One of the biggest conundrums with blockchain right now is security. A major facet of a public blockchain (i.e., Bitcoin, Ethereum) is it’s decentralized, replicated digital ledger, which is completely visible to the public, but in which transactions are verified and validated for public/private key-holders. This enables complete transparency of all transactions of validated public/private keys.
While highly decentralized public blockchains which have several thousands of miners, such as Bitcoin and Ethereum are very difficult and cost-prohibitive to hack, we have seen successful hacks and cyber-attacks. In fact, if you’ve kept your eyes on blockchain headlines recently, you’ll know about some hacks in the space, namely in the cryptocurrency space.
These hacks occur with wallets, exchanged and applications that reside on top of the blockchain protocol. Often as a result of poor software development practices.
Of late, with the emergence of multi-forked (fork of a fork of Bitcoin, etc.) blockchains that are not nearly as well decentralized as one would need them to be, we have seen successful attacks carried out on these.
So, if blockchain is built to be naturally secure on its own yet the larger ecosystem has vulnerabilities, what does blockchain security really look like and what needs to change?
What Blockchain Security Currently Entails
Despite these weaknesses and vulnerabilities, blockchain security involves some of the most practical ways to protect information and content from being changed once published on a blockchain. In fact, some industry insiders and tech leaders believe that blockchain can make passwords obsolete.
The Blockchain Itself & Public/Private Keys
Remember how the blockchain works? It’s a series of blocks containing information, content or assets that are completely visible to everyone with the ledger, but only accessible for transactions to those who have a special key-pair to access it. It’s like a unbreakable glass box with a tamper-resistant lock.
In theory, this distribution of information is un-hackable, because there is no disputing what’s in the block, and no one can open it without having the key.
Speaking of keys, everyone who uses a blockchain network has a public and private key. The private key verifies that the holder of the corresponding public key sent a message (also known as authentication). The private key is used to decrypt the message encrypted in the message send by the holder of the public key (also known as encryption).
To illustrate this, think of entering a buzz code at a condo. Entering the buzz code dials the tenant and you confirm yourself to them by letting them know who you are, and if they believe you (authentication), you are let in by the host by them unlocking the door. Once you hear the tick, the door unlocks and you walk in (encryption) - you now have access to that person’s suite and it’s clear that you’re a welcomed visitor.
Two-Step Verification & Account Encryption
Cryptocurrency, in particular, relies on “beefed up” login security, namely in the form of two-step verification (two-factor authentication or 2FA), and encrypted digital wallets.
Two-step verification essentially relies on:
1) Initial details such as usernames and passwords;
2) One-time passcodes or other details (secondary to usernames/passwords) to gain access to an account.
Encrypted wallets offer protection to crypto assets which do not come with these codes by default. They protect accounts from keylogging technology that can pick up a user’s password.
Blockchain Servers and Security Modules
This is where things get a little more “techie”. Blockchain networks require a combination of hardware devices and software applications to ensure that private keys and account data are protected.
One component of this are hardware security modules (HSMs). These devices are dedicated to protecting access data, such as digital keys, passwords and more. They are typically stored in a secured area such as a company’s data center which is inaccessible to all but a few people on staff. To go even deeper, these modules are often contained within other hardware for added protection.
As a result, they provide more security than software wallets and exchanges, and are perfect for large-scale enterprises where poor security can have crippling consequences.
The Weak Links in the Blockchain
Of course, blockchain technology is still new, and it will take some time before the industry and its users fully understand its flaws. With that said, there are some threats to a blockchain network, both theoretical and in actuality.
Blockchain Security Vulnerabilities
Network-based attacks - These hacks involve that direct attack on a blockchain network and its infrastructure. Sybil Attacks are theoretical and involve a large number of nodes of one network getting taken over by the same party. This is an attempt to disrupt the network’s activity by flooding it with bad transactions or denying valid ones. A 51% Attack (a.k.a double-spend attack) involves a group of miners who trick cryptocurrency networks in the hopes of secretly reversing transactions made with coins. For example, if you spent five bitcoins on a piece of artwork, a 51% attack would mean reversing the transaction so that you buy your painting but also get your coins back. While 51% attacks are difficult to mount on highly scaled (thousands of decentralized nodes and miners) blockchains such as Bitcoin or Ethererum, some off-shoots such as Bitcoin Gold, Zencash, Verge, and Litecoin Cash have seen successful attacks. Some of these 51% attacks, others have experienced a variance or attacks due to related vulnerabilities. Exchanges have opted to wait for more transaction confirmations (6 to 50 confirmations) to address these, especially as the chains are not as scaled (number of independent mining nodes) as one would want in a decentralized network.
Third-party services with weak security - Blockchain networks exist within an ecosystem created by digital wallets, crypto exchanges, startups and organizations using smart contracts and blockchain payments. Unfortunately, many of these third parties have very weak security which can allow cybercriminals access to an otherwise secure blockchain network.
Loss/Theft of Private & Public Keys - Ultimately, blockchain and cryptocurrency access lives and dies by the key. If an individual loses their key or it gets stolen (i.e., stolen phone), a cyber-criminal now has full access to their victim’s account.
As you can see, what really exposes blockchain to hacks are the services that support its functions and grant its users access. For blockchain security to improve, there need to be stronger protocols in place from third-party organizations with glaring weaknesses.
Blockchains Are Well Fortified, But Not Impenetrable
Ultimately, like anything else man-made, blockchain networks do have their weaknesses. This is more or less noticeable at the user-end, where theft occurs or mismanagement from a certain company takes place.
Nevertheless, the blockchain itself and the security features that support it are among some of the most safeguarded approaches to keeping data away from criminals. Once the outside infrastructure becomes more secure, then the truly fortified nature of blockchain will show.