Nuyen, where is the cred really?, Discussion, and buying theoretical pants Options Track this topic Email this topic Print this topic Download this topic Subscribe to this forum Display Modes Switch to: Outline Standard Switch to: Linear+

[Blitzkrieg]

With the ubiquitous Comlink networks, and Nexi around these days, it is hard to know exactly how we do simple things like shop.
So I ask you? Where is an individual's wealth kept?

We know that in the main stream it is either pure data or on cred sticks, but is this data...

In the banks?
Stored on the Comlink?
In the corp banks?
Exclusively in the form of credit based on future work? (There is no real money per say but rather hours of employee work.)
In independent banks?

I would appriciate any theories on the matter, it looked to me like the books seem to waffle slightly on the subject.

Here's how I believe it works.
Forgive me if this is confusing but I am trying to map the parties/Nodes involved in a simple transaction at the fashion boutique. They "talk to eachother."

Buyer=Buyer's Comlink
Shop=The shop's "Comlink"
The buyer’s bank: BANK A's Nexus
The shop’s bank: BANK B's Nexus

Buyer: Picks up a pair of pants she likes and Selects buy on her Comlink.

[/indent] From Buyer To Shop: “I want to buy these pants.�

Buyer to Bank A: “I want to buy these pants.�

BANK A to Buyer: “Request verification of Buyer Comcode, and Identity, including personal tidbit of info that only you would know.�

Buyer to BANK A: “Here are my papers BANK A, and here is my verifying personal info tidbit which only I would know, which proves I’m me.�

BANK A to Buyer and Shop: “Everything checks out.�

From Shop to Buyer: “Let me call your bank, BANK A, to see if they heard you�

From Shop to BANK A: “Buyer is buying pants.�

BANK A to Buyer: “Request verification of Buyer Comcode, and Shop Identity.�

Buyer to BANK A: “Here are my papers officer.�

BANK A to Buyer and Shop: “We have the buyer on the other line, they approve, Everything checks out.�

BANK A to Shop: “Where should I transfer the money to?�

Shop to BANK A: “To BANK B�

BANK A to BANK B: “I am releasing $50 to you BANK B, for these pants.�
[indent]

BANK B To all parties: “All’s well and have a nice day, Here are your receipts.�
BANK A, BANK B SHOP and BUYER all receive an electronic receipt, which states.

The Buyer’s Receipt
BUYER has purchased Pants for $50 from SHOP 50$ was deducted from their account in BANK A.

The Shop’s receipt:
BUYER has purchased Pants for $50 from SHOP 50$ was deducted from their account, in BANK A to BANK B

BANK B’s receipt:
BUYER has purchased Pants for $50 from SHOP 50$ was deducted from their account, from BANK A to BANK B

Is this the correct model for an everyday exchange?

[Synner667]

Seems ok, in simple terms.
There might be something in there about permits and authorisation, in respect to vehicles or weapons [an extra check, rather than a change to the above].

"Bank C" ??

[Blitzkrieg]

I was working from a word file and didn't catch it until now, thanks. I'll edit right away, and also for legibility.

[Screaming Eagle]

Edited to include to work of HakZoR, He will p00n u N00bz!

With the ubiquitous Comlink networks, and Nexi around these days, it is hard to know exactly how we do simple things like shop.
So I ask you? Where is an individual's wealth kept?

We know that in the main stream it is either pure data or on cred sticks, but is this data...

In the banks?
Stored on the Comlink?
In the corp banks?
Exclusively in the form of credit based on future work? (There is no real money per say but rather hours of employee work.)
In independent banks?

I would appriciate any theories on the matter, it looked to me like the books seem to waffle slightly on the subject.

Here's how I believe it works.
Forgive me if this is confusing but I am trying to map the parties/Nodes involved in a simple transaction at the fashion boutique. They "talk to eachother."

Shop=The shop's "Comlink"
The buyer’s bank: BANK A's Nexus
The shop’s bank: BANK B's Nexus
HakZor=HakZor's Comlink (quickly abreviated to H)

HakZoR: Picks up a pair of pants she likes, intersepts some wireless traffic of the old BUYER (any random idiot) and Selects buy on her Comlink.

