How this hacker can virtually 'kill' you, and what to do about it
At the DEF CON hacker conference, Kustodian CEO Chris Rock demonstrated how fraudsters could artificially ‘kill’ someone for a profit or prank due to vulnerabilities in most countries’ death registration processes.
LAS VEGAS — Anyone with a keyboard and a cause can have a living person declared legally dead by taking advantage of security weaknesses in the online death registration process, says Chris Rock, chief executive officer of Australian-based security company Kustodian.
Mr. Rock used online databases to pose as a doctor – and even registered as a funeral director – to prove he could game the system and issue death certificates for friends or enemies.
Despite concerns his research may inspire a wave of fraud, Rock detailed a how-to guide to the process to a packed room at the famous DEF CON conference in Las Vegas last Friday. “I have not contacted any vendor for fixes. Here is the definition of irresponsible disclosure,” Rock told an overflowing room of hackers. Why go this route? Because, he says, “it’s not so much a vulnerability – it’s a [mistake.] And it’s a global [mistake].”
Rock also uncovered vulnerabilities in countries’ birth registration processes, which could allow people to create a totally new virtual baby – and use its identity as a cover for illegal activity such as drug trading. Rock says it’s a lot more convenient, in some ways, for criminal hackers to try to get a totally new Social Security Number than risk stealing someone else’s or buying one off the black market.
At DEF CON, Rock spoke with Passcode about how he discovered these flaws and why a fake death and birth market could change the cybercrime paradigm. Edited excerpts follow.
Passcode: Let’s start at the beginning. How did you get interested in this?
Rock: I’m a penetration tester [who is hired to attack clients’ networks to test their security] by trade. So, normally, I wouldn’t ever touch this process.
But I was watching the news one night in Australia, and saw Austin hospital [in Melbourne] actually sent out 200 death notices instead of discharge notices. I thought, "How could that possibly happen, if it’s a paper-based system? They’ve obviously gone online and done it in a mass instance."
I then focused on the Australian system to see how it could happen, and was shocked to find [death registration] was an online system without any protection at all.
Passcode: Tell us how it works.
Rock: Essentially, when someone dies, the doctor gets called in. They’ll check your pulse, fill out a certificate of death with what you actually died of – and obviously all your personal details, like your name and that sort of stuff. The certificate of death is a two-part document. It gets passed on to the funeral director to fill out his portion of the document.
The Americans have moved on to a system called EDRS [Electronic Death Registration System]. So doctors, on the Internet, can actually register a death online, and a funeral director can actually take that case and bury the body.
The Australian system is identical. The Canadian system is identical. They’re all following, now, an online presence because governments want accurate, centralized death records. Because believe it or not, when you’re dealing with doctors and handwriting, paper has to go back and forth. Also, if there’s a disaster – such as, say, Hurricane Sandy – someone can look up where the deaths occurred, and in what area. And someone can actually direct resources to the disaster zone. So it’s like a big lookup system for deaths.
Passcode: So what are the weak points?
Rock: The vulnerable spots are both the doctor and the funeral director’s access to the online portal. They have a DIY [do-it-yourself] access.
And each country has a registration system for doctors. So if you’re a doctor, and you want to go from one hospital to another, the people at that hospital need to see you’re actually registered and verify [who] you are.
And it’s those details, from the license database, you can plug into the death registration form – and effectively become a doctor. You just take that [license] number, put in your own e-mail and cell number, and you become that doctor.
Passcode: But there’s no verification?
Rock: Zero verification.
Passcode: So all you need is the websites of these places?
Rock: Yeah. You can kill somebody in about 10 minutes.
You can be a doctor within five minutes, a funeral director within five, and then complete the death certificates.
Just to prove it was possible, I became a funeral director in Australia. So I actually went through the process to do this in real life. I’m obviously not going to get a doctor’s degree to do the research, but I could become a funeral director.
Passcode: How long did that take you?
Rock: It took me about five days. But to do the actual work it required, it took me about five minutes. I filled out an online application, got access within a couple days, and then I was a registered funeral director so I could officially dispose of bodies.
