In the course of his DefCon 23 presentation, Australian security expert Chris Rock demonstrates how fake death or birth records can be created these days.
DefCon host: When I was going through the schedule trying to see what speakers we’re going to be watching, I saw this description and said “Oh yeah, I got to come check this out!” This is Chris Rock, and he is going to talk to us a little bit about messing with identity. Let’s give him a big hand.
Chris Rock: Okay guys, my name is Chris Rock. I’m not the black comedian, but it will explain the big audience that we have. Today I’m going to talk to you about the death industry – I’m a little bit gloomy, aren’t I? But I’ll make it a little bit lighter and we’ll talk about the birth industry. And then we’ll make it a little bit gloomier again and I’ll talk to you about how you can combine both of those, both death and the birth, to look at the vulnerabilities to actually make some money out of virtual people.
Okay, this is a global problem that we have (see left-hand image). This is not an American problem, this is not an Australian problem. I originally did my research in the Australian system and, obviously, adapted this presentation for an American audience, but it also works in other countries. I refer to this as an End of Life (E0L) Vulnerability. It’s not so much a vulnerability, it’s just a fuckup, and it’s a global fuckup. Anyone with this knowledge can kill another person, multiple people, or even yourself. I have not contacted any vendor for fixes. This is a definition of irresponsible disclosure.
So, why do I research the death industry? I was watching the news one night and I noticed that a hospital in Northern Victoria, Australia – where I’m from – announced the death of 200 patients (see right-hand image). They sent out 200 death notices instead of 200 discharge notices. I thought, how could that possibly happen? They have obviously moved into the Internet world, where you can kill 200 off very quickly with a tick of the button on a mouse. So, then I started looking into the death industry in Australia.
Here is a global view of the death process (see left-hand image), where at step 1 someone dies, then the doctor fills out what’s called in America the “Certificate of Death”, they have 24 hours to fill out this certificate. This certificate contains details such as the cause of death, the name of the victim, and next of kin. That document then passes down to the funeral director. The funeral director then has seven days to dispose of the body. This is a signed document in America; in Australia it’s two separate documents. Once those documents have been completed, they pass on to the registrar, or Births, Deaths and Marriages department, and then they will issue the death certificate to the next of kin. So, in terms of a security process, we can see that we really need to compromise Step 2 and Step 3.
The first thing we are going to do is have a look at the doctor’s component. Here is a traditional Certificate of Death (see right-hand image), this is what you guys use in the States. The top part of the form is filled out by the funeral director, it includes where the person is actually buried and the details of the victim. And the bit that we are looking at is down at the bottom of the document, which is the medical practitioner. The medical practitioner will fill out the details such as cause of death.
In Australia, we have moved to an online system. Here’s a snapshot of an Internet accessible portal that doctors can use (see left-hand image). You can see the doctor needs to put in their first name and last name, the license number, where they are from, and submit. And once they submit that form, then all the details of that form will be available to the doctor.
In America, you are using a system called EDRS, Electronic Death Registration System. It was rolled out in 2005 and it’s nearly rolled out to all states (see right-hand image), so you all now moved online as well.
When a doctor logs on to fill out the Certificate of Death, not paper-based anymore, they’ll get a screen like this (see left-hand image). This is an example of the Californian EDRS. You can see there are some security protections there, where there’s a username and password required for the doctor.
Here’s an example of what EDRS looks like once the doctor has logged on (see right-hand image). You can see the sort of drop-down boxes which are pretty easy to fill out, such as autopsy details, place of death, or next of kin details. This is a snapshot of the Californian system. One thing to note there, you’ll see “Was an Autopsy Performed?” field. It’s important to note that, because when we talk about killing people later on down the track, it’s probably not a good idea to put “I am a smoker” in your life insurance policy and then die of lung cancer – you are not going to get your payout, they will actually refuse to pay it out.
EDRS is actually used for mass mortality surveillance (see right-hand image). Here’s an example of Hurricane Sandy in 2012, and you can see actually where the deaths occurred, obviously, from drowning. The government love EDRS, because it has the ability to get accurate death records quickly, so instead of waiting for a doctor to fill out that paper-based system with the signature, they can get death records very quickly. It also shows what the person died of. This is important for when the government is planning, whether it’s anti-cancer, whether it’s kids wearing bike helmets – they can do the lookups to make it easy to fix.