[/indent] From H To Shop: “I want to buy these pants.�

H to Bank A: “I want to buy these pants.�

BANK A to Buyer: “Request verification of Buyer Comcode, and Identity, including personal tidbit of info that only you would know.�

H to BANK A: “Here are my SPOOF BANK A, and here is my STOLEN personal info tidbit which only I would know, which proves I’m me.�

BANK A to H and Shop: “Everything checks out.�

From Shop to H: “Let me call your bank, BANK A, to see if they heard you�

From Shop to BANK A: “Buyer is buying pants.�

BANK A to Buyer: “Request verification of Buyer Comcode, and Shop Identity.�

H to BANK A: “Here are my SPOOF officer.�

BANK A to H and Shop: “We have the buyer on the other line, they approve, Everything checks out.�

BANK A to Shop: “Where should I transfer the money to?�

Shop to BANK A: “To BANK B�

BANK A to BANK B: “I am releasing $50 to you BANK B, for these pants.�
[indent]

BANK B To all parties: “All’s well and have a nice day, Here are your receipts.�
BANK A, BANK B SHOP and BUYER(I assume H doesn't care about the receipt so BUYER still gets it and bemoanes their lousy firewall) all receive an electronic receipt, which states.

The Buyer’s Receipt
BUYER has purchased Pants for $50 from SHOP 50$ was deducted from their account in BANK A.

The Shop’s receipt:
BUYER has purchased Pants for $50 from SHOP 50$ was deducted from their account, in BANK A to BANK B

BANK B’s receipt:
BUYER has purchased Pants for $50 from SHOP 50$ was deducted from their account, from BANK A to BANK B

Is this the correct model for an everyday exchange?

Yes, this is how a hacker buys things.

[kzt]

This looks a reasonable approach, given the incrediable vagueness of SR on this. The drawback to this view is that who takes it in the shorts from this is either the bank or the shop. Which is SR means you a megacorp. Why does a megacorp allow themselves to be defrauded?

Which rolls back around to electronic commerce requires strong encryption. Otherwise hackers can essentially mint money, there is a 25% chance that the next call from your fixer is really a Lone Star detective (and 5% it's the bored 12 year old two door down) and the idea of a secure matrix site is a joke.

[Tymeaus Jalynsfe...]

This looks a reasonable approach, given the incrediable vagueness of SR on this. The drawback to this view is that who takes it in the shorts from this is either the bank or the shop. Which is SR means you a megacorp. Why does a megacorp allow themselves to be defrauded?

Which rolls back around to electronic commerce requires strong encryption. Otherwise hackers can essentially mint money, there is a 25% chance that the next call from your fixer is really a Lone Star detective (and 5% it's the bored 12 year old two door down) and the idea of a secure matrix site is a joke.

But according to the above example, encryption at the Bank or Shop has absolutely nothing to do with it... it is the encryption on the Comlink that the AID was stolen from (the consumer)... and as we all know, the consumer is the weak link here...

[Kerenshara]

Well, one of the things that comlinks did was replace credsticks. All comlinks have the ability to READ and WRITE to credsticks, so I imagine the're probably an inate ability to store "cash" right on the comlink. I doubt it's big, but even in the wonderful wireless 6^th World, some people'd just rather not be bothered having to do the whole bank routine just to buy stuffers or flats. Also important in the "adult entertainment" industry. You make it so that chip is not connected to the rest of the 'link in any way. It has the same safeguards against hacking as a regular credstick. It's just so much easier. Not to mention, there isn't always wireless access EVERYWHERE for buying things, so having a LITTLE cash on hand is a good thing.

It's really no different today. People use debit cards for nearly all purchases but really small ones or remote ones, they pull out that small amount of cash they're carrying that they're willing to chance "losing".

So those transactions are directly peer-to-peer under the same rules as the old credstick system.

That's my take on it, at any rate.

Let's also not forget that Corp Scrip still exists.

[kzt]

In SR you can trivially snoop all the traffic around you, encrypted or not (because you can break the encryption trivially). So you know the "verifying personal info tidbit which only I would know, which proves I’m me" because you overheard it. Not to mention that it's not much harder for a hacker to just hack their comlink and have them buy it for you. Or transfer all their money to you via a chain of difficult to track transactions.

