‘Be aware of the potential risks of blockchain, not least where humans interact’
Secure but not invulnerable, blockchain is only as secure as the humans who use it
Owen Lewis: “To achieve the most value from blockchain, both now and in the future, organisations must take responsibility for its safety and security”
When it comes to secure technologies you won’t find anything better than blockchain. It’s immutable, meaning that once a record is created it can’t be deleted or altered, and the cryptography used makes it all but impervious to hacking.
Unfortunately, that’s a bit like saying a lock is unpickable but leaving the key under the mat in front of it. Nothing is completely secure where there is human involvement.
“Organisations need to proceed with their eyes wide open and be aware of the potential risks and weaknesses of blockchain, not least those which exist at the end points of the network where humans interact on a broad landscape of devices that may be open potentially to private key theft or other unlawful compromise,” says Owen Lewis, KPMG management consulting partner.
Antonio Senatore is chief technology officer with the Deloitte EMEA Blockchain Lab. He explains that blockchain actually gets more secure as the size of the network using it grows. “The larger the network the more difficult it is to break,” he says. “Smaller networks can be more vulnerable.”
That would allow them to spend their coins on something like a new Ferrari and then reverse the transaction when the Ferrari was delivered
This is due to a means that cybercriminals have found to compromise cryptocurrency exchanges known as double spend or force the network attacks. Also known as a 51 per cent attack, it involves members of a blockchain network trying to spend their cryptocurrency units or coins twice.
This works by a member of the network managing to take control of more than 50 per cent of a network’s computing. They use this power to prevent transactions being verified by the network. That would allow them to spend their coins on something like a new Ferrari and then reverse the transaction as soon as the Ferrari has been delivered.
As far as the network is concerned the coins used have never existed while the corrupt network member, or miner as they are known, still has their original coins in their possession. Of course, the transaction with the Ferrari dealer still exists.
Senatore explains that these sorts of attacks are confined to the smaller coin exchanges as they are expensive to carry out. Large networks like Bitcoin are therefore relatively safe.
“There is another aspect,” he adds. “No attack goes unnoticed. You can see a double spend.”
The underlying blockchain is still secure. In fact, Senatore says it should be viewed as a cybersecurity tool. “It is a way to keep up with the criminals. It is a way to understand if someone is corrupt. But a lot of work needs to be done on entry points. Different websites have been hacked but it is the website, not the underlying blockchain or ledger that has been vulnerable. It’s a people problem rather than a technology problem. Exchanges have been hacked, but it has been the exchange not the blockchain. If a criminal stole someone’s digital key, they would have a way in.”
This is very important, says Kevin Curran, prof of cyber security at Ulster University. “In the wider scheme of things people lose wallets all the time”, he points out. “And they can lose keys to blockchain information. What we have is a very good system but people have to know how to secure it.”
He refers to the ZenCash hack in 2018 as one example of a smaller network which fell prey to a 51 per cent attack. In that instance, a hacker managed to gain majority control for four hours and double spent 23,000 coins worth approximately half a million dollars. It was estimated at the time that the cost to the attacker was just $30,000.
Cristina Carrascosa Cobos, blockchain counsel at law firm Pinsent Masons, stresses that the underlying security of the technology is not in question. “Blockchain technology, at its core, is inherently resilient to integrity attacks,”she says. “If you take Bitcoin’s underlying blockchain, the level of distribution and decentralisation it has achieved makes it almost impossible for cybercriminals to attempt any sort of distributed denial of service (DDOS) attack.”
It is quite expensive to take control of a big part of the system in order to corrupt or attack it
This is in stark contrast to networks which don’t employ blockchain and which have been subject to very frequent DDOS attacks in recent years.
“Of course, when measuring how safe blockchain is, one compares it to other technologies and one of the most important variables is how easy and costless it is to provoke a single point of failure,” she adds. “As blockchain is distributed and there is no central administrator it makes it impossible for a single point of failure to occur and it is quite expensive to take control of a big part of the system in order to corrupt or attack it.”
Added to this is the asymmetric encryption blockchain uses to secure data, with public-private keys to encrypt it. “It is this combination of distribution, decentralisation and cryptography that makes blockchain a very secure technology when it comes to data integrity,” she says. “As a matter of fact, even though there has been several 51 per cent attacks to some blockchains due to their lack of decentralisation, these should not really count as integrity issues as they have been motivated more by code and functional discrepancies in the code, rather than cybercriminal intentions.”
In other words, it is easier for a group of coders in a blockchain community to agree upon a certain course of action, which is not actually an attack, than it is for a group of criminals to get hold of a majority of the computing power in a network.
The fact that such internal vulnerabilities exist is a cause for caution, according to KPMG’s Lewis. “There is no doubt that blockchain makes for an exciting value proposition,” he says. “Yet, organisations should not jump blindly into blockchain implementations, or move from use cases to production without having a holistic picture of the risks. To achieve the most value from blockchain, both now and in the future, organisations must take responsibility for its safety and security. By conducting a blockchain risk assessment and addressing key risks, organisations can make sure they are well positioned to leverage the efficiencies and cost-effectiveness provided by blockchain without opening themselves up to unexpected risks.”