Hacking Commlinks for Fun & Profit, Is it possible? Options

[Ayeohx]

According to what I've read so far it appears that ID theft is a big problem. It looks like hackers can go on shopping sprees. Unfortunately I can't figure out how they can do it in SR. Can someone give me a few examples showing how to hijack someone's nuyen? I'd really appreciate an example showing how to hack someones commlink to steal cash if at all possible. Thanks!

[Writer]

I would say that once you get into Average Shopper's commlink by defeating the Firewall 3, you control their commlink. Copying the Legitimate ID files and using those on your own commlink would be simple enough for shopping. Treat it like a Rating 1 fake ID, as it won't last long. Shopping doesn't entail anything more than a simple scan with no biometrics. Also, the person whose ID you stole will probably be notified quickly, since your shopping habits are most likely nothing like the shopping habits of the stolen ID. This will trigger some alerts. Tracking shopping habits are not just for advertising. To some extent, this process is already in place, but usually for large purchases only, and for credit cards, not debit cards.

[Method]

I think Writer has the right idea. There is no "money" on the commlink. Any nuyen the slag has are just credits in an international banking system, the computers for which are far more secure that the average commlink. What you are really stealing is the ID info necessary to spend that money, and the banks clamp down on that as soon as they figure out what is happening. You could try to cash out the slag's bank accounts and convert to certified cred sticks or corp scrip but that would likely require entering a bank or other business and undergoing far great scrutiny. Any hacker who does that too often will eventually get caught.

[Ayeohx]

I'll give you a scenario and you tell me how wrong I am. (IMG:style_emoticons/default/smile.gif)

I'm in a club and some schmuck has switched his commlink to active; I guess he really wants chicks to check his profile. The guy's not rich so he's sporting a crappy commlink: A CMT Link (Response 1 / Signal 3) with a Vector Xvim OS (Firewall & System 1).

#1. I make a Matrix perception on his node to get his accessID (right?).

#2. I want his Personal Data file, the one that contains EVERYTHING about him including cred accounts. Can I:

#2a. Spoof a command at admin level to send the file from his link to my backup link?

#2b. Hack on the Fly, make an admin account and transfer the file to my backup?

#3. After I get the Personal Data file I can then decrypt it. Can I then access his cred accounts and transfer his money to my certified credsticks?

This seems like an easy way to get money. Will it work?

[KCKitsune]

All this makes me glad my Chaos mage's cyber commlink has Firewall 6 and Encrypt 6, and IC running.

[GreyBrother]

Spoofing a 'link with it's own AID wouldn't work in my game. It would be like saying "Hi, i am you, now gimme that info i want."
Since he is active you have the node, you can do a matrix perception for certain information but if you'd want the ID information you'd have to hack him.
Alternatively, you go to shops which only require an AID and a name for checkout and let the poor schmuck get all the bills when you spoof his AID. But i am not sure if such etablissements exist.

[Medicineman]

For some of my Chars I use a Decoy Comlink(The cheap 1/1/1/3 ones) for my fake Sin,Licences and Public Identitity/Front and so on.
These are connected to an "Allowance Account" ,so a Hacker invading the comlink can't get more than 50¥ /Week

with a Public Dance
Medicineman

[Kerenshara]

I think Writer has the right idea. There is no "money" on the commlink. Any nuyen the slag has are just credits in an international banking system, the computers for which are far more secure that the average commlink. What you are really stealing is the ID info necessary to spend that money, and the banks clamp down on that as soon as they figure out what is happening. You could try to cash out the slag's bank accounts and convert to certified cred sticks or corp scrip but that would likely require entering a bank or other business and undergoing far great scrutiny. Any hacker who does that too often will eventually get caught.

This isn't necessarily the case. You can still have "cash" on the 'link (notice the BBB mention of an included credstick reader) but why would you as Joesephine Average Shopper? Lose the comlink, lose the "cash" stored on it. If you keep it in the nice, safe bank...

