Printable Version of Topic
Click here to view this topic in its original format
Dumpshock Forums _ Shadowrun _ Ive come for your money chuck!
Posted by: Prime Mover Mar 12 2007, 04:35 PM
My current players have made some new charecters and former adept is now team hacker. He's come at the class with some interesting twists.
Besides useing agents for all manner of business he routinely operates in several nodes at once. (all covered by rules and good use of new tech)
Recently asked if he had complete control over anothers commlink why couldnt he access banking fuctions and make himself little extra cash.
In the bbb it mentions account info encrypted at rateing 5 and transations are rated at 6+, does hacker have to hack bank or can he find all info he needs on commlink, guess wondering if any of that encrypted info includes password,fingerprint or other needed id info. Sort of like chooseing commlink to remember log in info like you would an email acct?
Posted by: DireRadiant Mar 12 2007, 04:39 PM
Up to you, but do remember most financial transaction requrie third party authentication by default, so while the commlink may have the "account numbers" it's likely the actual account owner would have the "password".
Posted by: sunnyside Mar 12 2007, 05:04 PM
If hacking a comlink was sufficiant for getting money everybody would be broke. It's just too easy to hack those things and, more importantly, there are more ways to safely hide the money in 2070 with off shore banks that won't give up their records and the like.
Personally I use things like a seperate non wireless LED that changes numbers over time. You have to enter the numbers shown at that instant to actually perform the transaction.
In cannon it mentions using things like fingerprints, passwords, and iris scans. You could elaborate on that by having those scans be movies where the other system makes sure everything is right but also makes sure this time things are subtly different than other scans movies to prevent a hacker from replaying a saved movie.
Note that this applies to things like people with regular bank accounts and a comlink. The nature of a certified credstick makes it much much more vulnerable to that sort of thing. Though again I do the LED thing with them. Shady off shore bank acconts are also easier to manage since often people don't want them having their Iris and fingerprint info and if you're moving stuff through lots of accounts you probably are short LEDs. So people might actually go wired for those.
Posted by: Moon-Hawk Mar 12 2007, 06:12 PM
You know how (in some places) if you order fast food and the total is less than $20 you don't have to sign for your credit card?
I imagine you could hack someone else's comm to pay for your soyburger at McHugh's, but not to empty their accounts or to buy a car.
Posted by: nathanross Mar 13 2007, 02:45 AM
| QUOTE (Moon-Hawk) |
| I imagine you could hack someone else's comm to pay for your soyburger at McHugh's, but not to empty their accounts or to buy a car. |
You're 2/2 today. Same reason your mom/dad taught you never to keep all your eggs in one basket, if something happens it all goes. Not only do me and my fellow characters have multiple commlinks at varying security ratings and with varying fake ids, but we never have more than 500Y on our public comm. For a shadowrunner this much is disposable and while missed, is much worse than having your shadowbank info known.
For the funds actually on the comm (or at least available to the comm), it's open game. However, Im sure you dont keep all your money on your debit card, just as Im sure no one in 2070 keeps all their money on their comm. Its up to the GM how much Joe Average has available after his commute to work and back with meals. Maybe he only allocated himself 20Y a day (gotta save up the rent!), and has already spent 10Y of that. So for all that illegal work, poor hacker only got 10Y. Course, this is before he realizes that the citizens of wealthier districs have higher disposable income and probably keep more money on their comms.
Course, now that the character has found a business WAY more lucrative and safe than shadowrunning it is time to retire him or throw him in jail (you didnt honestly think the star wouldnt notice the increased comm theft rate and set up some traps do you?).
Posted by: Jaid Mar 13 2007, 03:18 AM
of course, you could always set up multiple small transactions to clear out a larger amount of money i would imagine...
Posted by: Jack Kain Mar 13 2007, 05:02 AM
First off banks would have among the highest security in the world after all they deal with billions of nuyen. So you can expect loads of Encypt 6+ and agents scanning everywhere.
Umm Data trails anyone? You hack into a guys comlink and manage to steal funds, that leaves a data trail from the bank account to where ever you store your nuyen. Which would flag the account or credstick as criminal.
Who ever provides you with that account won't be to happy to have a datatrail of stolen nuyen going to there account. Even credsticks leave a datatrail they just don't attach to a person.
