It's not so much that, as it is "if this system has access to my brainwave data, then it can use it elsewhere to authenticate as me."
Oh, I have an answer for this, but I didn't make it explicit above. Don't think of the "brainwave scan" as a passive thing. Think of it as a challenge/response. The host uses your DNI to provoke some transient state in your brain, then measures how it reacts to that state - like tossing a particularly size and shape rock into a pool, and observing the resultant ripples. No two hosts use the same rock, so your credentials are unique to each host. This is a desirable goal within the universe, so I'm comfortable with the idea it would be built this way.
For extra dystopic fun, this process might be fleetingly noticeable to the user. A burst of synthesia, the sudden unprovoked smell of fresh ground black pepper, a vivid unprovoked recall of a childhood memory - who knows?
As a footnote, I think this process would happen on a part of the commlink that is isolated from the rest of the device and is inaccessible to the Matrix - very similar to a modern-day TPM chip. Somewhere in there (this is where even I think you start handwaving) there's some crypto based on a private key you can't read out of the firmware. Even if you hack someone's commlink, you cannot extract via software alone the data you need to spoof their ID to this challenge/response process.
There needs to be a wall of no between PCs and the NPCs bank accounts. Otherwise, why bother with Shadowrunning? So, somewhere between a person, a persona, a commlink, a SIN, and a bank account, there is some arbitrarily unbreakable security. The 5th and 6th edition choices are, IMO, the most playable version yet.
Sure, of course. I can only apologise I have I not been clear about my objective. I want to leave the game mechanics unchanged, as far as I can, then expand the fluff to explain them.
My objective is not to allow PCs to steal personas. My primary objective is a personally satisfying reason why they can't. And if I can do that work, and share it, and at least one other person in the SR community finds it useful - well, that justifies the effort of sharing it. So that's my secondary objective.
When I ask "why can't PCs steal personas?", it's because I'm desiring to brainstorm ideas for the in-universe explanation as to why personas are inviolate, not because I seeking to find a way to make them vulnerable.
You're correct, if SINs and Personas are these perfectly unhackable/unspoofable then they should be the method every security checkpoint uses to validate IDs. But they're not used that way for the same reason they're unhackable, arbitrary decision for desired game play options.
I do have an idea here BTW (but I didn't want to lead with it because I didn't want to immediately shuttle the conversation down my own views.)
Re: security gates, I think it's quite reasonable that crudely spoofing someone's SIN (or their persona; the issues are very similar) might work briefly but not work long-term. So imagine I set my commlink to broadcast your SIN, which after all, is just a short string. Fine. But very shortly after that, some host somewhere is going to notice the duplication - that there's two different personas using the same SIN - and it'll start ringing alarm bells. Not long after that, any system using those SINs to do anything with will be alerted, and immediately start rejecting the SIN.
By "not long here" I'm thinking a few seconds.
So actually, you do have just about long enough to maybe get a security door open with your stolen SIN, but probably not do much of anything else. So that's why your corpsec doesn't use SIN verification; it can be cheated, just for a handful of seconds, and doors open faster than that. That's enough to give corpsec nightmares so they prefer their auth to live entirely inside their own architecture - so we're back to our beloved 80s keypads and swipecards.
As for stealing a bank account - it's one thing to steal an account and quite another to keep it. An awful lot of potential shenanigans can be headed off with "great, now you have a million nuyen... and now the bank's audit AIs have noticed.... and now they've reversed the transaction." These would be some of the beefiest computer systems on the planet and I'm pretty comfortable saying laundering stolen money out of their grasp before they notice is supremely difficult. Even if you shuffle the cash to a credstick and then attempt an onwards (anonymous) transfer, you can guard against that with an escrow window - say that funds loaded onto a credstick cannot be used for 60 seconds, and that is easily long enough for the AIs to notice the theft and claw it back.