Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: What steps do you take to protect yourself and your family online?
135 points by akudha 59 days ago | hide | past | favorite | 105 comments
This week, I found out that someone opened a bank account in my name. I was able to block the account, but I am not receiving any help from the bank. They don't even have a phone number to let me talk to someone. Everything is done via email :(

What steps can I take, to protect myself online? By now, it is safe to assume that my SSN, address, employment info are in multiple databases somewhere. Given this scenario, any advice?




Sorry to hear it.

# Here are some of the things that I've done. Here's to hoping it's effective.

1) Everyone uses Bitwarden[0] to store their passwords. We have an Organisation account which makes sharing passwords easy. I check master passwords against HaveIBeenPwned, and ask they use the generated Bitwarden passwords for their accounts.

2) The least tech-saavy amongst my family either get Chromebooks (which I despise because Google), or they get a Windows machine that I lock down pretty hard [1]. The lock-down may look draconian to power users, but they've yet to mention they can't do something they want to.

3) Its listed in the link in (2), but I make sure everyone runs uBlock Origin. It's far more useful than an antivirus.

4) I have a few catch-all emails I encourage my family to use for subscriptions. When asked for an email, use [website name]@[family member code].[domain].[tld]. That way, unless spearfished, you're likely to know the true providence of an email.

5) We have a NAS that is 3-2-1 backed-up, and encourage everyone to keep sensitive information there. Hopefully this is enough to avoid cryptolockers extorting us.

# Things I want to do

5) It would be better if we used one of those self-hosted random email generators to prevent maliciously constructed email domains at our catch-all instilling false confidence.

6) I'd like to install PiHole [2].

7) I have a Twilio number that goes straight to voice mail and sends me the audio files and forwards SMS. I'd like to create these for my family (maybe using extension numbers?) so they can use them on forms.

[0] https://bitwarden.com/

[1] https://noteaureus.org/post/tutorials/sysadmin/win4unsavvy/

[2] https://pi-hole.net/


If you can’t find time to getting Pi-hole going, check out NextDNS, which is only $1.99 a month and very configurable (if you want. It also has sensible defaults.)

https://nextdns.io

I believe the fellow who runs NextDNS is on HN.


You don’t even need to pay. I’ve been using the free version on 3 devices and I’ve never gotten to max out the number of requests


> The least tech-saavy amongst my family either get Chromebooks (which I despise because Google), or they get a Windows machine that I lock down pretty hard

Sounds reasonable, Installing alternate OS on Chromebooks is also an option[1]. This is especially useful since Chromebooks are often subsidized and portable laptops capable of running Linux (or even Windows) often cost at least 2x more.

Note: Alternate OS on Chromebooks doesn't guarantee bypassing hardware level data collection if any.

> I'd like to install PiHole

Add NETDATA[1] to the same device you're installing PiHole in and set up alerts on Netdata. This way you can get an notification when there's weird activity on the network(not just silent blocking), e.g. You'll see apps from your phone, tablet calling out their analytics mama during midnight to push out data.

[1] https://mrchromebox.tech/

[2] https://learn.netdata.cloud/guides/monitor/pi-hole-raspberry...


Interesting! Now I have extra reason to set-up that Pi-Hole :) Thanks!


Also go here https://identitytheft.gov and make sure to follow the steps they have.


The problem with Twilio numbers (or any other VoIP) is that most websites don't accept them for account creation.


If you're really going to go down this rabbit hole (and this is HN, after all) you should consider creating and maintaining a "2FA Mule":

https://news.ycombinator.com/item?id=28251107


Interesting! This honestly does not seem that awful to set up at all.


This is pretty cool, but it adds flexibility rather than security.


I seem to be on a continual quest for better backup/storage. I'd love to hear more about your NAS setup.


I doubt it's the perfect backup set-up, but I've been able to do regular restore tests.

I have a Synology NAS which has a Borg community package. I use BorgBase for remote backups, and have another local backup on one of the volumes in the NAS. I keep dailies for a week, monthlies for a year and three yearlies, with automatic pruning.

