Credsticks in the Sixth World

The first thing to realize about credsticks: The quality of a credstick (plastic, silver, gold, platinum, ebony) and the quality of the associated fake ID are largely independent. Credstick quality is a measure of how much a bank likes you; if you don't have the minimum amount of funds for a given quality of credstick, it's highly unlikely that a bank will like you that much. Fake ID quality is a measure of how hard it is to detect that your ID is not legitimate.

The next point regarding credsticks: the quality of the credstick and the amount of money it carries are not rigidly correlated. A bank will happily let you use a plastic credstick whose access to a million nuyen is protected only by a passcode, but since using such low security is risky, the bank is not going to give you any of the privileges that would go with accepting a higher-rated credstick and the corresponding higher quality of identity verification, and it's probably going to require extra identification in order to transfer more than 5,000 off the stick in a single day.

Credstick quality generally involves a certain amount of security on your account, and a certain batch of attached privileges. In general, a credstick has access to a line of credit on the order of the minimum nuyen to have such a credstick. Credit is mostly useful to folks who have very little in the way of savings (in which case their rating is quite low), and for those who have money tied up in investments where they can't get at it immediately.

Another point is that you don't need to have a given quality of credstick in order to store identity information on it. No bank is going to object if someone wants to have retinal scan and cellular scan information on their silver credstick because they want to be extremely sure that no one will be able to steal their credstick and abuse it. (Some banks may charge a small amount extra for the higher security; many won't.)

One of their functions is holding E-cash. This is the equivalent of pocket change; you can carry around almost arbitrary quantities of the stuff, setting various levels of protection on it. (For instance, you might specify that you can spend no more than ten nuyen every ten minutes without giving a passcode or voiceprint.) E-cash can be stolen if someone swipes your credstick and it isn't designed to prevent someone from reading its memory; it can be traced to you, if you withdrew it from your own bank account and didn't launder it. However, you can spend it like cash without worrying about going through the tedium of verifying your identity. This is how you'd buy things the way you'd pay cash today: instead of handing over your wallet, you just slot your credstick. (Most home telcom units will have a slot for hooking up to a credstick. This allows sending immediate payment to someplace you're ordering from over the phone, and makes it trivial to make your guests pay for their own calls.) You do need to go through an ID process in order to download more e-cash onto your credstick from your bank account.

It should be easily possible to transfer a variety of different currencies into subdivisions of this buffer on your credstick, giving you the equivalent of a subdivided wallet full of international cash.

Another of their purposes is connecting to your bank account for an EFT. Almost all major transactions for most people are going to occur with a direct connection to a bank account, rather than a side trip into e-cash on your credstick. This is equivalent to using your ATM card or credit card for a transaction, and requires going through a credstick verifier.

One common phenomenon on credsticks is private encryption key storage. Rather than keeping an encryption key where it could potentially be stolen, special credsticks (and other jewelry, such as rings that happen to be just the right size to plug into a credstick terminal) could have on-board processors that perform encryption and decryption themselves, rather than allowing a private key onto a potentially insecure computer.

The same processor can be called upon to verify your password and provide the appropriate data for matching up voiceprints, retinal prints, and so on. This data is often used with lower-rating credit verifiers handling E-cash. Medium-rating credit verifiers that handle the kinds of transactions you need to contact your bank account for will also verify your retinal prints and so on with the bank as well; as credit verifiers get to progressively higher and higher ratings, they will also do searches of databases to make sure that you're a legitimate being, in order to avoid electronic fraud.

One credstick can carry a large number of private keys, and can thus function as a key ring: you slot your credstick into the lock, submit to whatever level of identity verification is required to prove that you've got the right credstick, then prove you have the right private encryption key to show you have access to the rooms behind the door. (A lock can operate this way independently; it can also check with a central computer to make sure that the retinal prints also match someone in the database.) If you lose your credstick, you go down to the bank, have them verify that you're the person you claim you are with the identity information in storage, and get a new one. Credsticks offered by banks will often only yield up their store of private keys when talking to a computer that can prove its access to the bank's private key. These keys can then be stored in a digital safe deposit box, protected by all the security surrounding the bank's own information.
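
The key-ring behaviour described above, where the stick proves possession of a private key without ever handing it to the lock, can be sketched as a Schnorr identification exchange. This is an added example, not part of the original article; the Credstick and Lock classes, the lock IDs and the toy-sized group parameters are assumptions made for illustration.

```python
import secrets

# Toy Schnorr group, constructed for this example: P = 2*Q + 1 with P and Q
# prime, and G generating the subgroup of order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4


class Credstick:
    """Hypothetical token: private keys go in, only proofs come out."""

    def __init__(self):
        self.__keys = {}     # lock_id -> private exponent x (no getter exists)
        self.__pending = {}  # lock_id -> one-time secret k awaiting a challenge

    def enroll(self, lock_id):
        """Generate a key pair on the stick; return only the public half."""
        x = secrets.randbelow(Q - 1) + 1
        self.__keys[lock_id] = x
        return pow(G, x, P)

    def commit(self, lock_id):
        """Step 1: pick a fresh secret k and send the commitment G^k."""
        k = secrets.randbelow(Q - 1) + 1
        self.__pending[lock_id] = k
        return pow(G, k, P)

    def respond(self, lock_id, challenge):
        """Step 3: answer with s = k + c*x mod Q.

        k is popped so it can never answer two challenges; two responses
        under the same k would let the terminal solve for x.
        """
        k = self.__pending.pop(lock_id)  # KeyError if no commitment is pending
        return (k + challenge * self.__keys[lock_id]) % Q


class Lock:
    """Hypothetical door lock: stores the public key only."""

    def __init__(self, lock_id, public_key):
        self.lock_id = lock_id
        self.public_key = public_key

    def new_challenge(self):
        """Step 2: a fresh nonzero challenge (c = 0 would prove nothing)."""
        return secrets.randbelow(Q - 1) + 1

    def verify(self, commitment, challenge, response):
        """Step 4: accept iff G^s == R * y^c (mod P)."""
        if not (0 < commitment < P and 0 <= response < Q):
            return False
        expected = (commitment * pow(self.public_key, challenge, P)) % P
        return pow(G, response, P) == expected


def run_exchange(stick, lock):
    """Run one full exchange; return the transcript an eavesdropper would see."""
    commitment = stick.commit(lock.lock_id)
    challenge = lock.new_challenge()
    response = stick.respond(lock.lock_id, challenge)
    return commitment, challenge, response


def unlock(stick, lock):
    """True if the stick proves possession of the key enrolled for this lock."""
    return lock.verify(*run_exchange(stick, lock))
```

Because the lock issues a fresh challenge each time, a recorded transcript does not verify against a later challenge, and one stick can enroll a separate key for each lock it opens.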

Many shadow credsticks are built to change their identities when appropriate manipulations are applied to them, allowing a runner to keep one credstick with multiple fake IDs. Anti-tamper circuitry is usually present to wipe such evidence from the stick before anyone can get inside it to look for such things during an arrest.

Credstick Specifications

A credstick is usually a small plastic cylinder about 10cm long and 1cm in diameter, with the end tapering to 5mm in diameter over the last 2cm of its length. The interface at one end is capable of slotting into a port on a machine or another credstick, permitting stick-to-stick transfer of certified credit. A small LCD display near the back of the stick can display the amount of certified cred on the stick, or the amount it's ready to transfer. The back centimeter of the stick is usually in a locked position, but by pushing down and twisting it can be released to spring outward, allowing the user to set up a stick-to-stick transfer by twisting in one direction to increase the amount and in the other to decrease it. (The control operates like many car stereos: you twist it a bit and hold it there, and the display starts incrementing its numbers faster and faster until it reaches the amount of cred on the stick. Twisting the other way decreases, and pushing down twice quickly on the control authorizes the transfer. Double clicking allows switching between different buffers on the same stick, a useful feature when carrying multiple different currencies of E-cash.)

Credsticks usually have a very tough plastic casing; most are a neutral color like grey or black, but some have a fake finish to resemble wood grain or some form of stone such as serpentine, granite, or obsidian. They may bear the logo of the issuing bank, though those purchasing designer credsticks may prefer the elegance of anonymity. Anti-tamper circuitry will usually wipe the contents if the stick is opened. The quality of the credstick is sometimes displayed in a band near the readout, so gold, silver, and platinum credsticks often have a very thin band of the appropriate metal embedded in a tough piece of plastic. Certified credsticks have narrow rings around that end of the barrel, indicating the order of magnitude of nuyen they're permitted to carry. (Thus, a three-ring certified credstick holds up to a thousand nuyen, and a six-ring one carries up to a million.)

The credstick may carry personal information such as photographs, sums, and so on; however, it is not going to hold credit balance and financial records. (Those will be in the bank it's linked to: after all, transactions can take place without the credstick knowing about them, such as automated bill payment.)

In Europe, most people use European Cash-Free Transactors (ECTs), which are basically credsticks that are boxes about the size of a pack of cigarettes. There are, of course, adaptors to allow ECTs to use credstick jacks and vice versa. Very expensive credsticks can be unscrewed to fit inside a specially designed ECT case, or have two stacked screw-on attachments at the far end that can be stacked in either order, one to talk to ECT ports, one to credjacks.

Alternative credsticks do exist in the form of rings, cyberfingers, knife hilts, and anything else you can imagine.

Credstick verifiers, as described in the Neo-Anarchist's Guide to Real Life, are just a bit silly. There's no reason to do a credit check on someone every time they get food in a restaurant. They attempt to combine two different functions into one device, and are much more easily dealt with as two different ones.

The first one is that of identity verification: this is all you need for normal financial transactions. Your standard credstick verifier comes with a quality suitable to the quality of credstick it's designed to handle (plastic, silver, gold, platinum, ebony) and a rating, which is how good its hardware is for verifying that you're the person that's supposed to be using this credstick. (These are simply the standard ID verifiers in Shadowrun II p. XX. You can use the tools mentioned in Corporate Security on p. XX to attempt to fool one, if you want to access a credstick not keyed to your personal data.) High-class terminals can still verify lower-class ID methods, so an Ebony terminal can accept cellular scans, retinal prints, voice prints, fingerprints, and passcodes.

The other function in NAGRL is that of doing a background check, the equivalent of probing into someone's credit history in the modern era. The notion that a Stuffer Shack is going to do a background check on you as you buy a Nukit burrito is ridiculous: they're just interested in getting valid nuyen. Nothing bad is going to happen to them if you have a shady background. This extends throughout a large amount of the market. All you need in a credstick for this purpose is having a bank behind it willing to vouch for you. (In theory, you don't even need a SIN. In practice, very few banks are willing to give accounts to folks who don't even have a SIN.)

Background Checks

Background checks are only performed by people with an interest in avoiding trouble caused by shady dealings. Opening accounts at banks, buying expensive things such as land and vehicles, renting apartments at Middle lifestyle and above, and crossing national borders will tend to trigger background checks.

Running a background check consists of asking a mainframe somewhere to talk to a bunch of other mainframes about a particular identity. These people are verification service providers (VSPs), and most credstick verifiers have a slot for attaching a standard black box provided by VSPs containing the Matrix grid location and appropriate encryption information for the VSP. When someone wants to verify an ID, they just push a button on the verifier that has it contact the VSP, which then goes out and checks up on the person's background. Subverting a VSP via the Matrix is extremely difficult, as it requires getting into the VSP mainframe or obtaining the black box codes from the VSP (which are not even kept on the Matrix!) and intercepting the Matrix connection from the verifier. The better the VSP (or the more thorough the search), the more expensive the service; most VSPs offer a wide range of service, and keep search results in cache for several minutes in case someone wants to upgrade the rating of the background check they just performed.

Since most places don't want to lose too much money on verification, they're unlikely to spend more than a fraction of a percent of a transaction's size or profit on a background check; 0.1 is a good value to consider (so if someone's opening a bank account with a million nuyen, the bank is probably going to run a level 9 check unless you're getting yourself a numbered bank account). The UCAS generally spends 100 on a background check when verifying a person's passport, which corresponds to a rating 6 check; border crossings are usually handled by a quick query to the passport database.

When a VSP discovers an inaccuracy, it will tend to highlight the problem for future reference and (if it finds any glaring problems) may notify appropriate authorities. Part of the process of making a new fake ID often includes spending money on successively better VSP checks. When the VSP starts providing cross-examination questions, the folks creating the fake ID punch in the appropriate answers and go back to shoring up the ID.

Identity Verification

Identity verification often involves cross-checks with financial institutions (banks), government institutions (SIN registry, DMV, passports), and educational institutions (K-12 and college). I can see no reason why it won't be possible for a decker pretending to be a good credstick verifier to get a great deal of information about someone; however, this would require getting access to a good credstick verifier's sealed black-box encryption software, as credstick verifiers will use encrypted group computation. This means that people who wish to keep things secret will pay for banks to not keep their records available to credstick verifiers; getting one of these banks to vouch for you as an account (but not disclosing your transactions) is a good way of establishing yourself a high-quality fake ID. (Because of this, such banks will make it very difficult to do so, with high security and either through a great deal of background verification or requiring that you keep a great deal of money with them. Some will have better reputations than others, and this will factor in to the quality of a fake ID.)

A fake ID should appreciate with time, if it's being used well. Misuse of one should be able to degrade its quality almost instantly (if you perform extremely spurious transactions, such as money-laundering). A triangle-number system (like that used for spending karma) is used for increasing quality, so the amount of effort required to create a level 3 credstick could improve one from 5 to 6.

Improving Your Credit

Things that make your credit rating get better include:

  • Proof of stable residence. This is often done through having your name on electric bills, phone bills, cable bills, and so on in the same place for a given time.
  • Making payments on time. Always paying your credit account on time looks good. The bigger the purchase you've put on your credit account and paid back, the better.
  • Verifiable income. Having a company that says they've hired you as a full-time employee helps a lot. (Even if this is an offshore holding company owned by shadowrunners…)

Legitimate IDs do exist. It should be possible to manufacture something that works as a legitimate ID and is immune to all electronic background checks. (Naturally, if someone becomes suspicious of the ID, they might check it out with real legwork, but that's much harder to do.) This process should be defined. Alternatively, there should be a reasonable number of people every year who get picked up because their own credstick isn't very well rated, and the process by which they exonerate themselves (or get shafted) should be documented.

Suspicious IDs

When an ID is called into question, a number of levels of suspicion can operate:

1. Cross-examination. If the verifying computer looks askance at your records, it will query the computer containing the potentially suspicious records and have it generate some questions to ask the person with the ID. This usually consists of questions about their coursework at university, when they opened a bank account at a particular institution, the geography of a place they resided for a long time, their mother's maiden name, and so on. Some are allowed to be missed, such as the name of the cafe next to the college campus bookstore; some aren't, such as the mother's maiden name. This can occur at any level of background check.

2. Cross-correlation. This can take a few minutes as the computer spends some time checking different databases to make sure that all the records match up: spending activity correlates with income or adjustments in credit rating, large transfers of credit don't involve other transactors that are on publicly available lists of shady dealers, and so on. This is part of what takes time, starting with a level 4 background check, and becoming more thorough at level 6.

3. Backup verification. This can take a while as records are pulled out of successively older and older storage to show that a person's account records didn't suddenly appear with backdating or data suddenly change. In general, this kind of retrieval takes time and resources, and people paying money for verification service are only going to pay for so much background checking. Of course, if someone else is already running a search or records just happen to be in cache from a recent search, the runner might get unlucky… Fortunately, this is unlikely until you reach level 8 background checks.

4. Investigation. This can take some time and quite a lot of nuyen if it gets expensive. An investigation can involve contacting college professors, relatives, coworkers, and so on, often requiring real legwork (since a good decker can play merry hell with an investigator's phone calls). Passing an investigation is a mixed blessing: people with access to the appropriate background records will find it suspicious you went through an investigation, but will take the amount of nuyen spent on the last one as a guideline on whether they want to bother with one themselves. (Of course, most VSPs will not release the record of an investigation occurring or its result to anyone who isn't paying for it, so there's always the chance that someone will mount a fresh investigation. And yes, investigation records can be doctored…) In general, this is only done to check out major transactions such as giving someone a security license, purchasing valuable property, getting a passport when you're under suspicion, and so on. This qualifies as a background check of level 10+.

Fake IDs

SINs can be acquired in a variety of ways with a variety of qualities. All are necessary for a decent fake ID.

  • Natural SIN: one assigned to you at birth. Makes for an excellent legitimate ID, but if it gets associated with criminal activity, it's sunk.
  • Naturalized SIN: one assigned to you on becoming naturalized after immigrating. This is just as legit as a natural SIN, but if someone gets really suspicious, they can start checking your datatrail in the country you immigrated from.
  • Appropriated SIN: a natural SIN that belongs to someone now dead or vanished, or who never existed in the first place. These are also extremely good, though you need to make sure that all references to that SIN (in all the computers that have interacted with it) now believe that your ID codes are appropriate for it. This is the most common one used in fake IDs.

The main trick is obtaining them without generating a death record that inactivates the SIN: appropriating a SIN from someone by mugging them generally gets their relatives up in arms. This means that part of the process often involves tracking down people who have very little in the way of folks to care about them, and assassinating them for their SINs. Muggers who kill will often try to fence credsticks in order to get a little cash; the people who make the money off these SINs are the deckers who find out if the SIN is worth anything or not. (This provides a splendid plot hook for troubling runners with consciences…)

  • Decked SIN: a SIN that has been added to the central databanks by an external decker. If it gets called into question by a credit verifier, it can be checked against backups, at which point it's sunk. This checking can take a while; the longer a time has passed that you've had a decked SIN, the less likely it is to be noticed in a backup check. (But there's always the possibility someone just checked one of your neighbors and it's in cache…)
  • Bulletproof SIN: You added the SIN to the central computers and changed the backups, you sly runner. Your SIN cannot be disproven without some serious amounts of legwork costing tens of thousands of nuyen (at least). However, if someone got that suspicious of you, you've already got some problems tied up with that SIN now. These are almost impossible to obtain.

Morgue SINs

Note that *morgue SINs* as specified in the Lone Star sourcebook should be nonexistent. (If it's possible to acquire a SIN from a computer in the morgue, it's possible to flush the record from the computer that it ever acquired it, and you get to wander off with a brand-new official SIN that isn't going to generate any of the cross-checking *you should be dead* problems suggested in the sourcebook. SINs are for tracking citizens, not bodies; you can track a body quite well with any random index.)

In general, doing a search based on a SIN requires knowing which database to talk to and providing a query based on the SIN. The main SIN registry at the UCAS Department of Records, for instance, merely keeps track of name, date and location of birth, date and location of death, date of SIN issue, and current address (for voter registration purposes). However, the SIN links to a number of other databases, none of which a person is required to be in.

  • Department of Motor Vehicles: keeps name, fingerprint, height, weight, hair color, eye color, photograph, date of birth, contact information, sex, and visual correction required. If you want to drive, you have to be in here.
  • Passport Agency: name, fingerprint, voiceprint, photograph, date of birth, sex, state of birth. If you want to leave the country, you have to be in here. They also record entries into the country. An extensive background check finding that you keep coming back to the UCAS but your ID doesn't turn up in other countries can raise eyebrows.
  • Internal Revenue Service: name, all past addresses, all past tax returns. If you have a fake ID that makes any reasonable money, it has to be in here, if only to submit returns that show why you owe no taxes.
  • Federal Bureau of Investigation: name, fingerprint, voiceprint (if possible), retinal scan, DNA scan, data from hair samples and blood typing, results of cyberware scans, and your full arrest record. It's rare to get in here without being booked, but even a fine for carrying a weapon with an expired permit will wind up in their databases, unless something gets in the way when the security company arresting you goes to file the report.

Making Good Backgrounds

In general, it can be assumed that these databases are indexed by SIN (so it's trivial to get a record out based on its SIN) and by simple things such as name and address. Looking up a SIN and then checking the listed identifiers (voice prints, etc.) is a very quick operation. Looking someone up based on such identifiers should take a little while; it's an O(n) operation, taking an amount of time proportional to the number of people in the database. Cross-correlating all identifiers on file in a database is O(n²), taking an amount of time proportional to the square of the number of people on file. If finding one person from a million only takes ten seconds, it could end up taking eight weeks to cross-check the whole database. (These numbers are pure fudge; if it's too easy, it becomes improbable that anyone could keep a fake ID.)

Creating a good background can require a sizable labor force. Fixer networks that provide fake IDs probably have a number of people whose jobs are to go around spending money to make IDs look legit: buying books, groceries, trideo, paying rent, ordering food in, and so on. Many of the apartments are available as rentable safe houses from these same fixers, or come with the IDs. (These people could also take part in a money laundering operation, moving small amounts of money around to completely confuse a data trail; these same people could also be professional tenants, happy to verify to investigators that a person had indeed lived there for a given period of time and seemed a fine, upstanding individual.)

