When Your Identity Is Gone - And There's No One To Call
~11 min read
You wake up, reach for your phone, and the first sign that something is wrong is small: a login that doesn’t work. Then another. By the time you reach your banking app, the balance reads zero, and the transfer history shows money moving to places you have never been. Your email will not open, and someone has changed the recovery number. A lender's letter congratulates you on a credit line you never opened. When finally, after several hours, you reach a human being at a bank, they ask you to prove that you are who you say you are, and you realize, horrifyingly, that you might not be able to. The information that would confirm your identity is the same information now working against you.
The instinct is to ask who did this to you, but that is the wrong question. Almost nobody with the technical capability to unmake a person's financial identity has any reason to do so to you specifically. The likelier truth is that you were never the target at all, but one record among millions in a database that was breached, and the systems meant to make you whole afterward were never built to handle you — or anyone — at that scale.
How plausible is the total unraveling of your digital financial identity, in an age of AI-accelerated fraud and looming quantum decryption? And if it happened, is there anyone whose job it is to put it back together? Conversations with a cryptographer, a standards-setter, a global bank, a fraud analyst and a victims' advocate suggest total catastrophe remains unlikely — but paint a grim picture of what happens after even a partial identity takeover.
Already a “9.9” Problem
Let's start with the good news of your personal doomsday scenario, because there is some. The catastrophic version of the scenario — every account, every record, gone at once — is, in the judgment of the people who understand the underlying cryptography best, improbable as a single event.
Bruce Schneier, the leading security technologist and Harvard Kennedy School lecturer, pushed back strongly against the scenario. Financial crime is rational, patient and incremental; the criminal who opens a fraudulent account in your name wants to string it out for as long as possible, not trigger instant discovery by erasing everything at once. The threat of something like Q-Day — when quantum computers become powerful enough to break traditional cryptographic protocols — only marginally adds to an already massive, pre-existing problem, according to Schneier.
“On the scale of one to ten, the [cybersecurity] problem is like a 9.9. When adding quantum, it's like a 9.91. So what? Who cares? It's [already] a real problem — I don't need quantum for it to be a real problem.”
Bruce Schneier - Security Technologist and Lecturer, Harvard Kennedy School
Dustin Moody, who leads the post-quantum cryptography standardization project at the U.S. National Institute of Standards and Technology (NIST), says the scenario is "not out of the realm of possibility" — but he considers an all-encompassing catastrophe as "a very low probability event."
As a leading cryptographic expert, Moody pushes back against the most common misconception that quantum computers will crack all encryption at once. The bulk of stored financial data, he explains, is protected by symmetric encryption of the AES family, which quantum machines do not meaningfully threaten. The genuine exposure sits in the public-key layer — the key exchanges that establish secure sessions — where an adversary who records encrypted traffic today might decrypt it years later: the so-called “harvest now, decrypt later” (HNDL) problem.
Source: Federal Reserve of Philadelphia, 2024
HNDL reframes the danger from an explosion into a slow leak. The most exposed material, Moody notes, is long-lived data and cryptography embedded in hardware that cannot easily be updated, like the code inside payment terminals, ATMs and other devices that stay in service for decades.
“There are so many places cryptography is used that it's really hard to discover everywhere where cryptography is being used... each one of those is going to have its own migration path and timeline… Finding all the different uses that you have, and then making sure there's a migration path to all of them… that's where I think most [institutions] are. We're not too much past that at all.”
Dustin Moody - Lead, Post-Quantum Cryptography Project, NIST
The Illusion of Progress
If the cryptographers offer qualified comfort about the far horizon, the fraud data describes a nearer and messier reality already unfolding.
In Javelin Strategy & Research's 2026 identity fraud study, “The Illusion of Progress”, researchers found traditional identity fraud losses held steady at $27.3 billion, scam losses fell 45% to just under $11 billion, and the combined victim count dropped by four million.
Source: Javelin Strategy
But Suzanne Sando, the lead fraud-management analyst who authored the report, cautions against mistaking the dip for positive trends.
“Reduced losses do not mean reduced risk. A 45% drop may look like progress, but scammers are increasingly stealing information instead of money, setting up future fraud that doesn't show up in today's loss figures.”
Suzanne Sando - Lead Analyst, Fraud Management, Javelin Strategy & Research
It is the fraud world's own harvest-now, exploit-later scheme, and its timeline is deliberately unknowable. Breached data, Sando notes, "could literally be used right after, or it could sit there for years."
