In a recent advisory, the FBI alerted users about a dangerous trend in cybercrime: the ability of hackers to bypass multifactor authentication (MFA) by stealing session cookies. This revelation raises serious concerns about the security of online accounts, including email services, even when additional security measures like MFA are in place.
Understanding the Cookie Theft Risk
Most internet users are familiar with tracking cookies, which monitor online activity. However, the FBI’s warning focuses on session cookies, often referred to as “Remember Me” cookies. These cookies enable users to stay logged in to their accounts without repeated logins. Unfortunately, cybercriminals are increasingly targeting these cookies to gain unauthorized access to user accounts, including email platforms such as Gmail, Outlook, Yahoo, and AOL.
Once hackers obtain session cookies through malware, they can impersonate users without needing usernames, passwords, or MFA codes. This method has proven effective, with Google acknowledging that cookie theft is a growing problem, making these cookies a lucrative target for cybercriminals.
How Cybercriminals Operate
Attackers typically use phishing schemes to steal session cookies. By tricking users into clicking malicious links or visiting compromised websites, they can infect systems with malware that captures these cookies. The FBI warns that selecting the “Remember this device” option when logging into websites can make users more vulnerable. If a hacker gains access to this cookie, they can sign in as if they were the legitimate user, effectively circumventing MFA protections.
Targets Beyond Email Accounts
While email services are a primary focus for cookie theft, this issue extends to online shopping platforms, social media, and financial services, where security measures are often more robust. Despite these protections, the risk remains significant, as attackers continuously evolve their tactics.
Recommended Preventive Actions
In light of these threats, the FBI has provided several recommendations to help users safeguard their online accounts:
1. Regularly Clear Cookies: Make it a habit to delete cookies from your browser to minimize risks.
2. Be Cautious with “Remember Me” Options: Think twice before using this feature, especially on shared or public devices.
3. Avoid Suspicious Links: Only click on secure sites (identified by “HTTPS”) and be wary of unsolicited messages.
4. Monitor Account Activity: Regularly check your account login history for any unauthorized access.
If you suspect that you’ve been targeted by cookie theft or any other cybercrime, report it to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.
The Continuing Importance of MFA
Despite these alarming tactics, MFA remains one of the most effective ways to enhance account security. Experts stress that MFA, when used alongside safe online practices, can significantly bolster defenses against unauthorized access. For instance, Amazon’s recent decision to implement MFA for its enterprise email service underscores the ongoing need for robust security measures, despite delays in its rollout.
Embracing Advanced Security Measures
While any form of MFA is beneficial, not all are equally secure. Passkeys, which link user credentials to device security, offer a superior option. These technologies eliminate the need for traditional passwords, requiring an attacker to have physical access to the user’s device to gain entry. The FIDO Alliance has reported a notable rise in awareness of passkeys, with familiarity increasing from 39% in 2022 to 57% in 2024.
Consumer Trends and Security Awareness
As consumers increasingly embrace passkeys, the demand for passwordless login solutions grows. Notably, FIDO found that 42% of people have abandoned purchases due to forgotten passwords, with that figure climbing to 50% among younger users. Additionally, there’s a rising awareness of sophisticated scams, particularly those leveraging AI, which heightens the need for improved security measures.