Skip to main content

Warning: Hackers could take over your email account by stealing cookies, even if you have multi-factor authentication (MFA)

 



Posted: November 5, 2024 by Pieter Arntz

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up.

Here’s how it works.

Most of us don’t think twice about checking the “Remember me” box when we log in. When you log in and the server has verified your authentication—straight away or after using MFA–the server creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a “Remember-Me cookie” as the FBI calls it) on your browser, which is typically valid for 30 days.

Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system.

If someone steals the session cookie, they can log in as you—even if you have MFA enabled.

This is particularly relevant for email handlers that have an online—webmail—component. This includes major players like Gmail, Outlook, Yahoo, and AOL.

With access to your email account, a cybercriminal can find a lot of useful information about you, such as where you bank, your account numbers, your favorite shops, and more. This information could then be used for targeted cyberattacks that only mention information relevant to you, leaving you more likely to fall for them.

Cybercriminals could use your account to spread spam and phishing emails to your contacts. And perhaps most worrying of all, once an attacker is in your email account they can reset your passwords to your other accounts and login as you there too.

How do these criminals get their hands on your session cookies? There are several ways.

On very rare occasions, session cookies can be stolen by you visiting a malicious website, or via a Machine-in-the-Middle (MitM) attack where a cybercriminal can intercept traffic and steal cookies if they’re not protected by HTTPS on an unsecured network.

However, session cookies are usually stolen by malware on the your device. Modern information-stealing malware is capable of, and even focuses on, stealing session cookies as part of its activity.  

How to keep your email account safe

There are a few things you can do to stay safe from the cookie thieves:

  • Use security software on every device you use.
  • Keep your devices and the software on them up to date, so there aren’t any known vulnerabilities on them.
  • Decide whether you think it’s worth using the Remember me option. Is convenience worth the risk in this situation?
  • Delete cookies, or—even better—log out when you are done. That should also remove or invalidate the session ID from the server, so nobody can use it to log in, even if they have the session cookie.
  • Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission.
  • For important accounts regularly check the log in history where you can see which devices logged in when and from where. You should be able to find this option in your account settings.

Comments

Post a Comment

Please no profanity or political comments.

Popular posts from this blog

Unlocking the Power of Emeritus Board Positions in Credit Unions

  Explore how the Emeritus Board Position in credit unions honors long-serving members, offering them a chance to mentor new leaders while maintaining strategic influence without the responsibilities of active board roles.
Post a Comment
Read Complete Article HERE>»

Both Sides of The Desk!

With over 50 years of experience in the credit union sector, I have had the privilege of observing and participating in its evolution from various vantage points. My journey has taken me from serving as a dedicated volunteer holding critical leadership roles, including serving on the supervisory committee, as director, and as board chairman, culminating in my tenure as CEO for 12 years and now founder and President/CEO of the National Council of Firefighter Credit Unions . This extensive background has enabled me to " Sit On Both Sides Of The Desk ," blending operational expertise with strategic oversight. In this blog post, I want to share how this dual perspective has enriched my understanding of credit union dynamics and fostered more effective governance. By leveraging the insights gained from years spent navigating both the intricacies of daily operations and the broader strategic objectives, I have witnessed firsthand the transformative power of collaboration, communi...
Post a Comment
Read Complete Article HERE>»

How To Make Decisions With Conviction—Even Under Pressure

Why strong leaders act when others hesitate — and how to develop that confidence without needing every answer. I’ve watched smart, experienced leaders freeze. And I’ve been in that same position myself. It’s not because we lack information, but because we don’t feel ready to choose. Leaders often get stuck because they’re waiting for the perfect moment to act. They’re thinking through the consequences, weighing the trade-offs, trying to get it right. But the longer they wait, the harder it becomes to move at all. The truth is that the worst decision isn’t always the wrong one. It’s the one you never make. If you’re in a leadership role, you don’t always get the luxury of knowing. You have to move anyway. Not recklessly, not blindly, but with clarity, purpose and conviction. In high-pressure moments, the gap between average leaders and great ones gets exposed. It’s not a gap in intelligence or experience. It’s a gap in decisiveness. Because conviction doesn’t mean certainty—it means mak...
Post a Comment
Read Complete Article HERE>»

Live - Podcast Understanding The Importance P&L Statements

A Weekly Dose of Innovation for Credit Unions Serving First Responders Welcome to the NCOFCU Podcast: Your Weekly Dose of Innovation. Hosted by Grant Sheehan CCUE | CCUP | CEO, NCOFCU, this podcast is your definitive source for the latest news, insights, and trends in the first responder credit union world.
Post a Comment
Read Complete Article HERE>»

Fed Kicks Off Two-Days of Meetings Today as Critics, Proponents Respond to Rate Increases; Plus, What CUs Should Expect

CUToday WASHINGTON–The Federal Reserve’s Open Market Committee (FOMC) will kick off two days of meetings today and the decision they announce tomorrow will affect everything from the major U.S. markets to credit unions that are seeing strong loan growth to individual credit union members struggling with monthly bills. The FOMC is widely expected to again raise its benchmark rate as it seeks to cool raging inflation. Among those expecting rates to be higher by Wednesday afternoon is CUNA’s chief economist, Mike Schenk, who expects the Fed will push up rates by 75 basis points. That follows the full one percentage point increase made during the Fed’s July meeting. “That’s pretty substantial, but inflation is over 9%,” said Schenk...
Post a Comment
Read Complete Article HERE>»