[Ancient History]

This will be cleared up a bit in Corp Guide. Or so I hope that it proves illuminating.

[Tymeaus Jalynsfe...]

Well, one of the things that comlinks did was replace credsticks. All comlinks have the ability to READ and WRITE to credsticks, so I imagine the're probably an inate ability to store "cash" right on the comlink. I doubt it's big, but even in the wonderful wireless 6^th World, some people'd just rather not be bothered having to do the whole bank routine just to buy stuffers or flats. Also important in the "adult entertainment" industry. You make it so that chip is not connected to the rest of the 'link in any way. It has the same safeguards against hacking as a regular credstick. It's just so much easier. Not to mention, there isn't always wireless access EVERYWHERE for buying things, so having a LITTLE cash on hand is a good thing.

It's really no different today. People use debit cards for nearly all purchases but really small ones or remote ones, they pull out that small amount of cash they're carrying that they're willing to chance "losing".

So those transactions are directly peer-to-peer under the same rules as the old credstick system.

That's my take on it, at any rate.

Let's also not forget that Corp Scrip still exists.

Nope, I also use the Debit Card for all of those trivial purchases (such as a 39 cent Candy bar)... it is so much easier that way... It is a true rarity when I actually have any cash on hand... in the past it was usually when I was going to those "Adult Entertainment" locations you mentioned, back before I was maried.

Keep the Faith

[Tymeaus Jalynsfe...]

In SR you can trivially snoop all the traffic around you, encrypted or not (because you can break the encryption trivially). So you know the "verifying personal info tidbit which only I would know, which proves I’m me" because you overheard it. Not to mention that it's not much harder for a hacker to just hack their comlink and have them buy it for you. Or transfer all their money to you via a chain of difficult to track transactions.

Exactly...

[RunnerPaul]

This will be cleared up a bit in Corp Guide.

It's about time. After the disappointing description in Arsenal of how GridGuide^TM deals with the threat of a planet full of bored hackers (In short, they don't bother too much with matrix security, preferring to throw out of court settlements and hush money at the real-world victims of accidents caused by such hacks; an absurd proposition considering how frequent malicious hacks would have to be), I'm keenly interested in seeing any official description of how the banking industry keeps from imploding due to credit fraud in a world where hacking is as easy as it is.

Especially if it explains why the nearly totally meatspace-based Forgery skill is needed for duplicating the electronic nuyen contained on a certified credstick.

[Ancient History]

Well, keep your shorts on. Space limitations being what they were, I couldn't cover everything.

Especially if it explains why the nearly totally meatspace-based Forgery skill is needed for duplicating the electronic nuyen contained on a certified credstick.

This I can explain, though. Forgery concerns more than just the technical draftsmanship of, say, duplicating someone's signature on a check or making an exact plate in relief to counterfeit a dollar bill; it's the art and science of recognizing and circumventing security procedures - knowing how the system functions and how an item can be successfully introduced into a system and pass as a part of it.

That's a bit high-falutin' speak, but compare it to the Exploit program. The Exploit is functionally a collection of smaller programs that take advantage of flaws or errors in the code to achieve something a user is not supposed to do, continually evolving to meet the demands of the hacker. Modern examples of exploits would be hitting 4-2-3-1 on a Coca Cola machine to access its vendor menu or text-editing a file in a trial version of a program to give yourself more time to use it without paying the company; each of these exploits is specific to a device or program, and since a passable Shadowrun hacker would need at least hundreds of these to get by, it is impractical for them to have a list of individual programs or exploits; hence the Exploit program is used instead to represent a collection of such exploits and programs that implement them. Similarly, Forgery handles all the skills involved in any sort of counterfeiting or document obfuscation - from holoweave UCAS dollar bills to duplicating a certified credstick full of red yen, the Renraku corporate scrip.

[Krypter]

I'm keenly interested in seeing any official description of how the banking industry keeps from imploding due to credit fraud in a world where hacking is as easy as it is.

Why doesn't the current banking sector implode due to credit fraud given how easy it is to spear phish? Why aren't there 30 million dead Americans given how absurdly easy it is to purchase a firearm and shoot someone in the face? Now, the idea that GridGuide is buying off all it's intruders is ridiculous, but it's equally ridiculous to assume that everyone good with computers is a malicious, evil bastard...and that it's trivially easy to escape the long reach of the law and the megacorps.

