So, you use your commlink as a debit card, to buy stuff, because it links right to your bank account, right? So can a hacker spoof your signal and just empty out your account? If so, why would highly skilled hackers actually do runs, when they could just rob the crap out of everyone?

How about...
...Why would Commlinks ever be used or useful if they were so shit useless and easy to crack ??

Even if you accept that Corps would distribute crap for the average consumer...
...The best of the best Commlinks still appear to be pointless at being secure.

So are commlinks super secure, thus meaning hackers have to be FastJack-level good to play with somebody's settings? Or is there some other identification needed to make online purchases, maybe plugging a credstick or something into the commlink? Or did FanPro just not think of that at the time because come on, who's going to look for ways to commit identity theft in a game where you get to play an Ork with a shotgun (a long time fantasy of mine)?

By RAW you can hack drain the bank accounts of 99% of the populace easily. Rating 3 across the board is average. Rating 6 comlinks aren't even mass produced.

What you do is hack a guys comlink, upload an agent with an edit and stealth program and admin access, and have it filter everything done with the comlink. Then the agent just transfers the money to an account. Hell, if you hack a guy's fridge you can drain his account.

joe smoe's comlink is a 400bp hacker's bitch so you have to have the security else where for it to mean a damn. I would handle this by saying that there are two protections in place. First so much get's tracked on-line and agents are so good at what they do fraud detection expert programs are likely very top notch. It's reasonable to imagine that the moment you had suspicious activity the banks agent would contact your agent and figure if the account holder initiated the transaction. One of the huge bits of data that 2070 systems would have to leverage that modern day systems do not is GPS. If your account makes a purchase at a stuffer shack while you are at work that's a very easy to find and flag. If not the account is frozen. Just like debt cards have spending limits today it's likely to think that people would establish levels of security for various amounts of money. 25 neuyen or less might only need a PIN. A car would likely need a retina scan. If you tried to move all your money to an off shore account (and your balance was large enough for them to give two shits about you) they might even have an operator confirm via some manner of real-time person-to-person check-up.

The problem is once you have the comlink you can bypass most of the protections. How does the person transmit the data? Through their comlink. What encrypts the data? Their comlink. If you or your agent owns the comlink then you can use their account to buy whatever and even say "Yes, this is me spending the money." when the fraud people call you up to ask if its you.

So long as stuff can be bought over the matrix then the hacker can drain your bank account if e gets your comlink. Hell, you can do it with their fridge. Just hack the fridge and have it order some caviar or whatever else from Random Foods XYZ which is nothing more than a front for you to transfer money to.


Think of it this way: If someone got physical access to your computer and uploaded spy ware, a trogan, and a few other malicious programs while replacing your anti virus ware with stuff that loosk exactly the same but doesn't report the viruses could someone else drain your bank account?

You spoof yourself with an agent into their commlink and start doing purchases from your five minute dummy companies. You keep each purchase under 40 nuyen for once a month all you have to do then is simply expand the business and once a month change the name of the company. All fine until the law of probability of being caught with every purchase increases.

Of course for a simple smash and grab this is probably faster and easier. Sit at a cafe somewhere and deduct from everyone's account in a fifty yard range 1,000 to a Medellin bank account and then transfer it in discrete sums to other accounts. 40,000 nuyen for fifteen minutes of work.

But I view Shadowrun as being Hollywood and what I outlined above does nto make good cinema.

-Chrysalis

But on the other thread you are saying agents arn't everywhere, whereas here you have them operating as the borg reviewing every transaction. A couple of agents buddying up will either make it so you crash the node as soon as you log in on 'lightweight nodes' or find you very quickly on high rating nodes, and is really a natural upshot of a million billion agents running around with 'analyze' reviewing everything

The problem isn't emptying the account, it's doing it in such a way that it's untraceable. Sure, you can move the funds; but where will you move it to? If you move it into one of your personal accounts, the switch will be noticed and traced. If you move it to a certified stick, that stick can be flagged and send out an alarm the next time it's used.

