>they cannot reach out into my real life and actually harm me
I would be careful with that assumption. The reason you are not hurt is mostly because people don't want to hurt you. The reward is not high enough.
I'm not trying to diminish your importance; for all I know you could be Facebook employee #17 or have gold bars buried in your yard.
But any of the top security guys will tell you safety is a function of an attacker's motivation and resources.
It's not theoretical either; you can google people who took lots of time building up their protections and then challenged a pen test. We're talking people with good, above-average safety practices that got owned within 24hrs. Social media, banking accounts, everything.
How would they do this? Access to my bank account requires a password I never use for any other service, and a physical non-internet-connected 2FA token I keep on my person.
Using other information they have acquired they would phone the bank’s customer service line, convince them that they were you & gain control of the account. How hard this is depends on the bank. The fact that you have a strong password & two factor authentication is irrelevant.
I guess it's plausible that they could phone my bank and convince them they were me, even though the bank asks several control questions like "what was the amount on your recent bill to Company X?". But assume they've gotten past that, how do they then "gain control of my account"? If they ask for a new 2FA chip or a new debit card, that gets sent to my address by registered letter, so I have to go to the local post office and present photo ID to get it. I don't have any other ways of accessing my account than by internet bank or debit card.
You should not assume an attacker would walk in through the front door like you do. There are more components in the stack, all of which could be a worthy target.