In the Javelin study, the primary category of fraud that rose during the survey period was new-account fraud, rising 31%, to 5.4 million victims and $7 billion in losses in the U.S., with account takeover climbing a further 18%. These are precisely the identity crimes AI is democratizing and accelerating, allowing criminals to submit fraudulent account applications at a volume that defeats traditional identity checks through sheer scale.
“You're going to hit enough issuers that it doesn't even matter if a few applications get thrown out. It's just become this great way to industrialize fraud.”
Suzanne Sando - Lead Analyst, Fraud Management, Javelin Strategy & Research
Source: 2025 Consumer Impact Report
Systemically, the most worrying casualty is trust itself. Javelin found that 55% of consumers who received a genuine fraud alert from their bank did not act on it — unable to distinguish the real warning from the scam. Consumers are coached never to click a link or read back a one-time code, Sando notes, but then their own institutions ask them to do exactly that.
“Trust is the foundation of a good relationship between a customer and their bank, and that trust effectively doesn't really exist anymore.”
Suzanne Sando - Lead Analyst, Fraud Management, Javelin Strategy & Research
In the face of vanishing trust in basic institutional and personal identity, the sector has been building shared defenses. The Financial Services Information Sharing and Analysis Center (FS-ISAC), which connects institutions representing $100 trillion in assets across 75 countries, has evolved from informal person-to-person intelligence exchange into automated, real-time threat feeds. Commercial fraud consortiums — including Unit21’s network, which now covers over 100 million US adults across more than 100 financial institutions — propagate fraud signals instantly when a bad actor is confirmed at one member. FINRA launched its Financial Intelligence Fusion Center this year specifically to accelerate that kind of collective response. The same real-time detection these systems enable makes a clean sweep of every account less likely because suspicious activity increasingly triggers a response before the contagion spreads entirely.
But the coverage is uneven, adoption is voluntary, and — as analysts note — shared signals introduce their own vulnerability: a fraudster who maps one institution's detection logic can potentially apply that knowledge across the entire network.
A Broken System, Turbocharged
So in your quest to regain your most valuable 21st century possession — your digital identity — what does that process look like? Mona Terry is Chief Operating and Programs Officer at the Identity Theft Resource Center (ITRC), a nonprofit that guides victims through the aftermath of identity crime. By Terry's account, in the U.S., there is no single number to call, and no central authority that owns the problem. The victim becomes, in effect, "an unpaid project manager" — cataloguing the damage account by account, re-proving their identity to each institution in turn, all while, as Terry put it, their "rational brain is not online" amid their digital identity being stolen and abused.
When a criminal opens a new account in your name, the institution has no prior relationship with you to fall back on — and, increasingly, AI-driven identity checks lock the real person out before they can reach a human at all. Worse, identity thieves have learned to bolt the door behind them.
“Thieves are setting up MFA in their name. Once multi-factor authentication is set up with someone else's number or email — that's it. Game over.”
Mona Terry - Chief Operating & Programs Officer, Identity Theft Resource Center
The recovery process is where the financial system begins to break down. Because none of it is coordinated, a victim whose identity is scattered across dozens of services must fight the same battle dozens of times in parallel, with no unified mechanism to lean on. That is why digital identity recovery in the U.S. can now stretch on for months, by Javelin's and ITRC’s surveyed results.
The reality is that once your identity is compromised, it is hard to erase the contagion completely — leading to upticks in repeat identity thefts over time, according to ITRC data.
Source: 2025 Consumer Impact Report
Terry describes victims suffering worsening disillusionment over time, as trust collapses so completely that some callers to the ITRC's own helpline aren't sure who they’re speaking to.
“They just happen to find us, and they first say, 'wait, are you a real person? Are you AI?' And then second: 'I can't believe I found you, and you actually answered the phone.'”
Mona Terry - Chief Operating & Programs Officer, Identity Theft Resource Center
Terry says that account takeover is handled comparably well at the large banks, where a prior relationship gives both sides something to work with. But regarding new-account fraud — the fastest-growing category — the picture is bleak. "It's the same across the board," she said. "Victims are running into the same issues whether it's a bank or any other type of company." The burden falls back, always, on the person who was wronged.