You can launder the money, but that involves a lot of time and effort. And it's probably not worth it for the sums you'd get from Joe Wageslave. Running the shadows is more dangerous, but it's also less boring.

This is another area where if you thing about it too hard your head will explode. The rules just don't make sense and hence they can't be expected to work. I'd stick to "no you can't do that. Here's a cookie."

First off I'm not trying to illustrate an undefeatable system, just one that the players and GM can suspend disbelief. Second off you didn't tippy failed to get my basic point. That point is that you can have security measures not on the account holders comlink, but on the other end. For the Retina scan for the new car you are using the dealer's scanner. The PIN shouldn't be stored in the comlink(that's kind of the point). Needing physical locations for these kinds of checks actually means that you have location in your game. I think that's a good thing. There is also the GPS issue. There is also the customer profiling. Just like RL Identity theft is crazy easy. Getting with it is the only challenge. 2070 gives you the tools to create a setting where getting away with this kind of crime isn't trivial and that is all you really need to do. If you make it hard enough to do then it won't be common. Yes your PCs could still likely get away with it. That really isn't an issue though because shadowrunning has really piss poor risk to reward ratio as it is, and if the characters are the kind of people who would rather grind out a living by hacking refrigerators than running your campaign has issues. All you have to do make it identity theft hard enough to get away with(not commit) that the people at your table can buy that it is rare enough that people have confidence in on-line business.

Hello even a SINless 400bp character should have the capacity basically declare that they are making some money on the side. A mage with heal and first aid should be able to claim real income as a street doc. A rigger should be able to getting money, rep, and/or favors being a gang's mechanic. Don't even get me started on what a face should be able to make as a dealer of various stripes. If you like this in your game let your deckers bleed accounts from 'fridges, while the Sammies work security at trog rock gigs, and magicians patch up the SINless.

The problem is that once you own the comlink any code the legitimate user enters is captured by the comlink and can be replayed later by the hacker. If you use a 3rd party to enter it then you have the problem that by hacking a stuffer shack register you can do the same thing.

"no you can't do that. Here's a cookie."

The 'reasonably strong agents' theory doesn't work to badly actually. If you assume that the credit card companies are data mining their own databases looking for fraud you can run it like today where you can buy some shit, but the CC companies will be along shortly to check out the mailing addresses etc you supplied, so buying DL-able content etc is probably a good idea, rather than physical goods you have to show up somewhere to collect.

Its what I do, combined with a ban on agents operating outside of their own computers it works okay. Conceptually data gets uploaded to servers with IC running data search etc. I give people longer if they follow the buying pattern of the owner, and less times if they don't. So jacking a 12 year olds cred stick and buying a 'Certified Explosives Expert Activesoft' off globaljihad.com might get your freshly stolen commlink/code locked straight up, but if you download 'My Little Pony' AR themes off hasbro.com, maybe no-one will notice, ever.

I took the liberty of writing down a whole lot of the files you could steal in the Shadowrun Sega game (An awesome play for anyone who hasn't already). Depending on what kind of DS node you rob, you can give them different names of data chunks they get. I base a lot of my 'Matrix Crawling' off that game. Anyway, here is my list of Datastores and what is in them:

-Systems files Datastore: System Activity Logs, Routing Requests, Access Request Log, System Usage Reports, Project Requisition Files.

-Project Files Datastore: Open Project Data, Project Utilities, Project Requisition, Closed Project Data, Project Expense Report.

-Outdated Files Datastore: History Data, Archived Files, Back Up Files, Canceled Accounts, Canceled Passwords.

-Security Files Datastore: Equipment Permits, Lone Star Reports, Security Records, Contact Dossiers, Camera Data, Knight Errant Reports, Surveillance Data.

-Management Datastore: Corporate Profile, Bank Account Numbers, Employee Scheduling, Personnel Dossiers, Client Information.

