As a hacker, someone could pick a random guy off the street, hack his commlink, and use the wealth of ID info to withdraw from his bank account. To do so safely and successfully, the money would be transferred to a credstick, instead of another account, and then all traces of the hack removed.
Now, unless there's some flaw I've missed (please point them out if you find any) this is a relatively quick and moderately reliable way to get some easy money. Clearly, in game, if anyone was to use this technique more than a few times bad things would start to happen. But once or twice, for when you REALLY need the cash, it could pay off.
Of course, if you can do it, so can other hackers. So as a safeguard, keep most of your hard earned cash on credsticks or accounts more secure than normal.
Also, as I am nowhere near as immersed in SR lore compared to most of the users here, is there a bank that (like a swiss bank) is anonymous and grants "one time" accounts, for money transfers/laundering?
Full Version: Easy Money for Hackers
| QUOTE (Aeros) |
| Clearly, in game, if anyone was to use this technique more than a few times bad things would start to happen. |
Like what?
~J
Well, the random people would start to have 20 credits in their accounts, or the hacker's account might suddenly be empty. Or, worst case, some security or corp goons come looking for you.
| QUOTE (Kagetenshi) |
| Like what? ~J |
Like his evil GM reading this thread....
| QUOTE (Superbum) |
| Like his evil GM reading this thread.... |
exactly
| QUOTE |
| As a hacker, someone could pick a random guy off the street, hack his commlink, and use the wealth of ID info to withdraw from his bank account. To do so safely and successfully, the money would be transferred to a credstick, instead of another account, and then all traces of the hack removed. |
As long as they had a SIN or fake SIN and access to their bank account from their commlink, then sure. Why not?
| QUOTE |
| Now, unless there's some flaw I've missed (please point them out if you find any) this is a relatively quick and moderately reliable way to get some easy money. Clearly, in game, if anyone was to use this technique more than a few times bad things would start to happen. But once or twice, for when you REALLY need the cash, it could pay off. |
Right, once or twice wont tip off the securities too fast. However, if you made a pattern out of it you might fall under the prying eyes of another hacker (maybe even a hacker working for that bank).
Well, I would guess that for any large transactions (large withdrawals) additional verification would be required. Sure, you could get the guy's name, SIN and other personal data, but what about his bank PIN/password? What about a voiceprint? I guess he might have some voice recordings on his comlink, but not allways. How about a retnal scan? Or a finger/palmprint? The comlink does not need to keep copies of these on hand to compare them. A one-way hash function of the key values is enough to evaluate if this person is who they say thay are. Plus, you make the withdrawal and send it... where?
Even with access to the bank you need an account to send it to. That leaves a trace. Maybe you set up an account in the cayman islands or Zuruch-Orbital, but if you start funneling too much stolen cash there directly, the bank is going ask you to take your money elsewhere. They don't want their rep compromised, and they don't want to deal with the complaints.
Even with access to the bank you need an account to send it to. That leaves a trace. Maybe you set up an account in the cayman islands or Zuruch-Orbital, but if you start funneling too much stolen cash there directly, the bank is going ask you to take your money elsewhere. They don't want their rep compromised, and they don't want to deal with the complaints.
I'd say that this would be something that the bank would handle. The exact amount of money a person has is not on their commlink. Instead, their commlink simply provides information about their account information (i.e. routing number and account number to use today's lingo). Thus, when transfering money, the buyer sends the seller their routing number and account number, the seller then sends a request for funds to the bank via that routing number from the specified account. That request would have to include a SIN and information about the buyer.
Then, the bank would test that SIN against the identity databases. Obviously the SIN would have to be valid or at least spoofed well enough to beat the bank's SIN recognition systems. Then, the bank would send a response request to the buyer's commlink with information about the purchase. For legitimate purchases, the buyer's commlink, having been instructed by the buyer in some fashion (DNI, AR Gloves, tortise mode, etc) to accept the purchase would responde okay. However, for your hacker on the street idea, the buyer's commlink would respond not-okay and the transaction would halt, probably red-flagging the seller's (hacker's) SIN in the process.
