The Biggest Mistake Many of Us Make Online
How many of you log off your accounts after completing a bank transaction?
Hopefully this is already your habit on a shared or public computer, but it matters on your own machine too. Even on your home network, leaving a session open after you finish your transactions is a risk.
Would you ever start a phone call and leave it open for the rest of the day? No, right?
When you log in to your bank, social media, email, etc. you start something called a session; this is like making a phone call and having someone answer. After you complete the conversation, you hang up by pressing the end button; this action closes that call session. Now let's say that, instead of pressing the end button, you press the lock screen. When you do this, the call stays open and the conversation can be resumed at any moment without dialing that number again. In the same way, if you simply close the browser tab or window without logging off, the website's side of the session stays open, and anyone who presents its cookie can pick the conversation back up.
When you log in, the website issues your browser a cookie (a session identifier) so it can tell that later requests come from the same authorized user. The problem lies in the fact that this cookie can be stolen, and someone who replays it can hijack the still-open session. Conversely, when you log off, the website invalidates the session on its server. If the attacker then tries to go back to the page with the copied cookie, they cannot continue your session because the website knows the conversation is over. Just as you would have to dial again after hanging up, they would have to log in again, which means they need your password (and your second factor, if you use one). One caveat: this only holds if the site's logout actually destroys the session on the server rather than merely deleting the cookie from your browser. Well-built sites do this, and it is one reason to use the site's own log out button instead of just closing the window.
Why should you care?
Session hijacking is a relatively simple attack once the attacker holds a valid session cookie. There are three broad ways to obtain one: from the hardware, from software, or over the air. The hardware approach means stealing the physical device, along with its logged-in browser and saved cookies. The software approach means getting malware onto your system that reads the browser's cookie store or "listens" in on your traffic as you connect. The over-the-air approach means intercepting your Wi-Fi connection (for example on an open hotspot or a rogue access point) and capturing the data as it is transmitted; historically this was the easiest of the three, although it only yields cookies from sites that still send them over unencrypted HTTP or without the Secure flag, so the spread of HTTPS has blunted it considerably. Any of these approaches can hand an attacker the session cookie needed to impersonate you to your bank or social network.
Many financial institutions enforce short session expiration times that limit the window for this, but many of the other websites we use every day do not, or let a session live for weeks. Remember, a boat doesn't need every hole left unpatched to sink; one is enough. Likewise, an intruder doesn't need every approach to work, just ONE.
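To make the two points above concrete (a stolen cookie keeps working until the server ends the session, and the server can end it either when you log out or through an idle timeout), here is a small added example: a toy server-side session store in Python, written for this article and not taken from any real website or framework. The names SessionStore, login, request, logout, logout_client_only and the 15-minute IDLE_TIMEOUT are assumptions for the illustration, the user "alice" is made up, and the "stolen" cookie is simply the victim's own value copied, which is exactly what a hijacker would hold after any of the three approaches described.

```python
import secrets
import time
from typing import Callable, Dict

# Assumed idle timeout for the demo: how long the server keeps a session alive
# with no requests. Real sites range from minutes (banks) to weeks (many others).
IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """Toy server-side session table keyed by the cookie value (made up for this
    article). The clock is injectable so the demo can fast-forward time."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def login(self, user: str) -> str:
        """Start a session and return the cookie value the browser will store."""
        cookie = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[cookie] = {"user": user, "last_seen": self._clock()}
        return cookie

    def request(self, cookie: str) -> str:
        """Authenticate a request by its cookie and return the user it belongs to.
        Raises PermissionError if the session is unknown or has expired."""
        sess = self._sessions.get(cookie)
        if sess is None:
            raise PermissionError("unknown session: log in again")
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[cookie]  # purge on expiry, never just reject
            raise PermissionError("session expired: log in again")
        sess["last_seen"] = now  # sliding window: activity keeps it alive
        return sess["user"]

    def logout(self, cookie: str) -> None:
        """Correct logout: destroy the session on the server side."""
        self._sessions.pop(cookie, None)

    def logout_client_only(self, cookie: str) -> None:
        """Broken logout, included to show the caveat: the site only tells the
        browser to delete its cookie and leaves the server-side entry alive."""
        pass  # nothing reaches the session table; the server still honours the cookie


def _replay_works(store: SessionStore, stolen: str) -> bool:
    """Does the attacker's copied cookie still authenticate as the victim?"""
    try:
        return store.request(stolen) == "alice"
    except PermissionError:
        return False


def replay_after_browser_closed() -> bool:
    """The article's warning: closing the browser tells the server nothing, so
    the copied cookie keeps working. Returns True if the replay succeeds."""
    store = SessionStore()
    stolen = store.login("alice")  # attacker copies this value
    return _replay_works(store, stolen)


def replay_after_logout() -> bool:
    """Proper logout: the replay is rejected. Returns True if it is rejected."""
    store = SessionStore()
    cookie = store.login("alice")
    stolen = cookie
    assert _replay_works(store, stolen)  # hijack works while the session is open
    store.logout(cookie)                 # victim presses "log out"
    return not _replay_works(store, stolen)


def replay_after_client_only_logout() -> bool:
    """The caveat: a logout that only clears the browser cookie does not stop
    the replay. Returns True if the replay still succeeds."""
    store = SessionStore()
    cookie = store.login("alice")
    store.logout_client_only(cookie)
    return _replay_works(store, cookie)


def replay_after_idle_timeout() -> bool:
    """Server-side expiry: with no activity for IDLE_TIMEOUT the session dies
    even though the victim never logged out. Returns True if replay is rejected."""
    now = [1_700_000_000.0]                     # constructed fake clock
    store = SessionStore(clock=lambda: now[0])
    stolen = store.login("alice")
    now[0] += IDLE_TIMEOUT + 1                  # victim walked away for a while
    return not _replay_works(store, stolen)


if __name__ == "__main__":
    print("replay after closing browser works:   ", replay_after_browser_closed())
    print("replay after real logout rejected:    ", replay_after_logout())
    print("replay after cookie-only logout works:", replay_after_client_only_logout())
    print("replay after idle timeout rejected:   ", replay_after_idle_timeout())
```

The four scenario functions map onto the article's advice: only a real server-side logout or a server-side timeout ends the session, and of those two, the logout button is the one you control.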
I know this is not a big risk for most everyday users, but logging off is a completely free habit that can cut your chances of having your private and financial information stolen.