The UK has no licensing at all. America has some licensing. In Colorado, for instance, there’s no licensing. Nevada has an exam and $375 fee to become a funeral director.
Passcode: Why go through this? What would a person get from legally “killing” a person?
Rock: If I shut you down, I can get access to your bank accounts. Your real estate. I can sell all the stuff around you, to shut you down that way.
I can’t shut down your bank accounts without actually applying to the courts and saying I’m the executor of your will. You’d list yourself as the executor – then you go to the bank with your death certificate, fake will created online, petition of probate, Social Security Number, stuff like that.
Passcode: This seems to add a new dimension to identity theft. There are troves of Social Security Numbers are floating around – take the Anthem health insurance company breach, for example, that exposed personal information on as many as 80 million people. With that information, could someone could just, well, legally “kill” them all and steal the money from their bank accounts?
Rock: Yes. And there are many ways to get Social Security numbers without hacking into a database. So getting them is no hurdle.
Passcode: How could this change the cyberespionage calculus? The Office of Personnel Management breach, for instance, exposed millions of government and former government workers’ personal records. One common theory is that a nation-state, or someone with an incentive to try to blackmail to expose state secrets, had to be behind it. But if another country used that information to legally kill key people in the US government, that would also really problematic, no?
Rock: Oh yeah. A lot of people say to me, “This is probably mischievous to release this sort of information.” But we’re in the middle of cyberwars. And if the Chinese get this concept or idea, not only can they register deaths, or register births – which we’ll get to later – they can also look at records themselves. It’s a system you don’t really want them looking at. So it’s better off protecting it now.
I’ve looked at all the Western countries, and they all have the same problem. And if an idiot like me thought of it....
Passcode: Who else might take advantage of this besides other countries?
Rock: You’re under subpoena. You can kill your subpoenaing officer. You kill your judge. You kill your [Internal Revenue Service] tax agent. You kill all these people who are after you to slow them down.
You and I both know, if you’ve been a victim of social identity theft, you’ve got a lot of work to get your identity back. And if you’re dead, that’s even worse.
Passcode: Election season is coming up – maybe you target a politician you don’t like? Could this be a totally different kind of digital hacktivism?
Rock: Can you be a dead president? Can you register as being dead? No one is safe. And by killing you and taking your money, you’re the walking dead now.
Passcode: That would be … annoying.
Rock: Yes, but not just annoying. The law doesn’t look after people like you.
Passcode: Because they’re zombies?
Rock: Exactly. There was a guy called Donald Miller in Ohio in 2013. He skipped out on his family and his wife declared him dead so she could move on.
He then came back to the hometown years later and said, “I’m not dead.”
The judge said, “We have a statute of limitations. Once you’ve been declared dead, and three years have passed, that’s it. I can’t bring you back to life. So I know you’re in front of me now, but you’re dead.”
He’s now the walking dead. We talk about being stateless – but he’s body-less.
Passcode: So presumably people who are dead have no Social Security Number. Can’t get a driver’s license. Can’t travel anywhere. Probably can’t get a job. What’s the recourse for this?
Rock: I’ve actually written a book about this in great detail to get around that, [called "The Baby Harvest" that's out this week]. The law says if you’ve been misappropriated, you can actually take that to the Supreme Court to get that reversed. I got a lawyer in each of the countries – to walk me through what you’d need to do in each of the countries to bring you back to life.
Passcode: Yes, speaking of life: The other half of your talk – and subject of your book, too – is birth. Let’s talk about baby making.
Rock: Once I went through the death process, I wondered about the birth process. I’ve got four children myself. Two were born in hospitals; two were home births. So I’ve seen the process firsthand.
The doctor fills out part of the form; parents fill out the other part of the form. That goes into the registrar, and a birth certificate is issued. It’s a no brainer.
In Australia, and Canada, and in the US, [this process] is going online. It's called EBR, electronic birth registration. The parents and the doctor can put the details into the database to say, “This is a new birth.” You say what hospital, what license numbers – basically, the same license details of the doctors you can get from the database. So you can pretend to be the doctor or the midwife and register a virtual person.