[Kerenshara]

Why doesn't the current banking sector implode due to credit fraud given how easy it is to spear phish? Why aren't there 30 million dead Americans given how absurdly easy it is to purchase a firearm and shoot someone in the face? Now, the idea that GridGuide is buying off all it's intruders is ridiculous, but it's equally ridiculous to assume that everyone good with computers is a malicious, evil bastard...and that it's trivially easy to escape the long reach of the law and the megacorps.

Well, the things to keep in mind here are:

First: There really aren't THAT many hackers in either a per-capita basis or absolute basis. Probably fewer than Awakened, when you get right down to it.

Second: Not all hackers are actually necessarily planning to damage other people's credit when it's just as easy/hard to create yourself a profile all your own. Surprisingly enough, many hackers have a code of ethics they go by. Just because you're an accomplished hacker doesn't mean you're a hardened criminal willing to hurt innocent people. Besides which, that's not as challenging as doing the same thing to a MegaCorp. Now THAT's worthy of a hacker's time!

Third: Most hackers understand that there are two kinds of hacks: small subtle hacks people are unlikely to notice in time to do anythig to YOU about it, and big elaborate hacks where you take the time to make sure things don't come back to bite you. If a hacker got greedy, they'd eventually slip up enough to get caught. Put another way, when you're dealing with enough zeroes after the first digit, even fairly hefty absolute sums can vanish in "rounding errors". The US government says that the "Stimulus Plan" is one of the "cleanest" government programs in history with sub single digit fraud, but put against the hundreds of billiions of dollars, that's still 4-5 billion - with a B - that's been successfully embezzled. That's not to say that big scams aren't going on, but they usually take a network of cooperating people with lots of planning and support. The worry about "every minor hacker" is largely counteracted by the fact that most those "minor" hackers have less interest in stealing from individual people than they do in paying their own bills; Just hack the company you want to steal from (and they're not "people" right?) and do your thing, then clean up behind yourself, and as long as you weren't greedy, they're unlikely to even notice, much less go looking for you. But if you, say, arranged for the mis-shipment of a case of Thunderstruck Gauss Rifles, that's going to get noticed and QUICK! Making it so the computers THINK you already paid your light bill... well, that's just one more electronic payment ammong millions, right?

[Blade]

Shadowrun has this trouble that, in order to be useful and fun to play, the hacker has to be able to hack the secure network of a secure facility. At the same time, he has to be unable to just hack a bank and get rich (or any other kind of hacks that could make it more interesting for him than running the Shadows).

Technical limitations can help: for example, the banking network can use specific mechanisms that can only be used in the banking context but restrict hacking possibilities. For example, they can get around encryption weakness by having very short communications that can't be decrypted before the transaction is over. But this probably can't always work, so you have to have a non technical explanation too.
Mine has to do with the repercussion. When you hack a secure facility, steal important research data and bring it back to your Johnson, the corp you attacked doesn't have any reason to look for you. They know that the data has already leaked and capturing/killing you won't change anything about it.
It's completely different for a bank: if you steal money, they'll look for you. And they'll probably have enough resources to do so, maybe even the help of the G.O.D.

[hobgoblin]

Kerenshara brings up a good point, be to flamboyant about your capabilities, and a corp court task force will probably land on your location...

this is not much different from credit card fraud, in that the kiddies will just charge the biggest, shiniest thing they can get their hands on, and then run, while the true pro will charge everyday things on it and probably fly below radar for months or years.

one interesting movie to view could be this one:
http://www.imdb.com/title/tt0264464/

and from what i understand, its based of a true story.

and thats one guy doing his thing with fast talk and a keen eye for procedure.

[Screaming Eagle]

Even today the BUYER is the weak link and it is typically the buyer who pays one way or another: yes you have fraud insurance, but you pay for that, either up front with a policy or on the back end with fees and interest rates. Trust me, the corp won't take a hit on the pair of pants until you errode their consumer trust by defrauding huge numbers of people and force the rates up. Then they will find you and nail you to the wall as an example to others - seriously, anything you can do they can do better. Just make sure it isn't worth their time to come and get you and you should be fine.