But a shadowrunner might choose otherwise, mightent they? My GM made a big show of having a bartender pull out an OLD and very DUSTY credstick reader when I tried to use one to pay at a higher end bar, but I don't think that's particularly canon so much as him feeling like whacking me for being parano- er, I mean overly security concious In Character. I can't remember where I saw reference to this precisely; Maybe somebody who worship- er, I mean is very intimitely familiar with the BBB and lesser gospels of the RAW can lend a hand with a citation for me?

[Kerenshara]

I'll give you a scenario and you tell me how wrong I am. (IMG:style_emoticons/default/smile.gif)

I'm in a club and some schmuck has switched his commlink to active; I guess he really wants chicks to check his profile. The guy's not rich so he's sporting a crappy commlink: A CMT Link (Response 1 / Signal 3) with a Vector Xvim OS (Firewall & System 1).

#1. I make a Matrix perception on his node to get his accessID (right?).

#2. I want his Personal Data file, the one that contains EVERYTHING about him including cred accounts. Can I:

#2a. Spoof a command at admin level to send the file from his link to my backup link?

#2b. Hack on the Fly, make an admin account and transfer the file to my backup?

#3. After I get the Personal Data file I can then decrypt it. Can I then access his cred accounts and transfer his money to my certified credsticks?

This seems like an easy way to get money. Will it work?

By the RAW, I would think so. On the other hand, Matrix work isn't my strong point. Here's another case where we are back to another thread's discussion of SiN's and "common sense" from the GM. How fast could you get that money transfered via proxy to a numbered shadow account then re-transfered to another before they figure out the hack (two IPs/MAC IDs at the same time for one account) and freeze the assets?

[Method]

#3. After I get the Personal Data file I can then decrypt it. Can I then access his cred accounts and transfer his money to my certified credsticks?

This seems like an easy way to get money. Will it work?

All well and good... unless the nuyen has some kind of serial identification imbedded in it (not sure if there is any cannon basis for that). Then you need to launder the money, which requires help from certain groups of people with financial resources and moral flexibility- the kind of people that will require a large cut of the money.

I guess really what it boils down to is this: Do you want hackers to have this ability in your game? If you don't you can find a reasonable explanation as to why its not possible or not worth the effort. If you don't care, then go nuts.

Personally I think it defeats the purpose of playing SR- who wants to RP a dude sitting around in a mall all day picking peoples virtual pockets? Maybe they just do it as a side-line when they need cash- well if its that easy why do they bother with shadowrunning? (See the age old "Economy of Car Jacking" argument).

[Ayeohx]

You're right Method, I remember that nuyen have digital signatures (or at least they did back in 3rd ed). If so then nuyen can probably be flagged as stolen. I wonder what system handles that and how that'd work.

@Karenshara
I don't believe the commcode or accessID is linked to the cred accounts. Otherwise I wouldn't be able to upgrade to a new commlink without going through red tape. I believe when you change commlinks you transfer your Personal Data file over and thats that. Not sure if you have to set up your MSP connection again though.

@Greybrother
To support you the SR4A says:
"The target of a spoof attempt must either have a Pilot rating or be a peripheral device."
I don't think a Commlink is a peripheral device, correct? But couldn't you spoof info between to commlinks that are communicating? Huh, not sure.

[kzt]

No that would work fine. In SR the whole purpose of certified credsticks is to provide lazy GMs a way to give their lazy players untraceable money. By cannon you can't trace money once it goes into a certified credstick or that wouldn't work.

It's also pretty clearly not possible to have certified credsticks be untraceable and also prevent that from being trivially forgeable in SR, but I digress.

Anyhow, yeah, any semi-competent hacker can, by the rules, make a lot more money stealing small sums from passerbys than they can make running the shadows at the suggested payment rates in the book. Pretty much the GM has to fiat that they CANNOT do that.

[Chrysalis]

Or as I pointed out in the other thread is you mug or steal the person's commlink and go on your online shopping spree, or transfer their money to a credstick and then go on a shopping spree.

This actually indicates that a commlink is less secure than a RL credit card, where with a credit card you have a PIN which you have to place in and with larger transactions a photo ID must be shown. This of course varies from country-to-country.

[GreyBrother]

@Greybrother
To support you the SR4A says:
"The target of a spoof attempt must either have a Pilot rating or be a peripheral device."
I don't think a Commlink is a peripheral device, correct? But couldn't you spoof info between to commlinks that are communicating? Huh, not sure.