Once a year, I do my best to back-up my most important stuff on DVDs, but I'm not a very disciplined person. I keep them on a spindle, which is also probably bad practice.


Yes, me too. I've got a unraid nas at home and I've really struggled to figure out a no hassle backup solution.


Not very familiar with self hosted emails, could you explain how the subscription emails work? How does putting the website before the @ work? Does your email server then forward those emails to the corresponding family member since I’m guessing the email address doesn’t exist before subscribing.


i use mailinabox on a cheap vps. 10-20 minutes install no problem. what the poster meant was hackernews@12.familyname.xyz here 12 is family member code and hackernews is the actual website where that person is trying to get registered.

this is pretty awesome setup because if you get spams from anyone, you can simply see which family member signed up for which website and which one is leaking data. the next step, if required would be to delete that account/email and be done with it. no more spam, no more going back. If you do need that email in future, recreating it would be trivial, like if you need to get back into an old account or the like


Each family member has a subdomain all to themselves. The website before the @ allows them to know where the sender got the email address from. You can have catch-all addresses on emails, so anything without a mailbox is sent to the default mailbox that's configured.

It need not be self hosted to do this. Most email providers provide this functionality.


That's exactly right. I don't self-host the email (you can use any service that takes catch-alls like mailbox.org).

anything '@subdomain' gets forwarded to its respective family member's email.


your tutorial for locking down windows is super useful, thanks! Any recommendations for remote administration? I would like to set this up for my parents but need to be able to address any issues they might have w/o a transatlantic flight ;-)


My parents have different levels of technical skills but I help both. My Dad is a nerd - I didn’t see it coming but I’m planning on stealing his lunch money the next time I get to see him. My Mom really hates computers and though I know this isn’t technically possible, they seem to hate her back.

Despite their differences, I can use Quick Assist with both. And between my Dad’s sudden turn towards becoming me in high school and my Mom’s innocent transgressions, I’ve never run into anything I couldn’t fix with it.

Worst case scenario, my Dad and I have talked about a volunteer based group of people who help other cats around his age. If your parents are on the same side of the ocean as we are, we can help in a closer timezone. My Dad is a retired police officer (you can trust him) turned nerd (you maybe shouldn’t trust him) and I’ve been drafted into the odd role of his nerd supervisor. If you’re worried about your folks, he’ll give them his phone number.


You should blog about this. Super relevant now w booming boomer demo.


Glad you liked the tutorial :)

I don't have a lot of experience with remote administration, but I use Tailscale with RDP/VNC/SSH to access my own machines when I'm away from them.

I like to avoid TeamViewer/AnyDesk/etc... because the GUI makes it too easy for folk to get scammed (watching Kitboga all these years makes me want to avoid them like the plague).


AnyDesk is free for personal use, as long as you're not for some reason domain joined.


>I check master passwords against HaveIBeenPwned

How?

I'm just imagining the wallet inspector from that episode of the Simpsons


haha, yah there's a deal of trust in managing systems like this. Luckily they can also check the passwords themselves, but I try to teach them not to input their master password into websites that aren't on the bitwarden domain.

I use the website directly https://haveibeenpwned.com/Passwords


Has no one wrapped up the above into a business?


For your specific issue, you can do a credit freeze (or whatever it’s called). These have pros and cons, and there are different levels of freezes (all called different things iirc). Research them and use them if it makes sense.

Signup for regular credit score reports. I get a monthly email from one of the credit score companies, plus immediate emails if my credit gets checked.

I use 1password and Fastmail with my own domain, and privacy.com. With those three (and their integrations) I can easily create unique debit cards, unique email addresses, and unique passwords each time I register for another site/service. This doesn’t help your specific issue but it helps with a lot of things.

Use NextDNS on your router and devices and set it up to use dns-over-https. Block ads etc.

Links to above mentioned sites which may benefit me and/or you:

- https://nextdns.io/?from=k6bqh5rg

- https://ref.fm/u26310488 (fastmail)

- https://privacy.com/join/JCPFN


I have done a credit lock, is that enough? Or do I need a credit freeze?


