HACKER Q&A
📣 akudha

What steps do you take to protect yourself and your family online?


This week, I found out that someone opened a bank account in my name. I was able to block the account, but I am not receiving any help from the bank. They don't even have a phone number to let me talk to someone. Everything is done via email :(

What steps can I take to protect myself online? By now, it is safe to assume that my SSN, address, employment info are in multiple databases somewhere. Given this scenario, any advice?


  👤 jszymborski Accepted Answer ✓
Sorry to hear it.

# Here are some of the things that I've done. Here's to hoping it's effective.

1) Everyone uses Bitwarden[0] to store their passwords. We have an Organisation account which makes sharing passwords easy. I check master passwords against HaveIBeenPwned, and ask they use the generated Bitwarden passwords for their accounts.

2) The least tech-savvy amongst my family either get Chromebooks (which I despise because Google), or they get a Windows machine that I lock down pretty hard [1]. The lock-down may look draconian to power users, but they've yet to mention they can't do something they want to.

3) It's listed in the link in (2), but I make sure everyone runs uBlock Origin. It's far more useful than an antivirus.

4) I have a few catch-all emails I encourage my family to use for subscriptions. When asked for an email, use [website name]@[family member code].[domain].[tld]. That way, unless spear-phished, you're likely to know the true provenance of an email.

5) We have a NAS that is 3-2-1 backed up, and encourage everyone to keep sensitive information there. Hopefully this is enough to avoid cryptolockers extorting us.

# Things I want to do

6) It would be better if we used one of those self-hosted random email generators to prevent maliciously constructed email domains at our catch-all instilling false confidence.

7) I'd like to install PiHole [2].

8) I have a Twilio number that goes straight to voice mail and sends me the audio files and forwards SMS. I'd like to create these for my family (maybe using extension numbers?) so they can use them on forms.

[0] https://bitwarden.com/

[1] https://noteaureus.org/post/tutorials/sysadmin/win4unsavvy/

[2] https://pi-hole.net/
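The "check master passwords against HaveIBeenPwned" step in (1) is worth seeing in code, because the safe way to do it is the k-anonymity range query: only the first five hex characters of the password's SHA-1 are sent, and the comparison happens locally. The following is an added example, not code from the post or from Bitwarden. It uses the real Pwned Passwords range endpoint and the real `Add-Padding` header, but the embedded range response is a constructed sample with a made-up breach count so the logic runs offline; the `range_fetcher` parameter is my own injection point, not anything HIBP provides.

```python
import hashlib
import urllib.request

# Pwned Passwords k-anonymity range endpoint (real HIBP API). Only the
# first five hex characters of the SHA-1 ever leave the machine.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix "5BAA6", which is the
# prefix of SHA-1("password"). Real responses hold several hundred
# "SUFFIX:COUNT" lines; the counts below are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD760:0
"""


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple:
    """Split a 40-char hex digest into the 5-char prefix that is sent to the
    API and the 35-char suffix that is only ever compared locally."""
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means not found. Padding
    entries (count 0) added when Add-Padding is set never match a real
    breach count, so they are harmless here."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Add-Padding asks the API to pad the
    response so its size does not reveal which prefix bucket was queried."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "family-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_fetcher=fetch_range) -> int:
    """How many times the password appears in Pwned Passwords.
    range_fetcher is injectable so the logic can be exercised offline."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return count_in_range(suffix, range_fetcher(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample above.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    print(pwned_count("password", offline))
    print(pwned_count("correct horse battery staple x", offline))
```

A non-zero count is the signal to reject the master password outright rather than merely warn: a master password that is in any breach corpus is in every cracking wordlist. The full password is never hashed on anyone else's machine, and with padding on, the response length does not leak which bucket was asked for.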


👤 auslegung
For your specific issue, you can do a credit freeze (or whatever it’s called). These have pros and cons, and there are different levels of freezes (all called different things iirc). Research them and use them if it makes sense.

Sign up for regular credit score reports. I get a monthly email from one of the credit score companies, plus immediate emails if my credit gets checked.

I use 1password and Fastmail with my own domain, and privacy.com. With those three (and their integrations) I can easily create unique debit cards, unique email addresses, and unique passwords each time I register for another site/service. This doesn’t help your specific issue but it helps with a lot of things.

Use NextDNS on your router and devices and set it up to use dns-over-https. Block ads etc.

Links to above mentioned sites which may benefit me and/or you:

- https://nextdns.io/?from=k6bqh5rg

- https://ref.fm/u26310488 (fastmail)

- https://privacy.com/join/JCPFN


👤 rsync
There is really no reason to use your real name and address for anything online - perhaps only airline tickets and government agencies (eftps, ftb.ca.gov, etc.).

Remember: Visa/MC cannot verify cardholder name. They pretend that they can and merchants believe that they can but there is no mechanism to do so.[1] If the numbers match up, you can use "Mickey Mouse".

No online retailer/merchant/provider has ever seen our real name (or real address). We created a pseudonym and attached it to a PO BOX in our town and a twilio phone number.

This doesn't solve every problem but it does solve the simple issues of identity theft and impersonation or (very low level) attackers correlating our activity to other activities.

YMMV. IANAL.

[1] There is some weird "verified by visa" thing that does attempt to confirm identity but I've only seen it once in the last 12 years ...


👤 _huayra_
https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-Li...

It's a pain to do, but it really helps to opt out of data broker lists. I have a reminder to do this once per year, and only the "diff" of my life updates show up (e.g. address reappears because I moved, changed voter registration as a result, etc).

There are also services you can pay to do this, but they are usually priced extremely high or are straight up scams (i.e. they'll take your PII and then scam you with it).

It's better to just do it yourself so you know there's no middlemen to be forced to trust.


👤 traceroute66
It's a tough question to answer, with so many "ifs" and "maybes". There have already been some good suggestions here which I won't repeat.

But one I would suggest is minimising the number of places with your "real" information, i.e. if "real" information is not required by law (e.g. financial services, health services, insurance, billing etc.), then train yourselves to use pseudo information.

For example, if a website asks for your date of birth. Ask yourself, is it required by law or is it just for user profiling. If the latter, then just invent a date of birth (and if the date of birth may be required for password recovery, make a note of it in your password manager).

The same goes for your "real" name. Do you need to give them your real name as shown on your government ID? Or can you give an abbreviation or even a pseudonym?

The same goes for answers to "security questions", just invent stuff, don't give the "true" answer.

You can take all the technical countermeasures you like, but sometimes it's easier to KISS ... if a service doesn't need your details, don't give it to them in the first place.


👤 starwind
I generate random passwords and use my browser’s password manager cause I didn’t like the way other password managers integrated with my browser. I just keep the passwords I need manually in sync between devices. I have a Yubikey for some really important accounts and I’ve thought up a way to generate unique passwords that I have to remember (like work passwords) that aren’t just upping the number at the end by 1 like “pepperoni4” to “pepperoni5”. If I can pick an alternative to phone-based 2FA, I’ll do it, otherwise I’ll just roll with the phone-based stuff cause it’s way better than nothing.

I have a fake life that I made up like a different grandfather, first car, or first job, and I add a number between -10 and 10 to every digit of my birthday to get a new one for signing up for password recovery.

I block 3rd party cookies and delete other cookies weekly. I have an ad blocker and I don’t use the default DNS from my ISP, and I keep things updated for my modem and router. I don’t hit up sketchy sites so I don’t feel like I need a JavaScript blocker. Most of the crap I’ve seen has been through malicious ads. I use a container for Google.

I went through the tedious process of having my info deleted from the biggest data brokers and wiped out from some online databases. They pop up again now and again but usually an email takes care of it. I had my identity stolen in the past so I just cite that reason.

I don’t give out my SSN except to banks, employers, and the government. I use my passport if someone needs to establish my citizenship. Utilities are the most pushy but if you give them like a $50 deposit or set up autopay they’ll skip that part. Again, saying I’m the victim of identity theft goes a long way. I set up accounts with Social Security and I have an IRS pin so no one beats me to it.

I have 7 year fraud alerts and froze my credit for the three bureaus, and I do free credit monitoring (useful before I froze my credit). I did the same for Chex, Innovis, LexisNexis and NCTUE. I froze my info from the Work Number. I asked my bank for additional security measures and they happily obliged. I use my AmEx for near everything online and contactless payment for paying at gas stations or if I’m worried about skimmers. I never use my debit card for anything except to get cash out of the ATM and I have a daily limit set up.


👤 hourislate
I'm assuming you're in the USA.

The most important thing you can do to prevent things like bank accounts, credit cards, etc. being opened in your name is to lock your credit history. Without access, no one can open up any kind of account. You might also want to lock down your SS account.

Here are some links to get you started.

https://www.consumer.ftc.gov/topics/identity-theft

https://www.consumer.ftc.gov/articles/what-know-about-credit...

https://www.consumer.ftc.gov/articles/how-stop-junk-mail


👤 MerelyMortal
Since there are probably young people reading this, or parents of young people (teach them this): Do not give out your SSN to anyone except the government, and try every possible way to avoid giving it out to anyone else.

Paper forms ask for it all the time, leave it blank. In fact, leave as much blank on any form as possible (I have never been asked for info that I've left blank).

Cell phone companies and utility providers ask for it, instead offer to pay a deposit or go post-paid.

I haven't tried this before, but my understanding is that U.S. law requires banks to have a unique personal identifier number for its customers. Banks default to SSNs, but the law does not specify it has to be a SSN. Try to create an account in-person and use a Driver License number.

If I have any incorrect understandings, please reply with your knowledge; or if you have any further ideas, please reply with your advice. Thank you.

Edit: removed idea about not getting a SSN for kids. Sounds like way more hassle than any potential benefit.


👤 GoodbyeMrChips
> I found out that someone opened a bank account in my name...... but I am not receiving any help from the bank.

Interesting.

Assuming this is to take out loans in your name, it is the bank who are being defrauded, not you. Registered snail-mail to the bank's fraud/legal team reiterating this often works wonders.

I say snail mail as it gives you a legal trail, goes directly to the department responsible and (at least in this part of the world) gives very cheap next day delivery. This is much easier and less stressful than being kept on hold indefinitely, only to speak to a clueless fuckwit in a call centre.


👤 lotsofpulp
Freeze children’s SSN with all 3 credit reporting agencies. Open irs.gov, social security, and other government accounts before someone else can. I use Strongbox with Keepass databases to keep track of it all, stored in iCloud so my spouse can access TOTP for shared items.

Use a content blocker (I use Wipr) in Safari, and uBlock Origin in Firefox/Chrome. And then don’t download or install random software. Check your credit report every year at each credit reporting agency, one every 4 months, by going to annualcreditreport.com.


👤 rohithkp
Bitwarden, AdGuard Home/NextDNS, uBlock Origin, Privacy Badger, Disable Flash, LocalCDN (replacing Decentraleyes), self-hosted Paperless-ng and Nextcloud instances for storage and documents with separate accounts for each family member secured behind Authelia with 2FA. Docker-Mail-Server instance with catch-all emails for each family member. Enabled 2FA for every sensitive account. Private self-hosted WireGuard tunnel to access local network services publicly (behind a CGNAT network). Non-technical family members have been instructed to never use real names while signing up for trivial services online. Guacamole to provide remote assistance when required.
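Both jszymborski's catch-all scheme ([site]@[member].[domain].[tld]) and the catch-all mailboxes in the post above share one weakness that jszymborski's own wish-list calls out: because the pattern is guessable, anyone can send to `bank@alice.example.com` and the address itself then gives false confidence about where the message came from. The following is an added example, not code from either post or from any mail server: it keeps the per-site alias but appends a short HMAC tag computed from a family secret, so the catch-all still accepts everything while a verification step can tell an alias the family actually issued from a guessed or forged one. The domain `example.com`, the fixed secret, the tag length and the sample inbound messages are all constructed for the example.

```python
import hashlib
import hmac
import re

# Assumed family domain; the posts describe [site]@[member].[domain].[tld].
ALIAS_DOMAIN = "example.com"
TAG_LEN = 8  # hex chars of HMAC kept in the address (32 bits is enough to stop guessing)

# Per-family secret. In practice generate it with secrets.token_bytes(32) and
# keep it in the password manager; it is fixed here so the example is reproducible.
SECRET = b"constructed-example-secret-change-me"


def _tag(site: str, member: str, secret: bytes) -> str:
    """HMAC-SHA256 over member:site, truncated to TAG_LEN hex characters."""
    msg = f"{member}:{site}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(site: str, member: str, secret: bytes = SECRET) -> str:
    """Issue an address such as bank-3f9a2c1d@alice.example.com for one site.
    Site names are restricted to [a-z0-9.] so the single hyphen before the
    tag is unambiguous when parsing."""
    site = re.sub(r"[^a-z0-9.]", "", site.lower().strip())
    member = re.sub(r"[^a-z0-9]", "", member.lower().strip())
    return f"{site}-{_tag(site, member, secret)}@{member}.{ALIAS_DOMAIN}"


_ALIAS_RE = re.compile(
    r"^(?P<site>[a-z0-9.]+)-(?P<tag>[0-9a-f]{%d})@(?P<member>[a-z0-9]+)\.(?P<domain>.+)$"
    % TAG_LEN
)


def verify_alias(address: str, secret: bytes = SECRET):
    """Return (site, member) if the address carries a valid tag, else None.
    Old-style guessable aliases (bank@alice.example.com) and addresses with a
    forged tag both fail here even though the catch-all delivered them."""
    m = _ALIAS_RE.match(address.strip().lower())
    if m is None or m["domain"] != ALIAS_DOMAIN:
        return None
    expected = _tag(m["site"], m["member"], secret)
    if not hmac.compare_digest(expected, m["tag"]):
        return None
    return m["site"], m["member"]


# Constructed inbound messages (recipient address, From header) for the demo.
SAMPLE_INBOUND = [
    (make_alias("bank", "alice"), "alerts@bank.example"),
    ("bank@alice.example.com", "security@bank-login.example"),           # guessed old-style alias
    ("bank-00000000@alice.example.com", "security@bank-login.example"),  # forged tag
]


def triage(messages, secret: bytes = SECRET):
    """Label each message with the site its alias was issued to, or 'reject'
    when the alias cannot be verified. A mail filter would act on the label."""
    out = []
    for rcpt, sender in messages:
        v = verify_alias(rcpt, secret)
        out.append((rcpt, sender, f"issued-to:{v[0]}" if v else "reject"))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_INBOUND):
        print(row)
```

The provenance claim this buys is "we really handed this exact address to that site", which is what the catch-all scheme was trying to give in the first place; it does not stop the site itself from leaking or selling the alias, so a verified alias receiving spam still tells you exactly who leaked it, and the tag means only that one alias needs to be retired.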

👤 acd
1. Duckduckgo search engine, privacy

2. NoScript, uBlock, Privacy Badger, VPN ad network

3. No Google, facebook for kids

4. Limited youtube

5. Privacy DNS settings, dnsdec over TLS

6. Encrypted backups

7. Password manager

8. Paranoid security auto updates


👤 bigmattystyles
I understand that politicians don’t necessarily look out for the best interest of their constituents over that of powerful lobbies, like big finance. But if it were legislatively possible, would there be any downsides to society as a whole to flipping the script? Meaning make banks the ones responsible for opening an account without doing due diligence? Make credit reporting companies the ones responsible for essentially libeling someone for fraudulent credit report entries… I can’t think of any; banks would have to pay to do due diligence, but most businesses should have to.

👤 em-bee
names are not unique.

i can probably find at least half a dozen people sharing the same first and last name as me.

how does someone opening a bank account with the same name as you enable them to affect you?

if it does, then there is a system that is seriously broken.


👤 replwoacause
- Bitwarden
- Privacy.com
- Fastmail
- kDrive
- 2-factor on all services

👤 fsflover
Using https://qubes-os.org as a daily driver. Browsing Internet in disposable VMs. Storing passwords in offline VMs.

👤 kwhitefoot
I don't do anything specifically to protect myself online. What I have done is to move to a country where opening an account in someone else's name is really quite difficult. Of course I didn't move with this in mind. Identity theft/fraud seems less frequent here in Norway than in at least the US and UK.

This leads me to believe that in the long run it is regulation and the provision of good ways of verifying identity that are the only real solution.


👤 blibble
1) family have had it drummed into them to never click links in emails or open attachments unless it's something they explicitly requested moments before

2) no Windows


👤 t0bia_s
Pi-hole as primary DNS, 9.9.9.9 as secondary DNS. All browsers with plugins uBlock, Unhook, Privacy Badger, Decentraleyes. No google services on any device, preferred open source SW. No banking apps on smartphones, all card payments need to be verified by code from SMS and PIN. Pay by cash everywhere it is possible.

👤 fractalf
Replaced my parents' PCs running Windows with Linux Mint (they are very happy).

Pi-hole at home for the "smart" TV. Of course Linux and Firefox (w/ uBlock and containers).

I'm more worried about protecting against tracking/spying than fraud.


👤 vmoore
> I found out that someone opened a bank account in my name

How did you find out that?


👤 jacquesm
No Windows based computers. As for identity theft, it happens as well here in Europe, but not as often because there is a pretty strict KYC requirement for banks.

👤 slvrspoon
disclaimer: i'm a co-founder. https://joindeleteme.com/ we consistently find in our DeleteMe searches fairly "rich" profile info sold by data brokers and SEO'd on Google not just on our customers themselves but also their family. This often includes: spouse full name and age (and obviously relationship) and, more disturbingly, children's names and ages. We try to remove all this via opt-outs. The implications of such full family profile data being easily available by simple Google searches and for sale "cheap" at data brokers are not, imho, awesome. Lastly, leaving privacy aside, from a security perspective, do NOT use children/family members' names and years of birth in ANY passwords.

👤 dudul
Freeze your credit report with the 3 main companies.