For a fraud perspective, know your target well enough (and that is getting easier and easier by the year with social networking et. all.) and they will probably NEVER notice. Buy groceries at their usual store or corner convienece store they frequent, keep the purchases small and they won't ever blink. Do this to 10 or so people and you will never make a small purchase again saving yourself/ stealing upwards of tens of thousands of dollars a year... untill something gums up but if you are carful this will be years, many, many years.
In the above example BUYER will most likely have a full list of purchases they have made on their link, in fact I would assume this is standard and any responceable citizen (too few) check this electronically againt their bank statement regularly making it MORE secure then modern credit cards etc. owing to verification ease.
All this does for the industrius hacker is add an extra step to check if you do this double check with your bank - a good criminal will seek the path of least resistance, if you own a dog he'll check the next house till he finds one that doesn't have a dog - same idea, it just that now its electronic dogs.

Hacking isn't free in Shadowrun - there is a decent sized outlay of time and money for a link that can hack, the programs and the skill to use both. Encrypion etc. in Shadowrun exists for the same reason locks do today: they keep honest men honest.
Eventually, doing this often enough for long enough, you will get caught and the police will be at your door. At this point you get arrested or start running, both achive the same end: your current criminal activities stop because you, the hacker, cannot know which of your hacks got you caught (unless you TOTALLY DO, which is a different story)

To in part support this I continue to keep Certified cred relativly common - some people know the hackers way and refuse to put their banking info on the air or on their links at all and cash can still be used in many stores (they have a little sticker saying so and a big one advising the safe/deposit till cannot be opened by the staff and that change will not be provided in the form of cash).

[Blitzkrieg]

Either that or with a disposable comlink replace BANK B with your bank, BANK C. For one day all the cash goes to zurich orbital who doesn't care where it's from and conserves your anonymity. The money goes from buyer to shop to your bank. Then do the next few runs for favors instead of cash.

Of course one Hacker on the system and you're screwed. Heck any number of things and your screwed. Information would have to be forged and sent to all parties. You would need to act for small blocks of time, etc.

Of course that is kind of what a big hack is. Trying to break the bank/shop whatever.

[Bugfoxmaster]

Shadowrun has this trouble that, in order to be useful and fun to play, the hacker has to be able to hack the secure network of a secure facility. At the same time, he has to be unable to just hack a bank and get rich (or any other kind of hacks that could make it more interesting for him than running the Shadows).

Technical limitations can help: for example, the banking network can use specific mechanisms that can only be used in the banking context but restrict hacking possibilities. For example, they can get around encryption weakness by having very short communications that can't be decrypted before the transaction is over. But this probably can't always work, so you have to have a non technical explanation too.
Mine has to do with the repercussion. When you hack a secure facility, steal important research data and bring it back to your Johnson, the corp you attacked doesn't have any reason to look for you. They know that the data has already leaked and capturing/killing you won't change anything about it.
It's completely different for a bank: if you steal money, they'll look for you. And they'll probably have enough resources to do so, maybe even the help of the G.O.D.

I believe technical points in this vein are the best way to prevent simple bank fraud from taking all the hackers off the table - the banks could also use a very specialized wired transfer system, which'd immediately eliminate some part of the problem - it wouldn't be so easy to hack the banks any more. Additionally, I think the point about stealing from a bank resulting in them chasing you is legitimate - it's one of the big points against just bank robbery as a means to cash.

[TheOOB]

Remember that the matrix 2.0 protocols are not public domain, they where corp created and only the corporate court knows everything about how the matrix works. It is within their power to create certain key networks that are virtually impossible to hack using normal devices. Just as in the real world if a computer uses something other then TCP/IP protocol it is difficult to connect and manipulate, the banks and grid guide could run on a similar system.

Also remember that G.O.D. exists, and they are scary. There are certain crimes that if committed will get G.O.D. send after you, and they have more time, money, manpower, and skill than you.

[Bugfoxmaster]

Remember that the matrix 2.0 protocols are not public domain, they where corp created and only the corporate court knows everything about how the matrix works. It is within their power to create certain key networks that are virtually impossible to hack using normal devices. Just as in the real world if a computer uses something other then TCP/IP protocol it is difficult to connect and manipulate, the banks and grid guide could run on a similar system.