Credit "locks" are kind of a scam. You definitely want to put a 1 year fraud alert on your credit report where a lender is supposed to call the number you include to verify that you applied for credit. You can also freeze your credit if you have no plans to apply for any credit cards or a mortgage in the immediate future.

Get the fraud alert on Chex, too. They're the equivalent of the credit rating agencies for bank accounts. If you don't need to switch banks soon, I'd definitely freeze that one.

https://www.chexsystems.com/web/chexsystems/consumerdebit/pa...

https://www.chexsystems.com/web/chexsystems/consumerdebit/pa...

If you have a credit card through Chase, AmEx, or CapitalOne you can get free credit monitoring where they'll email you or send you a push notification as soon as a lender does a hard-pull against either your Tranunion or Experian reports.

Have you filed a police report? I've had my identity stolen and helped some of my friends resolve identity theft issues so I speak from experience: you will get so much further if you can fax or email people copies of a police report

Hmu if you need any help resolving this.


That’s where I’m not sure and you’ll need to do some research. It’s been a while since I knew these things and even then I didn’t know them well. But I am aware that banks don’t always check your credit right away when you open a new credit card, so even with a credit lock or credit freeze someone else could still open a credit card in your name. Or at least that was true once upon a time, regulations may have change by now.


You probably want the credit freeze. These companies are required by the US law to provide the service for free. Credit locks usually require payment to get.


Anyone know if these are possible in Canada?


1Password is based in Canada. However Privacy.com you can only use a US-based funding source (ie bank account or debit card). Fastmail is Australian-based and works worldwide. NextDNS I think is available everywhere.


There is really no reason to use your real name and address for anything online - perhaps only airline tickets and government agencies (eftps, ftb.ca.gov, etc.).

Remember: Visa/MC cannot verify cardholder name. They pretend that they can and merchants believe that they can but there is no mechanism to do so.[1] If the numbers match up, you can use "Mickey Mouse".

No online retailer/merchant/provider has ever seen our real name (or real address). We created a pseudonym and attached it to a PO BOX in our town and a twilio phone number.

This doesn't solve every problem but it does solve the simple issues of identity theft and impersonation or (very low level) attackers correlating our activity to other activities.

YMMV. IANAL.

[1] There is some weird "verified by visa" thing that does attempt to confirm identity but I've only seen it once in the last 12 years ...


For card payments, yes there is no verification but for bank transfers, at least here in the UK, "confirmation of payee" is a thing and wrong names are rejected [1].

[1] https://www.ukfinance.org.uk/confirmation-of-payee


How is this relevant?


> There is really no reason to use your real name and address for anything online

> wrong names are rejected

How isn't it? Unless you're saying 'there is really no reason to participate in e-commerce', which is... true I suppose...


No, I also thought that this was somewhat irrelevant ...

None of my e-commerce involves bank transfers. I would decline it as a payment method. I have no idea why anyone would be doing this.


Maybe the comment changed or I just skim-read it, but I'm not sure I understand now.

Anyway, in the UK billing name & postcode are/can be verified on card payments.

Bank transfers no basically never happen, too manual; exception being something like (Transfer)Wise - you set it up online, then transfer to their account in local currency, they transfer out of their account in another country to your intended recipient account in that local currency.

Direct Debits are a common ~'bank transfer' but recurring way of paying for utilities & subscriptions here though. Can (and these days normally would) be set up online.


It's probably very dependent on your local e-commerce environment.

Here in Germany I linked my bank account to Amazon, PayPal, local mobility service providers, etc.

Maybe 90% of my online transactions are bank transfers, 10% are debit card transfers.


> No online retailer/merchant/provider has ever seen our real name

Is there some way to extend this idea to physical goods delivered to your home? Occasionally something happens that requires you to go to the post office, or UPS depot, or FedEx depot to pick up your package. And they always want to see ID that matches the name on the package. Even if you have the delivery notice, it’s not enough. They still want ID.


https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-Li...

It's a pain to do, but it really helps to opt out of data broker lists. I have a reminder to do this once per year, and only the "diff" of my life updates show up (e.g. address reappears because I moved, changed voter registration as a result, etc).

