[cyclonus743]

So I've got a hacker who is wanting to use stolen commlinks to empty out bank accounts.  I'm looking for ideas on how to handle this. 

I mean this brings up the question why wouldn't runners just stockpile commlinks to commit identity theft and empty out bank accounts.  Or why would hackers spend their time making dangerous runs when they could just hack commlinks of people on the street and steal their hard earned money.

And while i'm not opposed to someone doing this from time to time i would rather my hacker not emptying out every bank from every commlink he comes across. 

[FastJack]

Credit Account: A credit account is an online banking account that can be accessed at any time via your commlink. Transactions require verification such as a passcode, a correct originating access ID (p. 225), and/or biometric authorization. All transactions are encrypted (Rating 6+). Each account must be registered to a particular SIN, unless the account is handled via an underworld banking service or anonymous “offshore” bank (each with their own risks), and has a monthly fee (included in a character’s lifestyle costs).

So, even the lowliest squatter with a commlink has at least rating 6 encryption for transactions. I'd probably house rule that the encryption on a commlink is equal to 6+Firewall, implying that the better the commlink, the better the encryption for transactions. So, a wageslave with Renraku Ichi on their 'link would have an Encryption of 8 (6+2). Of course with a good Decryption program, it's still possible to beat it.

Now, let's take a look:

Hacker John (SR4A, p. 105) has Electronic Warfare 5 + Decrypt 3. So he has to make a 8 (16, 1 Turn) Extended Test.

Decrypt test (8d6.hits(5)=4) - 1st Turn
Decrypt test (8d6.hits(5)=3) - 2nd Turn
Decrypt test (8d6.hits(5)=1) - 3rd Turn Success

Of course, for 200¥, the wageslave could have put a R3 Biometric Reader on their commlink keyed to their DNA, making it so that the hacker couldn't even get that far without a viable sample of the victim's DNA.

Also, don't forget, he could call the transaction from the victim's bank, but he then has to figure out where to send the money to and to wipe the data trail of that transaction (meaning, hacking the Bank's network to erase the datatrail).

Yeah... Identity theft ain't so easy in the Sixth World.

[cyclonus743]

::bows humbly:: Thank you sir you are always such a great source of info to reign in unruly players

[Kot]

Jack, couldn't he hack the reader? It has to be connected to the commlink, and store information. He just breaks in, takes the bio reading from cache and uses it to spoof access.

[cyclonus743]

Also i assume one could hack a passcode, though not sure what that entails (hacking is the one thing i'm still not solid on)

[FastJack]

They'd have to hack the database that records the DNA records, which will most likely be on the Bank's network, not the commlink. The only other way to fool the DNA scanner is to get the DNA from the mark:

Breath, cellular and DNA scanners collect a sample of the user’s cells, either off the finger/palm, via hair suction, through exhaled particles, or something similar, and analyze the genetic material. In order to fool such a system, you need a sample of the correct genetic material, preserved in a specially formulated enzyme bath. The enzyme bath can be synthesized in a chemistry shop with a Chemistry + Logic (5, 1 hour) Extended Test.

[Kot]

Or just hack the commlink without stealing it, and wait till he makes a payment, and hijack it's transmission. Or better - wait till he makes a transfer, and just change the target account and amount.

[FastJack]

Or just hack the commlink without stealing it, and wait till he makes a payment, and hijack it's transmission. Or better - wait till he makes a transfer, and just change the target account and amount.

You're still dealing with the bank's software and not the commlink.

Think of it this way. Do you have an app on your phone to check your back account? If someone stole your phone, how hard would it be to empty out your bank account? (I'm talking the average person now, not a Hacker like on TV.) Yes, the thief may get into your account (if you're not careful enough about passwords/PINs), and they COULD set up a transfer to another account. But is it easy to do this?

[Kot]

Even if i hijack the data and edit it on the way?
It would probably require confirmation from the commlink user, to double check the transfer. But that's also hackable.

P.S. My phone is for calls/texting only. I don't trust the tech enough for anything else.

[FastJack]

You'd have to set-up the link so his comm-link sends the info to you're commlink which would send it up to the bank. Possible, yes. But also difficult and time-consuming, not too mention you'd have to make sure that his commlink and the bank's network didn't detect your decrypt/hacking.

Ultimately, my point is that to empty out the bank account from someone's commlink isn't about the commlink's ratings, but the ratings/security on the Bank side.

[Nomad Zophiel]

 Assuming the commlink can be used like a regular debit card today can, keep a few things in mind:
1. There's going to be a test of what you know (password/PIN) and who you are (biometric) to make a purchase, check balance or transfer funds. If the owner was dumb enough to save those on his 'link, you're in luck.
2. In order to use the commlink this way it is also handing out all the information on the original owner's driver's license (SIN, photo, metatype, sex, eyes, hair, height, weight). Does the thief match it?
3. Reporting your link stolen is trivially easy and will flag the user of it as a thief the next time it interacts (goes into public moode or is used for a transaction).
4. Because there is no cash, credit fraud is one of the worst crimes an individual can commit, right up there with murder and violating Intellectual Property rights.  

Edit: In brief, the commlink is not a wallet, its a debit card.

[Crossbow]

And even if the hacker is good enough to get in once, it doesn't mean that he is getting away scott free.  Banks would be very touchy about stuff like that, and would come down HARD on someone who gets in.

Just remember, for every good hacker running the shadows, the corps and the governments have one themselves that operates in the light.  I wouldn't be suprised if banks didn't have some guys in the node 24/7 just waiting for someone to try that kind of run, ready and itching to bring the pain.

There is a reason hackers don't do this, if your hacker insists on finding out what that reason is, just make sure he does.  The world is not a fair place.

[Nomad Zophiel]

On the other hand, that stolen commlink is good for setting up botnets, running agents and doing other things you don't want traced back to you. If a trace hits, just toss it in a dumpster and walk away. Looking up at the sky and whistling innocently while you do are optional.