Digital Resilience
How To Train Your Cookies
What is an internet cookie, and how does it reinforce our online echo chambers? This is your guide to keeping your private information secure and building digital resilience into your online experience.
By Reetwika Banerjee
Nowadays, whenever we open a web browser or an online application, a banner pops up asking for our consent regarding cookie management – accept all, reject all, customize, accept only selected ones etc. Sounds familiar, right? But how can you decide what is the best choice for you? Is your privacy getting compromised or enhanced? What should be your ideal call to action here? How can you be digitally resilient to cookie hijacks? Before sharing my safety tips to securely train your cookies, let me ask you two very simple questions for us to understand how vulnerable you are to Cookie Hijacks.
Do you own an Android supported smart device?
Do you have an account on any social media platform?
If your answer to both of the above questions is yes, then bingo! You are the apple of a cookie hijacker's eye. Well, setting technical jargon aside, let me demystify what an internet cookie is, its importance in the modern internet experience, how it can be abused (the DroidSheep attack) and the security guidelines that help you escape its echo chambers.
Cookies are your footprint
The term ‘cookie’ in cyber technology is credited to the old programming logic of ‘magic cookies in a glass jar’, which were nothing but static files with user IDs in clear text format that remained valid even after a web session had ended. But in modern computing practices, the Magic Cookie is obsolete and has been completely replaced by HTTPS Cookies, which are browser-level data packets containing verified information that is dynamically created by virtue of a user’s footprint on the internet. They are used precisely to track, customize and save information about each valid user session.
Examples of cookies include authenticated login credentials, a valid session ID, social media activity logs, internet browsing history, average time spent per webpage, new websites visited, messenger app metadata, VOIP call records, geo-location tracking info, frequently used alphanumeric strings, buying patterns, payment card information saved or shared during online payments, etc.
This information is mostly stored in the cache memory of your computing device and remains invisible to the naked eye, unless you are a tech geek who can read through program files. It becomes even easier if you have an Android-supported smart gadget.
Cookies shape online experiences
We all love a personalized experience, don’t we? Today, Cookies are highly essential to offer an ultra-tech Artificial Intelligence (AI) powered internet experience, where our browsing information is an integral feed to web/app developers that provide something that appeals to an individual user, not just a generic one targeted to a broad customer segment. At the same time, it comes with the cost of compromising your privacy.
Cookies help your browser interact with the backend web server it is connected to over the internet. The data saved in your cookies helps establish a quicker session, as the server recalls where you left off during your last visit and opens up the same session for you. It also enables web browsers to remember you, your social media activities, previously surfed websites, community pages, comments, likes, etc., and allows web/app developers to do a trend analysis of your internet usage behaviour.
Cookie Hijack!
I recently met my nephew after a couple of years for a family get-together. As a curious teenager, he had many questions to ask me on cybercrime. One of the questions which was particularly interesting was, “I know what an echo chamber is – it’s a virtual, digital chamber where we keep listening to the things which we love to listen to and keep seeing things that we love to look at but I heard there is something called ‘Cookie Hijacking’ which is used to create an ‘echo chamber’ around us. How can one hijack internet cookies?”
I was pleasantly surprised by his quest to understand new technology. As I paused to gather my thoughts, I saw his brother, five years younger than him, playing with a replica of He-Man’s double-edged sword. Pointing at the toy, I told him, “In cyber technology, there is something named ‘DroidSheep’ which is a lot like He-Man’s sword. It’s an Android based mobile application which was originally developed for security testing but unfortunately nowadays is being misused by cybercriminals for unethical interception.”
Just as an aeroplane can be hijacked by crusaders, the DroidSheep app allows cyber intruders to secretly intercept and hijack your web cookies, such as your private conversations on WhatsApp. It is a powerful tool that can easily be exploited to perform session hijacking attempts over a wireless network. The app acts as a network router and sniffs all the available traffic within its perimeter. The sender will find his/her session stalled (commonly termed a ‘hang’ situation or 404 gateway error) as the intruder breaks the original connection and continues uninterrupted with the stolen session cookie to converse with the recipient.
This is just one of the many examples of ‘Cookie Hijacking’. Building ‘Digital Resilience’ is not a choice anymore; it is an absolute necessity – now, more than ever.
Security tips
To build a digital resilience system, you should have the right technical processes, security tools and practices in place to prevent, respond to and quickly recover from cyber-attacks that can disrupt your actions, and to do so in a timely manner.
It is equally important to know the anatomy of such probable threats so that you can identify cyber-attacks right at the source and be proactive, instead of taking corrective steps after the damage is done.
Here are my 5 simple tips to prevent cookie hijack attempts:
- Always use secured wireless connections (WPA and WPA2) so that the network data is not openly visible to other connected users. You can check the security protocol of the router on the device body.
- Android based PDA users can configure strong encryption to secure cookies, especially if you have access to information that is critical to national and public safety. Even if the session is hijacked, the hackers won’t be able to decode it.
- Do not blindly accept all cookies. Verify the list first and then make a decision. Else simply walk off the site if it forces you to accept all. If you administer a website or application, install a Consent Management Platform (CMP) to help you abide by global cookie regulations.
- Enable your security code on all messaging apps. Also verify that your receiver has his/her security code enabled. It is good practice to have dynamic codes rather than never-changing static ones (this option is available in select messaging apps only), so that if the code is compromised, it will soon get replaced by a system-generated random one. When your receiver’s security code changes, you get to see a notification on his/her message window.
- You should always log out of your private chat rooms and delete all cookies as a practice. Remember, cookies are dead once you log out and this can prevent 90% of hijacking attempts.
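For readers who administer a website or application, the following is an added example (not part of the original article) that checks the Set-Cookie headers a site sends and flags cookies that a sniffer on a shared wireless network could capture, that page scripts could read, or that outlive the session. The sample header values and the one-day MAX_AGE_LIMIT threshold are assumptions made for illustration.

```javascript
// Added example. The header values in SAMPLE_HEADERS are constructed sample data.
// MAX_AGE_LIMIT is an assumed policy threshold (one day), not a standard value.
const MAX_AGE_LIMIT = 86400;

const MESSAGES = {
  "no-secure": "also sent over plain HTTP, so readable by anyone sniffing the network",
  "no-httponly": "readable by scripts running in the page",
  "long-lived": "stays valid long after the browsing session ends",
};

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue; // tolerate a trailing semicolon
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs,
  };
}

// Return the finding codes for one cookie; an empty array means nothing flagged.
function auditCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!("secure" in attrs)) findings.push("no-secure");
  if (!("httponly" in attrs)) findings.push("no-httponly");
  if (Number(attrs["max-age"]) > MAX_AGE_LIMIT) findings.push("long-lived");
  return findings;
}

const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/",
  "sessionid=abc123; Path=/; Secure; HttpOnly",
  "remember=xyz789; Max-Age=31536000; Secure; HttpOnly",
];

for (const h of SAMPLE_HEADERS) {
  const codes = auditCookie(h);
  console.log(parseSetCookie(h).name, codes.length ? codes.map((c) => `${c}: ${MESSAGES[c]}`) : "ok");
}
```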
Always remember, you are the key to your own resilience in a digital world.