by doctoboggan 1370 days ago
First I “locked” my phone number disabling transfers (although I suspect this is vulnerable to social engineering attacks).

I have also frozen my credit with the three credit bureaus (the attacker also opened a new line of credit in my name).

I am also closing the bank account that was compromised. They aren’t giving me any info but I suspect the attacker got my debit card via social engineering. It was a new account and I hadn’t even received my debit card yet.

I have a subscription to a credit monitoring service as well which has proven its worth in this situation.

Otherwise honestly I am not sure what to do. It sucks to know this person has my name, social, phone, and other info. I basically plan to keep my credit frozen indefinitely. I am also disabling text-based 2FA for me and my wife wherever possible.


You need to give your SSN to so many people over your lifetime and you’re essentially trusting that all of them will be trustworthy and secure with it.

This could be easily solved with public key cryptography, but it would also confuse so many people it would be hard to implement.

If there’s an upside to the crypto craze, maybe it’s teaching people about cryptography basics.

We will literally never teach the whole world to use current crypto tech safely. It needs better UI.

At the root of the problem, people will forget passwords and lose physical tokens and will need some other way to restore access.

If this were being used for SSNs, you'd have a central authority to restore access. If you lose your passport, they can issue you another one and mark the old one as lost/stolen. You can do the same thing for key pairs.

The main problem it solves is giving a sketchy client your SSN on your I-9 without allowing them to use it/leak it to scam groups to spin up a credit card on your behalf.
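As an added example (not from any commenter in this thread), here is the key-pair-plus-registrar scheme the last few comments sketch, in Go: the holder proves possession of a private key by signing a fresh challenge, the relying party only ever handles the public key, and the authority can cancel a lost key and issue a new one. `Authority`, `Enroll`, `Revoke` and the identifier `citizen-001` are constructed names for illustration, not any real system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authority is the hypothetical central registrar the thread proposes: it records
// which public key currently belongs to whom and can cancel a lost or stolen one.
type Authority struct{ keys map[string]ed25519.PublicKey }

func NewAuthority() *Authority { return &Authority{keys: map[string]ed25519.PublicKey{}} }

// Enroll issues a fresh key pair for id. Only the returned private key is secret;
// the authority and every relying party only ever see the public half.
func (a *Authority) Enroll(id string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[id] = pub
	return priv
}

// Revoke cancels a lost or stolen key, like a passport office voiding a passport.
func (a *Authority) Revoke(id string) { delete(a.keys, id) }

// NewChallenge returns a fresh random nonce, so a response captured by one
// verifier cannot be replayed to another.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Respond is what the holder's chip, phone or hardware token does.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Verify is all a relying party needs; knowing id plus the public key cannot pass it.
func (a *Authority) Verify(id string, challenge, sig []byte) bool {
	pub, ok := a.keys[id]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}
```

Contrast with an SSN: the "record" a relying party stores here (an identifier and a public key) is exactly what a thief would steal from a breached client, and it is not enough to answer the next challenge.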

The main problem with the “key escrow” scenario is that the government can access your private key, so this solution is still not meaningfully secure. What do you think is more likely: that this new institution will be magically invulnerable? Or perhaps you will have just created an irresistibly valuable target for social engineers and hackers that inevitably will fall?
Not magically invulnerable, just a lot less vulnerable than a plaintext 9-digit number that you hand out to hundreds of people over your lifetime.
Good news. A good chunk of the world already uses crypto for identification. My eID card is just that, I can auth with a chip and PIN. This is normal in a lot of the EU.
I don’t want my identity to be linked to many of those accounts. So I’ll take a YubiKey. Second, I’m glad I don’t live in a country where I’m required to carry ID.
Just because a country has IDs doesn't mean you have to carry it all the time. Where I'm from (Germany) you don't have to.
You don’t have to but in situations where you are unable or unwilling to show your ID and a peace officer wants to check your identity, they’re entitled to take you to the precinct.