Killing someone is easier than you might think, or at least getting them legally declared dead might be.
With just a few easy steps, most of them online, a bad guy could “kill off” someone for fun — or profit, according to one researcher.
“The process is quite lax in terms of security in the U.S.,” says Chris Rock — an Australian hacker, not the comedian — who has been studying security flaws in what he calls “the death industry” for the past year.
Rock said his curiosity was piqued when an Australian hospital accidentally sent out 200 death notices instead of 200 discharge notices last year. “Since then, I’ve found out that nearly all Western countries have moved to online systems,” he said.
In the United States, most states use electronic death registration (EDR) systems to help certify that someone has died. For someone to be declared dead, a medical professional needs to fill out a form affirming the cause of death and a funeral director must fill out another explaining what happened to their remains.
“Universal implementation of EDR has the potential to virtually eliminate death-reporting errors and would ensure that our death records — whether pertaining to current beneficiaries or other persons — include the most accurate and most current information,” Social Security Administration spokesman William Jarrett told The Washington Post. The agency has been advocating for a switch to such systems since 2002, he said.
Electronic systems are much faster than the traditional manual certification processes and are “highly accurate” because state officials verify the names and Social Security numbers of a deceased person against the government records before a death certificate is issued, according to Jarrett.
But Rock worries people may be able to fake their way into the EDR systems by hijacking the identities of people normally involved in submitting the death-certificate applications. In some cases, there appears to be nothing stopping someone from finding a doctor’s name, medical practice and license number online. Rock’s concern is that someone could take the legitimate information about medical professionals and combine it with contact information like a burner phone and an anonymous e-mail address to submit fraudulent applications for access to the systems.
There appear to be similarly weak checks on the sign-up process for funeral directors, he said.
But states run their EDR systems themselves, so there is a lot of variation from state to state, and it is difficult to test their security without potentially breaking the law, Rock acknowledged. That makes it hard to say just how real the threat from that kind of fraud might be.
Idaho verifies license numbers and will ask for a copy of the license if something about the application raises additional concerns, said Idaho Department of Health & Welfare public information officer Niki Forbing-Orr. The agency’s staff also looks into the contact information and may take additional measures if there are questions about an application, she said.
But Idaho has an advantage: The state’s small population means the agency’s staff basically knows everyone who is involved in the process, she said.
But the process may be less personal in larger states. Washington’s system verifies an applicant’s name and license status, but not their contact information, according to Jean Remsbecker, a vital records manager with the state’s Department of Health. “I’m not sure we have access to that information,” she said.
But if Rock is right, the risks for victims of a digitally faked death may be severe. With a death certificate in hand, a person could potentially collect life insurance on someone who is still alive or get control over a person’s financial accounts if they take the extra step of faking a will for them, according to Rock. It may also create problems for the still living when it comes to collecting things like Social Security benefits, he said.
Plus, it’s actually pretty hard to “come back to life” after being declared legally dead — and people may not necessarily know if the government thinks they’re dead until it’s too late.
Take the example of Donald E. Miller, an Ohio man who was declared legally dead in 1994 — years after disappearing on his family. He showed up alive around a decade later and went to court to try to get the decision reversed in 2013. But the judge ruled he was still legally dead because the legally deceased only have three years to contest the decision under Ohio law.
However, it’s not clear anyone’s actually doing this right now — although Rock figures if he can think it up, someone else probably already has.
But digitally faking a death may just be the start. Rock claims there are similar issues in the way births are registered in the U.S. and elsewhere — leaving open the possibility that someone could essentially “harvest” identities by making up fake babies.
“I call them shell babies,” he said. “You could use them to hide your identity, to get a new Social Security number, for money laundering — or kill it off for life insurance.”
Rock has a new book exploring the topic, called “The Baby Harvest,” and gave a talk about the issue at DEF CON, a recent hacker conference held in Las Vegas.