In the cast of a bank account attached to a fake sin (or real sin if you happen to have one) That SIN is now a criminal SIN as they know "you" received stolen nuyen. A credstick is now useless as its flagged as having stolen nuyen.
The only buffer are off shore accounts and such who can launder the money. But to pay there fees you'd have to steal tens of thousands of nuyen to make it worth it.
Don't expect random nuyen thefts off comlinks to be any more profitable then mugging.
Posted by: nathanross Mar 13 2007, 06:02 AM
| QUOTE (Jack Kain) |
| Umm Data trails anyone? You hack into a guys comlink and manage to steal funds, that leaves a data trail from the bank account to where ever you store your nuyen. Which would flag the account or credstick as criminal. Who ever provides you with that account won't be to happy to have a datatrail of stolen nuyen going to there account. Even credsticks leave a datatrail they just don't attach to a person. |
Completely forgot about that part. With all these weird ass rules I keep thinking that money just floats around AR and while leaving a trace, could easily be spoofed. However, any transaction between banks would obviously require them to set up a connection and then begine the transfer, with a log of sending and recieving accounts. Of course I can see some ways in which you could possibly create a fake bank or at least a fake account, using a fake ID and yata yata. Either way, it would require a certain scale operation and dedicated group. But that is more like the syndicates and NOT shadowrun.
The only kind of theft I can see is something like electronic pick pocketing. I assume some nuyen is stored (not just linked, though im not exactly sure how you do it, Im guessing a transaction using the commlink as the end recipient before transfering it somewhere else), and that can be transfered to your own comm link before erasing the logs. I know 90% of my transactions could easily be handled between just 2 comms.
I send him 100Y through the comm while laying the picture on the table, "Seen her round?"
Posted by: Crusher Bob Mar 13 2007, 08:34 AM
The typical way to steal electronic funds from someone without leaving a data trail that leads straight to you is to buy something real, fungible, and transportable with those funds.
So you steal 10000Y from John Q public. You transfer it to Mr. Fake's account. You tehn buy 9950K worth of jewelry (or whatever) and walk out of the store. Some time later ( and maybe in another coutry) you then sell the jewelry for, say 5K.
Posted by: dionysus Mar 13 2007, 02:03 PM
| QUOTE (nathanross) |
| The only kind of theft I can see is something like electronic pick pocketing. I assume some nuyen is stored (not just linked, though im not exactly sure how you do it, Im guessing a transaction using the commlink as the end recipient before transfering it somewhere else), and that can be transfered to your own comm link before erasing the logs. I know 90% of my transactions could easily be handled between just 2 comms. |
I would disagree with the idea that nuyen is 'stored' anywhere. My debit card doesn't have any actual money 'on' it, it's an authentication token, not a storage device. When you "send him 100Y," you're giving your bank authorization to subtract 100 from the number that represents how much money you have, and add it to the number that represents how much money he has. Even if your commlink stores that number, the bank will ignore it in favor of theirs. If my debit card had a local copy of my balance (I'd be shocked), even if I hacked it to say "USD999,999,999,999,999,999", the bank would chuckle, issue me a new card, and bounce the check I wrote for that yacht. I would have to change *their* number, which means beating the bank's not-inconsiderable security.
Pickpocketing works for tangible things like tender, because currency doesn't require a third party to make the transaction. Electronic transfer of funds is pretty durn intangible. As Jack Kain pointed out, electronic theft becomes profitable at large amounts, when you can pay someone to launder it. Any transaction that isn't cash (I don't think credsticks count as cash, but I could be wrong) involves a bank, no matter if its 10Y or 10,000,000,000Y
Posted by: Moon-Hawk Mar 13 2007, 02:18 PM
| QUOTE (dionysus) |
| I would disagree with the idea that nuyen is 'stored' anywhere. My debit card doesn't have any actual money 'on' it, it's an authentication token, not a storage device. |
But my laundry card does have actual money "on" it, in that there is no record of the balance of that card anywhere else. Were I to successfully "hack" my laundry card I could create money, which I could then use to wash my clothes. And, um, well, nothing else, 'cause I can't transfer money off the laundry card.
So I think it is within the realm of possibility that credsticks could set aside a small amount of money as actually "on" the stick, for minor transactions that do not need to be verified. A small amount of money, so that even if someone were able to defraud the system, they'd be putting a lot of work into getting a teeny bit of money. You don't have to make counterfeiting impossible, you just have to make it less profitable than minor crimes.