Passcode: So after that, you just list a date, time, and hospital – and note that the baby weighs 8 pounds – and you have a fake birth certificate? It’s that easy?
Rock: There’s a reason for that. Because people are not registering their babies. Where I’m from, in Victoria, some 2.5 percent of people don’t register their babies … people under drug or alcohol influence or Aboriginal [Australians]. So people even can retroactively get birth certificates for their children at age five.
Passcode: But what would be the point of this? It’s not like newborns have bank accounts.
Rock: I thought, “Why can’t I birth a virtual person, wait 18 years, then kill that person off for life insurance?”
You know what a shelf company is? A shelf company takes it a little bit further, where you actually pay taxes, look like you have staff members, [and can] build up financial characteristics used for money laundering and terrorist financing.
So I thought, “Why can’t I make a shelf baby?” It sits on the shelf, has social media profiles, looks like it’s a real person, but doesn’t exist. And when they’re 18, give them a virtual job but that’s really is for money laundering – then start doing things like life insurance fraud but also more advanced functions like share trading.
Let’s say you’ve got two virtual people. One bets the US [dollar] is going to go up, one’s going to bet the Euro goes down. The one that wins, takes the profit. The one that loses, you just put into bankruptcy and put on the shelf. Because you don’t care. It takes the risk out of currency trading.
Passcode: So you could give birth to like, 1000 babies tomorrow, wait 18 years and be super rich?
Rock: Correct. Or have one – have multiple life insurance policies – and just knock him off using the death process.
Not only that, but there’s an anonymity aspect to it, too. You want to import drugs, firearms, whatever? Don’t use your ID. Use a virtual person’s ID.
A shelf company is a great asset for people who want to hide their identity. Having a virtual run a shelf company is an extra layer to prevent [law enforcement] from piecing together your true identity.
Passcode: And if this is a new identity altogether, it seems like that’s pretty hard for law enforcement to detect – maybe even a more difficult to trace crime than identity theft. People might even sell a fake baby’s identity on the black market.
Rock: You’re not stealing someone’s identity. This is a new identity; so there’s also no victim to say, “Oh, my money’s gone down in my bank account,” or, “someone’s using my medical insurance to claim for cancer treatment.”
The government is making birth certificates harder to get for identity theft. They’ll put holograms and things like that to make it a stronger document. Which actually suits the virtual babies even better – because having a stronger virtual birth certificate makes it stronger for criminals.
Passcode: Your talk at DEF CON was advertised with the idea that people should come if they want to get rid of their partner, boss, or arch nemesis. Are you worried about a lot of people suddenly “dying” tomorrow?
Rock: First of all, if you’re going to complete this task it’s illegal already. You’re committing fraud on both the doctor part and the funeral director part. Crime on crimes.
Passcode: Has anyone from the government talked to you?
Rock: I’ve kept my mouth shut until this speech. So I haven’t talked to media. Because I thought my speech could probably get cut.
Passcode: But why not just skip the talk and go straight to the source for a fix?
Rock: If it was an Australian-based system with a problem, I would just contact the Australian government and say, “Here’s the problem.”
But it’s not. It’s a worldwide problem. Everyone’s suffering from the same thing. Everyone wants centralized data records, and accurate records, and so they’ve just gone, “Let’s skip the security and go straight to making it easier for doctors.”
Passcode: So once everybody knows about this – what do you hope to happen?
Rock: The government first needs to look at it. If you’re going to unroll a system this large to doctors and funeral directors, you actually have to put some security controls around it. The message is: Before you roll something out, have some penetration testers look at it first.
I hope they shut down DIY registration for doctors and funeral directors. And I hope they have licensing requirements for funeral directors. I know the funeral industry will back exactly what I’m saying, because they’re trying to get a professional industry for body disposal … to clean up that industry and have licensing for all countries.
Passcode: What about just better verification?
Rock: A phone call would have been nice.