I used to consider myself pretty knowledgeable about the cyber-world, but then I started learning about cyber-security and reading reports by companies like Shape Security, IBM and Snyk. I couldn’t have been more wrong. Only it was happening long before I was even born. In 1983 Ronald Reagan saw the movie WarGames and proposed to enact a law that would prevent unauthorised computer access. In 1984 the first law regarding cyber-security was brought to life. (Note: I will add references at the end of the article ⭐️)

So, I’m a little bit late for the security train. Nevertheless, each year, cyber-crimes are becoming an increasingly bigger threat to everyone.

The Center for Strategic and International Studies (CSIS) compiled a Significant Cyber Event report that spans from 2006 to September 2019. This report focuses on “cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars”.

Based on this report I made a rough accumulation of some data points (the full report accumulation can be downloaded here). Some of these incidents are truly scary.

- February 2019. European aerospace company Airbus reveals it was targeted by Chinese hackers who stole the personal and IT identification information of some of its European employees.
- December 2018. North Korean hackers stole the personal information of almost 1,000 North Korean defectors living in South Korea.
- June 2017. Russian hackers used an updated ransomware program to target Ukrainian infrastructure, including power companies, airports, and public transit.

All of these are pretty big cyber-crimes. You might think that for smaller companies and simple mortals like me it’s not a problem. Wrong.

“Ignorance is Strength” —1984 by George Orwell

In a 2018 report about Credential Spills (i.e. stolen credentials) by Shape Security, it talks about the problem of credential spills and credential stuffing (i.e. automation of trying out different combinations of logins and passwords until you get a working combination) in 4 major industries — retail, hotel, airlines and banking. In retail, credential stuffing attacks make up, on average, 80–90% of an online retailer’s login traffic.

90%. That’s nine zero. I couldn’t believe it at first, but the more I read the report the more this number made sense.

The main reason retailers are attacked in such amounts is because of us — customers. In the era of Amazon and 1 day deliveries, we are getting increasingly impatient about waiting — be it in a queue or while a website is loading. Numerous articles have been written on the importance of reducing friction for customers, such as improving website load times:

- Neil Patel shows with surgical precision the time a consumer is willing to wait before a website loads.
- An article on Time.com says that the time for a website to hold a consumer's attention is about 15 seconds.
- A study by Google says that “53% of mobile site visits leave a page that takes longer than three seconds to load”.

Thus, while we strive to make the web faster and more user friendly, we are also inevitably making it more criminal friendly. Such studies make a website focus on the immediate problem — getting users to their website as fast as possible and making the number of steps necessary to perform an action as small as possible. Therefore, most websites are unwilling to introduce additional security measures that increase friction for a user. However, by omitting things like 2 factor authentication (2FA), not enforcing strong passwords, allowing the use of passwords that have already been reported as compromised, etc., businesses compromise the trust of billions of people.
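Two of the controls just named, rejecting passwords that have already been reported as compromised and telling stuffing traffic apart from real customers, can be implemented with almost no user-visible friction. The following is an added example written for this page; it is not code from the article or from Shape Security. The breached-password list, the login log lines and the thresholds are constructed for the example, and the only real service it refers to is the Have I Been Pwned range API, which it describes but does not call, so it runs offline. It also covers the “know how to process passwords” advice for developers that comes later in the article, by storing and verifying a salted PBKDF2 hash instead of the password itself.

```python
"""Added example, not code from the article or from Shape Security.
Part 1 screens a new password against a breached-password set using the
k-anonymity pattern of the Have I Been Pwned "Pwned Passwords" range API
(only the first five hex chars of the SHA-1 leave the client; the rest is
matched locally) and stores passwords as salted PBKDF2 hashes.
Part 2 flags credential stuffing in a login log. The breached list, the
log lines and the thresholds are CONSTRUCTED so the example runs offline."""
import hashlib
import hmac
import os
from collections import defaultdict

MIN_PASSWORD_LENGTH = 12      # assumed policy value
PBKDF2_ITERATIONS = 200_000   # assumed work factor

def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_table(breached_passwords):
    """{5-char SHA-1 prefix: {35-char suffix: count}} from a breached list.
    A real client would GET https://api.pwnedpasswords.com/range/<prefix>
    and parse its 'SUFFIX:COUNT' lines; the matching below is the same."""
    table = defaultdict(dict)
    for pw in breached_passwords:
        digest = _sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        table[prefix][suffix] = table[prefix].get(suffix, 0) + 1
    return table

# Constructed stand-in for spill data; "qwerty" twice so its count is 2.
CONSTRUCTED_BREACHED = ["password123", "qwerty", "letmein", "qwerty"]
RANGE_TABLE = build_range_table(CONSTRUCTED_BREACHED)

def breach_count(password, range_table=RANGE_TABLE):
    """Times the password appears in the spill data; only the prefix is sent."""
    digest = _sha1_hex(password)
    return range_table.get(digest[:5], {}).get(digest[5:], 0)

def check_new_password(password):
    """Reasons to reject a password at sign-up or reset; [] means accepted."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if breach_count(password) > 0:
        problems.append("appears in a known credential spill")
    return problems

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record; the plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed login log: "<timestamp> <source-ip> <username> <result>".
CONSTRUCTED_LOGIN_LOG = """\
2019-10-01T10:00:01 203.0.113.7 alice FAIL
2019-10-01T10:00:01 203.0.113.7 bob FAIL
2019-10-01T10:00:02 203.0.113.7 carol FAIL
2019-10-01T10:00:02 203.0.113.7 dave OK
2019-10-01T10:00:03 203.0.113.7 erin FAIL
2019-10-01T10:00:03 203.0.113.7 frank FAIL
2019-10-01T10:00:09 198.51.100.20 alice FAIL
2019-10-01T10:00:15 198.51.100.20 alice OK
"""

def find_stuffing_sources(log_text, min_usernames=5, min_fail_ratio=0.8):
    """{ip: (distinct usernames, failure ratio)} for sources that look like a
    spilled list being replayed: many DIFFERENT usernames from one address,
    mostly failing. (Many attempts on ONE username is the brute-force/typo
    pattern and needs its own rule.) The rare OK from such a source is the
    account to protect: step up to 2FA or force a reset."""
    users, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        users[ip].add(user)
        attempts[ip] += 1
        if result != "OK":
            fails[ip] += 1
    suspects = {}
    for ip, total in attempts.items():
        ratio = fails[ip] / total
        if len(users[ip]) >= min_usernames and ratio >= min_fail_ratio:
            suspects[ip] = (len(users[ip]), round(ratio, 2))
    return suspects

if __name__ == "__main__":
    for pw in ["password123", "8@U^K%fsGA85V*uP"]:
        print(repr(pw), "->", check_new_password(pw) or "accepted")
    print("suspicious sources:", find_stuffing_sources(CONSTRUCTED_LOGIN_LOG))
```

The prefix lookup matters because the site can reject a spilled password without ever sending the password, or even its full hash, to a third party. The log rule matters because stuffing looks different from a forgetful customer: one address cycling through many distinct usernames with a high failure rate, rather than one person retrying their own account. The one username that did succeed from the flagged address is the account that needs a 2FA challenge or a forced reset.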
Allowing passwords that are known to be compromised was also mentioned in the 2017 study by NIST.

“[In 2017] over 2.3 billion credentials from 51 different organizations were reported compromised”

Even if you think that you usually don’t specify a lot of information about yourself on the internet, what cyber-criminals do is create something like a person's identity file. All the information that they could get on a specific account is linked with other spilled data about that user. This is called Personally Identifiable Information or PII. In the end, some cyber-criminals would know you better than your mom. With PII a hacker could then, for example, completely take over your phone company’s account. Watch this video on how easily Vishing (phishing via phone) can be performed.

What should we do?

There are many things to consider and it might feel overwhelming. I get it. However, to quote the Shape Security report, it’s a “collective defense” that is required for the good guys to stand up against the bad guys. We can’t be passive. Not anymore, considering that cyber-crimes affect all countries. Politics are shaped, elections tampered with, military blueprints and classified information leaked, your family’s photos used, people fleeing dictatorships discovered, your car hacked.

For Software Developers

- Know how to process passwords, and the reasons behind those practices.
- Educate yourself about the real state of vulnerability in software development. Companies like Snyk are actively blogging about these things.
- Learn about attack types (or vectors, as they are frequently called) from projects like OWASP.
- Read about The Ten Most Critical Web Application Security Risks (2017).
- Check out https://github.com/danielmiessler/SecLists

For Everyday Users

- Consider using a password manager like LastPass or 1Password.
- If possible, don’t store more personal information than necessary on any website.
- Don’t save card data on websites.
- Use 2FA wherever possible.
- If your password doesn’t look like gibberish — 8@U^K%fsGA85V*uP — change it!
- Don’t use public WiFi for handling any sensitive data. If you do use a public WiFi, use a VPN service.
- Educate yourself about the cyber-crimes of today like Phishing, Vishing, Smishing (probably my favourite name) and others.

For Everybody

Please follow your company’s security policies to not become an accidental attacker. I know it’s frustrating and sometimes feels redundant. However, an IBM study, the 2015 Cyber Security Intelligence Report, shows that 55% of attackers are insiders. Of those, 23.5% are people with no intention to harm the company, e.g. they lose their company laptop.

If you liked this article and would like to hear more in detail about this topic or get more tips, feel free to share that in the comments. Also, I suggest that you check if a website, your email or password have been compromised via the links below.

- Email — https://haveibeenpwned.com/
- Password — https://haveibeenpwned.com/passwords
- Company — https://haveibeenpwned.com/PwnedWebsites

References

- https://en.wikipedia.org/wiki/WarGames
- https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
- https://www.csis.org/programs/about-us
- https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents
- https://info.shapesecurity.com/rs/935-ZAM-778/images/Shape_Credential_Spill_Report_2018.pdf
- https://time.com/12933/what-you-think-you-know-about-the-web-is-wrong/
- https://neilpatel.com/blog/loading-time/
- https://www.crazyegg.com/blog/why-users-leave-a-website/
- https://www.thinkwithgoogle.com/marketing-resources/data-measurement/mobile-page-speed-new-industry-benchmarks/
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/what-do-hackers-do-with-your-stolen-identity
- https://dev.to/nathilia_pierce/how-to-process-passwords-as-a-software-developer-3dkh
- https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
- https://www.owasp.org/index.php/Category:Attack
- https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
- https://github.com/danielmiessler/SecLists
- https://www.lastpass.com/
- https://1password.com/
- https://thebestvpndeals.com/eu/best-vpn/?gclid=CjwKCAjw9L_tBRBXEiwAOWVVCRUqlZ787rcGufgKiV_hUp92y31qAa4dZ-lv6MpPMPxhza_oRRIhnRoCofUQAvD_BwE#
- https://blog.syscloud.com/types-of-phishing/
- https://essextec.com/wp-content/uploads/2015/09/IBM-2015-Cyber-Security-Intelligence-Index_FULL-REPORT.pdf