QUOTE (almost normal @ Nov 19 2012, 12:53 PM)
And there'd be a log of that particular access ID being the last thing in the node before everything crashed. Quick way to get caught.
Great. A log of an AccessID
that can't be traced anywhere except to an abandoned, black-market commlink.And, here's teh catch: it would only hold the log of that AccessID
deleting itself. BEcause "Everything" includes the Access Log.
(... or if you want to get extra-fancy, you load the Agent with Corrupt, and have it CORRUPT everything, then delete itself - keep in mind, Corrupt can be attached to a file the same was Data Bomb can be, so it can go off
after the Agent has been deleted.)
QUOTE (Eratosthenes @ Nov 19 2012, 12:54 PM)
Hrm, I disagree (though that does not preclude me from being wrong).
Here's something to keep in mind, from SR4A p331:
Credit Account: A credit account is an online banking account
that can be accessed at any time via your commlink. Transactions require
verification such as a passcode, a correct originating access ID
(p. 225), and/or biometric authorization. All transactions are enderNote that one of the possibilities is to require
just that the transaction come from the correct AccessID. You know, like the customer's commlink.
Also note, most commlinks
are not equipped to provide biometric scan data. Which kind of puts the kibosh on "always" for that sort of thing, right there.
QUOTE
An example transaction from Bob to Sally, for $5:
1) Bob tells his commlink to transfer $5 to Sally's commlink.
2) Bob's commlink notifies Sally's commlink that a transfer shall take place. It gives her his banking information, and receives her banking information. Effectively a banking handshake.
3) Bob's commlink notifies his bank (hereforth known as Bank) to transfer funds to Sally's banking information (hereforth known as Recipient).
4) Bank sends a verification ping to Bob's commlink, for a verification passcode, biometric scan, (perhaps parental consent sent to a guardian's 'link), whatever, via encrypted subscription (basic encryption software baked into the banking software the commlink comes with).
4A) Hacker spoofs propr response. You can encrypt it as strongly as you like - you can pop full-blown MilSpec R9999 encryption on it if you like. Since the commlink itself
must be able to understand the message,
IT HAS THE DECRYPTION KEY ... and thus, so does any hacker who has successfully obtained Administrative access.
QUOTE
The handshake, and verification, are nigh instantaneous.
Not if you require data entry by the customer - passcode, biometric scan, etc.
QUOTE
The only reason we forgo needing a signature for credit card purchases for amounts less than $20 today is because it's a hassle for the merchant (cost/benefit/risk analysis).
Um, yes, exactly.
QUOTE
Given the ease of obtaining verification there's no reason to not do it for every transaction. Can the verification be spoofed? Sure. But you're spoofing the bank's system, not the more vulnerable commlink.
Actually, since you "have" the commlink, the odds are very good that there's no spoofing needed. Because 5¥ is almost certainly at a level where the only verifying data needed or asked-for is "has this request come from a device bearing an authorised AccessID?" (See above rules reference.)
Which, given the nature of the hack,
it has.QUOTE
Certainly. I've had a similar situation happen to me. But when you're hacking large numbers of people, some of them quite possibly will notice something funny. Even if only 1% of people pay attention to their spending habits, that's still 1 person out of 100 that'll notice, which may (or may not) invite the banks to investigate for similar behaviors.
Great. At the 14K¥ level, and 5¥ per person, we've hacked ~2800 people. Call it 30 folks who notice "by the end of the day".
First question: how many different banks do those thirty people do business with? (Keep in mind, each Megacorp probably operates a bank or "credit union" for it's employees, and participation in it may be mandatory; even AAs probably do this.)
Second question: how many of those thirty immediately make a fraud report? And how many instead say "that's weird, I'll have to watch and see if it happens again?"
Third question: given the above, and given a habit of running this scam at most every ten days (preferably every fifteen), in different locations and possibly different cities
or even different nations (there's four within reasonable travel distance of Seattle, after all) .... and in light of the destination account changing every time you run the scam, too ... how long will it be before even ONE bank pegs to a pattern at all? And then how long before they share that information with their nominal competitors?
Fourth and final question: how long do you think those Food Courts etc are keeping uneventful video recordings around?
...
Time is the insulating factor here. By the time "the authorities" even realise something has happened, the something is already at least 1 month, and probably 3 months, old. The trail is cold and dead. Impossible to follow, no. Easy (and importantly,
inexpensive) ...? Also no.
QUOTE
If we're talking anecdotes, what about those people who get hacked, and are on a really tight budget? Suddenly they're getting overdraft notices for no reasons, because that $5 charge sent them over the edge. Or their rent check bounced because they had less money than they expected.
Actually, overdrafts are extremely rare in Shadowrun. The rules state that almost all banking transactions are conducted "in real time".
Also, you could simply script the Agent to check someone's balance, and not transfer anything if less than X number of nuyen are there.
QUOTE
All I'm saying, is that if you're hacking one or a handful of people for petty larceny, fine. Large scale? Odds become good that it gets noticed quickly by someone.
And I'm saying, "quickly" for the institutions in question tends to mean "in less than half a year". Especially where each theft is
five measley nuyen. Each incident is "small beans"; the authorities won't mobilise until a pattern is detected, and
that will take significant time.QUOTE
The "deployed commlink auto-hacking and stealing from people around it" bit has numerous problems, off the top of my head. From what happens when it fails a hack-on-the-fly (which will happen), to being detected, to being too-sophisticated for all but the most high-end agents (making it not cost effective), etc. IMO.
Let's say Joe Wageslave is running a Sony Emperor with Renraku Ichi, and a Basic User Suite. That gives him Firewall 2 and Analyze 2. Let's also assume that Joe isn't a total chump, and he didn't disable Analyze. So, great, his 'link is getting 4 dice to detect hack-on-the-fly attempts.
The link I posted upthread? Stats of 3. Stealth 5 (optimised +2), Exploit 5 (optilised +2); it's getting 8 dice against a threshold (for an Admin account) of 8; meanwhile, the target link has a threshold of 8 to detect the attempt. (Possibly more if there are appropriate autosofts.)
Which link do you think will reach that threshold first - the one with 4 dice, or the one with 8? I dunno about you, but
my money's on the 8 die pool. Yes, it may fail occasionally - but not vry often, and even then, the physical link won't be easy to find. And WORST case, we're out the cost of the link, period - which we already wanted to treat as disposable already.
As for the whole high-end Agent thing? It's all Warez. Buy it once, then make as many copies as you like.