There are also services you can pay to do this, but they are usually priced extremely high or are straight up scams (i.e. they'll take your PII and then scam you with it).

It's better to just do it yourself so you know there's no middlemen to be forced to trust.


I was able to do it with a particularly annoying bottom-feeding data-broker, "mylife.com". Their latest scheme was to assign people a bullshit "reputation score". I found this really offensive and it made me angry enough to try to get my name out of their database. Some youtube video showed how to do it.

It required a frustrating ~15 minute phone call (the number is somewhere on their website) to an Indian call center where they tried to upsell me a dozen times or so. But I was polite and persistent and asked to have my name removed over and over. That was almost 2 years ago. It seems to have worked. My name doesn't show up anymore if I search on mylife and no mylife pages appear on google searches for me.

I still do get emails EVERY DAY from these MF'ers. It's just bullshit about how there's a "negative" item in my reputation and that "7 people are looking at my reputation". AFAIK, it's just automated junk, because my name doesn't come up any more on mylife.


I tried this about a year ago but it was pretty futile. The issue is that data brokers repopulate your info every ~6-8 weeks. It's designed to be nearly impossible to keep up with.

This bothered me so much that I actually started a company to solve the problem of continuous opt-out from data brokers. I think we’re priced pretty reasonably given how important this stuff is ($99/yr).

As far as trust goes, we went through YC W21 (as RoundRobin) and I’m happy to answer any questions people have. www.crowdshield.com


I remove myself from data broker websites as a hobby, and I don't find it futile at all. They haven't repopulated my data whatsoever, and they actually take GPDR/CCPA threats pretty seriously. (Sometimes you do need to email the executives directly- fun fact, you can just look them up on other data broker sites!) I've removed myself from every one, for free, with a minimal time commitment. You may just be plugging your company, no offense


I am glad they posted. I'd rather spend my time not removing myself from these sites as I have other things I'd rather be doing.


Yes I'm so glad this guy posted, as I think removing myself from brokers is somehow less fun than doing my taxes, bordering on trying to negotiate a car deal during 'rona times!


I think it's a good idea, but there's more than just "trust" to consider.

Here's the question: Does crowdshield pay these data-brokers some kind of "discount rate" to delete stuff?

Data-broker companies are very slimy and to be able to do this in bulk, I think, would require paying off these low-lifes or perhaps some kind of legal threat.

I am inclined to suspect that the data-brokers would merely temporarily remove names for crowdshield and then just bring them back after some time interval. That way both the data-brokers and crowdshield "get paid" over and over again. Is that how it works?


Is it strictly 99/person/year? Or is there a family or couple option?


Its a tough question to answer, with so many "if's" and "maybes". There have already been some good suggestions here which I won't repeat.

But one I would suggest is minimising the number of places with your "real" information, i.e. if "real" information is not required by law (e.g. financial services, health services, insurance, billing etc.), then train yourselves to use pseudo information.

For example, if a website asks for your date of birth. Ask yourself, is it required by law or is it just for user profiling. If the latter, then just invent a date of birth (and if the date of birth may be required for password recovery, make a note of it in your password manager).

The same goes for your "real" name. Do you need to give them your real name as shown on your government ID ? Or can you give an abbreviation or even pseudonym ?

The same goes for answers to "security questions", just invent stuff, don't give the "true" answer.

You can take all the technical countermeasures you like, but sometimes it's easier to KISS ... if a service doesn't need your details, don't give it to them in the first place.


> The same goes for answers to "security questions", just invent stuff, don't give the "true" answer.

Invent plausible stuff. Do not use random characters or nonsensical words, because then you make it easier for a social engineer to bypass that when talking with customer service.

For example, "What was your first pet's name?"

Make up something like "Mister Bubbles", something childish that could actually be a pet's name.


This is a very important point. Many customer service agents will let people in if they just say “I dunno I just kinda mashed the keypad” or “oh it was just some random letters”.

Once you beef up your security, social engineering is the weak link that always remains.


I have an easy to remember scheme I use for those annoying security questions that alleviates the need to write them down. I came up with this idea because everytime I am asked for these stupid questions I get very annoyed and my default reflex was to internally curse profusely. So I thought I would leverage this reaction.

