Full Version: certified credsticks
sunnyside
Ok this came up in another thread and, more shockingly, a title search on "credsticks" doesn't come up with anything in the 4th ed forum.

In previous editions I thought certified credsticks were associated with a bank account and, while you could forge one, as soon as the person you ripped off got on the matrix they found out what was up.

In 4th things are less clear, one way or the other.

The rules for hacking a credstick are pretty clear though, they're device rating 6. Meaning not everyone with a rating three comlink can hack them but any PC hacker or TM can do whatever they want.

So the question is are 4th ed credsticks associated with a bank account or are they just encoded and act purely like cash and not like a certified check.

If you're in the "just encoded" camp please indicate your reasons why hackers bother to run the shadows instead of just cracking sticks.

Aaron
I reckon the sticks do have encrypted cash balances on them, but they're only part of a larger system that handles electronic cash (that's cash, not credit accounts). It's a big, complex mathematical system that authenticates the cash on a credstick. If you'd like, I could go into more detail, but the system is part cryptography and part networking and can get a bit complex. But you can simply say that credsticks are cash and leave it at that.
sunnyside
So you're saying that the credsticks are still associated with something in the matrix. It's just something that might be run by UCAS as opposed to accounts in a bank. And there aren't accounts per se, just metadata regarding what money is on what credstick.
ShadowDragon8685
Okay, here's how it works.

A Credstick (an archaic conceit, but still accepted most places) is simply a wireless link to your bank account - or someone's bank account. If you want to upwardly change the amount of money on it, you have two options.

1) Earn some more money and bung it on the account.
2) Hack the bank itself and change what they think is on the account.

By far, #1 is the easiest of these options, especially if the bank is Zurich Orbital. FastJack doubts his ability to even get in the door there, let alone hack something and get out unnoticed.



Certified credsticks are something completely different. A certified stick is e-Cash-in-the-hand. Where certified sticks are accepted, it's as good as nuyen, because it is nuyen. There's no waiting around for a transfer, there just is a transfer, from your certified stick to their accounts.

The question is, why don't all hackers simply cook certified credsticks and buy anything and everything they want? Well, it's not that easy...

Certified Credsticks are the hardest things in the game to crack. The test to defuse a nuclear bomb would be easier, I'm sure. First you have to crack the case without the whole thing frying. Easier said than done. Then you have to defeat a second layer of physical security, to get at the electronics. Then you need to find gear that can interface with the nonstandard design - again, not easy. You may have to devise your own.

Then you need to hack the stick itself. If you've gotten through the last two, this is probably easier, but one slip up here will still ruin the stick. At this point, you can put whatever amount you want on the stick, up to the maximum amount the stick type will take. (Higher stick types are correspondingly more difficult to hack.)

Once that's done, you then need to reassemble the stick, and you need to do it right, again, or the stick is ruined.

Once you've done that... Congratulations, you've got cooked money. You go to spend it... Whoops. The stick reader gets a test to see if it detects the forgery. Even if, after all of that hard work, there should be no way a simple reader could detect the forgery, it gets a chance to do so. Sucks to be you if you get caught at this stage.

But once you're past this stage, you're scot-free... So what do you do?

You buy, and you buy like there's no tomorrow. You don't want any of that money to still be floating around (on your accounts, anyway,) by the time the bank runs its next audit. They always wind up coming at least several hundred thousand nuyen overbudget, I suspect, and their response is simply to invalidate the "bad" nuyen. Sucks to be the person who made the sale, doesn't it?

You, on the other hand, if you took the normal Shadowrunner precautions when you spent, should be fairly safe. Of course, you do have to ditch the Comm and any identities associated with the transfers, because if you screwed a legitimate business, the cops will come looking, if you screwed the mob, the mob will come looking, if you screwed fellow criminals, Shadowrunners will come looking, and if you screwed a Mega, their security will come looking.

The payoffs are big, but the number of chances to completely screw the pooch are high. And the set-up cost is high, too. Remember, certified credsticks have a minimum and a maximum limit; sure, you can buy the 0 nuyen - 1,000 nuyen credstick for like 5 nuyen, but you go through all that trouble, time and effort, and the most you can get is a grand.

On the other hand, to set yourself up for the million, you have to buy a certified cred-stick pre-loaded with something like a hundred thousand, or five hundred thousand. You screw the pooch on ONE of those, and you're out an amount of nuyen that most Shadowrunners could retire on!
kzt
The problem is that the RAW doesn't say anything about having to use a non-standard system to charge or accept a certified credstick. "Certified cred requires no ID or authorization to transfer or use." Anyone can buy one and install money on them. And you don't have to crack the case, as the only way it can talk to the outside world is able to be monitored by you. Naturally the traffic is strongly encrypted (rotfl) when it connects either through the reader or via wireless. Either way, you can control who it talks to and what it learns because SR encryption doesn't work. Which means that, by the RAW, it has no real way to verify anything about what you are telling it.
FriendoftheDork
I see them as sticks with prepaid electronic money. It's like someone put a stick of gold in it, thus anyone can use it without any authorization.

Which means that if you're seen with too many of these babies on you, you better be ready to waste some muggers.

The credstick is manipulated physically... thus you need to physically hold it to transfer funds from it to a comlink or another credstick. And of course you cannot transfer more than what's on it.

You could probably open it and change numbers - but if you do the anti-tamper system will destroy it before you can do anything. But that's just my take on it. There are no rules I've seen for hacking certified credsticks, it only says that default encryption on nuyen transfer is 5.

This game becomes so much easier to believe if you know nothing of computers :)
kzt
QUOTE (FriendoftheDork)
This game becomes so much easier to believe if you know nothing of computers :)

The Gibson approach to gaming? ;)
TheMadDutchman
I personally don't care about how hard it is to hack a credstick but I know some things about Credit Unions and finance in general so I might have some useful real-world intel on how electronic and certified funds work.

I'm going to start w/ the debit/check card. By now everyone probably realizes that it's linked to your cking acct and how long the funds take to come out of your acct is determined based upon whether you sign for the transaction or use your pin. Signing takes an avg of 2-4 days (seriously watch your on-line accts) while pin transactions usually take around an hour or so; often less. When you use your ck card to authorize a transaction the card looks at what is in your acct and then what is on your card waiting to clear in order to determine if you have enough money for the transaction. Be careful because some companies such as gas stations will authorize a very small amt like 1$ and then bill you for whatever you actually buy. Which means you may not actually have had enough money in your acct for the transaction and restaurants will usually authorize a larger amount to give you the option of tipping on your card and then bill you for the final amount put down on the signed receipt.

Are any of you familiar w/ Check 21? Check 21 came out, I want to say in either 04 or 05. Before 9-11 all cks were cleared through the federal reserve manually and this took about 5-7 bus. days. That's right every check written in the U.S. was taken physically to the national federal reserve building (I can't think of what city it's in) and cleared one at a time. After 9-11 there was a huge back-up in ck clearing and it took weeks to catch up. Check 21 was a process by which an electronic copy of the ck could be sent through allowing cks to clear in a matter of hours. Not every financial institution uses Check 21 currently but things are moving in that direction and it's only a matter of time before every institution does.

Gift Cards. I think Gift cards are probably the closest thing to certified credsticks we have in the real world. A visa gift card or re-loadable pre-paid card (not all gift cards are re-loadable which is why I list them separately) work basically the same as the debit cards I described above. The difference is that though they are linked to an acct the acct doesn't actually have your name on it. Now, the card "might" have your name on it but it doesn't have to. I can go into a branch of my Credit Union and purchase a gift card at the front desk for the amount I want on the card plus a couple of dollars for the card itself and because I didn't order it on-line and the branch office doesn't have the embossing equipment on it there will be no name on it so anyone can use it. There won't even be an address attached to it for on-line security. (Debit cards have your address info on them and many on-line vendors have begun to refuse to ship to addresses other than your appropriate billing addr (the one on the card) in a way to help fight identity theft)

I think if I had to make a call I would consider certified cred to be like nameless gift cards. So they would be linked to an acct-it would just be an anonymous acct.
Buster
The nameless gift card is exactly how I envision certified credsticks. With that system, hacking the credstick would get you exactly nowhere because you'd need to know the account number and account access permits of another account that had more money in it. That explains why there's only rating 6 protection on the credstick. And it explains why criminals run the shadows instead of sitting in their basement hacking credsticks. You'd have to hack the entire certified credstick banking system to be able to create money out of thin air.
raphabonelli
I've never given too much thought about how Certified Credstick works behind the curtains (just used it something like "hard cash", since my players never tried to hack one). The entire "Gift Nameless Credit Card Pre-Loaded" thing hit right on the spot, in my opinion... and I guess credsticks will start to work this way on my games.

This way, hacking the card will, after bypassing all the cryptography, give you the account from where the money came from... but getting more money will put you hacking the entire bank matrix and the freaking security that it will have.
TheMadDutchman
The other thing to think about is that financial institutions are very security minded. I just enrolled in Internet banking for a bank I just joined and good god they have picture id recognition.

Financial Institutions across the country are constantly working hand in hand w/ federal agencies (like the FBI) to hunt down and arrest identity thieves and fraudsters.

Based on what I know I'm inferring that groups like the FBI also have electronic crime divisions by this time and definitely would in the 2070's. The only hope that criminals have is hacking across national borders (I always have the feeling that international cooperation doesn't happen a lot in SR) but even then you have to deal w/ corporate security and I have to believe that companies as powerful as Zurich would have to have a security group (including an electronic crimes unit) as powerful as the FBI; if not more so.

So, going back into gaming you have to believe that regardless of whether or not certified credsticks are linked to accts or stand alone that there are very very talented law enforcement officials tracking down the hackers responsible.
Backgammon
Sprawl Survival Guide explains credsticks.

Normal credsticks are merely linked to a bank account. When you buy something, a connection is made to your account and money comes out. Think Debit Card.

Certified cred is not the same. Money is pre-transferred to the internal memory of a credstick. Once on the certified credstick, you spend it directly from the stick's internal memory.

Read SSG if you need more details. It's all very well explained.
Abbandon
A credstick is just a piece of plastic. You slot it into your comm and transfer money to or from it. The credstick does not have any info on it except what the current balance is.

Your account info is on your commlink.

If you pay for a taxi cab ride with your commlink the whole world knows where you were at because you leave an electronic footprint at that address, at that time, using that SIN.

If you slot a credstick as you exit the taxi not a soul in the world will know about it cept the cabby and any people around at the time. And then they will only have a physical description.

I'm sure some credsticks could have security features and be for specific one way transfers to specific targets. Those sound like a perfect example of when you use Hack/Exploit/Computer + logic to mess with a "device".
raphabonelli
QUOTE
A credstick is just a piece of plastic. You slot it into your comm and transfer money to or from it. The credstick does not have any info on it except what the current balance is.


You don't "Transfer" money from your Comm to the Credstick... first, because that could create a datatrail (you know it or not), second, because it's the bank that encodes the credstick with money - charging a small percentage of the amount. (BBB - p. 259)

QUOTE
Certified cred is not the same. Money is pre-transferred to the internal memory of a credstick. Once on the certified credstick, you spend it directly from the stick's internal memory.


Thank you, I've never had a chance of reading SSG. But, at least in my game, I guess I will use the "Gift VISA card" way of thinking... more control from the bank, more security, and I guess that wireless technology could have changed a little the way credsticks work. But, thanks anyway.
FriendoftheDork
QUOTE (raphabonelli)
QUOTE
A credstick is just a piece of plastic. You slot it into your comm and transfer money to or from it. The credstick does not have any info on it except what the current balance is.


You don't "Transfer" money from your Comm to the Credstick... first, because that could create a datatrail (you know it or not), second, because it's the bank that encodes the credstick with money - charging a small percentage of the amount. (BBB - p. 259)

QUOTE
Certified cred is not the same. Money is pre-transferred to the internal memory of a credstick. Once on the certified credstick, you spend it directly from the stick's internal memory.


Thank you, I've never had a chance of reading SSG. But, at least in my game, I guess I will use the "Gift VISA card" way of thinking... more control from the bank, more security, and I guess that wireless technology could have changed a little the way credsticks work. But, thanks anyway.

Actually in my game this came up. Basically you're right, the bank has to transfer the funds to the credstick (using whatever insane security measures available). But IMO they wouldn't need to do this physically, I mean going into the bank and slamming it on a table... that's too old-fashioned.

So basically the user of a bank account asks for a certain amount to be transferred from his account to his comlink as certified cred. The bank sends him this electronic wad of "dollars", which he can then transfer into the certified credstick by slotting it or perhaps wireless. The whole process should take a few minutes, which is forever in 2070.

What do you think about that? Could it be done? IMO to hack it you would have to hack the bank itself, you couldn't just spoof the signal as you would need certified nuyen as data to send anyway, and that shouldn't be possible to make for a hacker.
Aaron
QUOTE (sunnyside)
So you're saying that the credsticks are still associated with something in the matrix. It's just something that might be run by UCAS as opposed to accounts in a bank. And there aren't accounts per se, just metadata regarding what money is on what credstick.

Not precisely. The credstick isn't associated with anything in the Matrix, but the cash in it is. It's kinda like the way the real cash I have in my pocket is associated with something in the US Treasury Bureau. I could agree to buy your old copy of 2XS for US$1, and then hand you this piece of paper that has printed on it "A946084434B" in green letters and numbers. Even if that number never existed within the system (it doesn't, incidentally), it still acts as regular old currency until somebody bothers to check the register of serial numbers.

Electronic money, or scrip, works in the same way, except that the serial numbers are far more complex, and checking the register is far more trivial. So once one hacked a credstick, unless one was also hacking the currency system (run on Zurich Orbital, anyone?), one would have an infinitesimal chance of coming up with a valid serial number for the scrip one wanted to add. One could just make a copy of the scrip data, sure, but once the registry started detecting transactions on that scrip from multiple divergent sources, it would flag that scrip as forged.

And before anyone asks, yes, scrip would be traceable, but only in the abstract sense. It wouldn't necessarily be traceable to any particular location or person. The book describes how credsticks are generally considered shady, so most validation transactions probably pass through one or more anonymizers (heck, I imagine such validators run Spoof actions once a second as a matter of course). Any data connected to validated scrip beyond amount and time of validation would be unavailable.
kzt
QUOTE (raphabonelli)
Thank you, I've never had a chance of reading SSG. But, at least in my game, I guess I will use the "Gift VISA card" way of thinking... more control from the bank, more security, and I guess that wireless technology could have changed a little the way credsticks work. But, thanks anyway.

That does work, but you are creating a data trail. Someone looking may not know who had the gift card at any given moment, but they know who bought the gift card and who money was transferred to. The fact that the money is being taken out of a secure back-end system is why you can't just code a value onto the card.

There have been similar traces done with phone cards. An investigator couldn't determine from the one call who had the phone card that called the Ryder truck outlet that rented the truck used to blow up the Alfred P. Murrah federal building, but from the data trail they could.

Without that link to the back-end bank system there is nothing that can really be done in SR to stop someone semi-competent from creating money on a certified credstick other than GM fiat.

But financial corps and honest governments don't like anonymous accounts or unrecorded transactions and actively work to stop them. Which is why you can't typically walk into a bank and open an account at a random bank without ID or pay $100,000 in cash for something without a report being filed.
Rotbart van Dainig
QUOTE (kzt @ Jun 24 2007, 11:36 PM)
But financial corps and honest governments don't like anonymous accounts or unrecorded transactions and actively work to stop them.

But the corps like it. And thus, it happens.
kzt
QUOTE (Rotbart van Dainig)
But the corps like it. And thus, it happens.

Corps are at their heart a financial organization run by accountants. Why do they want someone to be able to anonymously defraud them? And if they don't care, why would you need a SIN to open a bank account with Ares bank?
Kyoto Kid
QUOTE (kzt)
But financial corps and honest governments don't like anonymous accounts or unrecorded transactions and actively work to stop them.

...Governments? Honest?

..."legitimate" or "established" maybe.
Rotbart van Dainig
Because black accounts are necessary to them.
Demon_Bob
So are some of you saying that Certified Credsticks do not work in Wireless Dead Zones like the Barrens? If that is the case have they gone back to a barter system. If the Certified Credstick displays its value. They just trade for a Certified Credstick(s) of the closest amount?
sunnyside
QUOTE (Demon_Bob)
So are some of you saying that Certified Credsticks do not work in Wireless Dead Zones like the Barrens? If that is the case have they gone back to a barter system. If the Certified Credstick displays its value. They just trade for a Certified Credstick(s) of the closest amount?

Nobody's saying that. Since "players get infinite money" isn't really an option we're fundamentally debating between.

1. There is some kind of credit confirmation system. Credsticks can transfer money all they want, and can be hacked, but eventually you log onto the wireless and stuff gets validated somehow, telling you that, yes, that was a valid credstick that transferred money onto your credstick.

2. Credsticks have secret anti hacking foo. You can hand wave this however you want. The bottom line is that credsticks can't be reliably hacked. Either they can't be hacked in the first place or there is a chance the hacking will be detected and get you in a world of hurt later.

Jack Kain
Stopping someone from hacking a credstick to add cash doesn't require a DM fiat. It just requires actually reading the rules.

Under the forgery skill.
"Bogus credsticks are especially vulnerable to detection; once either the original or copy has been used, verification systems will detect the anomaly as soon as the other is used, immediately flagging all transactions with either stick and preventing either from being used again until the situation is cleared up"

Don't forget the certified in certified credstick.

A credstick is anonymous because you can physically hand the credstick to another person.
A bank can track transactions on a credstick but if the transactions go to another credstick or the stick changes hands, that tracking is practically useless as you don't know who bought what.

Counterfeiting a credstick works only because you could hand a person two sticks each with 10,000 nuyen but one is a forgery of the other (or both are a forgery of a 3rd).
sunnyside
Sweet! While it makes sense I never thought to check that section for credsticks.

So it looks like it's the "money on the sticks, verification on the matrix" thing.

So if your J pays you with a pair of sticks do an online transaction with them quick to make sure both turn up clean.
Aaron
QUOTE (sunnyside)
So if your J pays you with a pair of sticks do an online transaction with them quick to make sure both turn up clean.

Your lips to God's ears, chummer.
hyzmarca
A SINless criminal makes an easily traceable matrix transaction using counterfeit certified cred, I cannot possibly see how this could go wrong, but I presume that it involves a cyberzombie SWAT team dropping from ZO and onto your head.
sunnyside
QUOTE (hyzmarca)
A SINless criminal makes an easily traceable matrix transaction using counterfeit certified cred, I cannot possibly see how this could go wrong, but I presume that it involves a cyberzombie SWAT team dropping from ZO and onto your head.

I think the idea is to have a valid fake you have to make a copy. This isn't too unreasonable. Maybe each credstick has a piece of hardware that outputs a different value each transaction for verification or whatever. Tons of ways to do it.

The deal is that to make a copy presumably you have to have the original, and since you can't use both there isn't much reason to make the copy in the first place unless you're trading in a dead zone.

Jack Kain
QUOTE (sunnyside)
The deal is that to make a copy presumably you have to have the original, and since you can't use both there isn't much reason to make the copy in the first place unless you're trading in a dead zone.

As I just explained you'd make the copy and pay by physically handing the forged a couple credstick to the person. IE: You take the credstick from your hand and physically hand it to the second person.

Or you steal someone's credstick make a copy and place the original or the forgery back where you found it. Thus they don't report the credstick stolen. This allows you to spend all the cash and it may take days before the target knows what happened.

It's also quite likely that when making payment you might be there and gone before they have a chance to verify the credsticks you handed them.

sunnyside
In the first case it doesn't do you any good since as soon as they verify it/spend some money the other credstick isn't going to do you any good.

In the second you could do that. I don't think you can copy a credstick quickly. But yes if you knew where one was kept and got it come you might be able to copy it and return the original. However they'll figure out something's up as soon as they try and use the thing after you've used your copy. So it isn't all that different than just stealing the original and not putting it back. You just maybe buy yourself a little time and the added risk of getting to the spot twice.

You'll want to be gone in the very fast sense for the third one.
kzt
QUOTE (sunnyside)
Maybe each credstick has a piece of hardware that outputs a different value each transaction for verification or whatever. Tons of ways to do it.

Many ways, involving hash functions or other cryptographic tools that, by the laws of physics, would take a total power output equal to the entire US nuclear arsenal and a few million years to break. All of which are easily reversible/broken in SR on a pocket computer in under a minute. So, no, there is NO way to do it in SR that depends on any sort of shared secret or cryptographic function.

If you want this to be secure without assuming that the RAW is totally wrong about encryption you need to come up with an approach that doesn't depend on encryption, or secret functions or hashes or other things that are other ways of saying cryptography.

I'd rather have everyone agree that the RAW is totally stupid and we assume that unbreakable encryption exists, as it makes lots of other things hugely easier, but I'm not going to put a gun to your head. But I get annoyed and lose my suspension of disbelief when something only works when it's convenient for the plot and not when I'd want to use it.
Ravor
Well I'm just hoping that we get decent Encryption and more secure PANs in Unwired, but I'm not holding my breath.
Abbandon
So you all are saying that credsticks offer no anonymity. If my runner pays all his taxi cab fares, food bills, and prostitutes by slotting a credstick its the same (security tracking wise) as if he had just told his commlink to transfer the money to the person.

I totally disagree with that, that would make them completely worthless.

Bob has 3,977 nuyen left on his online bank account after a night of hard partying after another job well done. Now wanting to go home and leave absolutely no trail Bob decides to transfer the money onto a credstick. Bob slots his lucky credstick into his commlink and tells it to transfer all funds over to the credstick. The comm checks the bank balance, 3977, subtracts it from the bank account and adds that much to the credstick. Bob jumps in a cab and heads for home. Meanwhile Bob's commlink has immediately updated his online bank account that his bank balance is now 0. If Bob goes online he would see that at 4:33AM Sunday morning 3977 nuyen was transferred to a certified (authentic) credstick.

After a 15 minute ride in a cab Bob arrives home and slots his credstick as he leaves the cab. The cab fare is deducted from the credstick and the cab's computer notes that it was paid X amount, for an X kilometer ride by credstick at 4:48 AM Sunday morning.
Aaron
QUOTE (kzt)
Many ways, involving hash functions or other cryptographic tools that, by the laws of physics, would take a total power output equal to the entire US nuclear arsenal and a few million years to break. All of which are easily reversible/broken in SR on a pocket computer in under a minute. So, no, there is NO way to do it in SR that depends on any sort of shared secret or cryptographic function.

Y'know, the more times I read it, the more I start to think that the current cryptology rules were intended for communications encryption, not file encryption.
FriendoftheDork
QUOTE (Abbandon)
So you all are saying that credsticks offer no anonymity. If my runner pays all his taxi cab fares, food bills, and prostitutes by slotting a credstick its the same (security tracking wise) as if he had just told his commlink to transfer the money to the person.

I totally disagree with that, that would make them completely worthless.

Bob has 3,977 nuyen left on his online bank account after a night of hard partying after another job well done. Now wanting to go home and leave absolutely no trail Bob decides to transfer the money onto a credstick. Bob slots his lucky credstick into his commlink and tells it to transfer all funds over to the credstick. The comm checks the bank balance, 3977, subtracts it from the bank account and adds that much to the credstick. Bob jumps in a cab and heads for home. Meanwhile Bob's commlink has immediately updated his online bank account that his bank balance is now 0. If Bob goes online he would see that at 4:33AM Sunday morning 3977 nuyen was transferred to a certified (authentic) credstick.

After a 15 minute ride in a cab Bob arrives home and slots his credstick as he leaves the cab. The cab fare is deducted from the credstick and the cab's computer notes that it was paid X amount, for an X kilometer ride by credstick at 4:48 AM Sunday morning.

No I'm not saying that, and the BBB is not saying that. When you pay with certified cred your bank account is not checked at all, in fact you may not need one. It's pretty much as anonymous as cash.

When bob buys certified cred, he might use his bank account yes, and if he does the bank knows he has done so. However, there is no way for them to check what these certified nuyen are spent on. Sure, the taxi driver could tell them someone who looked like someone paid in certified cred (the taxi may even demand basic SIN), but after the nuyen is transferred to a certified credstick, no one can trace them back to the account.
hobgoblin
or was just done that way to make the hackers life easier, rather than just have the GM declare ever so often "sorry, its encrypted"...

still, there is always the "datatrail".

as in, the transactions will have a non-encrypted number that follow them from point to point. and if a transaction number shows up in two places at the same time, the last one is discarded or something.

hell, isn't something similar built into the tcp/ip protocol? a kind of session number that increases over time in a semi-random way? this to avoid that a packet is simply sniffed and retransmitted. as in, it has nothing to do with hashing or encryption, it's just a serial number per package iirc.
sunnyside
Yeah I'm thinking more like what hobgoblin says.

The driver would slot the credstick and the verification might be like.

Credstick A53XP219g442 says the code for its 395th transaction is 442872376287368796243.

If that checks out you gets your money.

If another credstick claiming to be A53XP219g442 later makes a 395th transaction with code number 442872376287368796243 the verification system will tell the owner that that credstick account is now not valid, please contact your bank.
TheMadDutchman
"Please Contact your Bank" pretty much the most annoying words on the planet; especially if you've ever been on the receiving end of one of those conversations.
sunnyside
Oh and "amount on credstick" and "amount of transaction" would probably have to be in there too.

But the point is the bank doesn't know who used the credstick (though they could suppose it's the person they gave it to). But they have no way of knowing who was paid with it, barring back hacking the verification call.
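The check sunnyside sketches in the two posts above (a per-stick transaction number plus a code, with the balance and amount folded in), as an added example that is not part of any post. It assumes the code is an HMAC keyed with a secret shared between stick and issuer, which the thread does not specify; the key and the cab fare are constructed values.

```python
import hashlib
import hmac


def tx_code(key, stick_id, seq, balance, amount):
    """Code a stick presents for its seq-th transaction (HMAC is an assumption)."""
    msg = f"{stick_id}|{seq}|{balance}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Issuer-side state: each transaction number is accepted once per stick."""

    def __init__(self):
        self.keys = {}        # stick id -> secret shared with the issuer
        self.next_seq = {}    # stick id -> lowest transaction number not yet used
        self.revoked = set()  # sticks that must "contact your bank"

    def issue(self, stick_id, key):
        self.keys[stick_id] = key
        self.next_seq[stick_id] = 1

    def verify(self, stick_id, seq, balance, amount, code):
        if stick_id not in self.keys or stick_id in self.revoked:
            return "rejected"
        expected = tx_code(self.keys[stick_id], stick_id, seq, balance, amount)
        if not hmac.compare_digest(expected, code):
            return "rejected"            # the code does not check out
        if seq < self.next_seq[stick_id]:
            self.revoked.add(stick_id)   # a used transaction number came back
            return "contact your bank"
        self.next_seq[stick_id] = seq + 1
        return "paid"


def demo():
    key, sid = b"constructed-demo-key", "A53XP219g442"  # key is a constructed value
    v = Verifier()
    v.issue(sid, key)
    return [
        # genuine stick pays a (constructed) 25 nuyen cab fare as transaction 1
        v.verify(sid, 1, 3977, 25, tx_code(key, sid, 1, 3977, 25)),
        # a copy holding the same key and counter also spends as transaction 1
        v.verify(sid, 1, 3977, 500, tx_code(key, sid, 1, 3977, 500)),
        # the stick id is now revoked, so even the genuine stick is refused
        v.verify(sid, 2, 3952, 10, tx_code(key, sid, 2, 3952, 10)),
    ]


if __name__ == "__main__":
    print(demo())
```

The copy carries a valid key, so its code verifies; it is the repeated transaction number that exposes it, which is why the counter is needed on top of the code.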
kzt
QUOTE (Abbandon)
If Bob goes online he would see that at 4:33AM Sunday morning 3977 nuyen was transferred to a certified (authentic) credstick.

After a 15 minute ride in a cab Bob arrives home and slots his credstick as he leaves the cab. The cab fare is deducted from the credstick and the cab's computer notes that it was paid X amount, for an X kilometer ride by credstick at 4:48 AM Sunday morning.

It would show 3977 was transferred to certified credstick somenumber certified by bank y.

The cab shows it received x from credstick somenumber certified by bank y. Which means that if you get the cooperation of the bank it can tell you who has put money into it or gotten money out of it.

If the bank refuses to credit it later because it later decides the certified credstick is a forgery the person who took the credit is just screwed. Just like Visa or MC. So the likely approach would be to immediately validate the transaction, which means you can track in real time what is being purchased and where from a certified credstick.

You might not know who actually is carrying it around, but that's about it.
bait
According to the section "Certified Credsticks", the stick isn't tied to anything.

A bank loads the stick with raw funds for a fee, then the bearer without need for ID can use it as he sees fit.

Now as a credstick can't be used as ID and its untrusted nature there will be a lot of places that simply won't accept it. (Think personal checks.)
kzt
QUOTE (bait @ Jun 25 2007, 09:57 AM)
According to the section "Certified Credsticks", the stick isn't tied to anything.

A bank loads the stick with raw funds for a fee, then the bearer without need for ID can use it as he sees fit.

Now as a credstick can't be used as ID and its untrusted nature there will be a lot of places that simply won't accept it. (Think personal checks.)

Then we know where 15 year old juvenile delinquents get their money. . . .
hobgoblin
yep, just like how they get hold of a credit card number and get their stuff off the net today...
TheMadDutchman
Here's another big factor to consider
IF credsticks are 100% anonymous that means that there's no way for the bank that sells them to access any info off of them (such as what purchases were made on the card). This means that there can be no support for them. The only way institutions are able to offer fraud and id theft support in today's world is that they can track purchases done on the acct. They can even tell in many cases whether the card was swiped or whether the card number was entered manually. That's also why you have a 3 digit security code on the back of your card. There are only two places where that number is found. On the back of your card and in the master database of the company that issued the card. No employee of the company can access that number so the only "person" who should have the number is you. Most on-line purchases require the use of this number and it is pretty much the equivalent of showing a photo id when purchasing something over the internet (it is supposed to verify that you are holding the card)

So theoretically (and I hate to go here because I don't want to open a can of worms) IF the certified credstick is truly 100% anonymous and there is no way to track transactions done on it then there is no way to provide fraud protection for the users of the certified credstick and no way to track the criminal responsible for the theft or forgery of the certified cred.
Rotbart van Dainig
As checksticks are the electronic equivalent of cash - that's pretty much what is intended.

You lose them - you cry.
sunnyside
I think part of fraud protection is you need the original stick to make the copy. Or have some clever hack in both systems in place. Either way you're having to get involved in such a way that you risk detection.
bait
Credsticks have no security and aren't tied to an account.

Essentially it's up to the other party whether or not they accept it as payment, it's more as a stepping stone to having it converted to a real account or buying tickets items on the shadow market.
Kerris
Credsticks have to have security, at least in terms of the electronics involved. Otherwise, there is no control over money. At all. Hackers just run rampant over the economy.

There may be no security in terms of who can use a credstick, but in terms of how much money is on the credstick, it has to be the most secure thing on the planet.
raphabonelli
Page 259 of BBB says:

QUOTE
Similar to a cash or bearer bond, a certified credstick is not registered to a specific person and is worth the amount of credit encoded on it.


Since they compare certified credstick to bearer bond, maybe they work the same way... the credstick comes with a value on it, and is as worth as hard cash, but maybe you can "change" it for real cash only on the bank.

They are called Certified Credstick because the security behind it is so good that the bank "put their hands on fire" for it. Maybe, if you get one "bogus" credstick (that looks and reads just like the real one) the bank would pay the money for it (since they're the ones responsible for the security) and then they should use their own means to find the criminal who did the fake.

That said, maybe Credsticks cannot be hacked since they have the value hardcoded on it, and only the bank (through serial numbers checking, cross reference and so on) can create and validate a certified credstick.

That way the certified credstick isn't something like an "anonymous account" from where you can take cash, in little amounts... but something like a check, that has a value specified on it, and can only be exchanged for money on the bank (but, like RL checks, are sometimes used like money on some negotiations).

Well... just my 2Y.
Maybe just BS... I would like some official on that.
bait
Think personal checks man, those have little security and most businesses won't touch them for that very fact.

But they're still used for personal payments between private interests, or require guarantees before being allowed to be processed.

The only requirement for the raw cash is that it's unique, so there would be an encode for that but it won't go much past that point.