even more than half a year. You don’t even want to imagine how many credit card numbers were compromised during this period.

Since then a year has passed. What are the results? The number of merchant sites with online skimming has increased significantly. One of the factors behind the increase in infected stores is that hackers have learned to skillfully mask the harmful code, making its detection quite difficult. If a year ago just one type of online skimmer with a few modifications in the code was generally used, today nine types of JS scripts belonging to three different families have been identified.

However, the main reason for the spread of online skimming is that the managers of internet stores are not very concerned about eliminating it. After the problem was detected, researchers at once informed the owners of the resources about the vulnerabilities in the data protection systems on their websites. Unfortunately, the overwhelming majority didn’t react with due attention. Some simply did not respond to the specialists’ warnings; some doubted the presence of spyware on their sites, claiming their data protection systems to be all in order.

Meanwhile, there are means that make it possible not only to get rid of these harmful “additions” but also to prevent reinstallation: special software that scans websites for vulnerabilities and changes in code, and that can perform daily monitoring and report problems as they arise. Insofar as the store owners are clearly not aware of serious problems, it is worthwhile for potential customers to...

How to Make a Profit out of Voice Call Based 2FA

Posted by on 15:12 in Industry News | 0 comments

You thought all hackers are bad? It’s not so simple: in IT circles there has long been a distinction between “black hat” and “white hat” code crackers. The first are easily understood: they use their skills to deprive users and companies of money, and also prey on other valuable information for the purposes of identity theft. But there are those who engage in hacking not for gain, but with humanitarian and scientific motives. Such “good guys” are called white hat hackers. The main point of their work is to find vulnerable websites and services, and then notify the administrators of such resources. With the help of white hat hackers, administrators have eliminated a lot of bugs, and data protection in the network space becomes a more tractable problem.

Sometimes experts manage to find a “hole” even in those functions that were designed to protect against hacking. That’s exactly what happened with two-factor authentication. The Belgian white hat hacker A. Swinnen has found a clever way to earn extra cash by means of voice call-based 2FA. How can this be possible?

One of the main tasks of information security is to establish the legitimacy of the person requesting access to his or her account on a website, online bank, or payment system. To solve this problem, there exist numerous (often quite exotic) ways to authenticate users. The most reliable among them today is recognized as two-factor authentication using one-time passwords.

The most common way of delivering one-time passwords is SMS authentication. But some companies use a modified version of it: voice calls to the number tied to the user’s account. This is the option used by A. Swinnen. He set up experimental accounts in Instagram, Microsoft Office 365 and Google using phone numbers for which calls and messages are not free. Unfortunately, the systems of these services could not determine that these were paid numbers. As a result, after each call, the companies were billed.

The researcher found a way to make the robots used by Google, Microsoft and Instagram make calls to premium rate numbers as often as possible. Swinnen calculated that over a year he would have been able to get somewhere between 2000 and 670 000 dollars, depending on the service targeted (the least promising was Instagram, and the most – Microsoft).

The white hat hacker told developers about the problems he found at the end of 2015. Admittedly, all three companies have taken steps to eliminate the bugs that had been found in their two-factor authentication.

Such problems could be avoided altogether if companies used more robust and modern methods instead of SMS and phone calls. One such solution is hardware or software OTP tokens, which generate one-time passwords offline. These devices do not use the Internet or telephone networks for the transmission of OTP passwords, which eliminates the possibility of fraud or interception of one-time passwords.

Businesses relying on two-factor authentication in their interaction with customers should remember that, though this is an excellent tool, it is not in itself a panacea against all threats. To make 2FA truly effective, its implementation should be well thought out. The developers should take into account all possible risks (which are often hidden in the most unexpected places). Don’t want fraudsters to find another loophole in your two-factor...

The Risks and Perils of Pokemon GO

Posted by on 11:56 in Industry News | 2 comments

This summer it seems the world has gone crazy over Pokemon. The characters who first gained fame in the animated series from the early 2000s have returned triumphantly and are again earning millions – now in the form of the game Pokemon GO. Its popularity is such that even serious IT-themed internet publications are writing articles about the rules of the game and advice about how to download and install it in countries where the app is not officially released yet.

However, the game has drawn more than just praise. Even though it is a very recent phenomenon, the app has already caused several incidents. In some, it has played the role of victim, and in others, that of villain.

For example, on Google Play there have been three viruses masquerading as Pokemon GO. Of particular concern was one called “Pokemon GO Ultimate”. This “app” from hackers promised access to the game in countries where it had yet to be officially released, but then completely paralyzed smartphones, frequently without the possibility to reboot them. Even after hard reboots, the virus would continue to work in the background. It would also redirect browser traffic to pornographic websites. Two more pieces of malware displayed ads on the screens of the affected devices or threatened the owners of the smartphones into signing up for paid services.

The offending apps were detected and removed from the store, but a large number (more than 50 thousand) of users managed to download the app before that and infect their gadgets. And this happened in the official Google Play store! Imagine what is taking place in less regulated app repositories, where there are practically no checks on the available programs.

It turns out that these are not the only problems one can encounter after downloading Pokemon GO. Widely circulated posts worry about the game’s capability to spy on gamers and pass their personal data on to third parties. Few apps have drawn so much criticism for violating the confidentiality of their users. Some talk of the dirty PR tactics of the company (to attract interest in its product), others hint about a conspiracy of the “hidden world” or about the direct participation of the surveillance state in making the game.

Whether or not to believe these extreme versions is a private choice. However, there is a perfectly official source that makes it possible to find out exactly which information is being collected. On the website of the company Niantic, in the section dedicated to Pokemon GO, one can find the publicly-available confidentiality policy. It’s a shame that people rarely read the EULA – such agreements are not always as boring and useless as they seem.

Let’s Refer to the Source

In writing this article, we used the most recently published Pokemon GO confidentiality policy. We provide here a short summary of the contents of this document:

- To register for the game, in addition to going directly through the service, you can use a Facebook or Google account. All users will need to provide an email address. You also need to provide your age and a name (not necessarily your real one).
- For children 13 years and younger, the permission of a parent or guardian is required in order to register for the game. If a child is discovered to...