My scheme is this, for any security question there is usually a primary noun you can key off of. So I just construct the following string: "fyour" + PRIMARY_NOUN. The "f" is spelled out to be the more profane form of fornicate but thought I would keep it clean for HN.

This allows me to always have an easy to remember answer to all security questions where I can satisfactorily express my complete disdain for them. I have had to say these out loud many times to CSR's and it usually gets a chuckle.


And have separate e-mails. I have three tiers of them - one is for official matters, the other for semi-official, the third for the rest. I almost always use garbled usernames as well.


> And have separate e-mails

Absolutely ! But that aspect is not just a security thing, its an anti-spam thing.

Infact I'd almost consider the security aspect a bonus, the ability to kill off email addresses if you start getting spammed is the primary benefit (for me at least!).


It is a security thing since you use your emailaddress for logging in and resetting passwords. If somebody gains access to your email it can be troublesome.


It can also prevent phishing attacks (the address isn't out there anywhere).


> For example, if a website asks for your date of birth. Ask yourself, is it required by law or is it just for user profiling. If the latter, then just invent a date of birth

I opened YouTube, clicked on a video that requires age verification... Google told me to provide a credit card or a government ID.

F*** Google.


F*k Google indeed.

These days I use FreeTube: https://freetubeapp.io/


I'm assuming you're in the USA.

The most important thing you can do too prevent things like Bank Accounts, Credit cards, etc opened in your name is to lock your Credit History. Without access no one can open up any kind of account. You might also want to lock down your SS Account.

Here are some links to get you started.

https://www.consumer.ftc.gov/topics/identity-theft

https://www.consumer.ftc.gov/articles/what-know-about-credit...

https://www.consumer.ftc.gov/articles/how-stop-junk-mail


It seems like there needs to be a political push to fix the easily exploited systems that just use SSN, etc. E.g. make laws that require banks, etc. to need some other form of authentication.

But I guess an upgrade of systems will cost hundreds of millions of dollars...


I was given some good advice a decade ago by my father inlaw. Every time you are asked for personal info, give as little as possible (need to know/least privilege). When filling out forms, just the necessary fields (ex: no middle name/initial, home phone, etc). Do they really need a copy drivers lic at the doctors office? You can even call your Medical Insurance company and get a code that the dentist or doctor can put in instead of your SS number, that way you're not giving it out as much. There are plenty of things that require little effort that can go a long way. Opt out of CC/Insurance/Junk mail. Reduce the paper trail is good practice, bills should be handled online, direct deposit, etc. And I shouldn't have to say this but never use your real name online and refrain from all social media unless you can participate anonymously. I go as far as using a VPN and Private browsing as a minimum/baseline. At Thanks Giving, I would duck and hide every time someone took a photo so my face wouldn't end up on FB or other social media. My goal is to one day disappear from having any online presence or a minuscule foot print, no email, dumb phone, services, etc.


I generate random passwords and use my browser’s password manager cause I didn’t like the way other password managers integrated with my browser. I just keep the passwords I need manually in sync between devices. I have a Yubikey for for some really important accounts and I’ve thought up a way to generate unique passwords that I have to remember (like work passwords) that aren’t just upping the number at the end by 1 like “pepperoni4” to “pepperoni5”. If I can pick an alternative to phone-based 2FA, I’ll do it, otherwise I’ll just roll with the phone-based stuff cause it’s way better than nothing.

I have a fake life that I made up like a different grandfather, first car, or first job, and I add a number between -10 and 10 to every digit of my birthday to get a new one for signing up for password recovery.

I block 3rd party cookies and delete other cookies weekly. I have an ad blocker and I don’t use the default DNS from my ISP, and I keep things updated for my modem and router. I don’t hit up sketchy sites so I don’t feel like I need a JavaScript blocker. Most of the crap I’ve seen has been through malicious ads. I use a container for Google.

I went through the tedious process of having my info deleted from the biggest data brokers and wiped out from some online databases. They pop up again now and again but usually an email takes care of it. I had my identity stolen in the past so I just cite that reason.