Nice, i didn't know that. Very sad, i always thought you can also spoof a kommlink or a nexus. Well... as for spoofing the communication, i'd suggest you intercept the traffic and edit it, but i can't quote the RAW since my books aren't available at the moment.

[Larme]

People are always confused about spoof -- it's not some general term for tricking a device, it's specifically a way to command a drone or slaved device while pretending to be its master. If you want to issue commands a commlink, you have to hack in and get authorized access for yourself. After that, it's a very simple matter to copy someone's ID. It might be encrypted, but that's not really a big problem. But it seems to me that if two people were using the same SIN at the same time, the system would detect it almost immediately and quash the copy. That's why fake SINs are so complicated to make -- you have to take a valid number, but scrub away anything that could show it's stolen or fake. You can't just steal one and make do.

[Writer]

Pickpocket hacking is all a matter of scale. People who have money worth stealing probably have the security to protect it. Pulling 5 nuyen from 100 people who have weak security really isn't worth your time, if you are trying to pay for some serious hardware or software costing thousands. Also, I tend to think that the hackers of 2070 wouldn't ever admit to doing this, even if they did. They would lose all respect from the hackers that pulled in 2,000 nuyens for hacking a small companies alarm system so the samurai could steal something physical.

"Man, you should have seen the way he took down those three guards!"
"Oh, yeah? I made someone's grandmother pay for my burrito!"

And there is always the "shopping habits" theory. If dumping your credit into certified accounts isn't part of your makeup, the bank holding your credit might not allow the transfer until it received some high security verification. The target might be asked to contact a branch in person. There are (have to be) reasons why the wireless world works. Otherwise, we revert back to 3rd Edition.

[hobgoblin]

just go with spoofing a lifestyle from unwired and leave it at that...

[Kerenshara]

@Karenshara
I don't believe the commcode or accessID is linked to the cred accounts. Otherwise I wouldn't be able to upgrade to a new commlink without going through red tape. I believe when you change commlinks you transfer your Personal Data file over and thats that. Not sure if you have to set up your MSP connection again though.

OK, I KNOW we're talking about two diferent things here. I wasn't talking about having to register any single MAC or IP, I was actually referring to any single attempt to access ANY single account simultaneously from two SEPARATE MACs and IPs simultaneously. In other words, "You are already logged in on another device" or "You have been logged out because you have logged in on another device". Make sense?

[DireRadiant]

The Matrix isn't about files. It's about accounts and authentication. Nuyen isn't in a file. It's in an account. What's on the commlink is simply the list of common accounts and personal history for the users convenience. The commlink is the net device for accessing the rest of the Matrix where everything else happens. It's very rare that any transaction occurs solely between two devices. Sure you can take my commlink, or find what's on it, but you need my authentication to access and use the accounts.

[hobgoblin]

and thats why a IT student can have fun with the local vending machine payment system (thanks to the data on the card or keyfob being the actual rest amount), but cant do so with a debit card, as it just id the account to access, and in combo with the pin, a legitimate user of said account...

[Writer]

The Matrix isn't about files. It's about accounts and authentication. Nuyen isn't in a file. It's in an account. What's on the commlink is simply the list of common accounts and personal history for the users convenience. The commlink is the net device for accessing the rest of the Matrix where everything else happens. It's very rare that any transaction occurs solely between two devices. Sure you can take my commlink, or find what's on it, but you need my authentication to access and use the accounts.

Ah, right, I completely lost myself on this point. You can't download someone's SIN file, because the information is actually in various databases. You can look at the database links, but you can't steal the linked information. Even the owner of the information can't change it, because they don't own the database. When you get a new commlink, you probably can't just pick it up off the shelf and access the matrix. You have to "personalize" it, let it read some kind of biometric or something to access the matrix account that pays for the matrix access.

Well, not really, now that I think about it. If you are in the middle of the barrens with no matrix, you can still access nearby devices and nodes. So, you could have you're commlink running with no connection to any SIN. However, your commlink probably has unique identifiers to separate it from other devices and nodes within the matrix coding.

