PayPal Patent Tracks Stolen Cookies to Keep Log-in Secure

The filing could add another layer of protection at a lower cost than AI-based cybersecurity measures.

Photo of a PayPal patent, via U.S. Patent and Trademark Office


PayPal is cracking down on stealing from the cookie jar. 

The company filed a patent application for “super-cookie identification for stolen cookie detection.” A super-cookie is a data file containing tons of user information, such as browsing behaviors, history and preferences. These store more information than the conventional browser cookie and are reproduced in multiple data storage locations on a user’s device, even after the original cookies are deleted.

Stolen cookies can present major security risks, PayPal noted. For example, “The attacker can use a web browser on the attacker’s computer to impersonate the user (or authenticated device thereof) and gain access to secure information associated with the user’s account without having to manually login or provide authentication credentials.”

PayPal’s plan to stop this would evaluate the vulnerability of each of the different cookie storage locations (i.e., within the web browser, on the device itself, or attached to certain websites). When a person attempts to log in via a web browser, the system uses what it calls sequential encryption to tell whether they’re a new visitor, a returning one, or someone using stolen cookies. This kind of encryption links “cookie values,” or the data stored in each cookie, to one another to create a unifying identifier among the data.

In order to determine fraud risk, the system uses this linking encryption to essentially compare data between the storage vaults to come up with an “expected value.” If that expected value doesn’t match up with the actual value of the data within one vault, it’s labeled as high risk. 

Finally, if it turns out that a person received their credentials from a highly vulnerable storage location, additional security measures may kick in. 
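The linking-and-comparison flow described in the three paragraphs above, as an added illustration. This is not PayPal's code, and the patent's actual construction is not on this page; it assumes one way of "linking" values: each storage location's value is an HMAC over the previous location's value, so the server can recompute the expected value for every location from the first one it is shown and flag any location whose copy does not fit the chain. The location names, vulnerability weights and step-up threshold are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical storage locations in chain order, with illustrative "vulnerability"
# weights (higher = easier for malware to copy). Not PayPal's values.
LOCATIONS = ["browser_cookie", "local_storage", "site_storage"]
VULNERABILITY = {"browser_cookie": 70, "local_storage": 50, "site_storage": 30}
STEP_UP_THRESHOLD = 50  # assumed: extra checks kick in at or above this score


def _link(server_key: bytes, prev: bytes, location: str) -> str:
    """One link of the chain: a location's value is an HMAC over the previous
    value and the location name, so each value commits to the one before it."""
    return hmac.new(server_key, prev + location.encode(), hashlib.sha256).hexdigest()


def issue_chain(server_key: bytes, seed: Optional[bytes] = None) -> Dict[str, str]:
    """Server side, at session creation: derive one linked value per location."""
    prev = seed if seed is not None else secrets.token_bytes(16)
    values: Dict[str, str] = {}
    for loc in LOCATIONS:
        values[loc] = _link(server_key, prev, loc)
        prev = bytes.fromhex(values[loc])
    return values


def classify(server_key: bytes, presented: Dict[str, str]) -> dict:
    """Server side, at login: recompute the expected value for each location from
    the earliest copy presented and compare it with what that location holds."""
    present = [loc for loc in LOCATIONS if loc in presented]
    if not present:
        return {"verdict": "new_visitor", "flagged": [], "risk": 0, "step_up": False}

    # A location with no copy at all is suspicious: a genuine returning client
    # should still hold every copy that was issued.
    flagged = [loc for loc in LOCATIONS if loc not in presented]

    try:
        prev = bytes.fromhex(presented[present[0]])  # anchor on the earliest copy
    except ValueError:  # not even well-formed: treat every location as untrusted
        total = sum(VULNERABILITY.values())
        return {"verdict": "stolen_cookie_suspected", "flagged": list(LOCATIONS),
                "risk": total, "step_up": True}

    for loc in LOCATIONS[LOCATIONS.index(present[0]) + 1:]:
        expected = _link(server_key, prev, loc)
        actual = presented.get(loc)
        if actual is not None and not hmac.compare_digest(expected, actual):
            flagged.append(loc)
        prev = bytes.fromhex(expected)  # keep chaining from the expected value

    risk = sum(VULNERABILITY[loc] for loc in flagged)
    verdict = "returning_visitor" if not flagged else "stolen_cookie_suspected"
    return {"verdict": verdict, "flagged": sorted(flagged, key=LOCATIONS.index),
            "risk": risk, "step_up": risk >= STEP_UP_THRESHOLD}


if __name__ == "__main__":
    key = b"server-side-secret"          # constructed key; keep real keys in an HSM/KMS
    chain = issue_chain(key)
    print("all copies intact:", classify(key, chain))
    only_jar = {"browser_cookie": chain["browser_cookie"]}  # constructed: one copy only
    print("browser cookie alone:", classify(key, only_jar))
```

The design point is that the server stores nothing per user beyond its key: the expected values are recomputed from the first copy it sees, and the risk score grows with the vulnerability weight of each location that is missing or inconsistent, which is what lets the last paragraph's "additional security measures" be gated on a threshold rather than on a simple match/no-match.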

PayPal has filed plenty of patents that aim to grow its cybersecurity prowess. For example, its patent history includes ways to determine user trust via their “peer-to-peer interactions,” practicing data minimization with unstructured personal user data, and using machine learning to detect fraud attempts.

While many cybersecurity innovations tend to involve AI for monitoring and detection of fraud, that kind of tech can cost a lot in terms of time and resources, said Ali Allage, CEO of BlueSteel CyberSecurity. “AI has to be taught,” he said. “There is a cost factor. You have to put in the time and effort to make sure that it operates and understands what your context is, and that it does so consistently well.” 

The method in PayPal’s patent, however, could serve as an added layer of security “without additional costs,” working on top of the systems it already has in place for browser-based authentication, he said. “Typically, something like this is just a layer that’s combined with something else.”

With the millions of transactions a day that get processed between PayPal and its subsidiary Venmo, there’s no such thing as too many layers when it comes to identity security. And after a credential-related data breach in late 2022 led to the sensitive information of more than 35,000 customers being leaked, the company may be looking at ways to be even more careful.