10 Aug Just how easy is it to digitally fake a death?
Killing someone is easier than you might think, or at least getting them legally declared dead might be.
With just a few easy steps, most of them online, a bad guy could “kill off” someone for fun — or profit, according to one researcher.
“The process is quite lax in terms of security in the U.S.” says Chris Rock — an Australian hacker, not the comedian — who has been studying security flaws in what he calls “the death industry” for the past year.
Rock said his curiosity was piqued when an Australian hospital accidentally sent out 200 death notices instead of 200 discharge notices last year. “Since then, I’ve found out that nearly all Western countries have moved to online systems,” he said.
In the U.S., most states use electronic death registration (EDR) systems to help certify that someone has died. For someone to be declared dead, a medical professional needs to fill out a form affirming the cause of death and a funeral director must fill out another explaining what happened to their remains.
“Universal implementation of EDR has the potential to virtually eliminate death-reporting errors and would ensure that our death records — whether pertaining to current beneficiaries or other persons — include the most accurate and most current information,” Social Security Administration spokesman William Jarrett told The Washington Post. The agency has been advocating for a switch to such systems since 2002, he said.
Electronic systems are much faster than the traditional manual certification processes and are “highly accurate” because state officials verify the names and Social Security numbers of a deceased person against the government records before a death certificate is issued, according to Jarrett.
But Rock worries people may be able to fake their way into the EDR systems by hijacking the identities of people normally involved in submitting the death-certificate applications. In some cases, there appears to be nothing stopping someone from finding a doctor’s name, medical practice and license number online. Rock’s concern is that someone could take the legitimate information about medical professionals and combine it with contact information like a burner phone and an anonymous e-mail address to submit fraudulent applications for access to the systems.