If I have a SIN, could I just shut down my SIN on my commlink, or use a commlink that is not connected to any SIN, and operate a matrix connection (node to node) without risk of linking my activities to my SIN?

Okay, I'm going to sleep on this. I'm sure the questions will be answered sometime in the next sixty years (or sixty posts, whichever comes first).

[DireRadiant]

SIN <> Commlink

[Zen Shooter01]

My question to the original poster is, why? If your idea is for your hacker to live off the commlinks of passers-by, then, as someone else said already, just use the Spoofing Life rules from Unwired.

This question touches on the existential dilemma of Shadowrun, which is, "Why am I doing this?" Shadowrunning, by the definition of "The fixer hires you to do X", is dangerous, unreliable, sporadic, and doesn't pay very well after deducting expenses. Why doesn't the magician open up a magical clinic, or divination service, or rent herself out to business meetings to use Analyze Truth on both parties? Why doesn't the hacker make a comfortable and low-risk living stealing motorcycles?

Because it would make a boring role-playing game. So, do not have your PC seek other employment. Avoid existential dilemmas. They kill the fun.

[Kerenshara]

The Matrix isn't about files. It's about accounts and authentication. Nuyen isn't in a file. It's in an account. What's on the commlink is simply the list of common accounts and personal history for the users convenience. The commlink is the net device for accessing the rest of the Matrix where everything else happens. It's very rare that any transaction occurs solely between two devices. Sure you can take my commlink, or find what's on it, but you need my authentication to access and use the accounts.

Hold on a second:
Accounts are not a file, but the information to access them is, thus why I mentioned logging in from two devices at once. Remember, password security is only as effective as the user. Users are lazy. Most browsers offer "remember my password?". Now, if you could manage to steal THAT file... that's why I mentioned accessing one account simultaneously from two devices being a red flag. Most people don't go shopping on two 'links at a time.
As for transactions between devices, that depends. Small amounts of cash would almost certainly be kept on a 'link for convenience sake, the same reason in the digital age most of us still carry a token amount of cash and coin: to make very small purchases easier. Just point your link at the receiving device and hit "quick buy!" and boom! you're done. No passwords or fingerprints or any of that. The BBB says that 'links have largely REPLACED cred sticks, because they have the same functionality built in. When you go to the strip club, or when you are greasing your way into a happening place in the 'plex, you're not going to ask for a brokered 3rd party transaction! You're going to beam a small amount of cred to the gal/guy.
Remember back in earlier editions, there were detailed (and complicated) rules for circumventing a certified credstick's protections which required more Hardware ability than Cracking. There is no reason the same functionality couldn't be (or isn't) on every single comlink, making it cost-prohibitive to try to hack it, since doing so, if you screw up, also compromises the rest of the 'link. By the same token, hacking that cash OUT of the 'link would be nigh impossible "on the fly", but convincing the OS that the user told it to beam it to another 'link nearby then carefully deleting the access logs... now we're getting someplace. But any large purchase is going to want a mandatory ID check, which is part of the 3rd party verification anyhow, so cash won't often help you there. At best, a certified credstick and a completely separate SiN check would be required.

[hobgoblin]

My question to the original poster is, why? If your idea is for your hacker to live off the commlinks of passers-by, then, as someone else said already, just use the Spoofing Life rules from Unwired.

This question touches on the existential dilemma of Shadowrun, which is, "Why am I doing this?" Shadowrunning, by the definition of "The fixer hires you to do X", is dangerous, unreliable, sporadic, and doesn't pay very well after deducting expenses. Why doesn't the magician open up a magical clinic, or divination service, or rent herself out to business meetings to use Analyze Truth on both parties? Why doesn't the hacker make a comfortable and low-risk living stealing motorcycles?

Because it would make a boring role-playing game. So, do not have your PC seek other employment. Avoid existential dilemmas. They kill the fun.

or the magician may not have the proper certificates (iirc, you need to be both a medical doctor and a trained magician to use magic to heal, legally).

as for why not just steal things? well first of the default expected sales price of something you stole is 30%. second, a shadowrunner is often a thief for hire, only that they steal company secrets rather then random items of the street.