Ask HN: What steps do you take to protect yourself and your family online?
This week, I found out that someone opened a bank account in my name. I was able to block the account, but I am not receiving any help from the bank. They don't even have a phone number to let me talk to someone. Everything is done via email :(
What steps can I take, to protect myself online? By now, it is safe to assume that my SSN, address, employment info are in multiple databases somewhere. Given this scenario, any advice?
114 comments
[ 4.6 ms ] story [ 188 ms ] threadSignup for regular credit score reports. I get a monthly email from one of the credit score companies, plus immediate emails if my credit gets checked.
I use 1password and Fastmail with my own domain, and privacy.com. With those three (and their integrations) I can easily create unique debit cards, unique email addresses, and unique passwords each time I register for another site/service. This doesn’t help your specific issue but it helps with a lot of things.
Use NextDNS on your router and devices and set it up to use dns-over-https. Block ads etc.
Links to above mentioned sites which may benefit me and/or you:
- https://nextdns.io/?from=k6bqh5rg
- https://ref.fm/u26310488 (fastmail)
- https://privacy.com/join/JCPFN
Get the fraud alert on Chex, too. They're the equivalent of the credit rating agencies for bank accounts. If you don't need to switch banks soon, I'd definitely freeze that one.
https://www.chexsystems.com/web/chexsystems/consumerdebit/pa...
https://www.chexsystems.com/web/chexsystems/consumerdebit/pa...
If you have a credit card through Chase, AmEx, or CapitalOne you can get free credit monitoring where they'll email you or send you a push notification as soon as a lender does a hard-pull against either your Tranunion or Experian reports.
Have you filed a police report? I've had my identity stolen and helped some of my friends resolve identity theft issues so I speak from experience: you will get so much further if you can fax or email people copies of a police report
Hmu if you need any help resolving this.
It's a pain to do, but it really helps to opt out of data broker lists. I have a reminder to do this once per year, and only the "diff" of my life updates show up (e.g. address reappears because I moved, changed voter registration as a result, etc).
There are also services you can pay to do this, but they are usually priced extremely high or are straight up scams (i.e. they'll take your PII and then scam you with it).
It's better to just do it yourself so you know there's no middlemen to be forced to trust.
This bothered me so much that I actually started a company to solve the problem of continuous opt-out from data brokers. I think we’re priced pretty reasonably given how important this stuff is ($99/yr).
As far as trust goes, we went through YC W21 (as RoundRobin) and I’m happy to answer any questions people have. www.crowdshield.com
Here's the question: Does crowdshield pay these data-brokers some kind of "discount rate" to delete stuff?
Data-broker companies are very slimy and to be able to do this in bulk, I think, would require paying off these low-lifes or perhaps some kind of legal threat.
I am inclined to suspect that the data-brokers would merely temporarily remove names for crowdshield and then just bring them back after some time interval. That way both the data-brokers and crowdshield "get paid" over and over again. Is that how it works?
It required a frustrating ~15 minute phone call (the number is somewhere on their website) to an Indian call center where they tried to upsell me a dozen times or so. But I was polite and persistent and asked to have my name removed over and over. That was almost 2 years ago. It seems to have worked. My name doesn't show up anymore if I search on mylife and no mylife pages appear on google searches for me.
I still do get emails EVERY DAY from these MF'ers. It's just bullshit about how there's a "negative" item in my reputation and that "7 people are looking at my reputation". AFAIK, it's just automated junk, because my name doesn't come up any more on mylife.
The most important thing you can do too prevent things like Bank Accounts, Credit cards, etc opened in your name is to lock your Credit History. Without access no one can open up any kind of account. You might also want to lock down your SS Account.
Here are some links to get you started.
https://www.consumer.ftc.gov/topics/identity-theft
https://www.consumer.ftc.gov/articles/what-know-about-credit...
https://www.consumer.ftc.gov/articles/how-stop-junk-mail
But I guess an upgrade of systems will cost hundreds of millions of dollars...
Use content blocker (I use Wipr) in Safari, and ublock origin Firefox/chrome. And then don’t download or install random software. Check your credit report every year at each credit reporting agency every 4 months by going to annualcreditreport.com
Paper forms ask for it all the time, leave it blank. In fact, leave as much blank on any form as possible (I have never been asked for info that I've left blank).
Cell phone companies and utility providers ask for it, instead offer to pay a deposit or go post-paid.
I haven't tried this before, but my understanding is that U.S. law requires banks to have a unique personal identifier number for its customers. Banks default to SSNs, but the law does not specify it has to be a SSN. Try to create an account in-person and use a Driver License number.