I don’t give out my SSN except to banks, employers, and the government. I use my passport if someone needs to establish my citizenship. Utilities are the most pushy but if you give them like a $50 deposit or set up autopay they’ll skip that part. Again, saying I’m the victim of identity theft goes a long way. I set up accounts with Social Security and I have an IRS pin so no one beats me to it.

I have 7 year fraud alerts and froze my credit for the three bureaus, and I do free credit monitoring (useful before I froze my credit). I did the same for Chex, Innovis, LexisNexis and NCTUE. I froze my info from the Work Number. I asked my bank for additional security measures and they happily obliged. I use my AmEx for near everything online and contactless payment for paying at gas stations or if I’m worried about skimmers. I never use my debit card for anything except to get cash out of the ATM and I have a daily limit set up.


Since there are probably young people reading this, or parents of young people (teach them this): Do not give out you SSN to anyone except the government, and try every possible way to avoid giving it out to anyone else.

Paper forms ask for it all the time, leave it blank. In fact, leave as much blank on any form as possible (I have never been asked for info that I've left blank).

Cell phone companies and utility providers ask for it, instead offer to pay a deposit or go post-paid.

I haven't tried this before, but my understanding is that U.S. law requires banks to have a unique personal identifier number for its customers. Banks default to SSNs, but the law does not specify it has to be a SSN. Try to create an account in-person and use a Driver License number.

If I have any incorrect understandings, please reply with your knowledge; or if you have any further ideas, please reply with your advice. Thank you.

Edit: removed idea about not getting a SSN for kids. Sounds like way more hassle than any potential benefit.


Reddit has a bunch of posts by 19 year olds asking for help sorting out their lives because they don't have a social security number and the government basically doesn't know they exist

https://www.reddit.com/r/legaladvice/comments/578jm8/19m_hom...

It's really sad. Get your kid an SSN. If you really want to be safe, don't announce their birth on facebook until like 6 weeks afterwards and ask family not to post birthday pictures until way later


I used to have a housemate who is one year older than me and still doesn't have an SSN. He got away with avoiding it because he wanted to be off the grid but he's only had one job his entire life— working for his Dad's business. But it's a really bad idea and if anything ever happens to that business he's going to be in for a lot of serious problems.


Interesting, thank you for sharing. I've also removed that part from my original comment.


I didn't have a choice w my 3 kids. In fact I was forced to give my second child a name (we waited a couple of weeks deciding on a name) otherwise the name was going to be "Baby" in the birth certificate. We received SSN cards which laughably they had to sign. Interesting since I didn't get a SSN until I was a teenager.


Not really relevant to the topic at hand, but interestingly the UK doesn't really have any national ID number valid for both children and adults. The only one is the NHS Number but that's not used outside of a medical setting.

Additionally my birth certificate isn't digitised. It was handwritten with a fountain pen by the local register office. For most intents and purposes, the central government didn't know I existed until I hit 16 and signed up for a National Insurance number.


It is vastly easier to apply for the SSN at the hospital at time of birth. If you don't, there are many non-trivial hurdles to jump through later[0]:

At a Social Security office: If you wait to apply for your child’s number, you must: • Complete an application for a Social Security card; and • Show us original documents proving your child’s: — U.S. citizenship; — Age; and — Identity. • Show us documents proving your identity and your relationship to the child.

[0] https://www.ssa.gov/pubs/EN-05-10023.pdf


Sounds like that's pretty easy, except you have to do it instead of the hospital doing it. Sounds like they just need a birth certificate.

Anyway, I removed that part of my comment because I am not fully knowledgeable about that, and don't want spread any false information, and it probably won't help with security that much.


Skipping setting up a SSN for your child seems like it’s going to set them up for major headaches once they’re older.


Edited my original comment to remove it. I do not have enough info to give adivice. Sorry.


No, if someone is eligible for an SSN, they are not eligible for an ITIN.


> I found out that someone opened a bank account in my name...... but I am not receiving any help from the bank.

Interesting.

Assuming this is to take out loans in your name, it is the bank who are being defrauded, not you. Registered snail-mail to the banks fraud/legal team reiterating this often works wonders.