-Financial Datastore: Corporate Account, Capital Expenditures, Local Accounts, Bank Account Numbers, Accounts Abroad.

-Case Files Datastore: Outstanding Warrents (Never got any others on this one, will edit if I ever take the time to)

-Confidential Datastore: Blackmail Information, Strike Team Orders, ShadowrunInformation, Prototype Blueprint, Long Range Goals.

-Competition Datastore: Competitor Profiles, Competitor Security, Competitor Budgets, Competitor Marketing

-Legal Files Datastore: Pending Lawsuits (Never got any others on this one, will edit if I ever take the time to)

-Simsense Files Datastore: Educational Data, Entertainment Data, Experimental Data, Toxic Data, BTL Data.

Note that this list is probably a little less then half incomplete. I just got bored one night and sat documenting system maps (Which make for dandy system guides when I am pressed to make one up) as well as downloading data and documenting it all so I could tell my deckers the cool shit they are finding. Let em download as many Megapulses as they can hold, then give them some random amount depending on how gnarly the system was and a couple rolls of the dice. They will burst their little minds wondering if they should dump more of their Equipment Permit data in favor of more Bank Account Number data. If they get too crazy about doing it too much just roll your dice behind your screen and sigh and say 'This data is useless!'. Finding a fence should be a tough thing to do, make sure he screws the PC at least some of the time. No hard working Decker wouldn't...

Can you order stuff over the matrix in SR 4? Yes. How is the information for payment sent? By your comlink.

Yes, if I was at the rental place in person I may have to run my finger print. But what about when I rent my car over the matrix? I need to use the finger print scanner built into my comlink? Ok. Now that finger print has gone through my comlink and the agent has a copy of it. Which it can supply anytime said ID is needed.

It could be that the hardware produces a time sensative hash function with a key provide by the authenticate agency, and that is a hardwired function of specially engineered fingerprint scanners - and thus unhackable but this is getting to the point of retarded.

The hacker has broken into Jimmy's commlink and after looking through his files sends him a personal message from another commlink:

"Hi Jimmy, my name is Darla and I think you are cute. I saw your profile on nerdzprofiled.com and I wanted just to invite you to my own personal PAN. Just sign yourself up to intrepid-dating.com add your personal details and maybe we can then do more than swap pictures . See you later. Darla."

Any computer system no matter how advanced is only as strong as every link of those who control it. Humans can be manipulated, cajoled, extorted, and talked into doing things. This is called social engineering. The above example is of phishing.


Tusker is in the back of Dante's enjoying a well earned tinkle, when he notices that someone has carelessly forgotten their credstick there. Being a finders keepers kind of troll, he goes back to the bar and orders a beer on the loser who lost the credstick. Unknown to him the credstick once in the system took a photograph of the system from the inside and sent it to the hacker several hundred miles away. She now could develop an exploit. Tusker got a beer.

The above is an example of a road apple.


You can also run honey traps (takes time), pretexting, phishing, gimmes, road apples, and quid pro quos.

I read yesterday that a net security manager tested how easy it would be to plant spyware and keyloggers in the syste of a credit card firm by "losing" 20 to 30 USB sticks with a spy program on them on their parking lot. I think 11 were used, allowing the program to install itself.
That could be some security measure to prevent credstick theft - hidden agent in the commlink that always sends a call "home" when the commlink is used for a transaction.

@Tippy, you have this belief that a hacker can make a comlink do anything that a legit user can, therefor a good hacker can clean out anyone with stock comlink. Yes you are right if you can order things on-line a hacker can get your money no if's and's or but's about it. Can you order stuff over the matrix in SR 4? Yes. Therefor that system hasn't crash because people get there bank accounts cleaned out the second they order something. I acknowledged your point in my first post and move the discussion to a broader level to explain why that fact doesn't mean that e-commerce has totally collapsed. I offered sever checks that are admittedly not perfect, but raise the difficulty of such crime. I feel that it raises the difficulty of profiting (not committing) such crimes enough that it isn't hard for players to believe that the system works well enough. If you care to discuss my actual position I'd love to hear from you.
Quick recap:
-agents do automated fraud detection
-verification from real people
-verification from 3rd party devices
-verification of purchases point and account holder via GPS.

