The commlink is stated to be the hub of your online life. It's how you do your banking, update your facepage, even prove your identity. However, even the best civilian OS and data is looking at about firewall 3 analyse 4 (assuming a top-of-the-range commlink and off-the-shelf OS, plus a pro user suite. Obviously custom gear is going to be better, but how many day-to-day citizens are going to be carrying that?). In RL many people leave their computers and phones on overnight, and it's not unreasonable to assume that the trend has continued in the sixth world.

So what's to stop you parking your van outside of a middle class household and setting your pocket hacker to work making itself an admin account in the householder's 'link while they sleep (Or if they're not running top of the range gear you could even have it hack on the fly when they're across the street from your cafe. analyse 2 and firewall 2 is unlikely to notice the intrusion of even a pocket hacker unless they're unusually lucky or you're unusually unlucky, and with a few upgrades the odds are even further in your favor). Once you have an admin account, authorized a money transfer to a temporary account which then gets picked up by your friendly neighborhood money launderer for 30%.

Obviously not every runner is going to be happy robbing the working classes of their life savings, and once in a while you'll find someone security conscious enough to have set their commlink to powercycle on the hour every hour (which leaves hacking on the fly as your only way in, and a pocket hacker isn't really ideal for getting past higher level security like that).

Thoughts?

Those same people aren't going to HAVE a lot in their accounts, for you to steal. Thus, it is (or shuld be) a sideline to a runner's "real job".

(But the option should be considered a cautionary tale for GMs that tend to be stingy with payouts ...)

There's your reputation to deal with. How are Johnsons and other shadowrunners gonna feel about a hacker who spends his/her time robbing the common wageslave? Even such a hacker might be the laughingstock of the community by wasting his time on such rather soft targets.

And as Pax said, those people aren't likely to have a lot in their accounts. Is such nuyen worth the risk of a hacker's bleeding edge commlink & software? Even if it's laundered the nuyen is still going to have a data trail. Maybe very difficult, but not entirely impossible to track down, and all it takes is one FUBR to ruin it all.

That's why I said a pocket hacker. it's an agent program that costs a touch under five grand and can be told to go hack people for your non-hacker character. it's not particularly good and it's dead if they have some active IC, but still...

I want you to download Uplink: Hacker Elite (if you don't already have it), and try to hack a bank without using InterNIC as a bounce.

Good luck with that.

In my book any transfer above everyday merchandise (like 1000¥) or an alloted daily withdrawal limit would request an authorisation from the bank account, like a pin code/ generated authentication number or a biometric scan.
Banks while maybe not giving two shits about their customers realise that e-theft is bad for biz and would implement cheap but fairly secure roadblocks, heck they do that today

But thats just my two cents

Edit: Just an example, for my online games I got an physical authenticator. It's the size of my thumb, has batteries that last a lifetime, cost about 5$ to make and makes hacking a total bother.
The way that it works is that it's linked to the account via a serial number that serial number serves as a quickhand for the algorithm that it uses to create codes, each time you press the button it generates an 8 digit code that is functional for one minute, after use the code is defunct. What that means is that unless they get access to the physical device it's gonna be a total pain in the arse to crack (not impossible, just way beyond cost effective). There's a good reason banks use them aswell

And that's why I start threads like this: so that people who actually think things through can poke holes in my ideas before I implement them... thus letting me make bigger, better mistakes later!

If cleaning out bank accounts was easy why would anyone ever risk their neck on a run?

Because clearing out bank accounts is probably going to call down more heat in the long run? After all, going after the hacker who stole old Granny Johnson's pension is going to be VERY good press and is probably not going to rack up your medical bills as a security corp, where as tracking down some shadowrunners who officially didn't break into a facility that doesn't exist and stole a prototype that never was isn't going to get much public support (cos you can't tell them without risking your contract) and is likely to get some of your guys shot.

