Blockchain – magic technology or dark threat?

Blockchain technology is fascinating, and even the more conservative firms regard it as a game-changer. The main arguments for the relevance of the technology are the decentralized approach, the possibility to store transactions irreversibly, and the possibility to link transactions with programming code to make “smart contracts”. But is the technology really as secure as the public debate seems to think? Dr Michael Kreutzer from the FinTech & Cybersecurity Hub Frankfurt/Darmstadt flags up the weak points in the blockchain ecosystem.

Blockchain – secure and transparent?

Buying, paying, sending money: blockchain technology aims not only to make all of that quicker and easier but – in particular – more secure. Blockchain is transforming not only the financial world, but also the energy sector, logistics and supply chains. The technology really does offer quite a few advantages. The two most important ones are transparency and decentralization. To stick with the financial example: every transaction conducted using blockchain is documented and can be viewed in a logbook. And this logbook is not held and administered centrally – as would be the case in a bank – but is stored on a large number of computers. The logbook cannot simply be altered in front of everyone, because it is confirmed by the majority of participants, and as time goes on the previous transactions become more and more cemented by their position further back in the chain. The storing of new transactions in a block is linked up cryptographically with all the previous transactions – hence the name, blockchain. Despite this, there are ways to trick the technology.
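
The cryptographic linking described above can be shown in a few lines. The following is an added example, not code from the article or from any real blockchain; the block layout, function names and sample transfers are assumptions made for illustration, and consensus among participants (for example proof of work) is left out. It shows why changing an old entry forces every later block to be recomputed, and why the rewritten logbook still ends in a different hash from the one the other participants hold.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(index, prev, txs):
    # The hash covers the previous block's hash: this is the "link" in the chain.
    body = json.dumps({"index": index, "prev": prev, "tx": txs}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(batches):
    chain, prev = [], GENESIS
    for i, txs in enumerate(batches):
        digest = block_hash(i, prev, txs)
        chain.append({"index": i, "prev": prev, "tx": txs, "hash": digest})
        prev = digest
    return chain

def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or block_hash(b["index"], b["prev"], b["tx"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None

def alter(chain, index, txs, rehash=0):
    """Copy the chain, replace one block's transactions, recompute `rehash` blocks."""
    forged = copy.deepcopy(chain)
    forged[index]["tx"] = txs
    for b in forged[index:index + rehash]:
        if b["index"] > 0:
            b["prev"] = forged[b["index"] - 1]["hash"]
        b["hash"] = block_hash(b["index"], b["prev"], b["tx"])
    return forged

# Constructed sample data: four blocks of made-up transfers.
SAMPLE = [[{"from": "alice", "to": "bob", "amount": n}] for n in (5, 7, 2, 9)]
FORGED_TX = [{"from": "alice", "to": "mallory", "amount": 500}]

if __name__ == "__main__":
    honest = build_chain(SAMPLE)
    print(first_invalid(alter(honest, 1, FORGED_TX)))            # stale hash on block 1
    print(first_invalid(alter(honest, 1, FORGED_TX, rehash=1)))  # block 2 no longer links
    full = alter(honest, 1, FORGED_TX, rehash=3)                 # rewrite blocks 1..3
    print(first_invalid(full), full[-1]["hash"] == honest[-1]["hash"])
```

The fully rewritten copy is internally consistent, so the hash link alone does not stop a rewrite; it is the comparison with the copies confirmed by the majority of participants that exposes it.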

Weak points and vulnerabilities due to bad programming

The simplest error is obvious, but is often overlooked: like all programs, blockchain and the related applications – e.g. the wallets in which cryptocurrencies like Bitcoin are collected – are programmed by human beings. Human beings make mistakes. And that offers hackers a way in. So the security of a blockchain and its applications depends on the quality of the programming.

Suddenly, the decentralization becomes a problem for security: the fact that installing a patch involves a lot of coordination between the participants can give attackers time to do their worst. The same applies to the cryptographic mechanisms used. Cryptographic procedures which might be secure on the basis of today’s technology can be insecure tomorrow. If it is difficult or even impossible to change procedures, the security of blockchain as a whole is at risk.

Blockchain isn’t secure enough

As I have said, blockchain does not function as an isolated system, but is linked to external applications and platforms. Last year’s theft from the NiceHash mining marketplace attracted a lot of publicity. The hack didn’t target the blockchain technology, just the provider’s website. The hackers were able to empty the users’ accounts. The actual amount of damage was never made clear, but it could be above ten million.

Another popular target for cryptocurrency hackers is the users’ wallets. Not all of these are stored on servers in secure online systems, meaning that they can be manipulated or stolen. Attackers use Trojans, specially prepared websites and apps, and sophisticated email phishing attacks to get their malware out. And that brings us to the next target: the person using the system.

Taking advantage of people’s lack of experience

Many people can’t cope with the new technology and the security rules they need to observe. Attackers take advantage of their inexperience. A current example is IOTA. IOTA stands for Internet of Things and Tangle. Like Bitcoin, it is a cryptocurrency which needs to be kept in wallets. (IOTA itself uses highly promising technologies, but is not blockchain-based.) To join IOTA, the users currently still need to do a lot of things themselves, including the creation of the seed, the private key for the wallet. Clever hackers offer “online seed generators” – giving them their own copy of the private key. The attackers coordinated the timing of their attack, and according to press reports, even the rescue attempts by the “light side of the force” met with massive counterattacks.

And of course, you can lose your cryptomoney without being hacked: if you forget your password or lose your hard drive, you can’t simply go to a bank with your passport to identify yourself. In the case of Bitcoin, as with other cryptocurrencies, if you lose your private key, you can forget your coins. If they are stolen, no-one is liable, and no bank will make good your loss. Finally, let me say that blockchain is an up-and-coming technology, and it has the potential to transform a lot of sectors – as long as sufficient attention is paid to protecting cybersecurity and privacy.

About the author:
Dr.-Ing. Michael Kreutzer is in charge of strategic industrial relations at the Fraunhofer Institute for Secure Information Technology (SIT). Before that, he coordinated Darmstadt’s IT security research centres (DZI, CASED, EC SPRIDE and CRISP). He has been publishing research work on IT security and technical privacy protection for more than 20 years.

This article was first published by Business Insider.