The internet is widely known to be misused to commit identity theft, vandalism, blackmail, revenge porn and worse. Imagine if revenge-seekers and other criminals were also able to terminate your digital identity entirely and abscond with all of your resources? Has your wife or girlfriend cheated on you? Revenge is yours. Terminate her (and/or her paramour’s) digital existence and collect the ill-gotten gains. Duped by a business partner? No problem. Digitally kill him and/or her and collect from the walking dead’s assets that which you think should have been yours.
It is far more advantageous to digitally off someone than it is to steal their identity. Digital murder is harder to trace than is identity theft. With a digital virtual death, it is also is easier to quickly cash in on the misdeed and disappear, before the victim even knows what has happened. Digital suicide is also an expedient fix to your self-imposed problems. Virtually kill yourself. Escape prosecutors and debt collectors; enjoy your life insurance while you are alive.
These are the types of real-life, frighteningly easy scenarios laid bare by professional “hacker” Chris Rock, Chief Executive Officer of Kustodian Pty Ltd at DEF CON® 23 in Las Vegas earlier this month. Rock’s presentation, entitled I WILL KILL YOU, was attended by nearly 3,000 conference attendees and was based on his book. In his book and presentation Rock details the system he created to virtually kill someone and collect their assets. This article is a how-to, of sorts, based on his presentation and book.
The global digital death registration security chasm
In his session Rock explained how, by exploiting a flaw in the various individual global death registration systems, he was able to fraudulently create real, legally enforceable death records. His research confirmed flaws in the systems of numerous jurisdictions, including in the United States, Australia, Canada and several European countries. Rock also found weaknesses in the processes to produce, register and probate wills, enabling him to become surrogate beneficiary to these now legally dead but not literally dead persons. To put it as sharply as Rock, “this is a global problem. . .a fuck up.”
Rock’s offensive depiction of these flaws underscores his intent to expose them so they can be corrected. His goal is to bring attention to the global systemic weaknesses in the death records that enable criminals to easily take your, mine, and anyone else’s life (virtually) and assets (literally). What’s yours (mine and/or ours) are the criminals’, by their merely knowing the tricks to logging in and filling out the right forms.
As Rock points out in his speech and book, exposing the weaknesses in dramatic detail is the only hope that these weaknesses will be noticed and fixed. Rock said (in an @_Kustodian_ Twitter post), “[The] main reason hackers don’t disclose vulnerabilities to stake holders is because generally nobody wants to hear it.” Shortly after Rock’s revealing the weaknesses in the systems in detailed, dramatic fashion, one authority (Victorian Registry of Births, Deaths and Marriages) said in a statement that “[it] is always seeking ways to improve the security and timeliness of registration information for the benefit of the [its] community.” Rock’s explicit exposure of these weaknesses is already having positive effect.
Hacking death: no computer skills or experience necessary
The system Rock outlines for erasing someone’s (or your own) digital existence does not require any advanced computer skills and therefore does not technically, in the computer security sense , exploit a “vulnerability”. The simplicity of the system, and the fact that these hacks require no specialized technical skills, mean that a many more people are technically capable of utilizing the weaknesses to gain illegal access than would be able to exploit a more advanced computer or network security “vulnerability”. For that reason, it is imperative that authorities check their systems for weaknesses and fix any that are found.
Once in possession of a valid certificate of death and a fully-probated will (2-3 weeks after filing for probate), you can immediately begin liquidating the victim’s assets in your favor, for example settle life insurance and pension claims, transfer property titles, as well as apply for other death benefits.
It is now incumbent upon individuals to more closely police their financial and other records. Rebecca Herold, an information privacy, security and compliance expert, suggests requesting a credit report (at least as often as the three per year that are available for free in the U.S.) for yourself, your children and any related deceased persons, rotating a different credit reporting agency (CRA) each time. She also recommends considering using an online reputation management service for you, your children, and any other family members (alive and deceased) to identify if their information is being fraudulently used. Finally, she recommends speaking to your doctors about these systemic weaknesses to alert them of the potential for fraud in vital registry systems. Note that the public versions of death record systems such as the Social Security Death Master File that feed into searchable databases such as the Database of the Dead are not updated sufficiently often (in the case of the DMF, every three years) to be of much immediate use in checking for fraudulent death records.
It is now also long past time for authorities to begin tightening the security of the systems through which deaths are registered and legal entitlements to estate assets are transferred.
DEF CON® just released the video of Rock’s presentation, so you can fill in the details directly from the source, and/or buy his book here.
With Rock’s DEF CON® presentation and its open availability online as well as the publication of his book, the large potential for misuse of the system and the extensive potential harm resulting from that misuse is now disclosed and can be addressed by policymakers. These stark revelations also put the public on actionable notice and enable it to be more vigilent.
It should be noted that Rock’s book also contains extensive detail about the analogous weaknesses in global birth records and the extensive potential for their criminal exploitation. The full title is The Baby Harvest: How virtual babies became the future of terrorist financing and money laundering.
Permissions have been given for all excerpts contained in this article and image.