I'd call doing this a good way to handwave a hacker getting Cash for Karma, honestly. You're not gonna be able to steal much unless you, yourself, are a hacker rocking six-rated programs and can park in a residential neighborhood in Hot Sim VR and brute-force every Rating < 3 commlink you can find; and even then, if you get a lot, various checks and balances against you doing exactly what you propose to do are going to mean your options for using the money are going to be limited to "right now" and require laundering such that the datatrail stops with someone that ZOG can't just demand the records from. Which, of course, means filtering it through organized crime, and they're gonna want a cut which is likely to be 50% or greater.

Don't forget that the 6th world is saturated with wireless nodes. When you're just doing a general scan for every rating < 3 thing you can find, you'll pick up tons of random stuff to sift through.

I think you might want to look at setting that pocket hacker up to Mass Probe (unwired p 99). That should get you admin access to around 200 nodes in a month, of which you at least should be able to make rent, even when unlucky with which ones you hit.

Just use the "spoof lifestyle" rules for it ^^


That's why you use the degrading dice ppol rules - then your pocket hacker won't hack anything.

Also, if the average wage slave is anything like the average person today, they don't actually have all that much money. What they have is credit and debt. They work to pay the interest on the debt they incurred to get the stuff they want. So at best, you would be hacking their credit account and credit card companies tend to take that sort of thing pretty seriously. Not to mention the itemized data trail of what you bought with the credit, daily credit limits, etc, etc, etc.
I'm not saying you can't do it but much like stealing cars for a living, it isn't really a shadowrun thing to do. The hassle and the actual payout should be less than what you make running otherwise the game would be cartheftrun or creditcardrun.

And indeed, if you want to do non-shadowrunny illegal things to make a living, other threads have explored that option thoroughly. I won't go over the details for fear of starting the arguments again, but stuff like chemistry can mass-produce items with a high street value.

Which, like Mantis alluded to above, makes the game ChemistRun rather than Shadowrun.

At least until you have to start breaking bad just to turn your profit. Then it turns into Shadowrun: Fun with Chemistry.

*shrug* Sounds boring to me.

Welcome to one of the fundamental problems of the Matrix: Hackers should have a reasonable probability to get into an R. 4 security cam, but the average personal commlink has a far laxer security...

A houserule I'm currently tinkering with is to let devices block everything coming from the outside, which translates into +X (yet undetermined) on the Firewall. The average private commlink has no need for external access, therefore can claim this bonus. A security cam or corporate system needs to be accessed remotely, which also makes it easier (or rather, not more complicated) for hackers.

Or just requiring transactions above 10nY to confirm with a biometric scan on the comlink.

Which can be bypassed if the hacker first edits the bit of code of the requirement to make it think it got the biometric scan for the transaction when in actuality it didn't (though, assuming said hacker finds or thinks to look for such code first).

In "Anatomy Of A Shadowrun", a hacker edited a program that monitored for blowing dust and patterns in a security camera so that they could feed it a looped video without setting off an alert; a simple edit of a true/false statement so it was always true/true.

Well, if you can hack the node this bit of code is on, you deserve the money ... have a look at Unwired, p. 78/79: "Zurich Orbital Terrestrial Substation".

Just wait for the next time the user makes a scan, record the biometrics, problem solved. And in either case, it does not protect sensitive data on the device.

So to make any transaction larger than 10 you have to walk to into a Zurich Orbital bank and put your thumbprint on a machine?

Yeah, somehow I think ZOG would suddenly become the least popular bank in the world.



You're hacking the guy's commlink. It's only going to be like, Rating 3, 4 at the most, if he's an average joe schmoe. You can make the commlink believe it has received the biometric authorization.

You can use an AI to hack. Don't you think the bank will have an AI that would notice the weird account-emptying behavior? You had better hope that your security is strong. They might quickly find out where you're parked.

Probably it sends the biometrics from him to the bank's nexus to ask "Hey, does this match what's on file?". It would still be easy, but the process would be more like "send the same biometric data you sent last time, with the following changes..." (changes in the metadata, i.e. time, location and the like).

It helps to have someone else - preferably a few someone elses, at least an Agent - ready to throw Spoofs up if you start getting traced.