If I have any incorrect understandings, please reply with your knowledge; or if you have any further ideas, please reply with your advice. Thank you.
Edit: removed idea about not getting a SSN for kids. Sounds like way more hassle than any potential benefit.
At a Social Security office: If you wait to apply for your child’s number, you must: • Complete an application for a Social Security card; and • Show us original documents proving your child’s: — U.S. citizenship; — Age; and — Identity. • Show us documents proving your identity and your relationship to the child.
[0] https://www.ssa.gov/pubs/EN-05-10023.pdf
Anyway, I removed that part of my comment because I am not fully knowledgeable about that, and don't want spread any false information, and it probably won't help with security that much.
https://www.reddit.com/r/legaladvice/comments/578jm8/19m_hom...
It's really sad. Get your kid an SSN. If you really want to be safe, don't announce their birth on facebook until like 6 weeks afterwards and ask family not to post birthday pictures until way later
Additionally my birth certificate isn't digitised. It was handwritten with a fountain pen by the local register office. For most intents and purposes, the central government didn't know I existed until I hit 16 and signed up for a National Insurance number.
# Here are some of the things that I've done. Here's to hoping it's effective.
1) Everyone uses Bitwarden[0] to store their passwords. We have an Organisation account which makes sharing passwords easy. I check master passwords against HaveIBeenPwned, and ask they use the generated Bitwarden passwords for their accounts.
2) The least tech-saavy amongst my family either get Chromebooks (which I despise because Google), or they get a Windows machine that I lock down pretty hard [1]. The lock-down may look draconian to power users, but they've yet to mention they can't do something they want to.
3) Its listed in the link in (2), but I make sure everyone runs uBlock Origin. It's far more useful than an antivirus.
4) I have a few catch-all emails I encourage my family to use for subscriptions. When asked for an email, use [website name]@[family member code].[domain].[tld]. That way, unless spearfished, you're likely to know the true providence of an email.
5) We have a NAS that is 3-2-1 backed-up, and encourage everyone to keep sensitive information there. Hopefully this is enough to avoid cryptolockers extorting us.
# Things I want to do
5) It would be better if we used one of those self-hosted random email generators to prevent maliciously constructed email domains at our catch-all instilling false confidence.
6) I'd like to install PiHole [2].
7) I have a Twilio number that goes straight to voice mail and sends me the audio files and forwards SMS. I'd like to create these for my family (maybe using extension numbers?) so they can use them on forms.
[0] https://bitwarden.com/
[1] https://noteaureus.org/post/tutorials/sysadmin/win4unsavvy/
[2] https://pi-hole.net/
Despite their differences, I can use Quick Assist with both. And between my Dad’s sudden turn towards becoming me in high school and my Mom’s innocent transgressions, I’ve never run into anything I couldn’t fix with it.
Worst case scenario, my Dad and I have talked about a volunteer based group of people who help other cats around his age. If your parents are on the same side of the ocean as we are, we can help in a closer timezone. My Dad is a retired police officer (you can trust him) turned nerd (you maybe shouldn’t trust him) and I’ve been drafted into the odd role of his nerd supervisor. If you’re worried about your folks, he’ll give them his phone number.
I don't have a lot of experience with remote administration, but I use Tailscale with RDP/VNC/SSH to access my own machines when I'm away from them.
I like to avoid TeamViewer/AnyDesk/etc... because the GUI makes it too easy for folk to get scammed (watching Kitboga all these years makes me want to avoid them like the plague).
I have a Synology NAS which has a Borg community package. I use BorgBase for remote backups, and have another local backup on one of the volumes in the NAS. I keep dailies for a week, monthlies for a year and three yearlies, with automatic pruning.
Once a year, I do my best to back-up my most important stuff on DVDs, but I'm not a very disciplined person. I keep them on a spindle, which is also probably bad practice.
It need not be self hosted to do this. Most email providers provide this functionality.
anything '@subdomain' gets forwarded to its respective family member's email.
this is pretty awesome setup because if you get spams from anyone, you can simply see which family member signed up for which website and which one is leaking data. the next step, if required would be to delete that account/email and be done with it. no more spam, no more going back. If you do need that email in future, recreating it would be trivial, like if you need to get back into an old account or the like
https://nextdns.io
I believe the fellow who runs NextDNS is on HN.
https://news.ycombinator.com/item?id=28251107
How?
