To hack an online account, you need a password. Wrong. Today’s tech-savvy hackers have found a way around the pesky task of hunting down login credentials – using cookies.
In the online world, cookies do not refer to sugary confections best eaten with milk. Instead, cookies are sequences of letters and numbers your computer stores. Think of the times you’ve seen a “Remember me” box on a login page. By checking that box, you’re asking your computer to keep track of cookies.
Ashley McAlpine, Fraud Prevention Manager at CO-OP, says the beauty of cookies – from a user-experience standpoint at least – is their ability to let you bypass repeated logins. That’s also what hackers love about them. Through reverse engineering, hackers can re-create cookies to trick websites into automatically logging them in. Then they have free rein to explore an account for as long as they want.
“Once a hacker accesses consumers’ accounts, say for email, they may be at risk of identity fraud,” said McAlpine. “Any personal details available through their accounts are at the mercy of someone with malicious intent.”
Beyond consumers’ personal information, forged cookies could lead hackers to something equally vulnerable – payment card information. Some websites remember credit and debit card information for repeat customers. While this offers some convenience at checkout, it also presents an increased risk of card fraud should an account become compromised.
Incidents of forged cookies have already occurred on a large scale. In addition to its initial hack woes, Yahoo also announced that cookies were used to breach more than 32 million accounts through 2015 and 2016. Looks like those hackers got their hands caught in the cookie jar.
While creating forged cookies is extremely difficult, it is not impossible – as the Yahoo breach shows. CO-OP’s Chief Information Security Officer Paul Love notes determined hackers will likely find their way into online accounts. “This breach demonstrates just how valuable robust security measures are,” said Love. “Even a company with vast resources like Yahoo can be susceptible to attack if security best practices aren’t followed.”
For credit unions, Love says the best line of defense is ensuring strong protections are in place around software development processes and information systems. Security teams should be involved early in the software development process. This can help ensure a credit union’s code is built securely.
Mitigating members’ vulnerability to forged cookies is also important. By educating members on the following best practices, credit unions can help them stay safe.
- Frequently change passwords. Performing this simple action on a consistent basis can help reduce the impact of forged cookies – helping ensure an account’s security.
- Never share PINs or passwords. A financial institution will not request PIN or password details. Any phone calls or emails requesting this information should be considered suspicious and treated with caution. It could very well be a fraudster on the other end.
- Opt for multi-factor authentication. Some websites will offer the option to engage in multi-factor authentication – meaning consumers must verify their identities in two different ways before entering their accounts. With this method, for example, consumers may log in with a password and then confirm the access through a text message.
- Ignore the “Remember me” box. Not allowing web browsers to save usernames and passwords can reduce members’ cookie trails.
- Regularly review financial account information and activity. Should hackers gain access to consumers’ payment card information, the chances of fraudulent charges occurring are relatively high. By carefully going over their credit and debit card statements upon receipt, consumers can help ensure there are no unauthorized charges.
- Browse responsibly. Members should open a new web browser when using financial and other sensitive sites. General web surfing activities should be kept separate.