Imagine finding that your credit cards are canceled, your medical benefits are discontinued and your driver’s license can’t be renewed, because you’ve been declared dead.
“It’s not difficult at all,” said Australian security researcher Chris Rock.
Rock discovered a security weakness in the online death registration process that allows him to have someone who is alive declared dead. To prove it, he killed me. He did it not once, or even twice, but three times, in three different states.
“It’s not just an American problem,” said Rock. “It’s a worldwide problem.”
The Government created the Electronic Death Registration System, or EDRS, to store all death records in a central database. That means doctors and funeral directors are able to electronically enter information about the dead and generate death certificates. Each state develops its own EDR system, with different security mechanisms. But Rock says he was able to pose as a doctor and then a funeral director in multiple states.
“It’s scary on so many levels on how easy this type of attack is,” said Louis McHugh, cyber security expert and adjunct professor at the Illinois Institute of Technology.
McHugh points out that one reason the Government-run EDRS is potentially vulnerable is that users are not required to provide even basic two-factor authentication at log-in. Most big companies like Facebook, Twitter, Amazon, Google and Microsoft require that in addition to username and password, users provide an extra piece of information as authentication.
“We’re finding in the security area the systems are outpacing, the security is outpacing even the laws that govern them,” McHugh said.
The Illinois Department of Health told NBC 5 Investigates that its state-wide system is secure and that its IT department reviews each request before an account can be created. But Rock told NBC 5 Investigates he was granted access within a minute through an automated response.
More than 2 million death certificates are filed in the United States each year. There’s no way to tell how many of those are legitimate deaths.
“I was declared dead,” Sarah Jewell said. “And I was like, ‘Well I’m alive.’”
Sarah Jewell has no idea why the Government declared her dead. But what followed was a logistical nightmare.
“One of my credit cards was canceled,” she said. “When I tried to renew my driver’s license it came up that I was deceased. My benefits from work sent me a letter saying that my social security number comes up and says I’m deceased.”
Sarah is not alone. Last year an Australian hospital sent out death notices for 200 patients who were very much alive.
Donald Miller was declared dead in Ohio after he disappeared from the state in the 80s. Unfortunately, when Miller resurfaced a few years ago, a judge told him he could not reverse the ruling. And to this day, Miller is still walking around legally dead.
“Once your life’s been shut down I couldn’t think of anything worse than having to create everything from scratch.”