FBI: Agency issues warning about session cookie theft

The FBI Atlanta warns that cybercriminals are using stolen session cookies to hijack online accounts. A new web standard is intended to remedy the situation.


(Image: created with AI in Bing Designer by heise online / dmk)


The FBI Atlanta recently issued a warning that cybercriminals are using session cookie theft to take over email accounts. The method is not new, but it appears to be on the rise. The insidious part is that even more secure login methods, such as passkeys or the various forms of two-factor authentication, do not protect against an account takeover of this kind: the attacker does not need the credentials at all, because the stolen cookie represents a session in which the login, including any second factor, has already been completed.

Google has been working on a solution to the problem for some time: so-called Device Bound Session Credentials (DBSC) are intended to prevent attackers from taking over an active session remotely in future. Development is taking place in a public GitHub project, with the aim of creating an open web standard. With device bound session credentials, active sessions are bound to the device on which they were started, so stolen cookies could no longer be used to log into an account from elsewhere.


The mechanism is somewhat reminiscent of passkeys, because like that login procedure it relies on public-key cryptography: when logging in to a service, a key pair consisting of a private and a public key is generated. The private key is stored securely on the device in question, the public key on the server of the respective web service. To keep the private key safe, the developers want to use protected hardware modules such as the Trusted Platform Module (TPM) of a Windows computer. Users should be able to delete generated keys at any time in the browser settings.

Until then, you can protect yourself against session cookie theft by avoiding the malware that steals cookies in the first place. It is important, for example, to use the web only over secure connections and not to fall for phishing emails that contain a link to download such malware. To further reduce the risk, you should always log out of a service instead of simply closing the browser window or tab: logging out ends the active session on the server side and invalidates the session cookie.

(kst)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.