Cookie scraping: How data thieves could steal your personal information online

You've seen the pop-ups, where a website alerts you that it's using cookies.

Cookies are data files that help sites track your activity and remember the last time you visited a page, so they can provide a more personal experience.

There are two different types of cookies:

Session cookies are used by e-commerce sites to keep track of what you put in your shopping cart. Those are temporary and essentially vanish once you close out your browser.

Persistent cookies allow websites to remember settings like login or account information. But there's a warning about some of those cookies falling into the wrong hands.

IT expert and forensics investigator Colman Ryan says cookie scraping is where a hacker is able to copy code from your cookie and log in to the site you're using.

While the cookie doesn't display your password, it contains a hash that's equivalent to your password.

"And when you go to the website, it's matched to a hash on the server side. And it's basically equivalent to your password," Ryan said.

In worst-case scenarios, he says banking or social media sites could be affected. So how are the bad guys getting this cookie data? There are a few things to watch out for.

"If you've ever been to a website and it pops up and appears to be running a virus scan and states you have viruses, these could be legitimate sites that have been compromised, so they can scrape your cookie that way," Ryan explained.

Other techniques include technical support alerts. If you let them remote into your computer, they can very quickly get all your cookies in a matter of seconds.

Attacks through public WiFi are also common.

"Now there is a way you can sanitize your stolen cookies," Ryan said.

Simply go to your browsing history and clear all. Be sure to change your passwords frequently as well.

If your cookies are compromised and copied, Ryan says a password change can protect you.

Another option: Create extra login protections for your most valuable assets, like online investment and banking accounts, by using 2-step verification as well as 2-step authentication.

"Every time I log into my bank account now or my investment fund, I get a new pin number sent to the phone," Ryan explained.

Be sure to avoid using auto-fill features that web browsers promote. Ryan says hackers can easily obtain that information, too.

Finally, look into a strong VPN to protect your mobile devices.

Follow Erik Barajas on Facebook and Twitter.
Copyright © 2022 KTRK-TV. All Rights Reserved.