OneTrikPony
May 31 2007, 04:19 AM
| QUOTE (WearzManySkins) |
If you can upgrade the abilities of a comm link, what it has about your profiles can be "upgraded" too.
That is where a Fake SIN comes in, the information from the Fake SIN is in your comm link's profile. Have multiple fake SINs? Then you can have multiple profiles in your comm link.
As for your profiles being in an off-the-comm-link database, again due to the porous nature of the Matrix, that too can be changed to match your fake SIN. |
That's exactly my point. I spent good cred on a fake SIN, I don't want anyone messing with it. I especially don't want anyone messing with it because it's a Fake SIN, that's type F gear, and if someone else has stolen it and shit all over my profile I'm fucked.
I can understand how to Forge a SIN, crack the GSINR, plant the SIN # with the correct biometric data and associated profile (Edit the file date) that data streams out and gets recorded on about a billion other systems. Do the same thing for the National SIN registry of the nation of origin.
Crack several of the big consumer tracking data clearinghouses. Plant the consumer profile (edit the file date) that data streams out to another billion smaller systems.
Crack the Credit bureaus... The data almost instantly spawns in many many other systems.
Walk through a secure area where you have to broadcast your actual SIN# and someone steals it.
Next time you try to cross the Salish border they want to know why you robbed a liquor store in Cheyenne. Because that data was instantly recorded on thousands of systems and there's no way to clean it up.
It's not just a matter of disposing of a gear item I paid thousands of dollars for, it's a matter of getting busted for something I didn't do and then getting busted for all the stuff I have done.
I don't think that shadowrunning is actually possible in the shadowrun setting. This stretches my suspension of disbelief further than almost anything in the setting.
mfb
May 31 2007, 04:25 AM
that's a fault in the description of the verification process. verifying a SIN during a transaction should not be a simple matter of reading a number off your commlink--it should read a number off your commlink, then do a quick fingerprint, voiceprint, or retinal scan and compare that to the physio data stored along with your SIN in all those databases you worked so hard to get your SIN into.
WearzManySkins
May 31 2007, 04:39 AM
OTP,
Most of what you have said is very true, but the Game Designers did not cogitate this issue very thoroughly, they went for the Gee Whiz factor, to me at least.
In SR 4th ed the Matrix is so very porous, unlike the previous versions. Also, to me the concept of pretty much unregulated/uncontrolled AR, i.e. using wireless, is too far out there, again the Gee Whiz factor in Game Design.
But that aside, those are the rules with which we have to play, I have little hope for any changes in the above.
Right as it stands now, your fake SIN, i.e. profile, is fair game for good hackers/TMs. So have more than one fake SIN, change them like your socks.
Yes, I agree it really makes being a Shadowrunner harder to make a believable background. But not impossible.
knasser
May 31 2007, 07:08 AM
There's some defence in the number of rounds it takes to intercept a signal / decrypt a signal vs. the amount of time that it takes to transfer the relevant data. By the time you've got it, it's gone.
Sterling
May 31 2007, 07:26 AM
| QUOTE (WearzManySkins) |
Right as it stands now, your fake SIN, i.e. profile, is fair game for good hackers/TMs. So have more than one fake SIN, change them like your socks. |
QFT. Any time a run goes horribly horribly wrong, or even sort of wrong, or you suspect it's wrong... you ditch your SIN. You buy a new one with a certified credstick (for obvious reasons) that you fenced after buying it with your old SIN. Sure, you might lose 5K in the fencing/laundering fees, but there's no big glowing neon sign that goes 'old busted SIN -> certified Credstick -> new squeaky clean SIN'. Yes, they do know who dumped the cash in that certified credstick if they care to check.
Of course, I am not your GM. Your GM may run things differently. But my players are always ready to drop a few K on a new identity if things start looking bad. Worst case, it's a new face too, but that's not hard. Heck, a latex face mask only costs 800 nuyen.
If you're the rigger who crashed a Wandjina drone loaded with plastic explosives into the Aztechnology Pyramid, and the GM ruled the explosion was in the right place and big enough to knock one of the 4 ton carved quartz blocks loose so it careened down the side of their step pyramid headquarters like a giant square slinky... yeah, it's time for a new SIN.
kzt
May 31 2007, 09:01 AM
| QUOTE (hobgoblin @ May 30 2007, 04:16 PM) |
i don't go around recalling long length, alphanumeric passwords to log into my bank.
so, how does encryption affect that? |
How do you know that you are connecting to your bank and not an imitation that a hacker put together? What gives you any degree of assurance that you are not trusting someone pretending to be your bank so they can steal all your money?
If you transfer $25 to Joe Smith's commlink for some semi-legal stuff, why can't Joe just replay that 500 times to get $12,500? For that matter, what stops the guy down the street with the high-gain directional antenna from doing this?
When you get a phone call from your fixer, how do you know it's the fixer and not Lone Star setting you up?
kzt
May 31 2007, 09:10 AM
| QUOTE (Sterling) |
| But that's the key thing about Shadowrun, that most of the talent that COULD cause havoc and chaos (with their ability to hack what's considered a 'secure' system by the average joe) is locked up under contract to a megacorp. |
So that's why decryption doesn't require any skill rolls, right?
hobgoblin
May 31 2007, 12:50 PM
| QUOTE (kzt) |
| QUOTE (hobgoblin @ May 30 2007, 04:16 PM) | i don't go around recalling long length, alphanumeric passwords to log into my bank.
so, how does encryption affect that? |
How do you know that you are connecting to your bank and not an imitation that a hacker put together? What gives you any degree of assurance that you are not trusting someone pretending to be your bank so they can steal all your money?
If you transfer $25 to Joe Smith's commlink for some semi-legal stuff, why can't Joe just replay that 500 times to get $12,500? For that matter, what stops the guy down the street with the high-gain directional antenna from doing this?
When you get a phone call from your fixer, how do you know it's the fixer and not Lone Star setting you up?
|
when i want to transfer some money today i have to enter 3 pieces of data, 2 are static, but i can change one of them when i want to, and 1 changes each time it's used. none of these are related to encryption.
that's how the bank knows (to their acceptable level of knowledge) that the person doing the accessing of my account, is me. how would that change in SR? there is talk about linked codes, passkeys, and unwired may bring more.
then there is the level of enforcement. something i touched on in my post but seems to be conveniently missing from your quote. how does a real life credit card company or bank handle fraud? how did they do so before the advent of encryption protected online banking?
sure, your example of a replayed transaction holds the clause of semi-legal. but even then there is a system of trust involved. joe has just broken said trust, and if the word spreads, no-one will do business with joe again. that is a system that has existed as long as there have been people.
as for the guy with the high gain antenna. he would have to change some part of the transaction to get the money into an account accessible to himself, or joe would get the money. and if the latter happens, joe better return it or the social trust factor is there again.
as for lone star or fixer, how do you do so today?
what's the chance that somehow lone star has gotten hold of the private key of the fixer for that matter? how do you know that the holder of the key is the correct person? you can add so many checks that you can be fairly sure that only the right person would be able to get past them all. but it's never 100% sure, and no amount of encryption changes that.
DireRadiant
May 31 2007, 02:09 PM
I think the assumption that because something can be done means that it will always be done is incorrect.
Someone can hack my SIN. That doesn't mean they hack my SIN all the time, each and every time.
There are not an unlimited number of hackers out there.
The underlying assumption behind the "Commlinks and wireless and SINs won't work because it's so easy to Hack" scenario is an unlimited supply of hackers. Or at least enough to counter the great unwashed masses who are using the commlink.
The other assumption behind the scenario is that what the PCs can do is what anyone could do. Which fundamentally runs counter to what the game is about.
Sterling
May 31 2007, 04:09 PM
| QUOTE (kzt) |
So that's why decryption doesn't require any skill rolls, right? |
No, decrypting doesn't require a skill roll, but to be in a position for your commlink to go about the processor-intensive activity of decrypting requires skill.
The basic action of decrypting is based on commlink response+decrypt program, as you're aware. This reflects that while the brain is an amazing thing, there are faster ways to submit data in incremental changes (did passcode 00001 work? How about 00002?). To get into a node to gain access to encrypted files? Skill test required, hacking+exploit. To decrypt wireless signals in order to copy/edit/whatever? Response+decrypt once again, but finding the signal requires Electronic warfare+sniffer. Same with intercepting wired traffic between two nodes or users, a hacking+sniffer test is required.
My point was that those with the skills to access and the tech to break the encryption (military data systems, higher level banking institutions, the whole SIN archive) are usually employed by corporations, leaving our Shadowrunners to fill in the cracks and pick up the slack. Any commlink can (given enough time) decrypt a datafile. Getting to that file... there's your skill required. But typical bank use or whatever between legit users, then there's a simple action taken as the proper passcode is exchanged and the decryption takes place.
I doubt you'd want to tackle a high-end system with a low-level commlink with poor response and a mediocre decrypt program. Sure, you can get in the door, but the longer you take decrypting on the fly, the greater the chance you'll be detected by various means. But you won't have any chance of decrypting anything without the skill needed to find and intercept the files/data/wireless signal in the first place.
Now, what about average joe spoofing the 500 nuyen transfer? There's an issue where (even in real life right now) if I go down to the corner store and use my check card to buy a pack of smokes, the cashier has the chance (either unintentionally or deliberately) to ring up a second, identical transaction. Possibly even three, if they were feeling ballsy. So when my statement comes, I could notice and challenge the validity of the transaction. I'd imagine a commlink makes that even easier. If I transfer 500 nuyen to Bob, and I agree to the transaction, he could try to spoof the whole transaction over again. I know that right now every duplicate transaction is assigned a different transaction number in real life, so why would the world of SR4 not be able to generate a random passcode/identifier for each transaction? If you copy and paste the same transaction, the bank would go 'whoa, why did that series of transactions use the exact same identifier over and over?' and bam, red flags go up all over. At the very least, when Bob resubmits the data I'd imagine a secure window pops up asking if I agree to the transfer. "That's odd" I think, "I swear I hit yes before." A quick AR trip to my bank shows I did give Bob 500 nuyen. I decline the second transfer and tell my bank to flag transfers to Bob's account.
I know that even today credit card cloning and fraud are commonplace, and I doubt that in 2070 it's not a problem. I'm not saying you couldn't do some low level fraud and credit spoofing, but I'd imagine there are many checks on the system.
What I'd imagine is a little more feasible is waiting for Jimbob to buy something with his commlink, intercept the data, and then use his identifier to make purchases. That'd be simply intercepting the data, decrypting it, and then recording it before he makes the purchase. Okay, so now we have his data. To use it, we then have to spoof the system with the required checks, which could be easy if it's a pack of smokes, or hard if it's a brand new car (requiring fingerprint, retinal scan, etc). Not easy, but easier than trying to fool the bank into repeat requests. Of course, if you're trying to buy something at the same time Jimbob is, that could cause problems.
My first character in Shadowrun was a decker. But if it was possible, even at the highest levels of skill and ability, to basically make money by spoofing transfer data... once runners reached that 'magic number' why would they ever work again? Fragging with the banks, chummer.. that's the fastest way to get dragged, kicking and screaming from the shadows and thrown into a dimly lit cell. Or end up in the foundation of a new bank, depending.
Moral of the story... buy the best commlink you can to start, then hire the best hacker you can find to write better software for it.
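Added example (editorial, not part of any post in this thread): the replay question kzt raises and the per-transaction identifier Sterling describes, as a toy Python ledger. The `Bank` class, account names and message layout are assumptions made for illustration; the payer authenticates each order with an HMAC under a key shared with the bank, and the bank refuses any transaction id it has already accepted.

```python
import hashlib
import hmac
import json
import secrets


def _mac(key, body):
    # Canonical JSON so payer and bank compute the MAC over identical bytes.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class Bank:
    """Toy ledger: checks the payer's MAC and refuses reused transaction ids."""

    def __init__(self):
        self.keys = {}         # account -> secret shared by account holder and bank
        self.balances = {}     # account -> whole currency units
        self.seen_ids = set()  # every transaction id accepted so far

    def open_account(self, name, balance):
        self.keys[name] = secrets.token_bytes(32)
        self.balances[name] = balance
        return self.keys[name]

    def submit(self, order):
        body, tag = order["body"], order["mac"]
        key = self.keys.get(body["payer"])
        if key is None or body["payee"] not in self.balances:
            return "rejected: unknown account"
        if not hmac.compare_digest(tag, _mac(key, body)):
            return "rejected: bad MAC"      # any altered field lands here
        amount = body["amount"]
        if not isinstance(amount, int) or amount <= 0:
            return "rejected: bad amount"
        if body["txid"] in self.seen_ids:
            return "rejected: replay"       # same signed order presented again
        if self.balances[body["payer"]] < amount:
            return "rejected: insufficient funds"
        self.seen_ids.add(body["txid"])
        self.balances[body["payer"]] -= amount
        self.balances[body["payee"]] += amount
        return "accepted"


def sign_transfer(key, payer, payee, amount):
    # A fresh random txid per order is what makes two genuine payments differ.
    body = {"txid": secrets.token_hex(16), "payer": payer,
            "payee": payee, "amount": amount}
    return {"body": body, "mac": _mac(key, body)}


def demo():
    bank = Bank()
    key = bank.open_account("payer", 1000)   # constructed sample accounts
    bank.open_account("joe", 0)
    bank.open_account("eavesdropper", 0)
    order = sign_transfer(key, "payer", "joe", 25)
    results = [bank.submit(order)]           # the genuine payment
    results.append(bank.submit(order))       # payee resubmits the same order
    redirected = {"body": dict(order["body"], payee="eavesdropper"),
                  "mac": order["mac"]}       # captured order with payee swapped
    results.append(bank.submit(redirected))
    return results, bank.balances
```

The MAC covers the payee and amount as well as the id, so a captured order can neither be resubmitted nor redirected; none of this depends on the channel being encrypted.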
kzt
May 31 2007, 04:21 PM
| QUOTE (hobgoblin) |
as for lone star or fixer, how do you do so today?
what's the chance that somehow lone star has gotten hold of the private key of the fixer for that matter? how do you know that the holder of the key is the correct person? |
Today it's technically very difficult to produce an electronic replica of someone's voice in a call, and impossible to do an electronic replica in a live video stream. It isn't impossible to do this in the world of SR4, it's actually very easy. So all the clues that you might use to passively tell that this is a phony are gone. You instead have only active elements, like some sort of challenge and response, which has to be continually recreated in face-to-face meetings, since it's safe to assume that anyone who cares can listen and watch your previous calls.
This makes it pretty hard to take calls from someone you don't regularly deal with, and makes calls from your teammates kind of odd as you spend the first minute of each call trying to assure each other who is there.
Today getting access to someone's private keys is quite difficult. The only well reported case I can think of involved the FBI implanting a key logger in a mobster's PC via a black bag job.
In SR4 it doesn't take someone taking a big risk by breaking into your house and implanting bugs to do this, but your neighbor's bored 13-year-old kid can do it from their bedroom.
mfb
May 31 2007, 04:34 PM
| QUOTE (hobgoblin) |
| you can add so many checks that you can be fairly sure that only the right person would be able to get past them all. but it's never 100% sure, and no amount of encryption changes that. |
that's true, but it doesn't change the fact that if you can't verify someone's authentication with any degree of accuracy, no one is going to use your service. yes, the human factor means that no level of encryption will ever 100% guarantee protection for your assets. but just because you can't get 100% doesn't mean that 10% or 20% or 50% is as viable as 95% or 99%. there's a threshold of protection below which the usefulness of frequent online financial transactions is outweighed by the risk that those transactions could be hijacked or faked by a third party.
kzt
May 31 2007, 04:53 PM
| QUOTE (hobgoblin) |
that's how the bank knows (to their acceptable level of knowledge) that the person doing the accessing of my account, is me. how would that change in SR? there is talk about linked codes, passkeys, and unwired may bring more.
then there is the level of enforcement. something i touched on in my post but seems to be conveniently missing from your quote. how does a real life credit card company or bank handle fraud? how did they do so before the advent of encryption protected online banking? |
Ok, I'll try your question if you try mine. How do you know that you are talking to your bank when you connect to their web site? If someone spoofed the web site, how would you know that this was the case BEFORE you performed a transaction?
The way that banks protect their customers against fraud varies. For physical checks it relies on you actively pointing out that this is a bad check, since banks will process anything. If you can make a decent case they are likely to credit you back, eventually.
This only works if it's your checks they are faking. If you TAKE a fake check you are screwed, call the cops.
If you take a bogus certified check from Joe and give him merchandise based on it you are screwed. The same thing for regular checks. If you take a bad check from Joe for something and it turns out he stole that check you are screwed, as the bank will take the money back from you.
For credit cards it's based on the fact that you have to have set up a merchant account to submit charges to the bank. The bank has a series of requirements about how you have to go about securing this and it involves various pieces of encryption. Banks stop dealing with people who don't do this and require a pretty good amount of detail to keep you from setting up a totally bogus merchant. However, merchants have no recourse if someone comes in with a fake credit card and buys stuff. The bank will take the money back and the merchant is out the merchandise.
Second, the banks and card processing companies look at your transaction history to see if this makes sense via some simple AI routines. These look for nonsensical transactions (i.e., it's hard to buy a tank of gas in two separate cities 500 miles distant in 5 minutes and have it be valid) and for things out of the ordinary for you as a customer. So if you don't ever buy jewelry with your card (instead buying groceries, beer and gas) the first time you buy a $5,000 ruby necklace it's likely going to draw extra scrutiny.
Lastly, you can protest credit card transactions, assuming you notice them in time. This can require police reports and such if it's more than a trivial case, as the merchant will often try really hard to make you pay.
All the credit card protections are based on the idea that it's good business to provide consumer trust. If there is no incentive (and SR4 is a dystopia) then they don't have to do that. And if you are dealing with Aztechnology bank, there is no law that says they have to do anything for you, as they are the law. What will they choose to do for you?
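Added example (editorial, not part of any post in this thread): the two card-history checks described in the post above, written as simple rules in Python. The `Txn` record, the thresholds (600 mph, ten times the customer's median spend) and the sample coordinates are assumptions chosen for illustration, not any processor's real logic.

```python
import math
import statistics
from dataclasses import dataclass


@dataclass
class Txn:
    ts: float        # seconds since an arbitrary epoch
    lat: float       # merchant location, degrees
    lon: float
    category: str
    amount: float


def miles_between(a, b):
    # Great-circle (haversine) distance in statute miles.
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 3958.8 * math.asin(math.sqrt(h))


def review(history, txn, max_mph=600.0, amount_factor=10.0):
    """Return the reasons a new transaction deserves extra scrutiny."""
    reasons = []
    if not history:
        return reasons            # nothing to compare a first purchase against
    last = history[-1]
    hours = max(abs(txn.ts - last.ts) / 3600.0, 1e-9)
    miles = miles_between(last, txn)
    # Two purchases that no traveller could have made back to back.
    if miles > 1.0 and miles / hours > max_mph:
        reasons.append("impossible travel")
    # Out of the ordinary for this customer: never-seen category, outsized amount.
    if txn.category not in {h.category for h in history}:
        reasons.append("new category")
    if txn.amount > amount_factor * statistics.median(h.amount for h in history):
        reasons.append("unusual amount")
    return reasons


# Constructed sample history: groceries, beer and gas bought in one city.
HOME = (47.61, -122.33)
FAR = (37.77, -122.42)            # roughly 680 miles from HOME
HISTORY = [
    Txn(0, *HOME, "groceries", 60.0),
    Txn(86400, *HOME, "beer", 20.0),
    Txn(172800, *HOME, "gas", 40.0),
]
```

A hit here only queues the transaction for scrutiny; whether the customer is then made whole is the policy question the post ends on.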