> Crash Course on Hacking
DnDer
post Feb 9 2013, 02:18 AM
Post #1


Moving Target
**

Group: Members
Posts: 124
Joined: 21-September 12
Member No.: 55,906



Scenario: You need to convince your client that you have a business worth, say, 2.4m nuyen, and that your business is based out of a Seattle suburb, but he's still going to check your financials (or you need a disappearing account for him to stash money in).

Target: A small bank or credit union in Seattle's suburbs.
Goal: Create an account that will disappear within a week, not using any actual money.

My GM and I have some ideas about how to do this, but we're still exploring options and how to do it. How would it be done, by RAW, and what kinds of tests would we need?

I'll detail our ideas and thought process in the next post.
DnDer
post Feb 9 2013, 02:28 AM
Post #2


Moving Target
**

Group: Members
Posts: 124
Joined: 21-September 12
Member No.: 55,906



First things first, in this scenario: The team has zero physical access to the site, and zero physical access to the employees.

We need to log into the bank's node and gain user (say, loan officer) access on the node in order to create an account.

You can't log on AS a pre-existing loan officer. Access ID is generated from your persona (hardwired into your commlink), therefore we can't actually get a loan officer's ID because we can't log on with his commlink. Therefore whether we have his password (authentication) is irrelevant, right? If we can't become ~that loan officer's access ID~ then his authentication does no good.

So we need to log onto the node, make a hack on the fly test to establish a user account?

After that, it'd be just a spoof command to mimic Loan Officer's ID. Once we successfully spoof, then we can probably make an edit test to create an account.

Once we do that, we would need to leave a command (data bomb?) to erase the account in a week (before the weekly reports are generated, that would reveal the account's existence), as well as an edit test to remove our tracks from the system log (or do we need to do another test to upgrade to security account first?) before doing a graceful logoff?

The total tests come to...

Log on and HOTF to gain User Access
SPOOF to look like Mr Loan Officer
EDIT to create a bank account
EDIT (or Data Bomb?) the account to disappear in a week, on its own
EDIT the security logs
Log off

Let's just assume IC-free (for this example) and that we just have to overcome the firewall and passive security access controls.
Umidori
post Feb 9 2013, 02:28 AM
Post #3


Runner
******

Group: Members
Posts: 2,575
Joined: 5-February 10
Member No.: 18,115



By RAW? No idea how you'd do this, personally.

By KISS? Obtain a Money Launderer as a Contact. Bonus points if his name is Barry.

~Umi
DnDer
post Feb 9 2013, 02:31 AM
Post #4


Moving Target
**

Group: Members
Posts: 124
Joined: 21-September 12
Member No.: 55,906



Hah! Barry... Poor guy...

No, the team didn't have enough time to do laundering. This had to be done in 30 hours' notice.

Let's assume the Public Library Nexus stats (5/4/4/3 -- budget expenses prevent small business from getting more than the minimum federally-required security) for the actual system ratings that need to be hacked.
Mantis
post Feb 9 2013, 02:55 AM
Post #5


Running Target
***

Group: Members
Posts: 1,102
Joined: 23-August 09
From: Vancouver, Canada
Member No.: 17,538



A few questions first. Are we saying no access to site or personnel for a reason or just to keep the scenario simple? Secondly, is the team on a time crunch that prevents doing a long hack (they sure won't use up the 30 hours listed)? Thirdly, is there a particular reason they aren't going for an admin account off the bat?
Now for the scenario as presented, I'd go for a long hack for an admin account to start, since just about everything you want to do would normally be around that account level. The loan officer may not have or need that level of access but whoever does final approval on his clients will.
Get admin access then create a fake loan officer account or whatever is needed, using edit to create the new bank account. Use the rules in Unwired (pg 97) to do this and hide the account (no need for the bank to know it is there). Write a script to erase the account after the week or else leave an agent dormant there to do that for you in a week. Edit the logs and then log off.
Unwired provides rules on forgery (pg 95) and for doing what you want, it will be really damn hard to create 2.5 mil. If the idea is to create a fake loan for 2.5 mil, I would rather imagine the bank would wonder about that and start digging into it before the week is up unless they regularly loan out that kind of cash.
I would instead gain access to both the bank and employees and work it from there rather than trying to fake all that info.
DnDer
post Feb 9 2013, 03:14 AM
Post #6