At the very worst, you'd have to program the node to carbon-copy you the information it sends, so you can send it again later, so you can grab the info the schlub uses the next time he does an actual transaction.

So basically with the mechanics that exist in the game this is a viable option for earning extra nuyen. If the hacker sets it all up right he can pull this off with little work and little chance of getting caught, unless he uses the same technique over and over at which time people would start making changes in the actual transaction system or how you can withdraw nuyen or move it around.

However such a character is more a vanilla criminal and not so much a shadowrunner. If your character wanted to steal money from common people he could have easily become a banker (some offense intended) or worked for a corporation instead of risking getting fried by black IC every couple of weeks as a runner.

Unlikely. The sheer number of Joe Generic Wageslaves in the world would make such a "constant scrutiny" approach to security rather expensive. And none of those low-roller wageslaves are WORTH that kind of scrutiny.

Also, if that level of scrutiny was applied even to Joe Wageslave ... it'd also get applied to Joe Shadowrunner, too. Which would pretty much put the kibosh on the entire game, right there.

Easy way to bypass all the security discussed in this thread:

Sit in a busy location.
Hack every comlink.
Have said comlink authorize a 5 deposit to your offshore account.

Figure it takes 10 seconds to hack each one and that you can only hack one at a time (these are reasonable assumptions, given the game*).

In 8 hours you've made 14,400

I don't know about you, but a wage of $1800 an hour doesn't sound too bad. And each account was only deducted by $5, and can easily be disguised as a coffee purchase or a slice of pizza at that streetside food vendor.

*A 10 second hack is about par for the system for hacking on the fly, and honestly, if you look closely you might even determine that the duration is even lower. Only one at a time means we aren't using an agent. Finding a location where almost 3000 people walk by every day? Trivial.

No.

Buy a Novatech Airwave (R3 Si3; 1,250¥), running the Mangadyne Deva OS (F2 Sy3; 800¥). Upload a cracked Pocket Hacker to the commlink.

Then buy a roll of gecko tape, and use a 4cmx4cm square of it to stick said commlink to the underside of a table or chair, in that busy area.

Then walk away and do not ever return to retrieve that commlink. Once you've collected your money, you're going to push it all through a one-time credit account (Unwired, p93; costs 10% of the deposit amount), leaving you with 12,960 nuyen.

Yes, you're writing off about 2,100¥ of gear. But, even if you assume a fairly-steep 50% laundering fee (I call that steep because you've already reasonably-anonymised the funds by using a one-time account), you're grossing about 6,500¥. So your profits are over 200%, at 4,400Ñ.

Per day. For functionally zero risk, if you don't run the scam too often. Twice a month would support a Middle lifestyle, with plenty of cash left over ...

I was ignoring steps such as this.

But yes.

That sounds suspiciously like a "Spoofing a Lifestyle" roll..

The trouble with these two theories is that they require that these commlinks and these hacks go unnoticed for a long period of time, but this is not necessarily so.

If the commlink is operating in Hidden mode, it could be detected by anyone searching for hidden nodes. If the commlink is in Public mode, then it will not take long before an unattended commlink is detected. Additionally there is the risk of accidentally trying to hack a security conscious passerby (if only their throwaway secondary commlink) every now and then.

I kinda consider such skimming tactics to be the mechanics behind Spoofing a lifestyle personally, and prefer the gains from such activities to be abstracted under such rules, but YMMV.

Of course not. But if you only need it to work for eight hours ... *shrug* ... that's not all THAT terribly long a time.


Eh. Any hacker worth the name will have scouted the area, and know the frequency (and maybe pattern) of "sweep for hidden nodes" efforts if any. Keep in mind, we may be talking about the commlink being taped to the bottom of a chair or table in a sidewalk cafe, in the middle of Times Square, hacking the commlinks of pedestrian passers-by.

It's not guaranteed to escape notice, but, it probably will do so, anyway.

