A recent report from LexisNexis Risk Solutions reveals a concerning trend in password attacks, highlighting that as many as one in four password reset attempts via desktop browsers are fraudulent. Researchers identified approximately 70,000 weekly password reset attacks in the UK, a significant escalation attributed to "detail change" attacks, which surged by 232% in 2023. These attacks typically involve fraudsters altering users' passwords and phone numbers to gain unauthorized access to online accounts, particularly in sectors such as media streaming, e-commerce, and mobile services. The report also highlights that the increase in password reset attacks also poses risks to enterprises, especially those that have not moved towards stronger authentication methods or taken steps to protect their password reset tools.
The sharp rise in attacks corresponds to a staggering 1680% increase in bot-driven exploitation, highlighting the increased use of more advanced tactics and AI by attackers. The report points out that desktop users are at a greater risk due to the absence of security features that are typically built into mobile applications. To mitigate these risks, experts recommend the following:
- Activate two-factor authentication on accounts.
- Secure password reset functionalities in corporate environments to prevent vulnerabilities similar to those in login interfaces.
- Provide education and training on secure password practices for both organizations and individuals to better navigate the increasing threat landscape.
Fundamental 6: Enforce Access Controls from WaterISAC’s 12 Cybersecurity Fundamentals for Water and Wastewater Utilities provides crucial guidance on password security that can play a significant role in securing against password reset attacks.
Access the full report at LexisNexis, and for more information, visit Infosecurity Magazine.