Thus, to pull off, you'd not only have to hack the commlink to request the money, you'd also have to hack the commlink to send the right information to the right bank. But, you only have a routing number, well, a data search would probably turn up the right bank, but .... damn, now the pedestrian went around the corner and is out of range ....
Then, the bank would test that SIN against the identity databases. Obviously the SIN would have to be valid or at least spoofed well enough to beat the bank's SIN recognition systems. Then, the bank would send a response request to the buyer's commlink with information about the purchase. For legitimate purchases, the buyer's commlink, having been instructed by the buyer in some fashion (DNI, AR Gloves, tortise mode, etc) to accept the purchase would responde okay. However, for your hacker on the street idea, the buyer's commlink would respond not-okay and the transaction would halt, probably red-flagging the seller's (hacker's) SIN in the process.
Thus, to pull off, you'd not only have to hack the commlink to request the money, you'd also have to hack the commlink to send the right information to the right bank. But, you only have a routing number, well, a data search would probably turn up the right bank, but .... damn, now the pedestrian went around the corner and is out of range ....
Teach me to write a longer post than Lebo 
This is my area of expertise, and I can tell you that Bank (and especially the one in Switzerland to answer the creator of this thread) are carefully controlling the ID of the people opening the bank account. For example, in my job, before opening such off shore bank accounts, we have to do a full investigation on the client (due diligence).
The real pro of those off shore bank accounts in fiscal paradise is because of taxation and the less formalities compared to other jurisdiction. But don't think that you are opening a bank account over there like you would create an e-mail account....
The real pro of those off shore bank accounts in fiscal paradise is because of taxation and the less formalities compared to other jurisdiction. But don't think that you are opening a bank account over there like you would create an e-mail account....
| QUOTE (Aeros) |
| As a hacker, someone could pick a random guy off the street, hack his commlink, and use the wealth of ID info to withdraw from his bank account. To do so safely and successfully, the money would be transferred to a credstick, instead of another account, and then all traces of the hack removed. |
Although certified credsticks are very vaguely described, I don't think transferring nuyen to one is an effective method of moneylaundering.
The rules for forgery on page 125 says:
| QUOTE (SR4) |
| Bogus credsticks are especially vulnerable to detection; once either the original or copy has been used, verification systems will detect the anomaly as soon as the other is used, immediately flagging all transactions with either stick and preventing either from being used again until the situation is cleared up. |
The big deal with the certified credstick is that it's not registered to a specific person. That doesn't mean that the money is untraceable. The banks have registers of what credsticks they have issued, how much money is supposed to be on them, and where the money was originally transferred from. If they suspect something illegal is going on, they can prevent a credstick from being used.
So in your case I guess the owner of the comlink would complain that he didn't make the transfer himself, and the bank would flag your credstick. And then you would have to throw away the false SIN you used when the bank issued the credstick to you.
On the other hand I guess you can go to a shop and hack someones comlink to pay for your groceries. That can be pretty profitable too.
- Magnus
How would you prevent confirmation of the purchase from showing up in the retinal display of the owner? Itīd be unlikely to find someone going shopping with an active commlink without some kind of display. Suppose you could turn the display off temporarily without raising to much suspicion.
But on the other hand if that would be the standard way of doing "virtual shoplifting", then when a display goes dead in a store people would know whatīs likely to be going on and start yelling.
But on the other hand if that would be the standard way of doing "virtual shoplifting", then when a display goes dead in a store people would know whatīs likely to be going on and start yelling.