If you can believe that these check work well enough to scare off two-bit deckers your game world is fine.

Two things:

1) Remember that in Shadowrun, the persona goes on the node he wants to act. So even if Joe has a low-end commlink, his persona will be on the super-secure bank node when he'll use his bank services.

2) This reminds me of the "hacking" video game Uplink. Once you were good enough, you could easily hack bank accounts. But your connection was tracked back to you in a matter of seconds and if you didn't make sure to remove the trail, you'd get caught very quickly.

hey sorry I missed this post.


I'm not sure what comment of mine you are referencing here, but if you are talking about the AR vs. Hotsim thread, I never said anything about agents not being everywhere. All I said was that sometimes deckers need to sneak to get the job done and that 1 guy with a slightly larger dice pool is a better bet than ton of agents with a slightly lower dice pool.

About where the fraud detection happens, the whole point is that it doesn't happen on user's comlink, the bank as a agent that check your ever transaction request to see if has the right authentication(ie correct PIN), and isn't obviously fake (order is in Sri Lanka, account holder in L.A.) and is small enough that it doesn't need escalation for approval (You want to move all your money in all your accounts to the Cayman Islands? Hold on while I get a human). They also comb the bank's records of your transactions looking for that 12 year old ordering truck loads of fertilizer. Honestly I don't think it's that big a deal data wise to have an agent look at every transaction made. 1 agent can look at 180 transactions a minute. That's a whole lot. That one agent could likely be looking after 5000 people at the same time, and still have the idea cycles to do more long term analysis. And yes I'm totally breaking RAW and saying that banks have computers that can have more than 12 simultaneous users programs running at the same time(forgive me if I got the number of apps wrong, I don't actually use the matrix rules).

And again I'm almost in kzt's camp. I like to sugar coat my cookies with a little justification.

Well

I currently work in a bank, and part of my remit involves dealing with online fraud, identity theft and a whole raft of other issues that come about due to online banking.

I'll tell you one thing, the banks long since realized that it is impossible to protect the user. With current technology, next generation viruses and assorted other things that most of Joe Public have never even heard of, your PC can be hacked, controlled etc etc from afar, and your bank account drained.

So what do the banks do, well they look at the other end of the process, the bit they can control. Their own systems. More fraud is prevented through the use of sophisticated checking technology now, than is prevented by sophisticated Anti-Virus stuff. More viruses/trojans etc are released per week than the AV companies can deal with.

So, rather than stopping the customer from being hacked and having their identity stolen, the banks work on protecting the money they hold, making checks on the receiving account and checking for links with the hacked accounts holder. Fraud still happens, banks aren't perfect, but the amount stolen goes up and down a lot, as the banks develop new systems, new processes, which the fraudsters then have to work out how to bypass.

One thing worth remembering, the job of bank security is not to make the bank impregnable to attack (it costs too much to do that, in both cash and customers), but rather to make it more expensive to attack them than some other less secure bank.

You only win as a fraudster if you manage to get away with the money. The banks are getting to the point where they assume that a user will be 'hacked' and proceed to build security accordingly

If a hacker or agent has an admin account then he can do anything the legit user can do. That is a non negotiable fact of RAW. If data is sent through a comlink then it can be altered, copied, saved, or otherwise utilized. Really, to get money from people's accounts is dirt simple.

Step 1: Hack admin access on a comlink.
Step 2: Upload an agent with control over said admin account and a good stealth and edit program.
Step 3: Have the agent act as a filter. Anything and everything sent to or from that comlink is routed through the agent.
Step 4: Have the agent sign the legit user up for some matrix subscription for 25 per month.
Step 5: Have the agent alter any bank account information sent to the comlink so that the 25 is removed.
Step 6: Have the agent alter any "Yes that is my bill" statements from the user to add in the 25 charge.
Step 7: Have the agent selectively edit any conversations that occur over the comlink so that both parties hear what you want them to hear.

