Get the players for the thrill of it, not the monotony of a daily grind. Hacking a thousand accounts a day for 5 nuyen each would be like doing customer service and helping 100 customers a day for the same thing. Might as well classify yourself as a wageslave at that.

Also try getting them in the reputation. Word spreads through the shadows in mysterious ways, and a particular contact could make a disparaging remark about the mass robbing-the-poor style of earning cash.

And in the case of hacking, there's always the Honeypot (see Unwired). Something I had set up for a player of a magician who wanted to start earning extra cred by mugging people (by using a Fichetti Pain Inducer), his first mark was going to actually let him walk away with a relatively big score of five thousand nuyen. That nuyen, unbeknownst to the player until he tried to spend it (easy enough), was going to be forged and automatically set off alerts when used. Now I know a smart player might actually check the cred first and pitch the stick it's on, but this one wasn't all that bright.

I'm personally thinking of doing a little bit of hacking to try and recoup the losses from our current run. 40 grand between six characters isn't much to begin with and factor in that most of us needed to buy new vehicles for the terrain and I'd lost money on the run before it even started!
Let me explain: The person that got the call was our uncouth sniper adept, who didn't bother to contact any of the three primary faces and instead went with the dwarf hermetic mage as his face *Facepalm*. he got the mission without asking for any details ("It's a manhunt." "Tell us more about..." "I always wanted to do a manhunt! Let's go!" "We'll give you 40 grand for it." "Let's nego..." "Sounds great, done deal!" *Facepalm*)
The only reason the rest of us agreed to come along is that a) It's not fair on the GM to just turn down his missions and b) Our group has a 'Stick together, so that if one day you're the one in trouble someone's got your back' philosophy.
The first commlink I hack is going to be his. Seriously, if I'm getting paid less than it costs for a second-hand dirtbike and a second-hand antique rotordrone then I expect the mission to be straightforward, not scour 400 square km for a gone-to-ground paranoid survivalist who's security clearance at Ares was so high that our middle-manager contact can't even find his job description on the system! Oh, and have I mentioned that he's buddies with the local authorities who patrol the area in armoured rovers sporting machine guns?!?
Yeah, Malcolm (the pc) really dropped the ball on this one.

So just ambush one of the patrols and take their stuff (I assume that your team is somewhat competent, so this should not be all that difficult). Why you got to buy your own?

I'm not sure the word "buy" should really be in your vocabulary for many jobs. Just figure out who has what you need and swipe it so long as it isn't specialized gear.

Kill a bunch of cops and hijack an armored security vehicle that's going to be filled to the nines with a bare minimum of tracking devices, if not mechanisms by which the vehicle may be remotely shut down?

Good plan!

HERF gun? (IMG:style_emoticons/default/biggrin.gif) Though, if I remember right, that might not work on all dohickeys.

Like stealth tags. (IMG:style_emoticons/default/nyahnyah.gif)

What's the range of a broadcasting stealth tag anyways?

The default is Signal 1, which is good for roughly 40m, though I'd wager it's possible to augment that to a 3 (a range of 400m), and I recall reading somewhere about a Signal 5 tag.

Even at just 40m, usually that's good enough to bounce off something with a higher signal.

There are ways around everything. And it is not like your keeping them. Unless you are, of course. *shrug*

Good plan!

Who said anything about cops? The patrols are military.
Yeah, there is no way we're getting paid enough for this one.

Which military, specifically?

You might be able to get paid twice by impersonating a rival military and framing them for a border raid.

As long as your transmitter with the activating key code is within range, and depending on how the stealth tag is programmed (maybe it'll only connect to the device that gave it said key code despite how every wireless data is a router?).

Stop, stop right there. Don't question how it works, because Shadowrun's matrix does NOT function like the real world.

A stealth tag can, and will, phone home without an "activating source" and will perform signal relays.

I am so using this. Heck, if we get enough people to pay us for the one job then we might break even!

I know that, but I used terminology that's used in the books.

And right from the book:That there says they're not even acting as a passthrough for data for other devices, and unless you've got the passcode they're very difficult to find.

Of course it's also possible for a stealth tag to be programmed to periodically 'phone home', but they'll be found by the paranoid hacker that leaves his Scan and Sniffer programs running 24/7/365 or the TM who happens to sense an occasional pulse of data on a regular basis.

Thought you said it was a Bad Plan ShadowDragon8685.

It is, but they seem to be stuck with it. Therefor, if they can get away with pinning the blame on someone else - and making enough money to turn a profit, or at least break even - so much the better.

There are a few deterrents to this kind of mass-hacking:

1) Banking transactions should typically require biometric authorization, even for a $1 soycafe. They could also possibly require other autorization schemes (confirmation dialogues, passcodes, etc.), that come from the banking system, and not from the user's commlink. Meaning you'd have to hack the bank's node to bypass these schema.

2) Assuming you got by #1, most people will notice that their accounts are shortchanged in due time, and report the descrepancy. Even that $5 slice of pizza or coffee is likely to alert a decent percentage of people. If the banks start getting alerts about fraud (and it's entirely reasonable to believe banks share fraud alert information to better combat fraud), they'll likely assign an analyst to look into it. If it appears to be widespread (i.e. you're hacking enough people to make this profitable), they'll assign a team to analyst the fraud.

3) One hack might go undetected, and be impossible to trace. 1000 hacks will not only be detected, but will provide much more information for the investigators. They could pull security footage, correlate the locations of victims to determine where the attacker was sitting/standing/idling in their van, etc. Even if they cannot locate the current whereabouts of the hacker, they could easily determine a modus operandi, and set baits and traps for them. The honeypots, as someone else said, or just people on the lookout for this sort of fraud.