Alternately? Use an LTA drone, with a higher Signal rating. One that is, in fact, also a legitimate advertising node, hovering over a busy pedestrian thoroughfare broadcasting advertisements for the latest "mal;e enhancers" or whatever (potential bonus: score some REAL advertising money on the side). The nice, legit, spamvertisig node? Is also where your Pocket Hacker agent is sitting.

Add a holographic projector to put screamingly-obvious "lookit me I'm a marketing venue" holo-billboards around the drone, too. Hide in plain sight.

...

Memo to me: must remember that trick for future Rigger builds. ^_^


Yes and no.

If done on a regular basis, with the motivation of "I want to pay my rent with this money", then you're right.

But if done as a one-off, a "we need some extra cash before our next run" effort? Then it's not spoofing a lifestyle, because the cash is almost certainly going elsewhere than rent, food, etc.

...

Also, it's useful to have the math worked out this way, so that a GM who is being overly stingy can have this fact pointed out to them in the clearest possible manner: "Nah, I give a pass on the run. Not stickin' my neck out that far for only five hundred nuyen, no way! Instead, I'll head down to the local mall and <insert scam description here>. Just buying successes to cut throught he die rolls, I figure on average I should clear <insert much higher sum here> ... for less than one-TENTH of the risk. ..... oh, and I can do this next time, too, if the Johnson tries to low-ball is that bad again."

IOW, "why should we do shadowruns for peanuts, when we can [mug people / steal cars / hack commlinks / etc] for ten times the money and half the risk?"

1. It's very likley the banking operations aren't done on the user's commlink node but on the bank's node. The commlink just send the authentication data, which might be some biometric data or other form of authentication that requires user input. You can hack that authentication, but you'll be up against the bank's system rather than the commlink's.

2. The Matrix is not exactly safe. Everyone who does buisiness over the Matrix is aware of this. Therefore, they probably have some security to avoid having too many problems. If you just steal a little every day, you can probably stay under the radar. If you want to do this, just follow the rules to spoof a lifestyle. If you steal more (even if it's stealing 1 nuyen many times), you'll probably attract some attention. And banks will jump on the occasion to make an example out of you and show everyone else you don't fuck with them.

3. Nuyen is an electronic currency. Which means that each nuyen can be traced down. If the user discovers that a hacker has stolen some nuyens, he'll call his bank, and the nuyens that were stolen will be flagged as such. There might be ways to launder it, but you'll lose a lot in the process.

And once you have rooted the target's commlink you can just wait until he provides that authentification information, record it, and from then on use it at will. Or change the destination account behind the user's back, which is how IRL trojans bypass even TAN checks.

I seem to remember it being mentioned somewhere that there are still paper currencies (Corp script ect). Convert nuyen into paper (at a loss for conversion costs), put those in circulation (hopefully getting some different ones back) then convert them back again, losing a bit more in the process. Boom, the specific nuyen that was being tracked is no longer attached to you. Of course you also have to effectively scratch a fake SIN and a tube of nanopaste if you want it to have any real effect at making you harder to track down... though if you can find a scapegoat and disguise yourself as them when you do the initial pickup that'll help immensely.

So let's agree that it's possible, carries some risk if you're not careful, and is generally not going to be a shadowrunner's first port of call for cash unless they're on a job and find themselves in need of some liquid assets in a hurry.

Hang on, did I just ask for people to agree on the internet? I must be losing my mind.

Unless the authentification information is a 2-step method generated from an external unit (that uses a dynamically changing algorithm) combined with biometrics.
A quick example: scan your fingerprint on the passkey plugged into your comlink, which generates a unique code, which is sent to the bank. Now you get a message to press button X on the passkey which generates the matching confirmation sequence for the transaction.

For the cost: A standard passkey costs 100¥ and a biometric scanner costs 200¥ - and it is likely that these things will be provided by the bank (and is included in the fee for account managing).

Let's assume that having rooted the target's commlink you can to the Intercept Traffic action without having to decrypt the encoding first. It's still not certain that you can use a recorded transaction to fake a new transaction. At least IRL it's not always the case. This is part of the things that should have been explained about the SR4 Matrix but that are left to GM's whim.