I'm just imagining the wallet inspector from that episode of the Simpsons
I use the website directly https://haveibeenpwned.com/Passwords
Your password will be in plain text in their logs. Ridiculous.
Didn't have I been owned recently get sold to someone as well?
Sounds reasonable, Installing alternate OS on Chromebooks is also an option[1]. This is especially useful since Chromebooks are often subsidized and portable laptops capable of running Linux (or even Windows) often cost at least 2x more.
Note: Alternate OS on Chromebooks doesn't guarantee bypassing hardware level data collection if any.
> I'd like to install PiHole
Add NETDATA[1] to the same device you're installing PiHole in and set up alerts on Netdata. This way you can get an notification when there's weird activity on the network(not just silent blocking), e.g. You'll see apps from your phone, tablet calling out their analytics mama during midnight to push out data.
[1] https://mrchromebox.tech/
[2] https://learn.netdata.cloud/guides/monitor/pi-hole-raspberry...
Most if not all vulnerabilities on up-to-date iOS/Android are used for targeted attacks (people with power, journalists, etc.) and not to reach regular people.
AFAIK most malware is still delivered when users install some software, so it would be nice if Windows would become a bit more locked down by default, and only allow installing from approved stores (i.e. Microsoft Store, Steam, and similar.)
But one I would suggest is minimising the number of places with your "real" information, i.e. if "real" information is not required by law (e.g. financial services, health services, insurance, billing etc.), then train yourselves to use pseudo information.
For example, if a website asks for your date of birth. Ask yourself, is it required by law or is it just for user profiling. If the latter, then just invent a date of birth (and if the date of birth may be required for password recovery, make a note of it in your password manager).
The same goes for your "real" name. Do you need to give them your real name as shown on your government ID ? Or can you give an abbreviation or even pseudonym ?
The same goes for answers to "security questions", just invent stuff, don't give the "true" answer.
You can take all the technical countermeasures you like, but sometimes it's easier to KISS ... if a service doesn't need your details, don't give it to them in the first place.
Absolutely ! But that aspect is not just a security thing, its an anti-spam thing.
Infact I'd almost consider the security aspect a bonus, the ability to kill off email addresses if you start getting spammed is the primary benefit (for me at least!).
Invent plausible stuff. Do not use random characters or nonsensical words, because then you make it easier for a social engineer to bypass that when talking with customer service.
For example, "What was your first pet's name?"
Make up something like "Mister Bubbles", something childish that could actually be a pet's name.
Once you beef up your security, social engineering is the weak link that always remains.
My scheme is this, for any security question there is usually a primary noun you can key off of. So I just construct the following string: "fyour" + PRIMARY_NOUN. The "f" is spelled out to be the more profane form of fornicate but thought I would keep it clean for HN.
This allows me to always have an easy to remember answer to all security questions where I can satisfactorily express my complete disdain for them. I have had to say these out loud many times to CSR's and it usually gets a chuckle.
I opened YouTube, clicked on a video that requires age verification... Google told me to provide a credit card or a government ID.
F*** Google.
These days I use FreeTube: https://freetubeapp.io/
Interesting.
Assuming this is to take out loans in your name, it is the bank who are being defrauded, not you. Registered snail-mail to the banks fraud/legal team reiterating this often works wonders.
I say snail mail as it gives you a legal trail, goes directly to the department responsible and (at least in this part of the world) gives very cheap next day delivery. This is much easier and less stressful than being kept on hold indefinitely, only to speak to a clueless fuckwit in a call centre.
Assuming this is to take out fraudulent loans, the 'theft' is occurring from the bank, not OP. Calling this "identity theft" is an attempt to put the onus of blame on OP for the failure of corporations to protect personal information and combat fraud. My point is that OP needs to strongly push back against this.
This is for the bank to fix, and OP should put a legal claim into the bank (aka bill them!) both for their time and any financial losses they suffer due to the banks negligence.
Regards email vs snail mail; a recipient cannot claim registered snail mail was not received, unlike the case with email. This is a reason legal departments use registered snail mail :-)
Second point: this absolutely is identity theft and that isn't a strike against op at all. Someone impersonated op to open an account. You're correct that the bank is liable for the fraud, but op is still the victim of a crime and has to jump through hoops to fix it. And the bank isn't going to pay a dime to op. For all we know, someone submitted a really good fake driver's license (or a copy of the real one) and SS card and opened the account.