Also remember that G.O.D. exists, and they are scary. There are certain crimes that if committed will get G.O.D. send after you, and they have more time, money, manpower, and skill than you.

Sensible, but why not place the entirety of the wireless network on such a non-standard protocol? Ok, never mind, I know that one, but seriously, why shouldn't a given AAA-corp just place all important systems (LIKE SECURITY) on a non-standard (in normal-days example, non-TCP/IP) protocol system, and thus make their defenses extremely dense and tougher? And the Corporate Court doesn't get magical powers to know how the matrix works - clearly hackers know enough to fuck with it, and the people who put it together and programmed it... well yeah... and only certain companies, like NEOnet were involved in the contstruction - what gives Aztechnology any real knowledge of it beyond the amount others'd know? Etcetera applies.

[milk ducks]

Banks almost certainly operate using a fair amount of cold storage - that is, networks that are still linked together by miles of fiberoptic spaghetti, and aren't accessable by wireless communications except in very limited ways. When a customer on location at a store wants to buy a pair of pants, they send out a transaction request from their 'links that get picked up by bank nodes that are designated "receive only"; meaning they can accept incoming wireless information, but aren't functionally capable of transmitting information back. These nodes are physically connected, via fiberoptic cables, to more secure banking networks on site, but have only user-level access, which only permits them to input information, such as transaction requests. The request is then processed by the cold storage network, and sent back out to a different fiberoptically-linked terminal designated "transmit only"; meaning it can only send information, and is not functionally capable of picking up incoming wireless signals.

I can't see any real way for a hacker to negotiate that system illegally, without actually being on site to access the cold storage network where the goodies are hiding.

-milk.

[eidolon]

o/` Because it's a gaaaaaaaaaaaaaaaaaaame, baby, because it's a gaaaaaame. o/`

[Kerenshara]

Banks almost certainly operate using a fair amount of cold storage - that is, networks that are still linked together by miles of fiberoptic spaghetti, and aren't accessable by wireless communications except in very limited ways.

There's a weakness to this statement that I think you fail to grok completely, or you wouldn't have made it at all. If a system is in ANY way hooked up to the matrix, it's going to be vulnerable. In order to be able to interact with devices communicating via the matrix, it has to connect somehow. Individual comlinks are defacto POS (Point Of Sale) terminals, so there MUST be connectevity SOMEHOW to comlinks. Ergo, you're going to have to be vulnerable. And the more you concentrate flow through any single gateway, the more you're going to slow things down. Contrary to popular belief, most banks are housed in the same datacenters as places like this very forum. Given the way virtual processing is developing, they MIGHT be running on the same processor, though that's a bit of a stretch. And that's not just small banks, either; Some of the really BIG banks outsource their online processing. Now, the banks might just wise up and put all their servers (Nexi) in some great huge basement somewhere under the aegis of the Corporate Court but... they're more worried about their competition hacking in through those dedicated connections than they are about some jerk hacker. That's why they hire spiders and freelance "security consultants", right? Remember: these decisions are being made in boardrooms by people who have only the vaguest notion about how things like networks or processors actually work and THEIR focus is on their bonuses.

When a customer on location at a store wants to buy a pair of pants, they send out a transaction request from their 'links that get picked up by bank nodes that are designated "receive only"; meaning they can accept incoming wireless information, but aren't functionally capable of transmitting information back. These nodes are physically connected, via fiberoptic cables, to more secure banking networks on site, but have only user-level access, which only permits them to input information, such as transaction requests. The request is then processed by the cold storage network, and sent back out to a different fiberoptically-linked terminal designated "transmit only"; meaning it can only send information, and is not functionally capable of picking up incoming wireless signals.

I can't see any real way for a hacker to negotiate that system illegally, without actually being on site to access the cold storage network where the goodies are hiding.

The problem with those restricted "in" and "out" connections is that you need to be able to verify that the transmitted date matches received data and if there is doubt, request a retransmit. I flat don't think you could build a functional system the way you describe. Worse, by putting all those eggs in one basket, you're just begging for some catastrophe to take out a LOT of important systems.
That "cold storage" is of primary use in restoring catastrophic damage. If it's available quickly and easily, it's not really "cold".