How does a doctor get access to EDRS, or how does a hacker get access to EDRS? Here is a form that the doctor will fill out (see right-hand image), with the obvious details such as first name, last name, email address, and you’ll also see things like license numbers. This is a paper-based form, obviously. This just gets sent in to the Department.
Now they have also moved on to a DIY registration – again, first name, last name, license number, issuing state, and some other personal details (see left-hand image). This is what the doctor would use to register for the first time. Not all doctors use EDRS. When somebody dies in a hospital, that job is done by the medical examiner. When someone dies in, for example, a prison or in a hospital, the medical examiner takes that; or if it’s not a natural death, then the medical examiner will look after that. But a doctor, such as a doctor who looks after old-aged patients, where dying is normal, will use the EDRS system.
You see here some of the questions on another States based system (see right-hand image), where it’s asking you for those details again. You can see the doctor can choose their own username and password, and they can also choose the phone number and address details. When you use this system, it will do a lookup against license details, and as long as every detail matches except for the email address and phone number, you can then register yourself as a doctor. That’s not good.
So, how do you get these details? Well, lucky enough, there is a system in place to find out whether your doctor is real or fake (see left-hand image). So, if you want to go find the doctor, google “doctor database”, and you will find one for every country, and that will give you all the license details and office details. I’ve just put some examples up there.
These are quite difficult to fill out for a hacker or someone malicious. Obviously, doctors had six years of study, and we may have not, maybe in different areas. So you can see here from the Cause of Death certificate, we’ve actually got from “a” to “d” the actual cause of death (see right-hand image). In this example, the “a” is what the person actually ended up dying of – pulmonary embolism. Down at the bottom is the line about liver cancer, and then acute hepatic failure – that’s liver failure, and then thrombosis in left thigh – this is a blood clot.
As I said, the important detail to look for is down at the bottom here on 33 – whether an autopsy was performed (see image above), we will talk about that in a minute. If you don’t understand what that means, if a doctor thinks it’s an unnatural death, it has to get referred to a coroner or a medical examiner. There are guides online on how to fill these documents out (see left-hand image), with a lot of use case examples. It’s produced by the CDC. So, you can learn this information really quick.
The role of the medical examiner, or coroner: a medical examiner is a doctor with qualifications such as forensics and pathology. “Coroner” is a word for a representative of the Crown that might not necessarily have any medical skills at all and is actually elected into the role. It’s very important that you look at this chart here (see right-hand image) when you are actually filling out the Cause of Death certificate, because you don’t want that case to go to coroner. For example, as I talked about before, using this flowchart you can see which cases go to the coroner or medical examiner, such as dying in a hospital, dying in a prison, and also an unnatural death, like if somebody died on the street from a gunshot, whatnot.
Another important thing to look out for is what we call a “reviewable death”, it’s the orange box on the right. If more than one child dies from a single parent, then you will go to the coroner. In other words, if you are going to kill your kids off, when we talk about that later on – I don’t mean real kids, I mean virtual kids – don’t be greedy and kill more than one.
Okay, so that’s the doctor bit of the EDRS facility: that’s how to get access and that’s how to fill out the form. The next phase is the funeral director (see left-hand image). Once the doctor has filled out their components of EDRS, the funeral director takes over. This will be, for example, the next of kin choosing the funeral director, the funeral director will log on to EDRS and complete that form.
Here’s an example of the Death Certificate (see right-hand image). For the Australians, I have actually included the separate document called DRS, or Death Registration System. Australians use two separate documents, not a single one. So, what we are looking at now is that top section of the document, the funeral director component.
How does a funeral director get access? It’s the same as the doctor. They’ll fill out all the details: the license number again, first name, last name, desired username, and of course they have DIY registration as well.
This (see right-hand image) is an example of registering a new user as a mortuary practitioner.
And where are you going to get the details of the license of a funeral director? Again, they are online as well (see left-hand image). Just do a Google search on funeral directors in each state, and it will give you details such as license numbers, office addresses, which is what you need to get EDRS registration access.
Once a funeral director gets access to EDRS, they can do things like, obviously, check the doctor’s details that they submitted, they can work with the next of kin, and also apply for burial permits (see right-hand image above). And if you have difficulties filling these out, there is an idiots’ guide for funeral directors as well (see left-hand image).
