In summary:
Details of SIN checks can be found on pg. 364 of the core rule book
Yes
No, but stealing one isn't a good idea
First, let's look at the SIN Verification Details on pg. 364 of the core rulebook:
Rating 1 - Do you have a SIN?
Rating 2 - Basic redundancy check on the number and vital statistics
Rating 3 - Redundancy check on number and statistics; query for external data attached to SIN
Rating 4 - Verify all vital statistics; external data checked for obvious conflicts; biometric must be present
Rating 5 - Full verification and consistency check; biometrics tested against sample
Rating 6 - All possible verification; multiple biometric samples must match; random supporting data verified externally
Reading the chart above, it appears to me that up to Rating 4 the scan can be considered "automatic". Rating 5 and 6 appear to require input from the runner. Pg. 364 includes:
Biometric data associated with a high-Rating SIN will be from a real person with the same sex and nationality as the purchaser with (if the extra fee is paid) matching organic samples available (blood, skin cells, hair—just don’t ask where they came from).
Essentially, 1–4 take the form of some device that is of unknown size and volume. 5 and 6 likely include some sort of scanner, either retinal, DNA, or all of the above. There is no set form factor, so it's left to our imagination.
The book doesn't mention at all stealing one that I can find, and that makes sense: If you steal someone's commlink, then you likely have their SIN, and can use it when you need (provided you have the technical mojo). But, if you steal a SIN and the person isn't dead, then you'll likely get caught as soon as their SIN history is checked or they recover their SIN from wherever they would do such a thing.
Duplicating a SIN would be an extremely dangerous affair. Remember, a SIN is required for almost every purchase (pg. 363 mentions “Hastily created identities may work if someone just wants to be able to buy a Nuke ’em Burger at the Stuffer Shack”), and chances are a legal SIN will constantly be broadcasted. Suddenly broadcasting the same SIN would immediately rouse suspicion. Essentially, you'd run into the same issue as above.
In most cases these devices would be automatic. I would expect a level 5 or 6 would be found at an extremely exclusive club, the offices of corporate CEO's, or other higher-level places. Level 4 assumes the biometric data is broadcasted along with the SIN (Unrelated to the rating, but “Related information such as biometric data will likely be missing or obviously false if checked (‘Hey, this is the DNA of a chicken ...’).”)
Comment Answers
I see that stealing long-term might not be a good idea, but is there anything against copying it, keeping it secret and then use it for a few seconds while passing an entrance check?
In RAW, not that I've found. I would allow it under most circumstances. It could be a very useful part in breaking into a secure part of a facility, as example. I wouldn't allow it under the more extreme situations that I can't think of.
What kind of roll would you take to determine whether this temporary duplication raises suspicion?
Probably an edge test. I would either allow them to use a point of edge to make it work, or use the difficulty threshold chart to determine what sort of edge test would need to be passed. It should be a hard thing to do, after all. I would give modifiers based on factors like how soon it's been since it was stolen, if anyone was aware it's stolen So, in a situation where a middle manager was walking down the hallway and someone sniffed away the commlink, I would give a +2 or +3 since it's unknown and recent.
Obligatory Disclaimer: Since this isn't RAW it's up to the GM to make the best decision. I've provided my point of view as a GM.
You prevent this by either killing or banishing the spirit before they can act. Killing is usually the prefered method used by most shadowrunners, but is by far the least efficient, unless the entire team can act before the conjurer does, which could happen. The conjurer has to command his spirit and spend one service so they can force/ask the spirit to use a certain power, unlike telling the spirit "Fight them!".
This means that removing services from a spirit, exactly what the Banishing skill does, is the fastest method of getting rid of spirits. It's a contested roll of Banishing + Magic [Astral] against the spirit's Force (normally around 6 dice), and each net hit means one less service for the conjurer to use. You would be surprised at how good this works.
A lot of people will not recommend the Banishing skill (preferring to Stunbolt them), especially if you treat it as secondary to your other skills (and most do), resulting in checks that only net one or two successes, not enough to fully banish the spirit and leading to frustration. But a good (and possibly Edge-fueled) Banishing check can remove the spirit from the game completely in a single action.
If you know what is coming your way and you realize it's a nasty effect (like Fear, Confusion or Compulsion), it's generally a good idea to use your Edge before you make the roll, so you can take advantage of the exploding 6's. Re-rolling should only be done when odds are in your favor, but the dice are not.
Best Answer
You didn't miss anything.
There are no guidelines beyond the 'task difficulty table' on p48, which is about as helpful as nothing at all. The general assumption appears to be that you will only use Cybertechnology or Biotechnology to repair damaged cyberware and maybe bioware? 'Repairing' is the only example given, both in terms of matrix damage and non-matrix damage (a broken car). There are currently no rules or guidelines for upgrading, modifying, or building cyberware or machinery, much less bioware. Biotechnology might as well just be a Knowledge skill as far as game mechanics are concerned. At most an ad-hoc check to manipulate machines in a bioware lab or some such.
There are no explicit rules whatsoever, and no rules you could use to determine the general sphere or extent of those skills' use or reach. Anything you do with them is purely homebrew.