DEF CON 23 Most of us have had occasional fantasies about killing someone. Now, as governments demand more personal information from citizens online, it has apparently become surprisingly easy to turn that fantasy into a reality, at least on paper – courtesy of some glaring loopholes.
Or so says infosec bod Chris Rock, who presented his findings at DEF CON in Las Vegas this week.
The Australian chief of security firm Kustodian showed just how easy it could be to kill people, register a fake birth, and set up a new identity, all with the power of the internet.
"I call it an end of life vulnerability," he said. "it's a global fuck up and I have not contacted any vendor about fixes."
As governments move to online forms there are a number of loopholes that have opened up, he explained, and with the wealth of information out there it's not hard to get into the death business. It's not advised, he added, but it's certainly possible.
In order to register someone as dead, a form detailing the cause of mortality typically needs to be filled out by a doctor. A funeral director needs to countersign the form, and then the death certificate can be issued to the family.
In the US this is handled by the Electronic Death Registration System (EDRS) and it's all done online. Doctors need to publicly provide their licence number, address details and other identifying information, all of which can be easily found on the interwebs.
Those doc details have to check out with existing records before access to the EDRS system has been granted, but crucially – Rock noted – email addresses aren't checked, allowing a hacker to add a new email address and get access by stealing a legitimate doctor's details.
One point to remember, he said, was to make the cause of death uncontroversial, otherwise a coroner would get involved and there would have to be a formal investigation. A coroner is also called in if more than one child in a family dies. "So be careful killing your kids," he darkly joked.
The same system applies for funeral directors, and again their details are all stored in a searchable database online. there are also handy "How to" leaflets online to explain the process.
As an added bonus, Rock managed to get himself signed onto the Australian government's database as a legitimate funeral director. He explained how he set up a website, sent in an online application, and three days later was granted official government registration as a qualified handler of corpses.
In the US, individual states make their own rules, so in Colorado anyone can be a funeral director, in Nevada you need to pay $345 and take an exam, and in California you need an arts degree or equivalent.
After the forms have been filed, the registrar sends a death certificate to the next of kin, which can be anyone the attacker puts on the forms. This could apparently be used – with a phony will – to empty someone's bank account under the guise of wrapping up their affairs, or to commit insurance fraud.
"Why not enjoy your life insurance payout while you're still alive?" he asked.
Six feet under dot-com
Even if you don't go that far, faking someone's death will cause them serious problems. Passport applications and driving licences get blocked, credit ratings are zeroed and the law isn't equipped to handle such situations, he said.
Rock cited the 2013 case of Donald Miller, an Ohio man who abandoned his wife and children and disappeared in 1986 after losing his job. His family had him declared dead in 1994. IN 2005 he tried to apply for a driving licence and went to court to prove he was still alive, but the judge rejected his claim.
"We've got the obvious here. A man sitting in the courtroom, he appears to be in good health," the judge said, the BBC reported at the time, adding that rescinding a death certificate was illegal after three years had passed from time of death under local law. "I don't know where that leaves you, but you're still deceased as far as the law is concerned."
It's even easier to register a fake birth, Rock claimed, since that only needs the doctor and parents to sign off on the forms. Doing so would have many benefits since it, for example, could be used to collect social security payments for a dependent child.
Obviously, such behaviour is illegal. But it seems, based on Rock's insight, that governments around the world might want to rethink their move to online form filling with so few security safeguards in place. ®