Now do that to a thousand comlinks. Thats 25,000 per month. Do it to four thousand people and you are making a hundred thousand per month, thats a luxury life style.

And its child's play for most PC hackers. The harder part is laundering the money. You need a bank contact to really do that right, or be able to hack a banks systems.

It's possible, but it's much more difficult than "I own his commlink lol".

Joe's commlink is incredibly easy to exploit, yes. If you want to pull off wiping any significant amount of Nuyen from his account, you're not hacking his commlink anymore. You're hacking his bank, a secure financial institution.

So you want Joe to pay for your coffee? That's under 5000 Nuyen, so it will only require a PIN code, and breaking the Default R5 Encryption on his account access. Once you break the encryption, you have to authorize the transaction by sending the PIN/Alphanumeric Code to the bank account to verify the transaction. If you don't know the PIN and don't edit his AR/wrist display, then he will suddenly see "Double Mocha-latte-soya-chino with extra soy-whip, 7:nuyen: AUTHORIZE? _ _ _ _ _" pop up. Oops. Let's try that again.

You'll need to use a sniffer program (basically a keylogger for this purpose), and you'll need to wait for him to authorize the transaction of his own coffee to get his PIN code. Then, when you want to use his cred to pay for your soykaf, then you have to edit his display so he doesn't know he's authorizing, and then send his PIN to the bank, who then send the money to the cafe's e-register.

No problem, really. But not as easy as people seem to think.

The more money you want to steal, the more complicated it gets. If you require a retinal scan, how are you going to get that, without tricking the guy into authorizing a large sum of money. And unlike the pin, you can't just sniff the retinal image, because the bank actually logs on to his commlink (possibly with an agent) and checks it itself. And that's if Joe has his own retinal scanner built into his comm-link. It's likely that he's authorizing the purchase through that car dealership's desk retinal scanner, that you'd have to also hack.

And what if you don't have Joe's biometrics and you don't want to bother. Surely there's another way? Sure, if you want to get into his account without any of that annoying handshaking, why not just hack the account? OH WAIT. The account is not on the commlink that you have exploited. It's in the r6 (and up, depending on the GM) Bank node. It's guarded by the bank's analyzing, tracing and brain-frying IC, not to mention a complement of security hackers.

Again, if you're a good hacker, you might be able to do it.

This, of course, just covers the process of stealing money from a soft target. It does not cover how you're going to cover any traces you might leave, or how you're going to legitimize those funds for actual use.

Yes, a commlink is weak. Yes, Joe Schmoe isn't that security conscious. But a bank is not weak, and it's in the business of being extremely security conscious. They are a bottle-neck to all but the smallest attempts of financial hacking.

This is why people have bank accounts. They protect people's money.

Well said Sir_Psycho!

Also, if you run an agent, with two programs on someone's commlink, they are slowing it down. And isn't there a threshold for detection? - Meaning that eventually even the sloggiest Firewall will catch up and kick out the hacking party?

I mean, you are also under some kind of time-pressure to do the logging and so on, and if the user doesn't use the codes you need before your trojan is detected, then you got zip other than a call from the users commlink, to his Firewall providers Node, requesting analysis of the detected intrusion and countermeasures to be implemented and distributed to all Firewall users in the next patch.

Now you have to go rewrite your Agent and subscribe to a new provider, cause your serials are now flagged as compromised by hackers.

Of course, the wise hacker knows this and sends his Agent prepped with a throwaway serial, but he still has to spend time setting that up, and changing it when he gets caught to avoid tripping security as soon as it smells his program.