You could just spoof the Display...
this is similar to doing credit card fraud today. only that picking up said info is "somewhat" simpler (you could allways grab said card out of a pocket, write down the relevant info and then drop it of somewhere and say you found it on the floor).
this is one of the reasons why i dont shop online with a credit card until i can have a sort of one time number that only applys for said order and that i get, securely, from the issuer of said credit card.
only using the basic info on the card is silly as a physical card have the added security that there can only be one card in existance (in theory).
i seriusly dought any physical shop would accept a simple white plastic card with some raised numbers and maybe a chip or magnet stripe. but thats what the online ones are more or less doing when they do not require a second, independent, piece of verification info that can only come from a known company.
this is one way of doing it tho, setting up a encryption on the data and then altering the key every time the data is read so that the next time you need the new key and so on.
so i use my comlink to buy a nuk'em burger on a corner, the terminal gets the encrypted package of sin data and other needed for the trade and when verified the data i carry is overwritten by a new package of data from the bank that maintain my account or maybe my credit issuer. so, if someone goes and copy said data then they have to use it before i do so. if not then their data is flagged as invalid and the salesperson notified of said problem. maybe ill get a mail sendt to my comlink about the problem to from my bank so that i can contact them about it and my account locked until i do so. given that im walking around with a mobile phone on me at all times it should not be to hard to make a call on the spot to my bank and talk to them about the problem.
inside said package there should at the very least be a passcode or password of some sort in a one way hash so that i have to physicaly id myself using said code.
a certified credstick however will omit said passcode, instead it will have a prepayed amount attached to it and maybe allso have that amount stored inside the data packaged carried.
this is one of the reasons why i dont shop online with a credit card until i can have a sort of one time number that only applys for said order and that i get, securely, from the issuer of said credit card.
only using the basic info on the card is silly as a physical card have the added security that there can only be one card in existance (in theory).
i seriusly dought any physical shop would accept a simple white plastic card with some raised numbers and maybe a chip or magnet stripe. but thats what the online ones are more or less doing when they do not require a second, independent, piece of verification info that can only come from a known company.
this is one way of doing it tho, setting up a encryption on the data and then altering the key every time the data is read so that the next time you need the new key and so on.
so i use my comlink to buy a nuk'em burger on a corner, the terminal gets the encrypted package of sin data and other needed for the trade and when verified the data i carry is overwritten by a new package of data from the bank that maintain my account or maybe my credit issuer. so, if someone goes and copy said data then they have to use it before i do so. if not then their data is flagged as invalid and the salesperson notified of said problem. maybe ill get a mail sendt to my comlink about the problem to from my bank so that i can contact them about it and my account locked until i do so. given that im walking around with a mobile phone on me at all times it should not be to hard to make a call on the spot to my bank and talk to them about the problem.
inside said package there should at the very least be a passcode or password of some sort in a one way hash so that i have to physicaly id myself using said code.
a certified credstick however will omit said passcode, instead it will have a prepayed amount attached to it and maybe allso have that amount stored inside the data packaged carried.
Thank you for all the constructive replies. That credsticks are that easily traced would be probably the biggest hole that I didn't see. Which makes the "one use" shady bank accounts more necessary. Since no one replied as to the existence of a bank specializing in short term, no questions asked accounts, I assume that the subject hasn't been covered.
As to the difficulty of withdrawing large ammounts, it would probably be like using a credit card (or debit card) today, some safeguards in place, but a normal person can go spend the entire balance of their account without requiring confirmation beforehand (although, probably afterwards). This seems to point to the banks tracking down any ID theft. That'll be something to watch for then.
So, the solution so far is to spend the ill gotten gains as fast as possible, and hopefully you can get away with it. Hanging on to the funds will probably be a lot easier to trace.
As to the difficulty of withdrawing large ammounts, it would probably be like using a credit card (or debit card) today, some safeguards in place, but a normal person can go spend the entire balance of their account without requiring confirmation beforehand (although, probably afterwards). This seems to point to the banks tracking down any ID theft. That'll be something to watch for then.
So, the solution so far is to spend the ill gotten gains as fast as possible, and hopefully you can get away with it. Hanging on to the funds will probably be a lot easier to trace.
