People used to ask me whether online banking was risky. I used to tell them no, as long as you see the little icon of the lock at the bottom of the screen, then you know you have a secure connection. When they ask me that question today, my answer is a little bit different. That depends, I’ll tell them.
You see, hackers are always trying to find new ways to get in and steal personal data, and one of the ways they do it is through the session information in your cookies. Cookies are small pieces of data that a website asks your browser to store, kind of like place markers. They hold information about what you did at that website, and the most sensitive piece is the “session” data. That session data is exactly what the hackers are after. A session is created when a website authenticates you: the web server generates a session identifier (a long random value, often called a session key or session token) and sends it to your browser in a cookie. Your browser then sends that cookie back with every request for the rest of your visit, and the server uses it to recognize you. That is what saves you from having to log in again every time you change pages; the server never asks for your password again, because the cookie is the proof that you already logged in. So if somebody gets hold of that session identifier, they can present it to the website themselves, and the website will treat them as you and let them perform actions as YOU.
So how could a hacker get hold of your session key? There are a few ways someone can get your session information.
- Session fixation: clicking on a link sent by an attacker that carries a session identifier the attacker chose. If the website accepts that identifier and keeps using it after you log in, instead of issuing a fresh one, the attacker already knows your session ID and can impersonate you.
- Logging into a website over public Wi-Fi without using a VPN. If the site (or any page on it) is served over plain HTTP, or the session cookie is not restricted to HTTPS, the cookie travels across the network in the clear, and anyone sniffing the traffic with a packet sniffer can read it.
- Malware. A user gets malware on the computer that reads the browser’s cookie store directly, or intercepts the browser’s traffic, and sends the session cookies to the attacker.
- Cross-site scripting (XSS). An XSS attack injects the attacker’s script into a page from a site you trust, so your browser runs it with that site’s privileges, as if the site itself had sent it. If the session cookie is readable by script (that is, it was not set with the HttpOnly attribute), the script can read the cookie and send it to the hacker.
How do you prevent session hijacking?
- Make sure you ALWAYS use the HTTPS version of a site. HTTPS traffic is encrypted, so a packet sniffer on the network cannot read it. Well-run sites also mark the session cookie Secure, which tells your browser never to send it over plain HTTP, so the cookie cannot leak even if you are tricked onto an unencrypted page of the same site.
- Use anti-malware software and keep it updated. This helps keep cookie-stealing software off your system.
- Log out of web sessions when you’re done, instead of waiting for the website to time you out. Logging out tells the server to invalidate the session ID, so a stolen copy of it stops working.
- Clear your cookies (not just your cache) after using any financial, investment or banking website, so no session cookie is left behind for malware or the next user of the computer to pick up.
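The first item above rests on cookie attributes that the browser enforces, so here is an added example (written for this page, not code from the original post or from any browser or site) that builds a weak and a hardened `Set-Cookie` header, audits which theft paths each one leaves open, and mimics the browser's decision of whether to attach the cookie to a plain-HTTP request. `buildSetCookie`, `parseSetCookie`, `auditSessionCookie`, `cookieHeaderFor`, the cookie names and the hosts are all this example's own; the attribute semantics (Secure, HttpOnly, Max-Age, the `__Host-` prefix) are the standard ones.

```javascript
// Added example: session cookie attributes, weak vs. hardened (not from the post).

// Serialise a Set-Cookie header with the chosen attributes.
function buildSetCookie(name, value, attrs = {}) {
  const parts = [`${name}=${value}`];
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.secure) parts.push('Secure');       // browser sends it over HTTPS only
  if (attrs.httpOnly) parts.push('HttpOnly');   // invisible to document.cookie (XSS)
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute map
// (flag attributes such as Secure become `true`).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Which of the theft paths discussed above does this cookie leave open?
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  return {
    sentOverPlainHttp: !c.attrs.secure,        // readable by a packet sniffer
    readableByScript: !c.attrs.httponly,       // readable by injected XSS
    unboundedLifetime: c.attrs['max-age'] === undefined && c.attrs.expires === undefined,
  };
}

// Mimic the browser: a Secure cookie is only attached to https:// requests.
function cookieHeaderFor(cookies, url) {
  const isHttps = new URL(url).protocol === 'https:';
  return cookies
    .filter((c) => isHttps || !c.attrs.secure)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample headers. The value is a placeholder, not a real token.
const WEAK = buildSetCookie('SESSIONID', 'abc123');
// The __Host- prefix makes the browser reject the cookie unless it is Secure,
// has Path=/ and no Domain attribute (this parser does not enforce that).
const HARDENED = buildSetCookie('__Host-SESSIONID', 'abc123', {
  path: '/', secure: true, httpOnly: true, sameSite: 'Lax', maxAge: 900,
});

console.log(WEAK, auditSessionCookie(WEAK));
console.log(HARDENED, auditSessionCookie(HARDENED));
console.log('weak over http:    ', JSON.stringify(cookieHeaderFor([parseSetCookie(WEAK)], 'http://bank.example/')));
console.log('hardened over http:', JSON.stringify(cookieHeaderFor([parseSetCookie(HARDENED)], 'http://bank.example/')));
```

The point of the last two lines: with the weak cookie, a single plain-HTTP request to the bank's host (an image, a redirect, a typed-in URL) carries the session ID across the network where a sniffer can read it, while the hardened cookie is simply not sent. Setting these attributes is the site's job; as a user you can only check for the lock and prefer HTTPS, which is why the advice above is phrased the way it is.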