Anyway, it is possible that you can easily get the commlink to transfer money after hacking it, but my point is that it's not without risks. It's the same situation as the team infiltrator using his palming skills to steal jewelry, the face using his social abilities to run a scam and things like that.

The way I see it there are three ways to handle that kind of things:
1. You can do it, you do a check every month and you get x nuyens * net hits nuyens off your lifestyle. You run the Shadows for something else than money, or because you want more money.
2. You can do it, but running the Shadows bring you enough money so you don't need to.
3. You can do it, but there's a risk of getting caught in the long run, either by the authorities or by other people who "control" that kind of business and want a cut. So runnning the Shadows is a better option.

All can be correct, depending on the world the PC live in.

... and the systems necessary for a commlink or nexus to READ that passkey cost 15,000¥. That's right, fifteen thousand. That should be well outside the reach of "Joe Wageslave" - honestly, it's probably an entire year's salary for him.

Puts that idea in perspective, doesn't it?

(I know this off-hand, because I actually DID install that system into my hacker-adept's commlink. Because he really is that bloody paranoid about computer security.)





If this is held to be true, then the first time you runt he shadows .... you're fucked. The very moment you get paid, in fact. And so is your fixer, and also the Johnson who hired you.

Because if Joe Wageslave's 5¥ can be tracked that accurately, and despite laundering the funds through the local organised crime syndicate ... then what makes you think that Jimmy Shadowrunner (the guy who commits murder, arson, kidnapping, and maybe even rap for hire on semiregular basis) is going to not have his 5,000¥ traced with exactly the same speed and precision?




This whole scenario simply illustrates that SR's entire financial system has to firmly grasp the Idiot Ball (<--- tvtropes link, YOU HAVE BEEN WARNED), or else the entire house of cards that permits the game to happen in the first place, comes crashing down around our ears.

Please note that a passkey is also an authentification method for remote access, like the access to your online bank account - the bank needs the passkey system, not "Joe Wageslave".
Please read UW, p. 64 for more details ^^

That's why you don't get paid with direct money transfer, but use methods that exist for the purpose of making the transfer untraceable, such as a certified credstick.
So sure, you can get Joe Wageslave's commlink to ask his bank to create a certified credstick with 5 nuyens on it, but the logistics get a bit complicated when you need to pick up a thousands of credsticks. I guess there are other easier ways to convert the traceable nuyens into untraceable money, but you'll lose a share of the money (around 20% based on today's costs) in the process.

http://www.youtube.com/watch?v=MyqpbdCKoMo

Ah-hahahahahahahahaaah.

That's a good one.


Truely, rapping for hire is one of the most heinous crimes a Shadowrunner can perpetrate.

Shove it into a credstick. All back-tracing information is lost.

Indeed...

That is because IRL we have crypto systems by which two sides can establish that their counterpart knows a shared secret (like a fingerprint, or the key embedded in those electronic tokens), but the actual secret cannot be derived from the communication in realistic time. In Shadowrun on the other hand, encryption is fundamentally broken (and that is stated quite clearly), and by extension all other crypto techniques went down with it. This does not just follow from mathematic theory but also from simple gameplay logic -- if secureID tokens would work in the setting we'd be back at practically unbreakable encryption, which makes poor fun.

So any additional authentication at worst makes the hacker roll Decrypt once against the strength of the Encrypt program on the commlink/peripheral device...

Yeah, either the security measures are unbreakable (real life) or they're unsecurable (gameworld).

I think one-time pads still work, but evidently they're so much of a hassle that nobody ever bothered to install such a system on the THOR shot satellites.

That, or that run wasn't just a hack, but they actually broke into AZT's main base to crack the safe with the launch codes in it...

Or AZT were gigantic knobs and kept their earthside one-time pads on a system connected to the 'trix - or, somehow, the runners hacked the satellite and got into its pads to send them back to itself.

Haven't you heard? Everything is wireless.