But unlike say murder, "identity theft" isn't some serious crime - it's in the same basket as "war on drugs" in that they both attempt to fortify a nonsensical top-down design at odds with the underlying reality. It's arbitrage against a broken authorization paradigm, and will continue as long as banks (et al) choose to just bear the cost rather than actually fix their systems.
The ways to fix it are numerous, but most of them would involve a widely used national identity card that's actually designed for identification (as opposed to social security numbers which were never meant to be used like this). Alternatively have the banks pay fines for each instance of "identity theft" they suffer, and watch how they figure out better ways to identify people (probably verifying them in person).
I've done some research around social engineering and the no. 1 thing that stopped us from getting into bank accounts etc. was that to do anything remotely dangerous, you had to present your ID card. Even if you got your hands on someone's IBAN, name, address, bday and national ID number - no card, no deal.
It's not impossible to get fake IDs, but it's a significant investment to do so, which stops the kind of drive-by identity theft I read about from the states.
The real legislation that is needed is to statutorily shore up the banks' liability for the damage their negligence causes. A person that has to deal with fall out from a bank being defrauded (eg repudiating that bank's and surveillance bureaus' libel) should receive a decent hourly wage in liquidated damages.
But while I agree that tech alone wouldn't fix much, using a single number (with no biometrics whatsoever) for identification is just asking for trouble. Even my bus pass has my picture on it!
The real problem in the US is that for any newly proposed identity system, any protections that keep the private sector from hooking into it for their own commercial surveillance will get scrapped due to lobbying. At the present, even social security and license plates are just basic government mandates, but form a foundation for unrestrained commercial actors to implement totalitarian surveillance.
So given that, the sensible freedom-preserving USian position is to be against any new identity systems until some laws have actually been passed to prohibit abuses of the current ones.
And that's generally the best case. Name, state, and birthday are considered unique in a terrifying number of settings, including traffic stops, DMV records, and voter registrations. It's baffling to me that a police officer can 'run a license' and act on the results without making use of the unique ID already provided on the license, but it apparently happens.
For example, if you have a bank account at a brick-and-mortar bank (and haven't setup online access), anybody can obtain online access to that account by going to the bank's website and entering your name, social security number, and maybe the recent account balance. This is in fact the exact process a bank rep does when you open a new account if they setup that access for you, or sometimes they even tell you to go home and do this yourself! Similarly, if you forget your online banking password, you can reset it entirely online with access to your email account, making your email account more trusted than the bank account!
In actuality, your being in the bank in person is the primary trust relationship, and that needs to be leveraged for the above scenarios. So online access should only ever be setup in a branch, and perhaps password resets should even require going down there as well.
(Obviously this is just an example and does not also apply to online-only banks. As I said, the key is to stop treating quasi-public information as a shared secret)