I say snail mail as it gives you a legal trail, goes directly to the department responsible and (at least in this part of the world) gives very cheap next day delivery. This is much easier and less stressful than being kept on hold indefinitely, only to speak to a clueless fuckwit in a call centre.


They should start by filing a police report for identity theft, and emailing things to customer service or faxing can give a faster and better paper trail


I agree with you in principle, however calling it "identity theft" is to be discouraged.

Assuming this is to take out fraudulent loans, the 'theft' is occurring from the bank, not OP. Calling this "identity theft" is an attempt to put the onus of blame on OP for the failure of corporations to protect personal information and combat fraud. My point is that OP needs to strongly push back against this.

This is for the bank to fix, and OP should put a legal claim into the bank (aka bill them!) both for their time and any financial losses they suffer due to the banks negligence.

Regards email vs snail mail; a recipient cannot claim registered snail mail was not received, unlike the case with email. This is a reason legal departments use registered snail mail :-)


You're right, I missed when you said registered snail mail, I didn't see that (I need new glasses, it's getting too hard to read) and I thought you just meant normal mail.

Second point: this absolutely is identity theft and that isn't a strike against op at all. Someone impersonated op to open an account. You're correct that the bank is liable for the fraud, but op is still the victim of a crime and has to jump through hoops to fix it. And the bank isn't going to pay a dime to op. For all we know, someone submitted a really good fake driver's license (or a copy of the real one) and SS card and opened the account.

I'm not blaming op at all—I had my identity stolen twice and the most you can blame me for is not putting fraud alerts on my credit reports, including one I didn't even know about—but the balls in their court to fix this


Thanks for your input.

Did you put in a claim to the bank for your losses (your time sorting this out and quantifiable financial loss)? This would be a simple thing to do in the UK [1] as the bank was clearly at fault not you, no matter how convincing the fake ID was.

[1] You can fill out this online government form in a few minutes to take them to small claims for a small fee (which you add to your claim) https://www.gov.uk/make-money-claim


I wish I could put in a claim but I'm in the US :|

My identity theft didn't (directly) involve a bank. It was a major retailer where someone opened and maxed out a credit card in my name, a cell phone company where they opened up a new family plan and made off with 4 unlocked iphones, and (later) the Small Business Administration where someone applied for a covid relief loan that got approved for about $100k. Luckily, my credit monitoring instantly caught it and I was able to call and stop dispersal

All-in-all I was out a few hours of my time and the cost to make copies and send faxes


Freeze children’s SSN with all 3 credit reporting agencies. Open irs.gov, social security, and other government accounts before someone else can. I use Strongbox with Keepass databases to keep track of it all stored in iCloud so spouse can access TOTP it for shared items.

Use content blocker (I use Wipr) in Safari, and ublock origin Firefox/chrome. And then don’t download or install random software. Check your credit report every year at each credit reporting agency every 4 months by going to annualcreditreport.com


There's a fourth credit agency now that it's recommended to put a freeze on, but I don't remember the name off the top of my head.


You're probably thinking either Innovis or NCTUE (which does utilities and telecom stuff). Innovis makes it real easy to freeze or put a fraud alert on your report with them


Innovis?


Bitwarden, Adguard-Home/NextDNS, UBlock Origin, Privacy Badger, Disable Flash, LocalCDN(Replacing Decentraleyes), Selfthosted Paperless-ng and Nextcloud instances for storage and documents with seperate accounts for each family member secured behind authelia with 2FA. Docker-Mail-Server instance with catchall emails for each family member. Enabled 2FA for every sensitive account. Private Selfthosted Wireguard tunnel to access local network services publically (behind a CGNAT network). Non technical family members have been instructed to never use real names while signing up for trivial services online. Guacamole to provide remote assistance when required.


>LocalCDN(Replacing Decentraleyes),

I am sure this isn't the first time the idea has popped up.

Should LocalCDN be a built-in feature in Browser?


Ideally, going by the cancerous nature of the internet in 2021, web browsers should ship with ublock origin, automatic https upgrades, an usable js-blocking toggle and LocalCDN-esque features out of the box. Chrome would never do something like that but maybe firefox could. Improves privacy and usability overall.


