14 DAY TRIAL // Australian security expert Chris Rock has demoed two methods through which he managed to issue death papers for a real person, and birth certificates for a fake one, at the DEF CON Hacking Conference that's going on these days in Las Vegas, as AFP reports.
Mr. Rock came about to discover flaws in the digital systems used by Australian hospitals to report births and deaths while researching for his book "The Baby Harvest: How virtual babies become the future of terrorist financing and money laundering."
As Mr. Rock eloquently puts it, "You could kill anyone you want. No one is off limits."
The problem lies in the lack of any proper security procedures when recording a death online.
As the Internet has spread more and more, besides our homes, it has also entered our lives by helping reduce bureaucracy in our dealings with government officials.
While in most cases this is a good thing, sometimes, when the implementation of official procedures into an online environment is done with no regards to the data's safety, something like this can happen, which puts citizens in uncomfortable situations.
According to Mr. Rock, a lot of governments use a simplistic procedure for reporting the death of a person.
While this usually implied filling in some documents, with the Internet's proliferation, this only requires a doctor and a funeral home director to fill in an online form to confirm someone's death.
Faking deaths is as easy as selecting options from a drop-down
By simply searching online for a doctor's personal details, usually available to allow patients to research their practitioners, Mr. Rock was able to register a fake doctor's account in the system used to report deaths online in Australia.
To verify his deaths, he then moved on to create a website for a fake funeral home, which he used to prove the existence, and then register an account for a funeral home director on the same system.
With no other further verification, he was approved in one day, allowing him to report the death of any person he chose to.
Since the entire process of reporting someone dead in Australia is fully automated, all he was required to do was fill in some boxes with the name and details of the person he was reporting, and then select some medical terms from a drop-down list for the cause of death.
At no point did he have difficulty filling in the form with medical jargon, nor did anyone verify if the reported person was truly dead.
Because nobody calls the family of the deceased to confirm a death, the victim of such an attack will never know death papers were issued to their name until they have any type of interaction with state of financial officials.
Virtual babies can be created as burner identities for criminals
The same simplistic procedure and lack of verification steps were present in the electronic system used to record the birth of new babies as well.
Mr. Rock said he only had to register a fake doctor account and then enter personal data for the parents, being able to "birth" any number of babies he would have wished.
As he puts it, this flaw can prove very attractive for criminals, who can utilize it to create fake identities for their organizations, which they can use in two or three decades, as the virtual babies age in real life.
But that's Mr. Rock opinion on the matter. If I had discovered this flaw, I would have created two automated scripts and used them quite differently. One would create a virtual baby every day, and another script would kill it after a few weeks. This way I would be the most effective serial killer mankind ever saw by the end of the year. Too bad Mr. Rock lacks my imagination.