Posted by: dionysus Mar 13 2007, 02:22 PM
| QUOTE (Moon-Hawk) | ||
But my laundry card does have actual money "on" it, in that there is no record of the balance of that card anywhere else. Were I to successfully "hack" my laundry card I could create money, which I could then use to wash my clothes. And, um, well, nothing else, 'cause I can't transfer money off the laundry card. So I think it is within the realm of possibility that credsticks could set aside a small amount of money as actually "on" the stick, for minor transactions that do not need to be verified. A small amount of money, so that even if someone were able to defraud the system, they'd be putting a lot of work into getting a teeny bit of money. You don't have to make counterfeiting impossible, you just have to make it less profitable than minor crimes. |
Oh, right those. Had those in college, a few of my friends did actually hack them, they maxed at about $100. That makes sense for credsticks, which is like a cash transaction then. Interesting.
Posted by: Moon-Hawk Mar 13 2007, 02:28 PM
| QUOTE (dionysus) |
| Oh, right those. Had those in college, a few of my friends did actually hack them, they maxed at about $100. That makes sense for credsticks, which is like a cash transaction then. Interesting. |
Right. I had something like my current laundry card in college too, except that one I could use to buy fast food and other stuff around campus.
So what you friends did; was it counterfeiting? Yes. Was it illegal? Most certainly. Did it cause the collapse of the western economy? No. Are they now fabulously wealthy? Well, they might be, but if so I guarantee it has nothing to do with their laundry cards.
So in game terms, if you actually have a player who wants to have their character scam people's "laundry card" or "fast food accounts" for 50
at a time, the problem is not with credsticks, there's a more serious problem at your gaming table because somebody obviously doesn't want to play Shadowrun.
Posted by: Crusher Bob Mar 13 2007, 02:47 PM
The current problem is basically that peoples comlinks are too easy to hack. Think of it as having someone find out what your PIN number is and stealing your ATM card. Because authorization for the debit is done at/on John Q Public's comlink and any hackr can own John Q Public's comlink in a few minutes, this means that he can steal or copy the authentication code.
Posted by: Moon-Hawk Mar 13 2007, 03:06 PM
| QUOTE (Crusher Bob) |
| The current problem is basically that peoples comlinks are too easy to hack. Think of it as having someone find out what your PIN number is and stealing your ATM card. Because authorization for the debit is done at/on John Q Public's comlink and any hackr can own John Q Public's comlink in a few minutes, this means that he can steal or copy the authentication code. |
Well that's true. Of course he'll need to steal John Q Public's fingerprints or other authentication info not stored on the commlink, but that's also a relatively minor hurdle.
So what happens then? Well, John Q reports it stolen, and his credit insurance kicks in, so he won't be liable for any losses. The next time it is used for a transaction Lone Star are immediately notified. An astral mage or spirit is on the scene instantly to track the offender and lead police to him.
Now if the criminal is very quick he may be able to steal the money and get away with some commodity before it's reported and before the cops can catch him. But whatever he bought he bought it with legitimate cred (someone elses, but still attached to someone's SIN) so the transaction is logged and there's a record of exactly what was bought, making it a pain to deal with the merchandise.
I have no doubt that this happens from time to time, but as a GM it seems like you should be able to make this inconvenient enough that if you're still having problems with everyone at your table trying this instead of playing the game, the problem probably lies elsewhere.
But I really don't think it's a problem that identity theft exists for some people in SR, as long as the PCs aren't doing it in lieu of playing the damn game.
So we don't have to think of ways to completely stop identity theft, we just have to come up with one or two ways to make it less fun than shadowrunning.
Posted by: dionysus Mar 13 2007, 03:12 PM
| QUOTE (MoonHawk) |
| But I really don't think it's a problem that identity theft exists for some people in SR, as long as the PCs aren't doing it in lieu of playing the damn game. So we don't have to think of ways to completely stop identity theft, we just have to come up with one or two ways to make it less fun than shadowrunning. |
Well said.
Posted by: Crusher Bob Mar 13 2007, 03:12 PM
He reports what exactly as stolen? He still has his fingerse, he still has his comlink. The hacker just runs a virtual copy of the comlink, and buys something.