1. Duckduckgo search engine, privacy

2. Noscript, ublock, privacybradger, vpn ad network

3. No Google, facebook for kids

4. Limited youtube

5. Privacy dns settings, dnsdec over tls

6. Encrypted backups

7. Password manager

8. Paranoid security auto updates


I don't do anything specifically to protect myself online. What I have done is to move to a country where opening an account in someone else's name is really quite difficult. Of course I didn't move with this in mind. Identity theft/fraud seems less frequent here in Norway than in at least the US and UK.

This leads me to believe that in the long run it is regulation and the provision of good ways of verifying identity that are the only real solution.


I understand that politicians don’t necessarily look out for the best interest of their constituents over that of powerful lobbies, like big finance. But if it were legislatively possible, would there be any down sides to society as a whole to flipping the script? Meaning make banks the ones responsible for opening an account without doing due diligence? Make credit reporting companies the ones responsible for essential libeling someone for fraudulent credit report entries… I can’t think of any, banks would have to pay to do due diligence but most businesses should have to.


names are not unique.

i can probably find at least half a dozen people sharing the same first and last name as me.

how does someone opening a bank account with the same name as you enable them to affect you?

if it does, then there is a system that is seriously broken.


I'm assuming they used ops SSN. They may have been trying to write bad checks or launder money through the account


- Bitwarden - Privacy.com - Fastmail - kDrive - 2-factor on all services


Using https://qubes-os.org as a daily driver. Browsing Internet in disposable VMs. Storing passwords in offline VMs.


1) family have had it drummed into them to never click links in emails or open attachments unless it's something they explicitly requested moments before

2) no Windows


Pi-hole as primary DNS, 9.9.9.9 as secondary DNS. All browsers with plugins uBlock, Unhook, Privacy Badger, Decentraleyes. No google services on any device, preferred open source SW. No banking apps on smartphones, all card payments need to be verified by code from SMS and PIN. Pay by cash everywhere it is possible.


It's there a point to using pihole of you have a secondary DNS. Your device will just do a round robin request and could end up with DNS records you want filtered?


Pi-hole require upstream DNS Servers to be set.


I always thought using apps (especially on ios) is more secure than browser. Why do you not use them?


Replaced my parents PCs running windows, with Linux Mint (they are very happy).

PI-hole at home for the "smart" Tv. Ofc linux and firefox (w/ublock and containers).

I'm more worries of protecting against tracking/spying than freud


> I found out that someone opened a bank account in my name

How did you find out that?


No Windows based computers. As for identity theft, it happens as well here in Europe, but not as often because there is a pretty strict KYC requirement for banks.


I don't understand why you single out Windows. iPhones seem to get owned by iMessage exploits regularly, every Android patch seems to include critical fixes to the media framework (if those patches even reach your device), macOS has had its fair share of exploits and viruses, and Linux is just not interesting enough at the moment.


Majority of malware (intended for average users) still primarily targets Windows, so there is just less chance you will ever encounter it on other platforms. It just makes sense to target 95% of people, and not care that much about the rest.

Most if not all vulnerabilities on up-to-date iOS/Android are used for targeted attacks (people with power, journalists, etc.) and not to reach regular people.

AFAIK most malware is still delivered when users install some software, so it would be nice if Windows would become a bit more locked down by default, and only allow installing from approved stores (i.e. Microsoft Store, Steam, and similar.)


disclaimer: i'm a co-founder. https://joindeleteme.com/ we consistently find in our DeleteMe searches fairly "rich" profile info sold by data brokers and SEO'd on Google not just on our customers themselves but also their family. This often includes: spouse full name and age (and obviously relationship) and, more disturbingly, children's names and ages. We try to remove all this via opt-outs. The implications of such full family profile data being easily available by simple Google searches and for sale "cheap" at data brokers are not imhop awesome. Lastly, leaving privacy aside, from a security perspective, do NOT use children/family members names and years of births in ANY passwords.


Freeze your credit report with the 3 main companies.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: