First I “locked” my phone number, disabling transfers (although I suspect this is vulnerable to social engineering attacks).
I have also frozen my credit with the three credit bureaus (the attacker also opened a new line of credit in my name).
I am also closing the bank account that was compromised. They aren’t giving me any info but I suspect the attacker got my debit card via social engineering. It was a new account and I hadn’t even received my debit card yet.
I have a subscription to a credit monitoring service as well which has proven its worth in this situation.
Otherwise, honestly, I am not sure what to do. It sucks to know this person has my name, social, phone, and other info. I basically plan to keep my credit frozen indefinitely. I am also disabling text-based 2FA for me and my wife wherever possible.
You need to give your SSN to so many people over your lifetime and you’re essentially trusting that all of them will be trustworthy and secure with it.
This could be easily solved with public key cryptography, but it would also confuse so many people it would be hard to implement.
If there’s an upside to the crypto craze, maybe it’s teaching people about cryptography basics.
If this were being used for SSNs, you'd have a central authority to restore access. If you lose your passport, they can issue you another one and mark the old one as lost/stolen. You can do the same thing for key pairs.
The main problem it solves is giving a sketchy client your SSN on your I9 without allowing them to use it/leak it to scam groups to spin up a credit card on your behalf.
The main problem with the “key escrow” scenario is that the government can access your private key, so this solution is still not meaningfully secure. What do you think is more likely: that this new institution will be magically invulnerable? Or perhaps you will have just created an irresistibly valuable target for social engineers and hackers that inevitably will fall?
Good news. A good chunk of the world already uses crypto for identification. My eID card is just that, I can auth with a chip and PIN. This is normal in a lot of the EU.
I don’t want my identity to be linked to many of those accounts. So I’ll take a YubiKey. Second, I’m glad I don’t live in a country where I’m required to carry ID.
I’ve “locked” my number and it requires a transfer PIN. I hope Verizon’s systems won’t allow a transfer without that PIN even with a malicious employee, however I wouldn’t be surprised if they are able to override it.
Apparently my attacker had a fake ID with my name and their photo. It’s possible a store employee could override the transfer lock if they are sufficiently convinced it’s really me.
I've heard many cases of transfer locks being broken. From what I understand, it is even possible to simjack at a higher level than the individual telco.
Thus, I don't even bother with stuff like this; the only solution in my eyes is to not rely on SMS 2FA, and if you absolutely have to, at least use a GV number. While GV isn't totally secure either, at least it is disconnected a tiny bit from my cell number and doesn't have humans backing it (we all know that Google never answers the support phone).