Super cookies threaten bank security by exposing both customer data in ways that are more discreet than ever before.
What are super cookies?
Super cookie are sometimes called zombie cookies. The most typical type of super cookie is called flash cookie because it is a cookie from Adobe Flash plug-in. Cookies are little bits of code websites leave on your browsers cookie folder so that it can remember your preferences and, should you choose to do so, account information and password. Basically, when you turn on your browser and you can get to your email or Facebook without having you login, the website has a cookie in your browser cookie folder. It is pretty convenient.
The usual threat
If this bit of code contains personal information, then of course your identity is threatened by anything that is going to try to retrieve it when it is not supposed to. The codes need to be deciphered, usually. There are lots of websites and phone applications known to have very security on their cookies, making it very simple to decipher. On a consumer level, this is dangerous because most consumers are not all that creative with their passwords, using the same one for all of their accounts.
The banking relevance
For banks, the threat is more real than ever. Transactions are usually legitimized in multiple ways: correctly identifying the transaction parties, correctly using the transaction accounts, correctly using passwords, matching payment sender and receiver, matching banking institutions and on and on. Most of these matches have been nearly eliminated because the banking system has taken care of most of them, having the consumer contact points reduced to the point of sale.
The primary banking threat
Now that the whole purchasing process can take place online, a digital path can be created for transactions. Here’s how it works: Jaco wants to purchase a bass guitar. He goes to SuperBassGuitarGlobalMarket.com and looks around. Jaco looks are strings and pick-ups and amplifiers along with bass guitars. He purchases a rare Flea Bass and nothing else. SBGGM keeps a cookie on his computer so that when he returns the website can present him with suggestions based on his purchase and his surfing history. If Jaco deletes the SBGGM cookie, then his return visit will not have any suggestions based on his surfing history. If SBGGM uses Adobe Flash on its website and creates a cookie in Adobe Flash, it keeps the cookie in an Adobe folder rather than a browser folder. Jaco’s return visit, will show him suggestions based on his previous visits even if he deleted SBGGM’s browser cookie. A cyber criminal can hack into Jaco’s computer, get onto SBGGM’s website, get on Jaco’s account, make purchases from the website suggestions, have them shipped to another address. From there, bought items could be sold for money. To add an additional layer of stealth, the cyber criminal can make purchases that are small every month to go undetected, especially if Jaco tends to just pay for all of the credit card balance at the end of each month. As long as the consumer does not pay attention to every transaction, consumer is paying for these transactions. Banks have been flooded with small fraudulent transactions. These transactions make banking more expensive for everyone.
Because super cookies circumvent a consumer’s deliberate attempt to erase information trails, it poses a super threat.
About the Author: Marcus Maltempo is a compliance professional with more than a decade of experience helping banks, law firms and clients manage investigations and regulatory responses.