Instead of doing the fraudulent case of a funeral director, I actually thought it would be fun to find out how to become a funeral director myself (see right-hand image). I always had this interest in the death industry. So, I set up a website, the name of my company and just “funerals” at the end of it, stuck up some caskets and some flowers (see leftmost image below). And then I applied online to become a funeral director (see middle image below). Three days later, I got an automated response that I was a funeral director (see rightmost image below).
Here’s some research on becoming a funeral director in the U.S. (see left-hand image). In California, for example, you need an Arts degree. In Colorado, you need nothing. In Nevada, you’ll need 375 bucks and an exam. And one thing, you’ll need to use EDRS for death registration. The reason is, if you want to commit insurance fraud, it’s easier if there’s a tombstone sticking out of the ground, so you’ll get that death insurance policy if there’s an audit. In the UK, there’s no licensing requirement (see right-hand image), so it’s just as easy to kill somebody off in the UK.
So, that completes the two parts of fraud to get the Death Certificate. Once those documents are complete, the Registry then just issues the Death Certificate. Then they’ll send that certificate to the next of kin (see left-hand image). And you might ask: “How am I going to get that Death Certificate if I kill somebody off?” You’re filling out the form, you can put anyone you want as next of kin. I know it’s not in good spirit to kill the host, but there’s the Death Certificate of Jeff Moss (see right-hand image).
He doesn’t know he’s dead, he’s walking around, but on paper he’s dead. Now there’s going to be a problem for him when he travels, and it’s just a general pain in the ass. Okay, Jeff is dead, that was fun. I know Jeff has got a lot of money, so I want some of it.
What do we need to do now? I have a Death Certificate. I’ll fill out a will online. Now, to be recognized as an executor of a will, you need to do something called “probate petition” (see left-hand image). That’s saying to the court I have a Death Certificate, I have a will, I want access to Jeff’s accounts. It’s just the document you are sending to the court to say that you have the right to shut this person down. You then use accompanying letters just like what I’ve just put up there. It’s just a standard template on a free website, where I’m writing to the bank to say “Shutting down”. The bank then will give me access to the money.
A normal executor of a will would do what they are supposed to do – they’ll shut the victim down, so they’ll pay out the debts, give the money to the next of kin and stuff. But if you want to do it maliciously, you just take all the money and run. Of course, that system is now moving online as well (see right-hand image). You can now do a petition for probate online. The beauty of that is it’s completely remote and you don’t have to go to court.
Okay, why would you want to kill somebody? Financial – killing yourself if you want to enjoy your life insurance money while you’re alive (see left-hand image). The other one is kill your parents. Parents are not dying as quick as they used to, and they are handing out money very slowly. Better off killing them taking their funds and do a runner. Revenge – revenge on your ex-wife/girlfriend/partner. The beauty is they are dead and they don’t even know it. Shut their bank accounts down; when they go get a new password or a new license – oops. Kill your boss if he’s an asshole.
Hinder – if you are under investigation. Dead people find it difficult to travel. If you are also committing this sort of crime against somebody, they are more interested in protecting their own lives in terms of getting their financial history intact than chasing you. Kill your opposing lawyer or the judge.
Okay, this is a bit of a problem for the law, because the law is not really ready for this stuff here (see right-hand image). There’s a case in 2013, where a legally dead man must stay dead even though he’s alive. Donald Miller was declared dead in 1994 after he skipped out on his family. He was declared dead after missing for five years. Obviously, his wife wanted to move on – he’s not coming home. Now the 61-year-old has come back, he wants to be reinstated. The judge said “Too late,” setting a three-year window to bring him back to life. The Judge said “Even though you’re sitting in my courtroom in front of me and, obviously, you’re alive, there’s nothing I can do, you’re dead.” So you heard of someone being stateless – this one is bodiless.
Demo of a virtual kill
I put a video together of my first kill (watch demo above). It wasn’t a clean kill. It’s a bit like Dexter Morgan and Harry, I didn’t have Harry in the back of my head saying “You’ve got to kill in a certain way.” This is an Australian-based kill.
Okay, I’ve been given the wrap-up, so I’m going to go through this quickly. Now that we’ve killed somebody, what about birthing? It’s nearly the exact same process, but we don’t need the funeral director, so we need to commit fraud on one side (see left-hand image).
So, step 1 – baby is born. Step 2 – the doctor or midwife fills out a form. Step 3 – the parents fill out their details. Again, it goes to the Registry, and a Birth Certificate is issued.
