certified credsticks, Resisting just derailing another thread
sunnyside
post Jun 24 2007, 06:58 AM
Post #1





Ok this came up in another thread and, more shockingly, a title search on "credsticks" doesn't come up with anything in the 4th ed forum.

In previous editions I thought certified credsticks were associated with a bank account and, while you could forge one, as soon as the person you ripped off got on the matrix they found out what was up.

In 4th things are less clear, one way or the other.

The rules for hacking a credstick are pretty clear though, they're device rating 6. Meaning not everyone with a rating three comlink can hack them but any PC hacker or TM can do whatever they want.

So the question is are 4th ed credsticks associated with a bank account or are they just encoded and act purely like cash and not like a certified check.

If you're in the "just encoded" camp please indicate your reasons why hackers bother to run the shadows instead of just cracking sticks.


Aaron
post Jun 24 2007, 07:06 AM
Post #2



I reckon the sticks do have encrypted cash balances on them, but they're only part of a larger system that handles electronic cash (that's cash, not credit accounts). It's a big, complex mathematical system that authenticates the cash on a credstick. If you'd like, I could go into more detail, but the system is part cryptography and part networking and can get a bit complex. But you can simply say that credsticks are cash and leave it at that.

sunnyside
post Jun 24 2007, 07:10 AM
Post #3



So you're saying that the credsticks are still associated with something in the matrix. It's just something that might be run by UCAS as opposed to accounts in a bank. And there aren't accounts per se, just metadata regarding what money is on what credstick.

ShadowDragon8685
post Jun 24 2007, 07:24 AM
Post #4



Okay, here's how it works.

A Credstick (an archaic conceit, but still accepted most places) is simply a wireless link to your bank account - or someone's bank account. If you want to upwardly change the amount of money on it, you have two options.

1) Earn some more money and bung it on the account.
2) Hack the bank itself and change what they think is on the account.

By far, #1 is the easiest of these options, especially if the bank is Zurich Orbital. FastJack doubts his ability to even get in the door there, let alone hack something and get out unnoticed.



Certified credsticks are something completely different. A certified stick is e-Cash-in-the-hand. Where certified sticks are accepted, it's as good as ¥, because it is ¥. There's no waiting around for a transfer, there just is a transfer, from your certified stick to their accounts.

The question is, why don't all hackers simply cook certified credsticks and buy anything and everything they want? Well, it's not that easy...

Certified Credsticks are the hardest things in the game to crack. The test to defuse a nuclear bomb would be easier, I'm sure. First you have to crack the case without the whole thing frying. Easier said than done. Then you have to defeat a second layer of physical security, to get at the electronics. Then you need to find gear that can interface with the nonstandard design - again, not easy. You may have to devise your own.

Then you need to hack the stick itself. If you've gotten through the last two, this is probably easier, but one slip up here will still ruin the stick. At this point, you can put whatever amount you want on the stick, up to the maximum amount the stick type will take. (Higher stick types are correspondingly more difficult to hack.)

Once that's done, you then need to reassemble the stick, and you need to do it right, again, or the stick is ruined.

Once you've done that... Congratulations, you've got cooked money. You go to spend it... Whoops. The stick reader gets a test to see if it detects the forgery. Even if, after all of that hard work, there should be no way a simple reader could detect the forgery, it gets a chance to do so. Sucks to be you if you get caught at this stage.

But once you're past this stage, you're scot-free... So what do you do?

You buy, and you buy like there's no tomorrow. You don't want any of that money to still be floating around (on your accounts, anyway,) by the time the bank runs its next audit. They always wind up coming at least several hundred thousand ¥ overbudget, I suspect, and their response is simply to invalidate the "bad" ¥. Sucks to be the person who made the sale, doesn't it?

You, on the other hand, if you took the normal Shadowrunner precautions when you spent, should be fairly safe. Of course, you do have to ditch the Comm and any identities associated with the transfers, because if you screwed a legitimate business, the cops will come looking, if you screwed the mob, the mob will come looking, if you screwed fellow criminals, Shadowrunners will come looking, and if you screwed a Mega, their security will come looking.

The payoffs are big, but the number of chances to completely screw the pooch are high. And the set-up cost is high, too. Remember, certified credsticks have a minimum and a maximum limit; sure, you can buy the 0¥ - 1,000¥ credstick for like 5¥, but you go through all that trouble, time and effort, and the most you can get is a grand.

On the other hand, to set yourself up for the million, you have to buy a certified cred-stick pre-loaded with something like a hundred thousand, or five hundred thousand. You screw the pooch on ONE of those, and you're out an amount of nuyen that most Shadowrunners could retire on!

kzt
post Jun 24 2007, 07:52 AM
Post #5



The problem is that the RAW doesn't say anything about having to use a non-standard system to charge or accept a certified credstick. "Certified cred requires no ID or authorization to transfer or use." Anyone can buy one and install money on them. And you don't have to crack the case, as the only way it can talk to the outside world is able to be monitored by you. Naturally the traffic is strongly encrypted :rotfl: when it connects either through the reader or via wireless. Either way, you can control who it talks to and what it learns because SR encryption doesn't work. Which means that, by the RAW, it has no real way to verify anything about what you are telling it.

FriendoftheDork
post Jun 24 2007, 09:35 AM
Post #6



I see them as sticks with prepaid electronic money. It's like someone put a stick of gold in it, thus anyone can use it without any authorization.

Which means that if you're seen with too many of these babies on you, you better be ready to waste some muggers.

The credstick is manipulated physically.. thus you need to physically hold it to transfer funds from it to a comlink or another credstick. And of course you cannot transfer more than what's on it.

You could probably open it and change numbers - but if you do the anti-tamper system will destroy it before you can do anything. But that's just my take on it. There are no rules I've seen for hacking certified credsticks, it only says that default encryption on nuyen transfer is 5.

This game becomes so much easier to believe if you know nothing of computers :)

kzt
post Jun 24 2007, 11:38 AM
Post #7



QUOTE (FriendoftheDork)
This game becomes so much easier to believe if you know nothing of computers :)

The Gibson approach to gaming? ;)

TheMadDutchman
post Jun 24 2007, 12:58 PM
Post #8



I personally don't care about how hard it is to hack a credstick but I know some things about Credit Unions and finance in general so I might have some useful real-world intel on how electronic and certified funds work.

I'm going to start w/ the debit/check card. By now everyone probably realizes that it's linked to your cking acct and how long the funds take to come out of your acct is determined based upon whether you sign for the transaction or use your pin. Signing takes an avg of 2-4 days (seriously watch your on-line accts) while pin transactions usually take around an hour or so; often less. When you use your ck card to authorize a transaction the card looks at what is in your acct and then what is on your card waiting to clear in order to determine if you have enough money for the transaction. Be careful because some companies such as gas stations will authorize a very small amt like 1$ and then bill you for whatever you actually buy. Which means you may not actually have had enough money in your acct for the transaction and restaurants will usually authorize a larger amount to give you the option of tipping on your card and then bill you for the final amount put down on the signed receipt.

Are any of you familiar w/ Check 21? Check 21 came out, I want to say in either 04 or 05. Before 9-11 all cks were cleared through the federal reserve manually and this took about 5-7 bus. days. That's right every check written in the U.S. was taken physically to the national federal reserve building (I can't think of what city it's in) and cleared one at a time. After 9-11 there was a huge back-up in ck clearing and it took weeks to catch up. Check 21 was a process by which an electronic copy of the ck could be sent through allowing cks to clear in a matter of hours. Not every financial institution uses Check 21 currently but things are moving in that direction and it's only a matter of time before every institution does.

Gift Cards. I think Gift cards are probably the closest thing to certified credsticks we have in the real world. A visa gift card or re-loadable pre-paid card (not all gift cards are re-loadable which is why I list them separately) work basically the same as the debit cards I described above. The difference is that though they are linked to an acct the acct doesn't actually have your name on it. Now, the card "might" have your name on it but it doesn't have to. I can go into a branch of my Credit Union and purchase a gift card at the front desk for the amount I want on the card plus a couple of dollars for the card itself and because I didn't order it on-line and the branch office doesn't have the embossing equipment on it there will be no name on it so anyone can use it. There won't even be an address attached to it for on-line security. (Debit cards have your address info on them and many on-line vendors have begun to refuse to ship to addresses other than your appropriate billing addr (the one on the card) in a way to help fight identity theft)

I think if I had to make a call I would consider certified cred to be like nameless gift cards. So they would be linked to an acct-it would just be an anonymous acct.

Buster
post Jun 24 2007, 01:48 PM
Post #9



The nameless gift card is exactly how I envision certified credsticks. With that system, hacking the credstick would get you exactly nowhere because you'd need to know the account number and account access permits of another account that had more money in it. That explains why there's only rating 6 protection on the credstick. And it explains why criminals run the shadows instead of sitting in their basement hacking credsticks. You'd have to hack the entire certified credstick banking system to be able to create money out of thin air.

raphabonelli
post Jun 24 2007, 02:16 PM
Post #10



I've never given too much thought to how Certified Credsticks work behind the curtains (just used it something like "hard cash", since my players never tried to hack one). The entire "Gift Nameless Credit Card Pre-Loaded" thing hit right on the spot, in my opinion... and I guess credsticks will start to work this way in my games.

This way, hacking the card will, after bypassing all the cryptography, give you the account from where the money came from... but getting more money will put you hacking the entire bank matrix and the freaking security that it will have.

TheMadDutchman
post Jun 24 2007, 02:17 PM
Post #11



The other thing to think about is that financial institutions are very security minded. I just enrolled in Internet banking for a bank I just joined and good god they have picture id recognition.

Financial Institutions across the country are constantly working hand in hand w/ federal agencies (like the FBI) to hunt down and arrest identity thieves and fraudsters.

Based on what I know I'm inferring that groups like the FBI also have electronic crime divisions by this time and definitely would in the 2070's. The only hope that criminals have is hacking across national borders (I always have the feeling that international cooperation doesn't happen a lot in SR) but even then you have to deal w/ corporate security and I have to believe that companies as powerful as Zurich would have to have a security group (including an electronic crimes unit) as powerful as the FBI; if not more so.

So, going back into gaming you have to believe that regardless of whether or not certified credsticks are linked to accts or stand alone that there are very very talented law enforcement officials tracking down the hackers responsible.

Backgammon
post Jun 24 2007, 02:46 PM
Post #12



Sprawl Survival Guide explains credsticks.

Normal credsticks are merely linked to a bank account. When you buy something, a connection is made to your account and money comes out. Think Debit Card.

Certified cred is not the same. Money is pre-transferred to the internal memory of a credstick. Once on the certified credstick, you spend it directly from the stick's internal memory.

Read SSG if you need more details. It's all very well explained.

Abbandon
post Jun 24 2007, 03:00 PM
Post #13



A credstick is just a piece of plastic. You slot it into your comm and transfer money to or from it. The credstick does not have any info on it except what the current balance is.

Your account info is on your commlink.

If you pay for a taxi cab ride with your commlink the whole world knows where you were at because you leave an electronic footprint at that address, at that time, using that SIN.

If you slot a credstick as you exit the taxi not a soul in the world will know about it cept the cabby and any people around at the time. And then they will only have a physical description.

I'm sure some credsticks could have security features and be for specific one way transfers to specific targets. Those sound like a perfect example of when you use Hack/Exploit/Computer + logic to mess with a "device".

raphabonelli
post Jun 24 2007, 03:22 PM
Post #14



QUOTE
A credstick is just a piece of plastic. You slot it into your comm and transfer money to or from it. The credstick does not have any info on it except what the current balance is.


You don't "Transfer" money from your Comm to the Credstick... first, because that could create a datatrail (you know it or not), second, because it's the bank that encodes the credstick with money - charging a small percentage of the amount. (BBB - p. 259)

QUOTE
Certified cred is not the same. Money is pre-transferred to the internal memory of a credstick. Once on the certified credstick, you spend it directly from the stick's internal memory.


Thank you, I've never had a chance of reading SSG. But, at least in my game, I guess I will use the "Gift VISA card" way of thinking... more control from the bank, more security, and I guess that wireless technology could have changed a little the way credsticks work. But, thanks anyway.

FriendoftheDork
post Jun 24 2007, 03:55 PM
Post #15



QUOTE (raphabonelli)
QUOTE
A credstick is just a piece of plastic. You slot it into your comm and transfer money to or from it. The credstick does not have any info on it except what the current balance is.


You don't "Transfer" money from your Comm to the Credstick... first, because that could create a datatrail (you know it or not), second, because it's the bank that encodes the credstick with money - charging a small percentage of the amount. (BBB - p. 259)

QUOTE
Certified cred is not the same. Money is pre-transferred to the internal memory of a credstick. Once on the certified credstick, you spend it directly from the stick's internal memory.


Thank you, I've never had a chance of reading SSG. But, at least in my game, I guess I will use the "Gift VISA card" way of thinking... more control from the bank, more security, and I guess that wireless technology could have changed a little the way credsticks work. But, thanks anyway.

Actually in my game this came up. Basically you're right, the bank has to transfer the funds to the credstick (using whatever insane security measures available). But IMO they wouldn't need to do this physically, I mean going into the bank and slamming it on a table.... that's too old-fashioned.

So basically the user of a bank account asks for a certain amount to be transferred from his account to his comlink as certified cred. The bank sends him this electronic wad of "dollars", which he can then transfer into the certified credstick by slotting it or perhaps wireless. The whole process should take a few minutes, which is forever in 2070.

What do you think about that? Could it be done? IMO to hack it you would have to hack the bank itself, you couldn't just spoof the signal as you would need certified nuyen as data to send anyway, and that shouldn't be possible to make for a hacker.

Aaron
post Jun 24 2007, 06:30 PM
Post #16



QUOTE (sunnyside)
So you're saying that the credsticks are still associated with something in the matrix. It's just something that might be run by UCAS as opposed to accounts in a bank. And there aren't accounts per se, just metadata regarding what money is on what credstick.

Not precisely. The credstick isn't associated with anything in the Matrix, but the cash in it is. It's kinda like the way the real cash I have in my pocket is associated with something in the US Treasury Bureau. I could agree to buy your old copy of 2XS for US$1, and then hand you this piece of paper that has printed on it "A946084434B" in green letters and numbers. Even if that number never existed within the system (it doesn't, incidentally), it still acts as regular old currency until somebody bothers to check the register of serial numbers.

Electronic money, or scrip, works in the same way, except that the serial numbers are far more complex, and checking the register is far more trivial. So once one hacked a credstick, unless one was also hacking the currency system (run on Zurich Orbital, anyone?), one would have an infinitesimal chance of coming up with a valid serial number for the scrip one wanted to add. One could just make a copy of the scrip data, sure, but once the registry started detecting transactions on that scrip from multiple divergent sources, it would flag that scrip as forged.

And before anyone asks, yes, scrip would be traceable, but only in the abstract sense. It wouldn't necessarily be traceable to any particular location or person. The book describes how credsticks are generally considered shady, so most validation transactions probably pass through one or more anonymizers (heck, I imagine such validators run Spoof actions once a second as a matter of course). Any data connected to validated scrip beyond amount and time of validation would be unavailable.

kzt
post Jun 24 2007, 09:36 PM
Post #17



QUOTE (raphabonelli)
Thank you, I've never had a chance of reading SSG. But, at least in my game, I guess I will use the "Gift VISA card" way of thinking... more control from the bank, more security, and I guess that wireless technology could have changed a little the way credsticks work. But, thanks anyway.

That does work, but you are creating a data trail. Someone looking may not know who had the gift card at any given moment, but they know who bought the gift card and who money was transferred to. The fact that the money is being taken out of a secure back-end system is why you can't just code a value onto the card.

There have been similar traces done with phone cards. An investigator couldn't determine from the one call who had the phone card that called the Ryder truck outlet that rented the truck used to blow up the Alfred P. Murrah federal building, but from the data trail they could.

Without that link to the back-end bank system there is nothing that can really be done in SR to stop someone semi-competent from creating money on a certified credstick other than GM fiat.

But financial corps and honest governments don't like anonymous accounts or unrecorded transactions and actively work to stop them. Which is why you can't typically walk into a bank and open an account at a random bank without ID or pay $100,000 in cash for something without a report being filed.

Rotbart van Dain...
post Jun 24 2007, 09:38 PM
Post #18



QUOTE (kzt @ Jun 24 2007, 11:36 PM)
But financial corps and honest governments don't like anonymous accounts or unrecorded transactions and actively work to stop them.

But the corps like it. And thus, it happens.

kzt
post Jun 24 2007, 09:46 PM
Post #19



QUOTE (Rotbart van Dainig)
But the corps like it. And thus, it happens.

Corps are at their heart a financial organization run by accountants. Why do they want someone to be able to anonymously defraud them? And if they don't care, why would you need a SIN to open a bank account with Ares bank?

Kyoto Kid
post Jun 24 2007, 09:48 PM
Post #20



QUOTE (kzt)
But financial corps and honest governments don't like anonymous accounts or unrecorded transactions and actively work to stop them.

...Governments? Honest? :huh:

..."legitimate" or "established" maybe.

Rotbart van Dain...
post Jun 24 2007, 09:48 PM
Post #21



Because black accounts are necessary to them.

Demon_Bob
post Jun 25 2007, 01:51 AM
Post #22



So are some of you saying that Certified Credsticks do not work in Wireless Dead Zones like the Barrens? If that is the case have they gone back to a barter system. If the Certified Credstick displays its value. They just trade for a Certified Credstick(s) of the closest amount?

sunnyside
post Jun 25 2007, 02:02 AM
Post #23



QUOTE (Demon_Bob)
So are some of you saying that Certified Credsticks do not work in Wireless Dead Zones like the Barrens? If that is the case have they gone back to a barter system. If the Certified Credstick displays its value. They just trade for a Certified Credstick(s) of the closest amount?

Nobody's saying that. Since "players get infinite money" isn't really an option we're fundamentally debating between.

1. There is some kind of credit confirmation system. Credsticks can transfer money all they want, and can be hacked, but eventually you log onto the wireless and stuff gets validated somehow, telling you that, yes, that was a valid credstick that transferred money onto your credstick.

2. Credsticks have secret anti hacking foo. You can hand wave this however you want. The bottom line is that credsticks can't be reliably hacked. Either they can't be hacked in the first place or there is a chance the hacking will be detected and get you in a world of hurt later.


Jack Kain
post Jun 25 2007, 02:43 AM
Post #24



Stopping someone from hacking a credstick to add cash doesn't require a DM fiat. It just requires actually reading the rules.

Under the forgery skill.
"Bogus credsticks are especially vulnerable to detection; once either the original or copy has been used, verification systems will detect the anomaly as soon as the other is used, immediately flagging all transactions with either stick and preventing either from being used again until the situation is cleared up"

Don't forget the certified in certified credstick.

A credstick is anonymous because you can physically hand the credstick to another person.
A bank can track transactions on a credstick but if the transactions go to another credstick or the stick changes hands, that tracking is practically useless as you don't know who bought what.

Counterfeiting a credstick works only because you could hand a person two sticks each with 10,000¥ but one is a forgery of the other (or both are a forgery of a 3rd).
+Quote Post
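
The registry check described in posts #16 and #24 (scrip serials that cannot be guessed, plus flagging both sticks once an original and its copy have each been used), sketched as an added example that is not part of any post or of the game rules. The per-stick spend counter and every class and function name here are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Stick:
    """What the stick carries (assumed layout): serial, balance, spend counter."""
    serial: str
    balance: int
    seq: int = 0

    def clone(self) -> "Stick":
        # Bit-for-bit copy of the scrip data, counter included.
        return Stick(self.serial, self.balance, self.seq)


@dataclass
class Record:
    """Registry-side truth for one piece of scrip."""
    balance: int
    seq: int = 0
    frozen: bool = False
    history: list = field(default_factory=list)  # (seq, amount, payee)


class Registry:
    def __init__(self):
        self._records = {}
        self.flagged = []  # transactions tied to scrip found duplicated

    def issue(self, amount: int) -> Stick:
        serial = secrets.token_hex(16)  # 128 random bits: not guessable
        self._records[serial] = Record(balance=amount)
        return Stick(serial, amount)

    def spend(self, stick: Stick, amount: int, payee: str) -> str:
        rec = self._records.get(stick.serial)
        if rec is None:
            return "REJECT_UNKNOWN_SERIAL"   # invented serial
        if rec.frozen:
            return "REJECT_FROZEN"           # held until cleared up
        if stick.seq != rec.seq:
            # Counter disagrees with the registry: two divergent copies of
            # the same scrip exist. Freeze it and flag every transaction.
            rec.frozen = True
            self.flagged.extend((stick.serial, *tx) for tx in rec.history)
            self.flagged.append((stick.serial, stick.seq, amount, payee))
            return "REJECT_DUPLICATE_FLAGGED"
        # The registry balance is authoritative; the stick's claim is ignored.
        if amount <= 0 or amount > rec.balance:
            return "REJECT_AMOUNT"
        rec.history.append((rec.seq, amount, payee))
        rec.balance -= amount
        rec.seq += 1
        stick.balance, stick.seq = rec.balance, rec.seq
        return "OK"


def demo() -> dict:
    """Constructed scenario: guessed serial, edited balance, then a copy."""
    reg = Registry()
    original = reg.issue(10_000)
    copy = original.clone()
    out = {}
    out["guessed"] = reg.spend(Stick(secrets.token_hex(16), 10_000), 100, "shop")
    original.balance = 1_000_000  # value rewritten on the stick only
    out["inflated"] = reg.spend(original, 50_000, "dealer")
    out["first_use"] = reg.spend(original, 2_000, "cab")
    out["copy_use"] = reg.spend(copy, 2_000, "bar")
    out["original_again"] = reg.spend(original, 100, "stall")
    out["flagged"] = len(reg.flagged)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:15} {result}")
```

Detection is symmetric: whichever of the two sticks is used second trips the freeze, and the earlier, apparently valid transaction is flagged along with it.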
sunnyside
post Jun 25 2007, 04:05 AM
Post #25





Sweet! While it makes sense I never thought to check that section for credsticks.

So it looks like it's the "money on the sticks, verification on the matrix" thing.

So if your J pays you with a pair of sticks, do an online transaction with them quick to make sure both turn up clean.

Topps, Inc has sole ownership of the names, logo, artwork, marks, photographs, sounds, audio, video and/or any proprietary material used in connection with the game Shadowrun. Topps, Inc has granted permission to the Dumpshock Forums to use such names, logos, artwork, marks and/or any proprietary materials for promotional and informational purposes on its website but does not endorse, and is not affiliated with the Dumpshock Forums in any official capacity whatsoever.