Actually, Hobgoblin, there is a second line of defense--the shipping address. ALOT of companies now doing online business WON'T ship to anywhere other than what the address is on file with the credit card company, even if you can prove that you KNOW that address as well. I had this problem a couple of times in college, where i was trying to buy something online, and have it shipped to my apartment, but my bills were still going to my parents and my (permanent) residance.
glad to hear that aku. still, some joker could make my life a living hell by ordering all kinds of sex toys and other insane stuff on my bill to my house.
sure, not as bad as having someone burn my money for their benifit, but ill have a hard time explaining that i didnt order that stuff
sure, not as bad as having someone burn my money for their benifit, but ill have a hard time explaining that i didnt order that stuff
| QUOTE (hobgoblin) |
| glad to hear that aku. still, some joker could make my life a living hell by ordering all kinds of sex toys and other insane stuff on my bill to my house. sure, not as bad as having someone burn my money for their benifit, but ill have a hard time explaining that i didnt order that stuff |
But you'd have a fun time with them after the initial shock wore off.
no comment 
There are a few steps to stealing a pedestrian's cash:
1) Get said pedestrian's personal information off of his/her commlink
2) Set up temporary bank accounts in Hong Kong and the Barrens to launder money
3) Steal access information that must be a mental signature or finger print, that sort of thing that is stored at the bank rather than on the com.
4) Make sure that the pedestrian is not paying attention or able to access to his/her commlink as it will undoubtedly notify the user of any transactions in said account
5) Log in and transfer money to laundering accounts
6) Transfer money from laundry accounts to certified credstick
7) Shut down laundry accounts
The trick is to use semi-legal laundering accounts to prevent an easy trace, as while it would be easy to spoof the system into thinking the transer request had come from a pedestrian. It would be much more difficult to erase the information from the transfer. There would have to be banks allowing totally anonymous access because people always need ways to acquire less than respectable goods. How else would an average wageslave get a hooker or BTL without being fired or blackmailed by the corp that owns his soul? So there would be semi-legal wink and nudge bank accounts that the corps own and charge significantly for (which is their cut in these dealings), and have to be foreign or extraterritorial for legal reasons. That account could be recognized by the first bank and recouped the illegal transfer, so there has to be a third bank that is convenient to pick up a certified credstick.
The ease of recognizing forged certified credsticks is in the fact that they have the same information, so using both would be spending the same money twice, rather than recognizing an illegal transaction or something like that.
1) Get said pedestrian's personal information off of his/her commlink
2) Set up temporary bank accounts in Hong Kong and the Barrens to launder money
3) Steal access information that must be a mental signature or finger print, that sort of thing that is stored at the bank rather than on the com.
4) Make sure that the pedestrian is not paying attention or able to access to his/her commlink as it will undoubtedly notify the user of any transactions in said account
5) Log in and transfer money to laundering accounts
6) Transfer money from laundry accounts to certified credstick
7) Shut down laundry accounts
The trick is to use semi-legal laundering accounts to prevent an easy trace, as while it would be easy to spoof the system into thinking the transer request had come from a pedestrian. It would be much more difficult to erase the information from the transfer. There would have to be banks allowing totally anonymous access because people always need ways to acquire less than respectable goods. How else would an average wageslave get a hooker or BTL without being fired or blackmailed by the corp that owns his soul? So there would be semi-legal wink and nudge bank accounts that the corps own and charge significantly for (which is their cut in these dealings), and have to be foreign or extraterritorial for legal reasons. That account could be recognized by the first bank and recouped the illegal transfer, so there has to be a third bank that is convenient to pick up a certified credstick.
The ease of recognizing forged certified credsticks is in the fact that they have the same information, so using both would be spending the same money twice, rather than recognizing an illegal transaction or something like that.