Here’s the traditional paper based certificate (see right-hand image), half filled out by the doctor, half filled out by the parents. That’s moving online too, referred to as EBR, or Electronic Birth Registration.
I’ve got an example of a Canadian one, and an Australian one as well (see left-hand image). At the bottom there’s a link to the U.S. one. Again, for online birth registration it’s the same as death: you just need to register yourself as a doctor or midwife, these are in those online databases (see right-hand image). Again, it’s the same database.
Once you log on as a midwife or doctor, it’s just a matter of putting in the baby’s details of where they’re born (see left-hand image).
This is not identity theft, you are actually creating a new ID (see right-hand image). So, then I got the idea of: now that I can kill someone and now that I can actually birth somebody, can I combine the two together to make some money?
I assume you guys know what a shell company is. For those who don’t, it’s an entity that doesn’t do any business but actually is a legal or an accounting term used to protect assets or identities of an owner.
I saw an episode of The Blacklist, where a concept of something called a “shelf company” came up, which took that “shell company” a little bit further (see left-hand image above), where the shelf company actually pays taxes, files annual returns, and builds up a credit rating. Why would you want to do this? To get around heuristics. It can be used for money laundering or terrorist financing. So, why can’t I do the same with my baby? I’ll create a baby, good for clean SSN, the Social Security Number, tax benefits, or take it a little bit further (see right-hand image above). I’ll call it the “Virtual”. The Virtual can have home loans, it pays taxes, multiple life insurances, social media pages, and it can also do stock trading.
Why would you want to do all this? You can borrow millions of dollars and then not pay back (see left-hand image). The most important one is a “Do Over” identification, so if you really fuck up, get a new ID. Not a fake ID – a real ID. Again, life insurance policies: do an online life insurance policy, and when you’ve had enough of that baby, just kill it off and take the money.
The one that I’ve really done some research in is buying leveraged derivatives. If you have done currency trading before, you borrow lots of money, you bet the U.S. dollar is going to go up, or the Euro is going to go up. If it goes up, you’re rich; if it goes down, you’re poor. So use two Virtuals: one is going to be a winner, one is going to be a loser. The loser can be bankrupted and put back on the shelf, who cares? Also, obtaining firearms or getting drugs – don’t do it with your own ID, that’s stupid. Do it with the Virtual.
It’s just an extra layer of anonymity (see right-hand image). Not only do you have to protect yourself by IP, payments and company, one step further is to protect yourself and use a virtual ID.
Okay, why is it so vulnerable? Obviously, the doctor / midwife DIY portal – that’s just shit (see left-hand image). At least you guys have a portal, we don’t even have one of those. Birth registration is exactly the same. They’re a little bit behind on the EBR, but they’re heading the same way as the EDRS. Also, having the physicians’ medical license numbers online – they need it, because if you are a doctor and you are getting a job in another hospital, you need that information to check whether you are actually a registered doctor or not. The funeral director – as you have seen, there’s no basic licensing around the world, and again, they are using DIY service portals.
Why is it Swiss cheese? The Government want accurate, centralized birth and death records (see right-hand image). Believe it or not, birth and death records have actually been lost in smaller registries through fire or flood. EDRS fixes all this. It’s centralized and you don’t have to put up with doctors’ handwriting. Everything is accurate. The Government is struggling to have, believe it or not, babies being registered. At my home town, about 2.5% of all babies are not registered, for whatever reason. I don’t know whether it’s because of remote people or disadvantaged people on drugs. They get this estimate of the 2.5% based on when the kid starts school at the age of five, they need the Birth Certificate. So they do a retrospective Birth Certificate. And you might think “Who cares?” It’s important to note that you can take five years of the shelf baby by registering a bit later along in life.
The Government historically have used the premise that you need two parties in collusion, the doctor and the funeral director, to bury somebody, to get rid of the body. But you can see here you can become both those persons. If you are going to do any of this stuff, I don’t advise you to die. But if you did, use a Virtual, don’t use your own ID. And moving from the paper based system to an online system, obviously, requires security controls.
I have written a book on this topic for more information (see right-hand image). I’ve done extensive research on this and I thought it would be great to put it into a book on how to raise your virtual, how to use the stock market to your advantage, how to kill your baby off or bankrupt your baby. If you want to get that you can buy the book on Amazon. Thanks for your time guys, that’s it.