Sando, who once wrote code for a bank, describes an industry running on ageing systems and carved into silos so rigid that fraud signals on a customer's debit card may never reach the team monitoring the same customer's credit account at the same institution. "This was already a broken system," she said. "AI is accelerating a system that's already broken." Schneier makes the identical case in blunter terms harkening to a broken regulatory system.
“The companies creating these devices are doing it as cheaply as possible, and the cost of the insecurity is borne by society, not by the company… Whenever you have that kind of collective action problem, regulation is how you fix it in a democratic society.”
Bruce Schneier - Security Technologist and Lecturer, Harvard Kennedy School
Changing The Language While Still Speaking It
One critical remedy for the problem lies in coordination, especially when it comes to staying ahead of the looming quantum decryption threat.
Jaime Gómez García, global head of Santander's Quantum Threat Program, says that the sector is "among the most advanced in terms of awareness and preparation." Santander launched its quantum security program in 2020, and since the first quarter of 2026 has extended quantum-safe protection across most of its critical websites. The bank has also learned, the hard way, that the once-standard counsel to begin with an exhaustive cryptographic inventory can become a resource-intensive exercise generating "vast amounts of information but little clarity on where to act first." Prioritizing business-critical use cases instead proved more effective.
Source: World Economic Forum
Beyond its own walls, Santander founded and chairs the Europol Quantum Safe Financial Forum, now more than 70 organizations strong, on the premise that the migration is a collective undertaking rather than a competitive one.
“Cryptography is the common language that enables trust and security in the digital world. The challenge is that we must change that language while continuing to communicate. That makes coordination critical.”
Jaime Gómez García - Global Head, Quantum Threat Program, Santander
When it comes to building out that post-quantum cryptography, institutions must rebuild the foundation while the house stays occupied, as Mondato has discussed before. Schneier, for his part, wants from the migration effort not quantum resistance, but "crypto agility" — systems designed to swap out algorithms efficiently whenever the need arises, for whatever reason.
But Moody's candid assessment is that a lot of organizations are “not too much past getting started” on post-quantum migrations, and that Q-Day may not even be announced: a government that built such a viable quantum computer, he suspects, would stay quiet about it for a while.
The Missing Safety Net
Which returns us to you waking to the zeroed accounts. The reassurance is that your total erasure, as a single catastrophic event, remains improbable — protected less by any master plan than by the very fragmentation that makes identity recovery feel utterly Sisyphean.
Victims' advocate Terry believes some kind of cross-industry alert should be implemented — a shared flag that a given identity has been compromised, so that every institution downstream applies extra scrutiny. But as the ITRC’s own 2025 report described, there is "no common definition of these crimes, no central reporting, no mandatory investigation or required information sharing of the type that is needed to develop comprehensive solutions."
Countries that have invested in unified digital public infrastructure have at least the architectural foundation for coordinated identity recovery that Terry seeks. Estonia’s e-ID system— which tells citizens which agencies have accessed their records and when, and underpins all government and private sector services for 1.4 million cardholders — provides exactly the kind of identity anchor that allows a compromised commercial layer to be checked against an authoritative state record. Singapore’s Singpass, covering 97% of citizens and facilitating some 300 million annual transactions, creates a similar "tell-us-once" architecture in which MyInfo can push verified identity data directly to financial institutions. India’s Aadhaar, the world's largest biometric identity system, serves as a verification anchor for over a billion residents, providing a cryptographically verifiable confirmation of who someone is, even if it does not reconstruct what they held.
But hard lessons come about nonetheless. When a 2017 code-library flaw left more than 750,000 Estonian ID cards cryptographically compromised, the country suspended and reissued all affected credentials simultaneously — a demonstration of exactly the crypto-agility that Santander's Gómez García and Harvard's Schneier describe as the essential long-term approach, but which also saw masses of people frozen out of bank accounts, government portals, and even prescription refills during the reissue. Aadhaar’s 2018 breach exposed the personal records of over a billion people through compromised access credentials, with no official tool for individuals to check their own exposure status. And Singapore, despite 97% Singpass penetration and 300 million annual transactions over its integrated identity rails, still lost $822 million to scams in 2024 alone.
Unified identity infrastructure may ease the reconstruction problem, but it does not immunize against it completely. Hanging in the balance of solving these issues is the most fundamental requirement of our financial system: trust between institutions, and you.
Image courtesy of FlyD
Click here to subscribe and receive a weekly Mondato Insight directly to your inbox.

Device Financing: The Phone Is Not The Product