Session stealing: another route to identity theft


On any given weekend, a typical internet user might log on to a social networking website to catch up with friends. Or, having received an e-mail from an online retailer or cinema, they might wish to find out more about a forthcoming sale or new film.

As seasoned internet users, we are scornful of those who fall for the grammatically poor “phishing” e-mails we all receive from crooks urging us to log in to our bank accounts. We are careful how and where we log on to check our bank statement online and know better than to give out security information to an unknown caller.

But while we’re catching up with cyber-friends or debating Bond versus art-house movies for Saturday night, could a third party be looking in? And what could they do if they were?

When a user logs on to a website using their log-in details and password, a session identity “cookie” (a parcel of text that identifies a user) is sent to their computer; the website then uses it to recognise them as an authenticated user.

It is by using these “sessions” that the website allows people to access their account, perhaps giving access to address, credit card information or order history until they log out or close the web browser. That then ends the session, destroying the session cookie. Or at least it is supposed to.

If the hacker can steal or guess a user’s session cookie value, then they can usually get into their account, just as if they had stolen their username and password.

There are several ways to achieve this. One technique is known as “cross-site scripting”, which allows attackers to inject malicious code into a web page. If a website is vulnerable to this attack, then the attacker can send the user an e-mail with a link to the website. If clicked and activated, then when the user next logs in, their session cookie is automatically sent to the attacker.

Session cookies should have random, long, complex values. If they do not – if, for example, they are numbered sequentially – then the attacker can simply guess them. Finally, some websites let the user log in over an unencrypted connection, so the session cookie can simply be picked up – or “sniffed” – from the connection to the website.
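The server-side half of what the last few paragraphs describe, as an added example that is not code from the article or from SecureTest: a session is created with an unguessable ID, looked up on each request, and destroyed at log-out; beside it sits the sequential scheme the article warns about and a small audit that flags it. The in-memory dictionary, the 128-bit floor and the function names are assumptions made for the example.

```python
import math
import secrets

# Added example, not code from the article or from SecureTest. The session
# store is a constructed in-memory dict: session ID -> username.
SESSIONS = {}

# Assumed floor for how much randomness a session ID should carry.
MIN_BITS = 128


def issue_session(username: str) -> str:
    """Issue a fresh, unguessable session ID from the OS random source."""
    sid = secrets.token_urlsafe(32)   # 32 random bytes -> 43 URL-safe characters
    SESSIONS[sid] = username
    return sid


def lookup_session(sid: str):
    """Return the user behind a presented cookie value, or None if unknown."""
    return SESSIONS.get(sid)


def end_session(sid: str) -> None:
    """Log-out must destroy the server-side session, not only the browser cookie."""
    SESSIONS.pop(sid, None)


class SequentialIssuer:
    """The weak scheme the article warns about: IDs that simply count upwards."""

    def __init__(self, start: int = 1000):
        self.counter = start

    def issue(self) -> str:
        self.counter += 1
        return str(self.counter)


def looks_sequential(ids) -> bool:
    """True when every ID parses as an integer and consecutive IDs differ by one fixed step."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    if len(nums) < 2:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1


def approx_bits(ids) -> float:
    """Crude upper bound on randomness: shortest ID length x log2(characters actually used)."""
    if not ids:
        return 0.0
    alphabet = set("".join(ids))
    if len(alphabet) < 2:
        return 0.0
    return min(len(i) for i in ids) * math.log2(len(alphabet))


def audit_session_ids(ids) -> dict:
    """Audit a sample of issued IDs the way a reviewer of a site's cookies would."""
    ids = list(ids)
    result = {
        "sequential": looks_sequential(ids),
        "approx_bits": approx_bits(ids),
    }
    result["ok"] = (not result["sequential"]) and result["approx_bits"] >= MIN_BITS
    return result


if __name__ == "__main__":
    weak = SequentialIssuer()
    print("sequential scheme:", audit_session_ids(weak.issue() for _ in range(10)))
    sids = [issue_session(f"user{i}") for i in range(10)]
    print("random scheme:    ", audit_session_ids(sids))
```

The audit is deliberately simple: it only catches the two failures the article names (too little randomness and predictable ordering), which is enough to reject a counter-based scheme and accept one built on the operating system's random source.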

The most likely places to have sessions stolen are when browsing the internet at a wireless hotspot or even at work, because these are the places where internet traffic is most likely to be exposed to others on the same network. Take extra care logging in to sites when in these environments.

Web application security is improving. However, there are still some reputable online retailers that allow users to log in over http, instead of the encrypted https.

Further, numerous websites allow “cross-site scripting” attacks and some still have weaknesses in session cookie “randomness”.

In all these cases it is the customer, not the website itself, that is under attack – it is the customer’s session cookie that is stolen, not the retailer’s website that is hacked – and so there is less motivation for the retailer to put up defences.

So how can users avoid becoming victims?

Although these techniques are used to attack the user, attacks are only possible where technology allows it. Websites that encrypt log-in and password information over a secure link are generally safer than those that do not – although no website is completely secure. Users should look for the padlock symbol and “https” rather than “http” at the start of the website name, or URL, in the browser.

Websites should also ensure that cross-site scripting cannot be used and that session ID authentication is sufficiently robust and protected. And owners of e-commerce sites should give serious consideration not just to functionality and usability, but also to security, particularly web application development procedures.
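Two of the site-side defences just mentioned, as an added example that is not code from the article or from SecureTest: the session cookie is issued with the HttpOnly attribute (page scripts cannot read it), the Secure attribute (the browser never sends it over plain http) and SameSite, and user-supplied text is escaped before it is placed in a page so it is displayed rather than run. Only the Python standard library is used; the cookie name `session` and the `Lax` setting are assumptions.

```python
import html
from http.cookies import SimpleCookie

# Added example, not code from the article or from SecureTest.


def session_cookie_header(sid: str) -> str:
    """Build a Set-Cookie value carrying the attributes that blunt cookie theft.

    HttpOnly keeps injected script away from the cookie, Secure keeps the cookie
    off unencrypted http connections, SameSite limits cross-site sending.
    """
    jar = SimpleCookie()
    jar["session"] = sid            # cookie name is an assumption for the example
    morsel = jar["session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


def cookie_is_hardened(header: str) -> bool:
    """Check a Set-Cookie value for all three attributes, as a reviewer of a site's responses would."""
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    return {"httponly", "secure", "samesite"}.issubset(attrs)


def render_comment(user_text: str) -> str:
    """Escape user-supplied text before embedding it in HTML so the browser shows it as text."""
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


if __name__ == "__main__":
    header = session_cookie_header("example-session-id")   # constructed value
    print("Set-Cookie:", header, "hardened:", cookie_is_hardened(header))
    print(render_comment('Nice film <b>"Skyfall"</b> & co'))
```

Escaping at the point of output is the general rule of which the script tag is one instance: any text that came from a user is treated as data, never as markup, whichever characters it happens to contain.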

Pressure is mounting that may well prompt websites to invest further in securing their sites. Until then, it’s every user and hacker for themselves.

Ken Munro is managing director, SecureTest (www.securetest.com)

Copyright The Financial Times Limited 2017. All rights reserved.