4) Someone has likely already tried this. Busy locations may very well already have the occasional plain-clothes hacker-cop keeping an eye out on wireless traffic for these kinds of schemes.

But, really, #1 should be enough to shut this sort of thing down. A simple "What's your secret confirmation passcode for this purchase?" sent from the bank's own node via an encrypted subscription for any purchase should be enough to prevent unauthorized purchases. Sure, some dumb people will have their passcode stored somewhere on the commlink (there's no accounting for human stupidity), but there's no reason to think the majority will, since responding to such a query is easy, and likely has been drilled in to the populace by the banks to prevent this sort of fraud.

Uh. No you don't. If it's any kind of request from the bank to the compromised comlink, then it's bypassable at the comlink level.

The bank queries a security question, the hacker gets the opportunity to spoof the response.

Sure. Spoof or hack. Regardless, the hacker would be spoofing the much more secure bank system than the personal commlink.

A small-amount transaction is probably not going to require biometric authorisation.

Also: if you ever need more than your own commlink to spend money, then effectively, you can't spend money. IOW: no matter what the bank does, if simply having (or controlling) the commlink in question is not sufficient to initiate, conduct, and successfully conclude even a SMALL transaction ... the entire premise of how SR4 handles money and electronic transfers breaks down completely.


Key words, "in due time".

True story: the other day, I glanced over the family cellphone bill out of curiousity, and because we've been discussing ways to tighten up our budget and save some money lately. I noticed two charges on my g/f's phone that seemed out of place - insurance for $7/month, and some download subscription for $4/month. The insurance has been getting paid, without being noticed, since she got the phone three or four years ago (and those payments have now exceeded the price of her phone, twice over). The download charge started LAST MAY, six months ago. And we're only JUST noticing it now.


That's why you (a) use a disguise, (b) pick a VERY busy place, © never go back to fetch the commlink, (d) set the commlink to delay the onset of it's hack attempts for 1 or 2 hours (it can spend the intervening time scanning and analysing the surrounding nodes to pick out he ones that aren't mobile - and pu them on it's "don't bother" list), and (e) use the Palming skill to surreptitiously Gecko-tape the commlink to the underside of something.

As for the modus operandi, that's why I said you never repeat the same scam in the same location less than three months apart. Preferably less often than that.


Even if the system works that way, you know what happens? Your self-replicating Agent program is under orders: "Sit back and watch. When transactions are made, RECORD THE SECRET PASSCODE. Then and only then, send 5¥ to ____, and upon confirmation of the transaction, delete EVERYTHING from the commlink.... including yourself, last of all." And with Admin access to the commlink, even an encrypted subscription doesn't matter. The Agent would have the decryption keys.

And there'd be a log of that particular access ID being the last thing in the node before everything crashed. Quick way to get caught.

Hrm, I disagree (though that does not preclude me from being wrong).

An example transaction from Bob to Sally, for $5:

1) Bob tells his commlink to transfer $5 to Sally's commlink.
2) Bob's commlink notifies Sally's commlink that a transfer shall take place. It gives her his banking information, and receives her banking information. Effectively a banking handshake.
3) Bob's commlink notifies his bank (hereforth known as Bank) to transfer funds to Sally's banking information (hereforth known as Recipient).
4) Bank sends a verification ping to Bob's commlink, for a verification passcode, biometric scan, (perhaps parental consent sent to a guardian's 'link), whatever, via encrypted subscription (basic encryption software baked into the banking software the commlink comes with).
5) Upon verification, Bank releases the funds to the Recipient, and logs the transaction.

The handshake, and verification, are nigh instantaneous. So you can easily have it apply to any and all transactions. The only reason we forgo needing a signature for credit card purchases for amounts less than $20 today is because it's a hassle for the merchant (cost/benefit/risk analysis). Given the ease of obtaining verification there's no reason to not do it for every transaction. Can the verification be spoofed? Sure. But you're spoofing the bank's system, not the more vulnerable commlink.



Certainly. I've had a similar situation happen to me. But when you're hacking large numbers of people, some of them quite possibly will notice something funny. Even if only 1% of people pay attention to their spending habits, that's still 1 person out of 100 that'll notice, which may (or may not) invite the banks to investigate for similar behaviors.

If we're talking anecdotes, what about those people who get hacked, and are on a really tight budget? Suddenly they're getting overdraft notices for no reasons, because that $5 charge sent them over the edge. Or their rent check bounced because they had less money than they expected.

All I'm saying, is that if you're hacking one or a handful of people for petty larceny, fine. Large scale? Odds become good that it gets noticed quickly by someone.



The "deployed commlink auto-hacking and stealing from people around it" bit has numerous problems, off the top of my head. From what happens when it fails a hack-on-the-fly (which will happen), to being detected, to being too-sophisticated for all but the most high-end agents (making it not cost effective), etc. IMO.



The main point I am trying to make, is that the banks will have had quite a bit of time to come up with ways to combat simple fraud/theft such as this. If this sort of hack is possible, confidence in the banking industry would be pretty shot. Any wiz wanna-be street hacker likely would try their hand at stealing from the patrons of the nearest Stuffer Shack.

What if it's not just a passcode, but current biometrics, and a rotating "Secret Question" style sheet. Maybe it asks what the last transaction was, where you were the last time you made a transaction (or other meta-type questions). There's a bajillion potential verification methods the banks could use to prevent this sort of fraud.

Can they prevent a dedicated hacker from doing a one-off? No. Can they limit mass theft scenarios? Hopefully.