
The “virtual baby” may sound like a cute Tamagotchi-like infant substitute but the reality is far darker: it is a security threat.

That hackers have been hoarding millions of records from retailers, banks and health insurers to try to steal the identities of real people for financial fraud is well-documented. But security researcher Chris Rock has shown how easy it is to create a “virtual baby” that can grow up, take out loans, trade stocks and eventually be killed off for the life insurance.

To obtain a fake birth certificate in jurisdictions in the US and Australia, he said, all you need is the signature of the parents — who could in reality be anyone — and a doctor. Creating an online account to sign off birth certificates as a doctor is easy as long as you have a doctor’s name and registration number. These are freely available on Google.

Before an audience of hundreds of hackers at last week’s Def Con conference in Las Vegas, Mr Rock showed why the move to do-it-yourself online birth and death registers for medical professionals risks creating, as the title of his new book puts it, “a baby harvest”.

Security researchers such as Mr Rock come to Def Con each August to highlight vulnerabilities in computer systems, with most of them probing networks to try to encourage the owners to fix the flaws, and a few hacking for no good reason.

While “birthing” fake babies seems bizarre, it is the logical next step as organised criminals add cyber crime to their arsenal. They are taking advantage of a push for convenience in both government and company databases, which have sacrificed certainty about identity for speed and cost-savings.

Mr Rock was inspired by the concept of a “shelf company”. Like a shell company, a shelf company can be made to look like it has employees and conducts business but, unlike a shell company, it is left for years to build a pristine credit rating, sometimes used by money launderers. So he showed how to create a “shelf baby”. “The shell baby only appears on paper; it can be used to get government benefits and a clean social security number,” he said. “But the virtual shelf baby can get bank loans, credit cards, pay taxes and have multiple life insurance policies.”

While advising hackers not to do this, he explained why people might want a virtual or shelf baby.

“You can borrow millions of dollars and not pay it back,” he said. Moreover, it could be a “do-over ID” if people make a mess of their real lives and want to start again with a new identity. “Or you can load it up with life insurance policies for the death benefits. When you’re done with it you can kill it off and take the money.”

Killing off a virtual identity — or even a real one — is as simple as giving birth to one because of the rise of online death registration systems, where you only need the sign-off of a doctor and a funeral director. Mr Rock showed that he could fake the doctor’s part of the electronic form.

He could have faked his funeral director registration in a similar way to faking the doctor’s but he chose to see if he could register to be a funeral director in his native Australia. One fake website filled with pictures of caskets and flowers, one email and three days later and he was officially a funeral director, listed in an online database.

Perhaps the biggest risk for the whole process was that a fake death could be referred to a coroner as suspicious. To avoid this, Mr Rock read a guide to filling out death certificates highlighting which conditions may be referred.

Once you have a death certificate, you can fill out a will online, write to banks and shut down the accounts of your virtual baby. “You could just take the money and run,” he said.


Copyright The Financial Times Limited 2022. All rights reserved.