Moving Target
**

Group: Members
Posts: 124
Joined: 21-September 12
Member No.: 55,906



QUOTE (Mantis @ Feb 8 2013, 08:55 PM) *
A few questions first. Are we saying no access to site or personnel for a reason or just to keep the scenario simple? Secondly, is the team on a time crunch that prevents doing a long hack (they sure won't use up the 30 hours listed)? Thirdly, is there a particular reason they aren't going for an admin account off the bat?
Now for the scenario as presented, I'd go for a long hack for an admin account to start, since just about everything you want to do would normally be around that account level. The loan officer may not have or need that level of access but whoever does final approval on his clients will.
Get admin access then create a fake loan officer account or whatever is needed, using edit to create the new bank account. Use the rules in Unwired (pg 97) to do this and hide the account (no need for the bank to know it is there). Write a script to erase the account after the week or else leave an agent dormant there to do that for you in a week. Edit the logs and then log off.
Unwired provides rules on forgery (pg 95) and for doing what you want, it will be really damn hard to create 2.5 mil. If the idea is to create a fake loan for 2.5 mil, I would rather imagine the bank would wonder about that and start digging into it before the week is up unless they regularly loan out that kind of cash.
I would instead gain access to both the bank and employees and work it from there rather than trying to fake all that info.


The bank is in another country -- the team is doing a run in the Arabian Caliphate. It was a random player idea to create a dummy account to have a large business account balance in the bank (to impress a Saudi merchant).

30 hours was the deadline for the entire run, or that portion of it. I think our extended tests ran into 12 hours, but we weren't 100% on what we were doing right and wrong.

Why skip admin account? Because a loan officer and a branch manager are both user accounts and can accomplish the same thing about creating an account with a balance in them already. Why up the difficulty for an admin account when you can do it like an actual user -- since admins are adminning and not handling financial transactions, it would look a little odd for an admin to create a bank account. (Also skipping that +6 difficulty seems like a reasonable idea.)

And we didn't need to create a loan, just an account with a balance to show the merchant, because he only dealt with "high rollers." All for show, for him. Therefore no 2.5m loan that would trigger an audit, just an account with a balance that would disappear before the weekly audit numbers are pulled.

As said, no access to employees or site because +14 hour time zone difference (give or take, I'm not going to google time zone differences right now).
DnDer
post Feb 9 2013, 03:28 AM
Post #7


Moving Target
**

Group: Members
Posts: 124
Joined: 21-September 12
Member No.: 55,906



So, the biggest question I have is this: How do I become someone else in the Matrix? I want to log onto Bank as John Smith, who works there, so that everything I do is as John Smith.

I can spoof + hacking every command I want to do as John Smith, but that's a lot of die rolls.

What am I missing? I can social engineer authentication, or plant a script in an attachment, or something similar. But that doesn't get me the account without the ID. And the ID is only generated by the system's persona, right?
Jaid
post Feb 9 2013, 04:46 AM
Post #8


Great Dragon
*********

Group: Members
Posts: 7,089
Joined: 4-October 05
Member No.: 7,813



do it on a different account normally.

edit the logs to make it look like John Smith did it.

at least, that's the simplest one i can think of.
Mantis
post Feb 9 2013, 06:32 AM
Post #9


Running Target
***

Group: Members
Posts: 1,102
Joined: 23-August 09
From: Vancouver, Canada
Member No.: 17,538



An admin account lets you do anything. Don't think of it as a real admin account as we have today where they only do 'admin stuff' but rather a level of access to the system. User accounts typically can't do much beyond read stuff and use limited programs. I suppose your loan officers could only have user access but that is kind of terrible security if I can hack in and create a bank account with that level of access. User is what I would likely have if I already had a bank account and wanted to do some online banking. Rather limited. Loan officer should be at least security level I think.
A time of 12 hours is really long for a hack. If the system they are going after is a 5/4/4/3 system, then even admin only gives a 15 threshold (firewall + system +6 for admin). Unless you get crappy rolls or have terrible skills and software it shouldn't take that long. The main reason to do this is there is less chance of getting caught (1 test vs a test for every test you make for a quick hack).
You can just change your commlink to have Joe Smith's access ID, so long as you have his access ID. The only drawback is if he is online somewhere you are at the same time. Rules for that are on pg 224 of SR4A.
Epicedion
post Feb 9 2013, 06:37 AM
Post #10


Douche
****

Group: Banned
Posts: 1,584
Joined: 2-March 11
Member No.: 23,135



You're going about this wrong. If the hacker could make 2.4 million nuyen appear in a bank account overnight, what would stop him from just doing that a couple times, wiring the money out and dumping it on some certified credsticks and living the high life forever?

No, what they need is incredibly fake stuff -- fake bank, fake server, fake accounts. Fake fake fake. Have them register a throwaway commlink or nexus on the Cayman Islands' LTG with a legit-looking frontage and some hefty-looking security and forged account logs. Patch in a real account from a real bank as a dummy account to transfer the money through your fake system (the fake system reports millions, the real account barely has enough to pay tolls) to the target's accounts for verification microtransfers, and keep your hacker online on standby to manage issues as they come up. It'll look a little shady, but in the shadows, if it looks a little shady everything's normal.
DnDer
post Feb 9 2013, 07:37 AM
Post #11


Moving Target
**

Group: Members
Posts: 124
Joined: 21-September 12
Member No.: 55,906



QUOTE (Epicedion @ Feb 9 2013, 12:37 AM) *
You're going about this wrong. If the hacker could make 2.4 million nuyen appear in a bank account overnight, what would stop him from just doing that a couple times, wiring the money out and dumping it on some certified credsticks and living the high life forever?

