Tuesday, March 3, 2009

Digging up the Dead?

What happens when you die? OK, so that's a classic question that philosophers and theologians have been trying to answer for millennia now. But seriously, in this digital world, what happens when you die?

If you're like me, you've probably heard the terrible stories about fraudsters who scan the obituary columns of the local newspaper, then create new bank accounts and take out loans in the name of the recently deceased - only to scarper with the cash while family members are mourning the loss. It's a terrible crime - no doubt about it - but what about the cyber aspects?

A couple of months back a journalist asked me how family members of the recently deceased could recover the passwords of email accounts, and that got me thinking more about the subject.

Hijacking an Identity
Since we already know that people conduct this fraud in the physical world, what would it take to pull off the scam in the cyber world? Would it be easier or tougher? Are there more or fewer opportunities to get away with the crime?

Normally I'm game for a bit of tinkering to prove a point, but this time I won't - so let's just go through the theory - the last thing I want to do is prove how doable it would be by hijacking (or creating afresh) the cyber identity of someone that's just died.

A) Finding the deceased...
Well, that proves to be extraordinarily easy. Instead of having to wait for the morning's delivery of dead tree and scanning the columns, there are Web sites that automatically collate obituaries from multiple national papers (e.g. Obituaries.com) and even allow you to search for keywords.

B) Selecting the deceased...
The type and volume of information contained within obituary write-ups can vary considerably, but more often than not there's enough information there to be 'dangerous' and helpful from an identity theft perspective. For example, the first obituary I came across had the following data nuggets:
  • Full name
  • Birth date
  • Home Address (the wake attendees were to meet there)
  • List of family members and siblings (including all the grandparents' names - i.e. Mother's Maiden Name)
  • Schools (a list of schools and colleges attended)
  • Favorite sports
  • Home phone number
  • Parents' email address
  • Dog's name

C) The cyber deceased...
Armed with a full name, address and general age group, it's pretty easy to Google your way around and uncover more relevant cyber information. Social network profiles, blogs, photo sharing sites and other forums can provide a wealth of new information - although the fraudster is probably better off targeting a deceased person with a slightly unique name if they don't want to spend ages sifting out unrelated material.

D) Going after the email...
Frankly, the most useful piece of information (the one that's going to reap the most rewards the fastest) is probably going to be the deceased's main email account. Armed with that, it becomes almost trivial to recover the authentication information for any other related and interesting sites - i.e. through the typical "I've forgotten my password" flow, which responds with an email verification. It's not like anyone's going to be watching the email account, is there?
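The reset chain described in D), fed by the obituary data from B), as an added example that is not part of the original post: a small Python model of account recovery dependencies. Every account name, recovery route and "obituary fact" below is constructed for illustration and is not taken from any real service. It also goes one step beyond the text by showing the policy change that breaks the chain: requiring an out-of-band factor on any route that consists only of security-question answers.

```python
"""Added example, not from the original post: a toy model of how control of
one recovery channel cascades through 'forgotten my password' flows.
Every account, recovery route and profile fact here is constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    # Each route is a set of prerequisites; satisfying any ONE route resets the
    # account. Prerequisites are "kba:<fact>" (a security-question answer),
    # another account's name (control of that account), or an out-of-band factor.
    routes: tuple[frozenset[str], ...]


def route(*prereqs: str) -> frozenset[str]:
    return frozenset(prereqs)


# Constructed facts of the kind a verbose obituary hands a fraudster (see B above).
OBITUARY_FACTS = {"mother_maiden_name", "birth_date", "high_school", "pet_name", "home_city"}

# Constructed account graph. Note how many routes bottom out in mail:primary.
ACCOUNTS = (
    Account("mail:primary",     (route("kba:mother_maiden_name", "kba:birth_date"), route("sms:phone"))),
    Account("social:profile",   (route("mail:primary"),)),
    Account("shop:store",       (route("mail:primary"),)),
    Account("bank:checking",    (route("mail:primary", "kba:high_school"), route("branch:death_certificate"))),
    Account("utility:electric", (route("mail:primary"), route("kba:pet_name", "kba:home_city"))),
    Account("work:vpn",         (route("helpdesk:manager_approval"),)),
)


def kba_from_facts(facts: set[str]) -> set[str]:
    """What an attacker 'knows' after reading the obituary."""
    return {f"kba:{f}" for f in facts}


def takeover_closure(accounts, controlled: set[str]) -> set[str]:
    """Fixed point: an account falls when all prerequisites of any one of its
    routes are controlled; a fallen account is then itself usable to reset others."""
    owned = set(controlled)
    changed = True
    while changed:
        changed = False
        for acct in accounts:
            if acct.name not in owned and any(r <= owned for r in acct.routes):
                owned.add(acct.name)
                changed = True
    return owned


def fallen_accounts(accounts, controlled: set[str]) -> list[str]:
    """Accounts (not raw facts) reachable from the starting set, sorted by name."""
    names = {a.name for a in accounts}
    return sorted(takeover_closure(accounts, controlled) & names)


def harden(accounts, oob: str = "sms:phone"):
    """Policy change: any route made purely of knowledge-based answers must also
    present an out-of-band factor that public facts cannot supply."""
    hardened = []
    for a in accounts:
        new_routes = tuple(
            r | {oob} if all(p.startswith("kba:") for p in r) else r
            for r in a.routes
        )
        hardened.append(Account(a.name, new_routes))
    return tuple(hardened)


if __name__ == "__main__":
    attacker = kba_from_facts(OBITUARY_FACTS)
    print("fraudster with obituary only:", fallen_accounts(ACCOUNTS, attacker))
    print("same, hardened policy:       ", fallen_accounts(harden(ACCOUNTS), attacker))
    print("next of kin, death cert only:", fallen_accounts(ACCOUNTS, {"branch:death_certificate"}))
```

Run as a script it prints three scenarios: a fraudster holding nothing but obituary facts takes the primary mailbox through its security questions and from there every account whose reset lands in that mailbox, including the bank; under the hardened policy the same facts yield nothing, because no route is answerable from public information alone; and a next of kin holding only a death certificate reaches exactly the one account with an in-branch procedure. The closure computation is the part worth reusing: list each of your own accounts with its real recovery routes and see what falls from a single compromised mailbox.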

Hijacked Identity
Armed with a hijacked cyber identity, the fraudster/criminal can do all the normal badness we'd expect - except that he's got a window of time in which the probability of successfully making money is much higher. While family members are bereaved and otherwise occupied, the fraudster can be making merry and escaping with their ill-gotten gains.

Which leads me to my next question. If someone dies, how do you legitimately gain access to their cyber identity/accounts?

Take myself as an example: I have several online bank accounts in multiple countries (I know, it's a bit extreme, but I've lived and worked in multiple countries over the years) - each with different account credentials and passwords, a dozen regular email accounts and Web sites, several social network accounts, about two dozen physical service portal accounts (e.g. cable TV, electric utilities, etc.) for bill payment, and probably another 50-80 online accounts that I use regularly for various things (e.g. blogging, work VPN, online shopping, etc.). No two accounts share the same password, but lots of them store my credit/debit card details, and I don't have any of that written down.

So, if I were to kark it tomorrow, would my family be able to recover the accounts - either transferring them over to their own names (for bill payments) or shutting them down to prevent misuse? Frankly, I think the answer would be a colossal No. And, the more I think about it, that's probably going to be a problem.

With more and more "cyber identities" out there, and more and more of our day-to-day lives being conducted online, if you do croak, how do friends and family recover the important accounts - and how can they do that quickly? (yeah, I'm one of those folks with the slightly unique names).

Armed with the content of a typically verbose obituary, any automated "I'm dead" equivalent of the "forgotten my password" process is probably going to be pretty useless - the obituary already hands a fraudster the answers to the usual verification questions. Not to mention the fact that family members are probably going to be rather occupied for the first few weeks. Also, let's say family members never uncover a particular account (e.g. a social network page/micro-site) - how long will it stay there? Should it stay there?

More Questions than Answers
This is one of those security blog entries that raises more questions than it answers. And, even then, I think I'm only just scratching the surface of the questions. However, I know from my own pentesting and passive information gathering experience that stealing online identities based upon obituary write-ups is going to be pretty easy - I'm sure you can guarantee that someone figured this out a while back and is probably already making a lot of money from this cyber vector.

  1. That's a very interesting post. I would think that a "next of kin" could access any of this info with a valid death certificate if there is a physical location (such as a bank). I won't go into the ease of forging such a document, but at least there may be a way. (I can only think of the Seinfeld episode where George tries to get free airfare by obtaining a death certificate)

    Online, though, that's a whole new mess...

  2. An immediate question that comes to mind is Hotmail. If I needed to get access to a deceased relative's Hotmail email account (say my grandfather's) because there's lots of info in there like his friends' email addresses (so I could inform them of the death), how would I do that? "Please Mr Hotmail Helpdesk, I'm a relative and I need to access this email address" probably isn't going to cut it.

    No doubt there are some kinds of procedures for this for the larger online service providers - I just don't know what they are - and I suspect that they're probably more vulnerable to abuse than standard password-reset techniques.

    Food for thought.