
You're probably accustomed to hearing about – and may have been affected by – data breaches that provide hackers with oodles of usernames and passwords to people's sensitive accounts, such as banking, shopping, and social networking. (A recent analysis we wrote about revealed a billion exposed usernames and passwords.)
But we often get into our favorite websites without having to enter a password. That's thanks to session cookies – little pieces of data stored in your browser that allow sites to "remember" you without requiring a login for each visit. However, a type of cyberattack called cross-site scripting (XSS) can sometimes allow a hacker to copy your session cookie and use that copy to get into your accounts without ever needing your username and password.
After falling prey to XSS in the past, major web destinations have gotten better at blocking hackers from slipping malicious code into their sites. They've also added protections to the cookies themselves (such as the HttpOnly flag) that keep scripts running on the page from reading them.
But vulnerabilities persist, and there's nothing to protect you from a fake site you land on through a phishing email or text message attack. Fortunately, five easy steps can substantially lower the risk of your session cookies being hijacked and other information being stolen. Much of this is standard security advice, but it bears repeating.
Step 1: Keep Your Browser and Operating Systems Up to Date
New vulnerabilities of all types are constantly being discovered, and software makers are constantly issuing patches. Newer browsers make XSS much harder by isolating websites from each other, blocking risky cross-site behavior, and making it harder for malicious scripts to run undetected. Browsers that are tightly integrated with the operating system – like Safari on Apple devices and Chrome on Android – also gain extra protections from the OS, including secure storage for sensitive data.
Step 2: Avoid Phishing Attempts
Stop me if you've heard this before, but it's never a good idea to click a link in an email, text message, DM, or other communication. Even if you feel certain it comes from a reputable source, it's hard to be totally sure. Instead, go to your browser and directly visit a site such as PayPal – one of the most popular phishing targets. Fake versions of major shopping sites like Amazon and eBay proliferate during the holiday season. Be extra wary, especially of promises of unbelievably good deals.
Step 3: Log Out of Accounts
After you log out of a site with good security policies, the site invalidates your session on its end, so your old session cookie no longer works and any copy a hacker made is useless too. Logging out deletes only your session cookie, not other cookies that record items such as your language or appearance preferences for sites. It's much more surgical than deleting all your cookies. Logging back in every time is a bit more work, but using a password manager (see below) makes it almost as easy as relying on session cookies.
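As an added example that is not part of the original article, the Python sketch below shows the two server-side habits that the cookie protections mentioned earlier and Step 3 depend on: a Set-Cookie header carrying the HttpOnly, Secure and SameSite attributes so page scripts cannot read the cookie, and a logout that invalidates the session on the server so a copied cookie stops working. The in-memory store, the one-hour lifetime and the user names are constructed for illustration only.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: session id -> (user, issued_at).
# A real site would keep this in a database or cache.
SESSIONS: Dict[str, Tuple[str, float]] = {}
SESSION_TTL = 60 * 60  # constructed value: sessions expire after one hour


def login(user: str) -> str:
    """Issue a fresh, unguessable session id and record it server-side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, time.time())
    return sid


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value the server sends after a successful login.

    HttpOnly keeps the cookie out of reach of document.cookie, so a script
    injected into the page cannot read it; Secure restricts it to HTTPS;
    SameSite=Lax stops most cross-site requests from carrying it along.
    """
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c.output(header="").strip()


def current_user(sid: str) -> Optional[str]:
    """Resolve a presented cookie value to a user, or None if it is not valid."""
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    user, issued = entry
    if time.time() - issued > SESSION_TTL:
        SESSIONS.pop(sid, None)  # expired: treat exactly like an unknown id
        return None
    return user


def logout(sid: str) -> None:
    """Invalidate server-side: the browser's cookie and any stolen copy now both fail."""
    SESSIONS.pop(sid, None)
```

Because validity lives in the server-side store rather than in the cookie value, a stolen copy is rejected the moment the legitimate user logs out.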
Step 4: Use a Password Manager and Passkeys (Where Offered)
Password managers can autofill your username and password, sparing you the typing every time you log in. And a saved login is offered only on the site you created it for, because the manager matches the web address before filling anything in. If you land on a phishing site, the web address will be different, and your password manager will not fill in your information. You may still have to receive and enter a two-factor authentication (2FA) code, but it's better for your account security.
Many larger sites (such as Amazon, Apple, eBay, and Google) offer an easier alternative with encrypted passkeys. Activating passkeys to log in typically requires just a fingerprint or face scan on devices with biometric tools – or entering a password or PIN. You generally don't need 2FA codes with passkeys, either.
We use and recommend 1Password and Dashlane at Techlicious.
Step 5: Use Reputable Mobile Apps
You can often skip the web browser completely on phones and tablets by installing the mobile apps for accounts such as your bank or a social media network. These apps don’t rely on browser cookies and generally use more secure, app-level authentication methods instead. With biometrics being nearly universal on mobile devices, logging into these apps is a snap.
[Image credit: Sean Captain/Techlicious via Google Nano Banana Pro]