Security authorities are currently warning that that attackers can even use online sessions, that are protected by two-factor authentication could take over online sessions by stealing  cookies. You should therefore look for the correct procedure with the web browser.

Prescribed: Increased protection for access to data.

Online stores must comply with the Strong Customer Authentication (SCA) requirements of the EU’s second Payment Services Directive (PSD2). The EU regulations on strong customer authentication (SCA) state that customers must prove their identity via at least two of three possible, independent security factors when transacting on the web and in apps, i.e., for example, via a password (security factor knowledge) and biometrics (such as fingerprint). This so-called two-factor authentication (2FA for short) is also known from online banking. Apparently, it can be used to provide increased access protection. Even if a data thief captures a user’s password, he cannot log in with it alone. The user’s fingerprint is then missing, for example, to confirm his identity.

But even strong protection can be circumvented

But unfortunately, two-factor authentication does not automatically lead to secure access. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently reported that attackers have bypassed strong access protection to attack online accounts. In doing so, online criminals have exploited the fact that successful login via the two security factors in a browser is stored within so-called session cookies, so that one does not have to log in again for each new page of an online store. However, it is possible to steal or hijack such session cookies. If an attacker can take over the session cookie in a web browser, they also take over the current session and the identity of the logged-in user. So despite two-factor authentication, access to an online service can be hijacked if you don’t take further security precautions.

It all comes down to the right user behavior

To better protect your online access and prevent cookie hijacking if possible, make sure that session cookies are stored for as short a time as possible. It is therefore important that you not only log out of the online store or online bank, but also close the browser completely. Once the browser is closed, the session cookie becomes invalid. Many users never log out, or they do not close a browser. However, this increases the risk of cookie theft.
But now you know: just using 2FA is no guarantee of strong access protection. For online access, for example, attackers could steal the cookies that are set as proof of successful login. Therefore, always remember the time limit for session cookies and thus closing the browser after logging out.

Are you protecting your online access properly? Take the test!

Question: If a fingerprint is added to my password when I log in, no one can take over my online access to the web store or online banking. Is that true?
No, even two-factor authentication in the browser can be circumvented, for example by hijacking the session cookie.
Yes, because who should be able to forge my fingerprint?

Solution: Answer 1. is correct. Unfortunately, attackers can steal and misuse session cookies to hijack existing online sessions. The theft of the cookie is thereby the theft of the digital identity. Therefore, after logging out of an online service, always exit the browser as well.

Question: If I block all cookies via the browser, this increases access protection. Is that true?
Yes, because without cookies in the browser, cookies cannot be stolen. This way, I can avoid the access protection from being undermined.
No, because the browser needs the session cookies to function as it should. So-called technical cookies (for example for the shopping cart function) should not be blocked.

Solution: Answer 2. is correct. Complete blocking of cookies can indeed prevent hostile takeover of session cookies and ongoing online sessions. But then web browser, online store and online bank will not work as desired and required.

Session cookies prevent you, as a user, from having to continuously log in to the online store during a shopping transaction. Without cookies, you cannot collect products in the online shopping cart and pay together. Therefore, you need to better protect session cookies by using the web browser in the right way. It does not help to simply block all cookies.