Posted by: Moon-Hawk Mar 13 2007, 03:54 PM
| QUOTE (Crusher Bob) |
| He reports what exactly as stolen? |
Information. His passcodes. Information is ownable, and it is stealable. Someone can scam your credit card and steal your identity even if they don't have the physical chunk of plastic.
And he is using that stolen information to commit other crimes, like fraud. This is really no different than identity theft today. The difference is that it's easier to do, easier to track, and the whole process is a lot faster.
Posted by: sunnyside Mar 13 2007, 04:14 PM
Certified credsticks are still tied to a bank. Just not to a person (so you can punch someone and take their certified credstick and use it). This is why they're casually tossed around to pay for stuff (though being tied to a bank you'll want to get the money offshore fast).
For those of you who don't want to use LEDs and all that one thing in shadowrun that might help keep that sort of thing in check is having the banks randomly running trace IC on transactions, and always on "suspicious" transactions. The trace will find the hacking comlink through the hacked comlink as always. At that point it would obviously null the transaction(though it'd probably tell the runner that the transaction was fine) and law enforcement would be dispatched. Additionally the bank would probably send a spider/high rating agent to backhack the ID theif. Granted a shadowrunner will probably only have a fake ID on their own comlink, but it's worthless now and that's a couple thousand nuyen flushed down the toilet. Things get much more exciting if the spider can get into the runners cyber eyes and see their friends/download stuff they recorded.
I bet this would at least catch players once. They may be good at scanning for active IC and such while hacking, but when using the bank they probably just say "I transfer the money".
Posted by: Crusher Bob Mar 13 2007, 04:44 PM
| QUOTE (Moon-Hawk) | ||
Information. His passcodes. Information is ownable, and it is stealable. Someone can scam your credit card and steal your identity even if they don't have the physical chunk of plastic. And he is using that stolen information to commit other crimes, like fraud. This is really no different than identity theft today. The difference is that it's easier to do, easier to track, and the whole process is a lot faster. |
I posted that in response to someone saying that the person who had their ID stolen would report it as stolen. With the hacker moving fast, the fradulent transactions are over before the monthly statement (or whatever) is done.
Sure administrative/random spot checks on the banks transactinos might catch a few people, but the problem is that it is so easy to do. It's as if ATMs were as secure as newspaper machines.
Posted by: JanessaVR Mar 13 2007, 06:15 PM
Hmmm...I've already been thinking about financial security in an age of rampant, highly-skilled hackers everywhere. Step 1 was to put the bulk of my funds into Zurich-Orbital (no better banking security anywhere). The following is a quote directly copied from the Assets & Equipment section of my character sheet for our campaign that starts this Saturday:
Security Features: Her Zurich-Orbital account can only have funds withdrawn from it or changes made to it under very specific circumstances. Specifically, these can only be made in person from certain banks on certain days and at certain times. Biometric information as well as series of question-and-answer passcodes are also required. For deposits, disposable account deposit codes are used.
My "day to day" cash is a few thousand nuyen (I have High Lifestyle). Anything over this is sent to Zurich-Orbital. All serious funds are stored off-planet, not just offshore.
Posted by: Jack Kain Mar 13 2007, 07:31 PM
When saying how easy something is to hack you do realize that 400BP is equivalent to professional rating 6 or more right? The standard PC shadowrunner is already elite. This isn't a game where you start out as a green kid with little to no skill and you have to work your way up like most RPG's.
Posted by: hobgoblin Mar 13 2007, 09:43 PM
true, a hacker in SR4 is either home schooled or in some other way educated to what can be seen as a engineering title from mit(&t) more or less.
still, if a kid with hacking 1 got hold of some smoking hot rating 6 programs of the matrix, he may have a chance or something...
Posted by: Jack Kain Mar 14 2007, 12:57 AM
Thats what limited the number of rolls you can make on an extended test are for.
Posted by: sunnyside Mar 14 2007, 04:56 PM
The issue isn't so much hacking the banks. It's if you can hack the dude with the comlink. And that's something a pretty green hacker could do.
Personally I like my thing with having a hardware LED on the person they have to look at to know what passcode to enter to authorize the transaction plus real time movies sent. That way you'd have to physically assault the person. And then the amount you could get should in practice be limited. Much as many credit/debt cards have limits on how much can be taken out in a day.
Powered by Invision Power Board (http://www.invisionboard.com)
© Invision Power Services (http://www.invisionpower.com)