No, what they need is incredibly fake stuff -- fake bank, fake server, fake accounts. Fake fake fake. Have them register a throwaway commlink or nexus on the Cayman Islands' LTG with a legit-looking frontage and some hefty-looking security and forged account logs. Patch in a real account from a real bank as a dummy account to transfer the money through your fake system (the fake system reports millions, the real account barely has enough to pay tolls) to the target's accounts for verification microtransfers, and keep your hacker online on standby to manage issues as they come up. It'll look a little shady, but in the shadows, if it looks a little shady everything's normal.


I was a player in this scenario. I was not the hacker. However, I made an explicit argument that we do NOT transfer any of the fake money out. After all, that was a local bank back home... Couldn't see all those lives come to ruin, or the bank itself get closed.

What stopped him from doing it repeatedly was that (a) he didn't have time and, (b) I was serving as group conscience when I was there. (I actually left a session during a wetwork mission. Thievery is okay. Running a con? All right. Murder for hire? Not happening. Not with that character, anyway.)
UmaroVI
post Feb 9 2013, 01:03 PM
Post #12


Shooting Target
****

Group: Members
Posts: 1,700
Joined: 1-July 10
Member No.: 18,778



Thinking too hard about why cyber-criminals are doing shadowruns instead of hacking banks in a world where money is electronic, or why B&E specialists break into high-security buildings instead of expensive parked cars, is not really a good idea. SR doesn't actually make sense and poking too hard at the places where it's most obvious isn't worth it.
Aaron
post Feb 9 2013, 01:59 PM
Post #13


Mr. Johnson
******

Group: Dumpshocked
Posts: 3,148
Joined: 27-February 06
From: UCAS
Member No.: 8,314



I can think of a couple of ways, although I'll add a disclaimer that I've been through a lot of different versions of the SR4 wireless rules, so I might have something wrong.

The easiest would be to hack the 'link of the person looking up the account and having it display the information you want him or her to see.

You could use an area jammer in the bank, set to jam all devices except for your commlink, that reduces everybody else's Signal rating enough to keep them from reaching outside nodes but allowing them to reach your 'link. This means all external traffic is going through your commlink, so you can use the Intercept Traffic action and modify the information going in and out of your target's commlink.

Another way would be to pay a rich contact to set up an account and put a lot of money in it for a day or so. When the account is queried, it will show the amount your contact put there. Then the contact can put his or her money back to its original location.
Teulisch
post Feb 9 2013, 04:48 PM
Post #14


Moving Target
**

Group: Members
Posts: 565
Joined: 7-January 04
Member No.: 5,965



doing it right takes a few hours. have the hacker VR (Cold or hot) and probe the target (SR41 p.236), going for admin access. if you have at least 12 dice (easy to do with a starting hacker), then that's an average 4 hits per hour. so let's say 4 hours. the system gets one try to detect you on login, so you should be fine with stealth 5+.

first you create a hidden admin account (the admin account will then make the account level you need to enter stuff), and check the logs. remember to edit the logs to hide your actions. next, you set up the account type you need, and plug in the necessary data for a shell company- a trick here would be to make it look like the business is simply not revealing a silent partner. set things up so that the money looks like it's there, for the next day or so. use your admin account later to do any modification or maintenance to the data as needed without tripping security (ie showing your target that yes, his action did go through).

now why this won't work to get money from a bank- banks will look carefully at large amounts moving around, but they also loan each other money all the time to cover short-term costs. if the BANK sees this money as 'holding onto this for a day to cover X', then it will not draw much scrutiny right now (but will probably get hit with an audit within a week's time). it could be this is a 'deposit' made by check, and the money is being held pending that check clearing (maybe someone sold a house). trying to move any of that money would set off a lot of red flags, but having it sitting there is not that serious over the span of a day or two.

really, the hacker should have a knowledge skill for banking to do this. it's basically a matter of exploiting the existing system to make your house of cards look legit to a casual glance. a knowsoft will do the job just fine, and you could probably pirate such a knowsoft cheaply enough.

Topps, Inc has sole ownership of the names, logo, artwork, marks, photographs, sounds, audio, video and/or any proprietary material used in connection with the game Shadowrun. Topps, Inc has granted permission to the Dumpshock Forums to use such names, logos, artwork, marks and/or any proprietary materials for promotional and informational purposes on its website but does not endorse, and is not affiliated with the Dumpshock Forums in any official capacity whatsoever.