Rapid Growth of Password Reset Attacks Boosts Fraud and Account Takeovers

As many as one in four password reset attempts from desktop browsers are fraudulent, according to security researchers.

The fraud attempts are part of a rapid growth in password reset attacks, according to the annual LexisNexis Risk Solutions Cybercrime Report. (LexisNexis Risk Solutions is owned by RELX, the parent company of Infosecurity.)

Researchers found that there are 70,000 password reset attacks in the UK every week, with fraudsters aiming to take over individuals’ online accounts.

This includes changing users’ passwords and phone numbers, locking them out of services. These “detail change” attacks rose by 232% in 2023, according to the report. Criminal hackers then use the personal information from accounts for further fraud.

Media streaming, e-commerce and mobile services are the most commonly targeted accounts.

Bots Driving Password Reset Attack Rise

LexisNexis Risk Solutions found that the number of password reset attacks has increased four-fold over the last year. The researchers believe that the increasing use of bots is driving the rise, with bot-based password reset attacks up 1680%. According to the researchers this reflects “the increasing sophistication of fraudsters using technology to target the UK public.”

Desktop Users More At Risk

According to the research, desktop computer users appear more at risk of password reset attacks. This makes groups such as the elderly, or those who struggle to use smartphones, more vulnerable.

In part, this is because desktop devices and browsers lack the additional security protection measures built into mobile apps. Furthermore, improved security in areas such as online banking has forced fraudsters to rely on human error instead, according to Rob Woods, director of fraud and identity strategy at LexisNexis Risk Solutions.

“Switching on extra security measures such as two-factor authentication, as well as utilizing the security measures built into mobile apps are easy and yet highly effective ways for the public to protect themselves from password reset attacks,” he added.

The increase in password reset attacks also poses risks to enterprises, especially those that have not moved towards stronger authentication methods or taken steps to protect their password reset tools.

“Companies are putting increasing efforts into securing their login interfaces, but often forget about the requirement for a secure password reset functionality,” Holly Grace Williams, CREST fellow and managing director at pen testers Akimbo Core told Infosecurity.

“We’re seeing progress being made to educate users on choosing better passwords and encouraging, or enforcing, the use of multi-factor authentication – but we’re not always seeing the same level of effort applied to forgotten password functionality. Multi-factor authentication helps here, but not if it can be disabled easily as part of the reset process,” she noted.

“The password reset functionality needs to be as secure as the main login interface; otherwise, you’ll find many of the same vulnerabilities apply there too.”
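To make the point in the two quotes concrete, here is an added illustration (not code from LexisNexis Risk Solutions, Akimbo Core or the report) of a reset handler that applies the same gates as the login path: an unguessable, hashed, short-lived, single-use token, and a second-factor check that the reset link cannot bypass or switch off. All names (`Account`, `issue_reset_token`, `complete_reset`) are hypothetical; rate limiting and lockout of repeated attempts are assumed to sit in front of it.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links expire quickly

@dataclass
class Account:
    password_hash: str                 # "salthex:pbkdf2hex", see hash_password()
    mfa_enrolled: bool                 # never modified by the reset flow
    reset_token_hash: Optional[str] = None
    reset_expires_at: float = 0.0

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

def issue_reset_token(account: Account, now: Optional[float] = None) -> str:
    """Create an unguessable single-use token; only its hash is stored server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    account.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    account.reset_expires_at = now + TOKEN_TTL_SECONDS
    return token

def complete_reset(account: Account, token: str, new_password: str,
                   mfa_passed: bool, now: Optional[float] = None) -> bool:
    """Apply a new password only if the token is valid and unexpired and the
    account's second factor (if enrolled) was satisfied, exactly as at login."""
    now = time.time() if now is None else now
    if account.reset_token_hash is None or now > account.reset_expires_at:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, account.reset_token_hash):
        return False
    if account.mfa_enrolled and not mfa_passed:
        return False  # a reset link alone must not bypass MFA
    account.reset_token_hash = None  # single use: consumed on success
    account.reset_expires_at = 0.0
    account.password_hash = hash_password(new_password)
    return True  # account.mfa_enrolled is deliberately left unchanged
```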