I'm not blaming op at all—I had my identity stolen twice and the most you can blame me for is not putting fraud alerts on my credit reports, including one I didn't even know about—but the balls in their court to fix this
Did you put in a claim to the bank for your losses (your time sorting this out and quantifiable financial loss)? This would be a simple thing to do in the UK [1] as the bank was clearly at fault not you, no matter how convincing the fake ID was.
[1] You can fill out this online government form in a few minutes to take them to small claims for a small fee (which you add to your claim) https://www.gov.uk/make-money-claim
My identity theft didn't (directly) involve a bank. It was a major retailer where someone opened and maxed out a credit card in my name, a cell phone company where they opened up a new family plan and made off with 4 unlocked iphones, and (later) the Small Business Administration where someone applied for a covid relief loan that got approved for about $100k. Luckily, my credit monitoring instantly caught it and I was able to call and stop dispersal
All-in-all I was out a few hours of my time and the cost to make copies and send faxes
I have a fake life that I made up like a different grandfather, first car, or first job, and I add a number between -10 and 10 to every digit of my birthday to get a new one for signing up for password recovery.
I block 3rd party cookies and delete other cookies weekly. I have an ad blocker and I don’t use the default DNS from my ISP, and I keep things updated for my modem and router. I don’t hit up sketchy sites so I don’t feel like I need a JavaScript blocker. Most of the crap I’ve seen has been through malicious ads. I use a container for Google.
I went through the tedious process of having my info deleted from the biggest data brokers and wiped out from some online databases. They pop up again now and again but usually an email takes care of it. I had my identity stolen in the past so I just cite that reason.
I don’t give out my SSN except to banks, employers, and the government. I use my passport if someone needs to establish my citizenship. Utilities are the most pushy but if you give them like a $50 deposit or set up autopay they’ll skip that part. Again, saying I’m the victim of identity theft goes a long way. I set up accounts with Social Security and I have an IRS pin so no one beats me to it.
I have 7 year fraud alerts and froze my credit for the three bureaus, and I do free credit monitoring (useful before I froze my credit). I did the same for Chex, Innovis, LexisNexis and NCTUE. I froze my info from the Work Number. I asked my bank for additional security measures and they happily obliged. I use my AmEx for near everything online and contactless payment for paying at gas stations or if I’m worried about skimmers. I never use my debit card for anything except to get cash out of the ATM and I have a daily limit set up.
2) no Windows
How did you find out that?
i can probably find at least half a dozen people sharing the same first and last name as me.
how does someone opening a bank account with the same name as you enable them to affect you?
if it does, then there is a system that is seriously broken.
Remember: Visa/MC cannot verify cardholder name. They pretend that they can and merchants believe that they can but there is no mechanism to do so.[1] If the numbers match up, you can use "Mickey Mouse".
No online retailer/merchant/provider has ever seen our real name (or real address). We created a pseudonym and attached it to a PO BOX in our town and a twilio phone number.
This doesn't solve every problem but it does solve the simple issues of identity theft and impersonation or (very low level) attackers correlating our activity to other activities.
YMMV. IANAL.
[1] There is some weird "verified by visa" thing that does attempt to confirm identity but I've only seen it once in the last 12 years ...
[1] https://www.ukfinance.org.uk/confirmation-of-payee
> wrong names are rejected
How isn't it? Unless you're saying 'there is really no reason to participate in e-commerce', which is... true I suppose...
None of my e-commerce involves bank transfers. I would decline it as a payment method. I have no idea why anyone would be doing this.
Here in Germany I linked my bank account to Amazon, PayPal, local mobility service providers, etc.
Maybe 90% of my online transactions are bank transfers, 10% are debit card transfers.
Anyway, in the UK billing name & postcode are/can be verified on card payments.
Bank transfers no basically never happen, too manual; exception being something like (Transfer)Wise - you set it up online, then transfer to their account in local currency, they transfer out of their account in another country to your intended recipient account in that local currency.
Direct Debits are a common ~'bank transfer' but recurring way of paying for utilities & subscriptions here though. Can (and these days normally would) be set up online.
Is there some way to extend this idea to physical goods delivered to your home? Occasionally something happens that requires you to go to the post office, or UPS depot, or FedEx depot to pick up your package. And they always want to see ID that matches the name on the package. Even if you have the delivery notice, it’s not enough. They still want ID.
I am sure this isn't the first time the idea has popped up.
Should LocalCDN be a built-in feature in Browser?
2. Noscript, ublock, privacybradger, vpn ad network
3. No Google, facebook for kids
4. Limited youtube
5. Privacy dns settings, dnsdec over tls
6. Encrypted backups
7. Password manager
8. Paranoid security auto updates