ARTIFICIAL INTELLIGENCE [AI] IS NOT USED, IN WHOLE OR IN PART, IN PREPARING NYPPL SUMMARIES OF JUDICIAL AND QUASI-JUDICIAL DECISIONS

November 12, 2024

Cybercriminals are stealing cookies to bypass multifactor authentication

Federal Bureau of Investigation [FBI], Atlanta Division, Public Affairs Specialist Jenna Sellitto has advised the public that cybercriminals are gaining access to the email accounts of their victims by stealing a "cookie" from their victims' computer. 

A "cookie" is a small piece of data, in this context typically referred to as a "Remember-Me Cookie", that a website sends to the computer, allowing the website to remember certain information about its encounter with the computer, such as login details, preferences, or items in a shopping cart.

"Remember-Me cookies" are tied specifically to a user's login and often last for 30 days before expiring. This type of cookie lets a user log in without having to re-enter the username, password, or the user's multifactor authentication (MFA). Such a cookie is usually generated when a user ticks the "Remember this device" checkbox when logging in to a website.

If a cybercriminal obtains the Remember-Me cookie from a user's recent login to the user's web email, it can be used to sign in as the user without requiring the username, password, or multifactor authentication (MFA). For these reasons, cybercriminals are increasingly focused on stealing Remember-Me cookies and using them as their preferred way of accessing a victim's email. Victims unknowingly hand their cookies to cybercriminals when they visit suspicious websites or click on phishing links that download malicious software onto their computer.

Here are some tips to protect the user from such a risk:

- Regularly clear the cookies from the computer's Internet browser.
- Recognize the risks of clicking the "Remember Me" checkbox when logging into a website.
- Do not click on suspicious links or websites.
- Only visit sites with a secure connection (HTTPS) to protect the computer's data from being intercepted during transmission.
- Periodically monitor the device's login history.
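To show what the advisory describes from the website operator's side, here is an added example (written for this summary; it is not code from the FBI, from NYPPL, or from any email provider). It models a Remember-Me cookie store with the 30-day lifetime mentioned above, records a login history of the kind the last tip asks users to monitor, and adds one mitigation the advisory does not spell out: the cookie is bound to a fingerprint of the browser it was issued to, so the same cookie value arriving from a different device is treated as a likely stolen cookie and every cookie for that user is revoked. All names (RememberMeStore, device_fp, the "fp-..." fingerprint strings) are this example's own, and the assumption that a usable device fingerprint is available is exactly that, an assumption.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical names throughout: illustrative code, not any real site's implementation.
REMEMBER_ME_TTL_SECONDS = 30 * 24 * 60 * 60   # the ~30-day lifetime the advisory mentions


@dataclass
class RememberMeRecord:
    user: str
    device_fp: str      # fingerprint of the browser the cookie was issued to (assumed available)
    issued_at: float
    expires_at: float
    revoked: bool = False


class RememberMeStore:
    """Server-side ledger of Remember-Me cookies plus a login history per user."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records: dict[str, RememberMeRecord] = {}   # keyed by SHA-256 of the cookie value
        self.login_history: list[dict] = []

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash is stored, so a leaked database does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device_fp: str) -> str:
        """Mint a cookie after a full login (password + MFA) with 'Remember this device' ticked."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._records[self._key(token)] = RememberMeRecord(
            user, device_fp, now, now + REMEMBER_ME_TTL_SECONDS)
        self._log(user, "issued", device_fp, "accept")
        return token

    def redeem(self, token: str, device_fp: str) -> tuple:
        """Evaluate a presented cookie and return (decision, user).

        'accept'  -> skip password/MFA, which is what the cookie is designed to do
        'reject'  -> unknown, expired or revoked cookie: fall back to a full login
        'stolen?' -> valid cookie but from a different device: revoke every cookie
                     for that user and require a full MFA login
        """
        rec = self._records.get(self._key(token))
        user: Optional[str] = rec.user if rec else None
        if rec is None or rec.revoked:
            self._log(user, "redeem", device_fp, "reject")
            return "reject", user
        if self._clock() >= rec.expires_at:
            self._log(user, "redeem", device_fp, "reject")
            return "reject", user
        if not hmac.compare_digest(rec.device_fp, device_fp):
            # The same cookie value arriving from another browser is the signature of a
            # copied cookie; treat it as a takeover attempt, not as a convenience login.
            self.revoke_all(user)
            self._log(user, "redeem", device_fp, "stolen?")
            return "stolen?", user
        self._log(user, "redeem", device_fp, "accept")
        return "accept", user

    def revoke_all(self, user: str) -> int:
        """Server-side counterpart of 'clear your cookies': invalidate every cookie for a user."""
        n = 0
        for rec in self._records.values():
            if rec.user == user and not rec.revoked:
                rec.revoked = True
                n += 1
        return n

    def history_for(self, user: str) -> list:
        """What 'periodically monitor the device's login history' would show the user."""
        return [e for e in self.login_history if e["user"] == user]

    def _log(self, user, event, device_fp, outcome):
        self.login_history.append({"at": self._clock(), "user": user, "event": event,
                                   "device": device_fp, "outcome": outcome})


def demo() -> dict:
    """Constructed scenario: the victim's own browser vs. the same cookie replayed elsewhere."""
    t = [1_700_000_000.0]                        # controllable clock for the walk-through
    store = RememberMeStore(clock=lambda: t[0])
    cookie = store.issue("alice", "fp-victim-laptop")      # issued after password + MFA
    t[0] += 24 * 3600
    own = store.redeem(cookie, "fp-victim-laptop")[0]      # next day, same laptop: accept
    other = store.redeem(cookie, "fp-unknown-host")[0]     # same cookie from elsewhere: stolen?
    after = store.redeem(cookie, "fp-victim-laptop")[0]    # revoked, so the victim must log in fully
    fresh = store.issue("alice", "fp-victim-laptop")       # new cookie after a full login
    t[0] += REMEMBER_ME_TTL_SECONDS                        # 30 days later it has expired
    expired = store.redeem(fresh, "fp-victim-laptop")[0]
    return {"own": own, "other": other, "after": after, "expired": expired,
            "history": [e["outcome"] for e in store.history_for("alice")]}
```

Running demo() walks through the sequence in the advisory: the cookie silently replaces password and MFA on the device it was issued to, the same cookie value presented from another device is flagged and triggers revocation, and an expired cookie falls back to a full login. The fingerprint check is a detection aid, not a cure: malware running on the victim's own machine can copy the browser's characteristics along with the cookie, which is why the user-facing tips above (clearing cookies, declining "Remember Me", reviewing login history) still matter.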

Ms. Sellitto suggested that a victim of an account takeover or Internet scam contact the FBI Internet Crime Complaint Center [IC3] at www.ic3.gov.


CAUTION

Subsequent court and administrative rulings, or changes to laws, rules and regulations may have modified or clarified or vacated or reversed the decisions summarized here. Accordingly, these summaries should be Shepardized® or otherwise checked to make certain that the most recent information is being considered by the reader.
THE MATERIAL ON THIS WEBSITE IS FOR INFORMATION ONLY. AGAIN, CHANGES IN LAWS, RULES, REGULATIONS AND NEW COURT AND ADMINISTRATIVE DECISIONS MAY AFFECT THE ACCURACY OF THE INFORMATION PROVIDED IN THIS LAWBLOG. THE MATERIAL PRESENTED IS NOT LEGAL ADVICE AND THE USE OF ANY MATERIAL POSTED ON THIS WEBSITE, OR CORRESPONDENCE CONCERNING SUCH MATERIAL, DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP.
NYPPL Blogger Harvey Randall served as Principal Attorney, New York State Department of Civil Service; Director of Personnel, SUNY Central Administration; Director of Research, Governor’s Office of Employee Relations; and Staff Judge Advocate General, New York Guard. Consistent with the Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations, the material posted to this blog is presented with the understanding that neither the publisher nor NYPPL and, or, its staff and contributors are providing legal advice to the reader and in the event legal or other expert assistance is needed, the reader is urged to seek such advice from a knowledgeable professional.
New York Public Personnel Law. Email: publications@nycap.rr.com