How to stop data breaches online from affecting you

I was recently watching an incredibly great talk by Mike Aldy (@dgbsocal) who opens talking about data breaches.

This, coupled with some other recent emails I’ve been getting, has got me thinking of some other global examples, and made me think “I need to explain to people how this works”.

I’ve been getting a bunch of emails lately showing up in my spam, from “me”:

My email spam-folder is littered with these emails

They’re really juicy when you open them:

They want money, go figure…

All the emails are identical except for the “password”, which changes depending on what they’re trying to convince me they know about me. Anyways, let me explain to you a bit about how this works.

If you look at the above email, “chilling_silence” is what they’re trying to convince me my password is. This one was wrong, obviously: that’s my username on some sites. However, the other emails *did* have some of my older passwords.

These emails contain actual passwords that I’ve used. They’re legit in that sense: they’ve got my password, but it’s definitely not through the method they describe in the email.

So… How did they get them then?

Through breaches where I’d used that password elsewhere.

If you’re the kind of person who uses just a single password for everywhere, you’ll no doubt panic because they’ve basically got *everything*.

Get the password for your Heroes of Newerth, LinkedIn, MySpace, NeoPets or Target online account exposed, and an attacker would hypothetically also have your email password, your Facebook, your online banking, all of that sort of thing. This is routinely automated: leaked email/password lists are replayed against hundreds of other sites to see where else they still work, a technique known as credential stuffing.

So how do they get your details?

Through existing breaches.

Some of the breaches from an old email of mine

You can look up whether you’ve been involved in any known breach:

https://haveibeenpwned.com

Try any email address you’ve ever previously used. Does that email come up?

If it does, check which data the breach exposed. Many dumps include the email address or username together with the password, or a password hash that has since been cracked, and those combinations circulate freely as “combo lists”. Assume that anybody can see the pairing of that email address / username and the corresponding password.

If you’ve re-used that same username / email and password anywhere else, then you’re fair game for somebody to log in as you, change your password, dig up more personal information about you, and ultimately steal your identity. They could then open credit cards in your name, rack up debt, and do a bunch of other things that would cause you an insane amount of grief and trouble.

What can you do about it?

Easy: Don’t re-use your password (or, ideally, your username) anywhere

If you’ve never re-used a password, the leaked combination is useless everywhere else: a unique, randomly generated password for every site, kept in a password manager, confines a breach to the one account it came from.

I’ve had it happen to me, my brother-in-law told me “Hey I’m getting messages from you on Skype sending me to buy fake Oakleys”.

It turned out it was an insanely old account I’d not used in 7+ years that had a password I’d used a decade ago that had been breached. I’ve long-since stopped re-using passwords and randomly generate a password for every single website, but you get the point.

Somebody had my username / password and they were able to re-use it

So how can DigiByte help you with this?

Through the power of Digi-ID!

Digi-ID gives you a unique ID (a separate address) for every website you log in to. In addition, there’s no password for you to ever use (or re-use), and nothing password-like for the website to store, so a breach of that website’s user database yields nothing an attacker can log in with, there or anywhere else.

Sure, if you’ve purchased from Target and entered your credit card details, an attacker who breaks into that website could still potentially get those details, but the impact would be limited to just the website the breach occurred on. They can’t use your Digi-ID address from that site to log in to another website, because of the way that Digi-ID works.

Explain how Digi-ID works then!

Sure, let’s try and make this easy for anyone to understand:

You go to a website such as https://digibyteforums.io

You’re given a QR code, which encodes a link back to DigiByte Forums together with a unique random value known as a “nonce” (number used once):

A login QR code which is generated uniquely for each user who wants to sign in

This nonce is randomly generated for this one visit to the website. It needs to be unpredictable and accepted only once, so that a login response captured today can’t be replayed tomorrow.

The URL that the QR code points to looks like this:

The above QR code points to here

You can even run that QR code through a “reader” and it will show you the same URL.

So you open up your DigiByte Wallet and scan the QR code:

Scanning a QR code with my DigiByte app

It’s going to show you the URL that you’re signing into and ask if you are sure this is the right place you want to sign into, and to confirm nobody has stolen your phone by asking for your PIN or your fingerprint (or Face ID on iOS). Check that URL properly: whatever you approve is what gets signed, so it must be the site you actually opened.

After I’ve scanned my fingerprint, it gives me a nice tick to indicate success

You confirm and the wallet sends a special message back to the above URL, the one with the long callback=7e7….

The message is signed with a private key held in your DigiByte wallet, the same sort of key that keeps your DigiByte safe from being spent by anybody else, and sent back to the website you are trying to log into. The private key itself never leaves your phone; the website only ever sees the resulting address and signature.

If the signature checks out against your public address, and covers the “nonce” (callback=7e7d…) that is unique for your visit, then you are allowed in and greeted with a message like this:

What I see once I’m logged in with my Digi-ID to digibyteforums.io

Now, this “address” is unique to this one website. It’s never re-used anywhere else, so it can’t be used to link me to anything unless I choose to give the website operator a whole lot of additional information.

If I go to another website, even if I use the same DigiByte wallet on my phone, I’m greeted with something entirely different:

That address looks completely different

Now you’ll note that the first address is different from the second, yet I promise you I used the same application. So why is it different?

It’s different because the URL of the server is included in the way that the key behind your Digi-ID address is derived, so each server gets an address that is tied to it alone.

So if you were to sign in to hotmail.com and then hotmail.co.uk, each website would get its own, totally independent address for you. One operator cannot link it back to the other’s, unless you also give them a bunch of additional identifying information.
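To make the login flow above (QR challenge, wallet signature, server check of nonce and signature) and the per-site address derivation concrete, here is a small worked model of both sides of the exchange. This is an added example written for this article, not DigiByte’s or Digi-ID’s own code: it stands in Ed25519 keys and an HMAC-based per-site derivation for the real wallet key scheme, assumes a URI shape of digiid://host/callback?x=nonce for the QR code, and the names Wallet, Server, LoginResponse, Challenge, Sign and Verify are hypothetical. The master secret is a constructed demo value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// Wallet (phone side) holds one master secret. Every site gets a key derived
// from it, so the master secret itself is never presented to any website.
type Wallet struct{ master []byte }

// siteKey derives the per-site Ed25519 key as seed = HMAC-SHA256(master, host):
// same host gives the same key every time, another host gives an unrelated key.
// This derivation is a stand-in for illustration, not Digi-ID's real scheme.
func (w *Wallet) siteKey(host string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, w.master)
	mac.Write([]byte("digi-id-demo:" + host))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // Sum is exactly 32 bytes
}

// Address is the per-site identifier the website stores: a hash of the public key.
func Address(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:20])
}

// LoginResponse is what the wallet posts to the site's callback URL.
type LoginResponse struct {
	Challenge string            // the exact URI that was scanned
	PubKey    ed25519.PublicKey // the server derives the address from this
	Signature []byte
}

// Sign answers a scanned challenge. The whole URI is signed, so the host and
// the nonce are both bound into the signature; the private key never leaves here.
func (w *Wallet) Sign(challenge string) (LoginResponse, error) {
	u, err := url.Parse(challenge)
	if err != nil {
		return LoginResponse{}, err
	}
	priv := w.siteKey(u.Host)
	pub := priv.Public().(ed25519.PublicKey)
	return LoginResponse{challenge, pub, ed25519.Sign(priv, []byte(challenge))}, nil
}

// Server (website side) remembers each nonce it issued until it is used or expires.
type Server struct {
	host   string
	nonces map[string]time.Time // nonce -> expiry
}

func NewServer(host string) *Server { return &Server{host, map[string]time.Time{}} }

// Challenge mints a fresh single-use nonce and returns the URI to put in the QR code.
func (s *Server) Challenge() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	nonce := hex.EncodeToString(b[:])
	s.nonces[nonce] = time.Now().Add(2 * time.Minute)
	return fmt.Sprintf("digiid://%s/callback?x=%s", s.host, nonce) // assumed URI shape
}

// Verify is the callback handler; it returns the user's per-site address on success.
func (s *Server) Verify(r LoginResponse) (string, error) {
	u, err := url.Parse(r.Challenge)
	if err != nil {
		return "", err
	}
	if u.Host != s.host { // a response signed for another site is worthless here
		return "", errors.New("challenge is for a different host")
	}
	nonce := u.Query().Get("x")
	exp, ok := s.nonces[nonce]
	if !ok {
		return "", errors.New("unknown or already used nonce (replay?)")
	}
	delete(s.nonces, nonce) // single use, whether or not the rest verifies
	if time.Now().After(exp) {
		return "", errors.New("nonce expired")
	}
	if !ed25519.Verify(r.PubKey, []byte(r.Challenge), r.Signature) {
		return "", errors.New("bad signature")
	}
	return Address(r.PubKey), nil
}

func main() {
	wallet := &Wallet{master: []byte("constructed demo secret, not a real wallet")}
	forums := NewServer("digibyteforums.io")
	resp, _ := wallet.Sign(forums.Challenge())
	fmt.Println(forums.Verify(resp)) // the per-site address and a nil error
	fmt.Println(forums.Verify(resp)) // same response again: rejected as a replay
}
```

The four checks in Verify are the whole point of the scheme: the host check stops a response signed for one site from being accepted by another, the nonce lookup plus deletion stops replay, the expiry bounds how long a scanned QR code stays valid, and the signature check proves possession of the per-site key. Because the server only ever stores the address, a dump of its user table contains nothing that can be tried against any other site.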

This is the first major step towards reclaiming your online privacy, because you don’t have to use the same “username” anywhere. Your username now becomes your Digi-ID address, which is unique to every website, and you don’t have a password.

This means that when LinkedIn, NeoPets or MySpace gets breached, your Digi-ID details can never be used to match you to another website, because the address is unique everywhere; nor can the attacker log in as you, because every single login needs a fresh signature from your DigiByte wallet.

An attacker with nothing but the breached database *cannot* log in as you. Ever! The one thing that has to stay safe is the wallet itself, which is why the app asks for your PIN or fingerprint before it signs anything.

That’s not just powerful, that’s world-changing.

That’s a perfect way to reclaim some online privacy, all while making yourself more secure, and without having to remember ridiculously long and unique passwords for every website you’ve ever signed up for.

That’s the amazing cyber-security issue-solving sort of goal that DigiByte was created with.

Right from the beginning, this was written into the Genesis Block (The first ever block for DigiByte):

USA Today: 10/Jan/2014, Target: Data stolen from up to 110M customers

That shows, right from the get-go, a focus on cybersecurity and a use-case over and above just transferring value from one person to another.

Let’s stop and think about that for a minute, a solution to the most painful element of data breaches.

DigiByte has that solution: Digi-ID