No, the firewall will never catch on. The agent is a legitimate program logged on to a legit account. The stealth is to hide from the user, not the firewall. And as for slowing the comlink down, sure. But how many programs does the average person have actively running at any 1 time?


Hack in as an admin. Create an admin account. Disconnect. Log in on the admin account. Do what you want. The firewall does nothing. You are a legit user as far as it is concerned.


That's when the agent just fries its self and the comlink. And remember, this agent is a legit user with root access. It can call in to base every day for new instructions. Or know that if it gets a call from X then the call is for it and you can upload/alter the instructions that way.

If you hack a person's comlink and set it up right then you can keep said individual in the dark so long as all information is routed through the comlink. And almost all information is routed that way; bank info, purchase history, software alerts and updates, phone calls, mail, etc.

Hacking comlinks for acount codes is incredibly stupid. If you want real money you need to do it in bulk and that's easy to accomplish. All you have to do is go to any mall, enter a popular store, and begin recording traffic between the register and anyone else. Whenever someone walks by the register on the way out their comlink automatically sends the necessary account codes to make the payment. The communication may be encrypted but that doesn't matter becuase once you have it copied you can take it home and decrypt at your leisure. In a popular mall you can collect hundreds of accounts as you pretend to window shop. Once you've got them you don't empty them, that's just stupid. You give them out as gifts, use them as shadow currency, share them with friends, and use them to but cheap stuff in increments so small that no one will bother checking the validity of the purchase.

By the way, you guys are talking a lot about agents. Where do you get them? Do you buy them, or program them yourself? What are their ratings? I don't see any info in the SR4 rulebook about them, so presumably they're in a supplement?

BBB p. 227

Any or all of the above. They're in SR4, just spread out all over the place. The costs to buy are on p321, and the rules for programming them is (mostly) in the back of the Matrix chapter.

Today its very easy to do a single transaction of a few hundred dollars on someone else's account (order a pizza on your buddies credit card and see if they do anything about it, some banks and businesses will, others won't). Look at the number of receipts out there that carry the full credit card number + the signature of someone. Thats why there are the 3 and 4 digit codes on the back, pins and flags set up by the banks. Its a reactive rather than proactive approach. There are several safe guards though, one of my cards limits to $400 a day without calling in first. Whenever I travel with one card I'll get a phone call from the bank within an hour asking if I am traveling (and when I expect to be home) or if its a fraud charge. Some banks more actively screen for fraud than others. Ultimately in the US it the businesses that get burned as both the bank and the person with the account are protected by the government leaving the burden of payment to the stores if fraud occurs.

First off it is really silly to think if a bank wants to know if you've been hacked they would try to contact you on the hacked device. Second even if they do, I really don't think that a rating 3 agent (assuming an "average" comlink) has the Con skill and that is exactly that it would take to fake a realtime verification check, even if hand wave the edit roll. Rolling with the r3 assumption, the comlink can only run 6 programs if the mal-agent is a program, and it needs to load even just one other program at a time that mean wal-ware is tying up a third of your available aps before your system down grades. That's not like hiding a 2 meg process in RL.
An other issue that people have mentioned is actually punishing people trying to get this money. I know were are all in the mode of thinking that the corps don't give a damn about people, and they don't. But the corps do give a damn about people's confidence in the market. That right there is what makes the world go round. Defending the planet's capacity to do biz is the #1 priority of corporate court. Neuyen is largely (if not entirely I forget) electronic, and maintained by the CC. If your action devalue the that they will stop you.

Now here is the thing we are playing a game. What we need is for the world to work(to a point), and the characters to be able to behave logically (to a point) and enact the stories we want them to (to a point). I'll be the first to say the matrix rules are in shambles, I don't even use them at my table. That's why I've largely been sticking to fluff. But I can image a take on 2070 where this kind of crime is common, but not common enough to topple the system. So the world works well enough. And there are any number of things that will make runners way more money than running especially the with the low payouts a lot of people give. So you want to patch the easy criminal money money whole with back story. That handles the problems as I see it.