Without the book to double check, the impression I got from an above post is that Credsticks basically have serial numbers and add those to all transactions. If so, then Credsticks are unnecessary for the scheme. With your description of laundering accounts, that's basically the kind of bank I'm looking for a description of. However, due to the fact that information is difficult to destroy, I wouldn't count on closing the account to cover my tracks. The only solution I've found so far is to go buy something with the money before it gets fully traced (note: not order via AR, but actually go out and buy). As long as you no longer use any of the accounts involved in the scheme, and change the RFID of whatever you buy (if it was legit) then you should be clear. Keeping the money seems to lead to more problems with tracing.
Since this clearly implies that it's easier to avoid traces with PHYSICAL goods, a better way of making money would probably be to just steal cars. Of course, there's already a thread about that.
Since this clearly implies that it's easier to avoid traces with PHYSICAL goods, a better way of making money would probably be to just steal cars. Of course, there's already a thread about that.
No, no, no. What you do is get a contact in the Mafia to launder your money for you.
Simple explaination why this would not work:
1) Certified Credsticks are created by banks. They have a precise balance when they are created and can not be added back to.. only subtracted from. Otherwise the bank can not get another 5% charge when someone needs another certified credstick (the runner would just add funds to an old one).
2) Although the encryption rules are very simplified.... It is understood that bank transactions are encrypted at a high level (6+). Also, as it was said before in this thread, just because you have someone's SIN/Bank ID does not mean you have their bank password, etc.
3) For larger sales (anything over 5,000
) a customer would probably still need to use a biometric reader to validate the sale with the bank. They could be paranoid and use a personal biometric reader they have with them, or use the biometric reader (print scanner, retinal scanner, etc.) from the store. This would then be encrypted and sent to the bank for validation.
Purchases from 1 to 4,999 would probably still use a "passcode" type verification... This MIGHT be stolen, but only if you hacked somone's PAN, and then spoofed the feed as they were making a purchase.. but I would still make the decker have to deal with the encryption (6+)
Once you have somone's SIN, Bank ID, and passcode.. in theory you could then use that to withdraw funds... but you would first have to install that into a Commlink.
Also.. with the wireless world, and everyone plugged in... The person would notice all the "extra" purchases he was making if he was monitoring his bank account (most people in 2070 would have a system of Instant Messages, etc to be sent from their bank when money is withdrawn.
If someone noticed a bad charge, they would contact their bank, and the bank would freeze the account. The SIN holder would probably be under credit card protection (Pay 50 and not have to pay any of the bad charges). The Bank would notify Lone Star / Police who would start an immediate trace on that SIN/Comcode.
.. Overall.. not worth it.
1) Certified Credsticks are created by banks. They have a precise balance when they are created and can not be added back to.. only subtracted from. Otherwise the bank can not get another 5% charge when someone needs another certified credstick (the runner would just add funds to an old one).
2) Although the encryption rules are very simplified.... It is understood that bank transactions are encrypted at a high level (6+). Also, as it was said before in this thread, just because you have someone's SIN/Bank ID does not mean you have their bank password, etc.
3) For larger sales (anything over 5,000
) a customer would probably still need to use a biometric reader to validate the sale with the bank. They could be paranoid and use a personal biometric reader they have with them, or use the biometric reader (print scanner, retinal scanner, etc.) from the store. This would then be encrypted and sent to the bank for validation.Purchases from 1
to 4,999 would probably still use a "passcode" type verification... This MIGHT be stolen, but only if you hacked somone's PAN, and then spoofed the feed as they were making a purchase.. but I would still make the decker have to deal with the encryption (6+)Once you have somone's SIN, Bank ID, and passcode.. in theory you could then use that to withdraw funds... but you would first have to install that into a Commlink.
Also.. with the wireless world, and everyone plugged in... The person would notice all the "extra" purchases he was making if he was monitoring his bank account (most people in 2070 would have a system of Instant Messages, etc to be sent from their bank when money is withdrawn.
If someone noticed a bad charge, they would contact their bank, and the bank would freeze the account. The SIN holder would probably be under credit card protection (Pay 50
and not have to pay any of the bad charges). The Bank would notify Lone Star / Police who would start an immediate trace on that SIN/Comcode... Overall.. not worth it.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.