Is Blockchain Technology Really Secure?
By Alexandr Khomich, CEO at Andersen
Blockchain is considered one of the most secure technologies for storing and transmitting data. With an average of more than 1,200 cyberattacks per year, the maximum number of cryptocurrency exchange hacks has been 12 so far. What is blockchain security? Is the technology reliable?
A brief insight into blockchain
Blockchain is a decentralized architecture for building databases. It can also serve as a secure, limitless log for storing transactions (financial operations or records of everything that has value). The database is stored not on a common server but on millions of computers (nodes).
There are two types of participants in a blockchain network:
– validators (miners) who check the validity of data;
– users who initiate operations recorded in a blockchain as transactions.
Validators create new blocks from accumulated transactions. The number of accumulated records to form a block depends on the type of blockchain. At the start of technology development, one block could contain about 500 transactions. A new block is encrypted with a cryptographic hash. It joins a chain through mining.
Each block contains a header, a list of transactions, a unique hash, the hash of the previous “parent” block, the date and time of creation, and other data. If the parent block changes, its hash and the hash of the child block also change. Thus, a cascade effect protects the network from hacks. To break a blockchain, you need to gain access to each link in the chain. This is impossible without a high-end computer.
Transactions in a block are shared between network participants, so it is difficult to change or fake data. This would mean hacking 51% of node computers, and there can be millions of them in a blockchain network. A consensus mechanism spares each network user from manually verifying data authenticity. This algorithm keeps track of whether a transaction is correct and whether network participants follow the security rules.
The essence of blockchain security
The three pillars of blockchain security are:
– decentralization;
– cryptographic encryption;
– consensus mechanism.
A blockchain cannot be completely invulnerable, but decentralization provides a powerful defense. The network is distributed, so many people participate in it. They check each other’s actions, which prevents unscrupulous participants from hacking the system. To get hold of blocks, a hacker must gain access to more than 50% of the computers. Hacking hundreds of thousands of devices at the same time is extremely difficult.
Cryptography converts block transactions into a hash function. A hash is generated randomly using a special algorithm and is related to the hash of a parent block. Therefore, when an attacker wants to hack a blockchain, they need not only to decrypt hashes connected in a cascade but also to make changes to all blocks. For example, there are four blocks in a chain. Transactions in the last one will be confirmed once while the records in the first one will be confirmed four times. With millions of blocks in a network, it is almost impossible to change records and recalculate hashes. One needs huge computing power to perform such an operation.
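The parent-hash cascade described in this paragraph and in the block layout above can be checked in a few lines. The following is an added example, not code from the article: it uses plain SHA-256 with no mining, so re-hashing is cheap here, and the field names, timestamps and transactions are constructed for illustration.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder parent for the first block

def block_hash(block):
    """SHA-256 over the block's fields, excluding the stored hash itself."""
    body = {k: block[k] for k in ("index", "timestamp", "transactions", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_chain(batches):
    """Link one block per transaction batch to its parent's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = {"index": i, "timestamp": 1700000000 + 600 * i,  # constructed times
                 "transactions": list(txs), "prev_hash": prev}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain

def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for b in chain:
        if b["prev_hash"] != prev or block_hash(b) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None

def reseal(chain, start, stop):
    """Recompute links and hashes for blocks [start, stop); count changed hashes."""
    changed = 0
    for b in chain[start:stop]:
        b["prev_hash"] = chain[b["index"] - 1]["hash"] if b["index"] else GENESIS_PREV
        new = block_hash(b)
        changed += new != b["hash"]
        b["hash"] = new
    return changed

if __name__ == "__main__":
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"],
                         ["carol->dave:1"], ["dave->alice:3"]])  # constructed sample
    trusted_tip = chain[-1]["hash"]              # what an honest node remembers
    chain[1]["transactions"][0] = "bob->carol:200"
    print("edited block detected at", first_invalid(chain))
    reseal(chain, 1, 2)                          # fix only the edited block
    print("child link now broken at", first_invalid(chain))
    print("descendants re-hashed:", reseal(chain, 2, 4))
    print("tip still matches honest tip:", chain[-1]["hash"] == trusted_tip)
```

Even after every descendant is re-hashed, the rewritten chain ends in a different tip hash than the one honest nodes hold, which is what lets them reject it.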
Consensus maintains trust between network members who do not know each other. A protocol contains the rules for the behavior of blockchain participants. It ensures that each new block is genuine and consistent between nodes in the network. Thus, the consensus mechanism keeps track of any attempts to falsify data, delete it, or play the “double-spending” trick.
Security of public and private blockchains
Blockchain networks are divided into public and private ones depending on network participants who have access to data. They have different security mechanisms.
A public blockchain is an open network that anyone can join by reading the protocol. No special invitation is required to participate. Transactions are public and nodes are peers. After verification, data is written into blocks, and it is no longer possible to change them. For example, the Ethereum platform is a public blockchain. To join the network, you need to open a crypto wallet, buy ETH coins and transfer them to it. Public keys provide security, and there are no additional methods of control and identification.
A private blockchain is a non-traditional representation of network operation, with “centralized decentralization”. Such a blockchain belongs to a certain organization, and representatives of the company can invite someone to participate in it. Participants cannot act without permission to read, write, or verify the blockchain. Only privileged members verify transactions and keep a log. Personal identification and other access control mechanisms are needed in a private network.
As a rule, a private network is more secure than a public one. The choice of blockchain depends on the goals of software development.
How scammers attack blockchains
Despite strong protection, blockchain technology has certain vulnerabilities. According to SelfKey analytics, hackers are finding more sophisticated ways to hack blockchains. In 2011, two cryptocurrency exchange hacks were recorded. In comparison, the number of incidents increased by 6 times in 2020. In addition, cyber-attacks constitute 15-25% of the total number of all types of attacks.
Attackers use four main methods of hacking: phishing, routing, Sybil attacks, and 51% attacks.
Phishing: weak link attacks
Phishing is the number one cause of cybercrime. No matter how strong a system is, there is always a weak link in it. For example, it can be a gullible person who opens phishing emails and clicks on dubious links.
Hackers send emails with fake tokens or crypto wallet keys that look legitimate. One must enter personal data to follow a link. Having obtained user data, scammers gain access to crypto wallets and a blockchain network. The latest high-profile case of this kind was the compromise of bZx’s wallet when $55 million was stolen.
Routing attacks: “hijacking” of digital currency
The operation of a blockchain network can be interrupted through the Internet routing infrastructure. Hackers take advantage of this by trying to intercept data as it is being transmitted by an ISP. In brief, an attack goes like this. An attacker divides a network into several components, blocking communication between nodes and creating parallel blockchains. After an attack, the mined blocks are discarded, and the scammer receives confidential data and currency.
Sybil attacks and 51% attacks: capturing numerous nodes
Other attackers try to manipulate a network by creating many accounts or nodes as one person (Sybil attacks). By creating pseudo-identities, hackers seek to capture the majority of votes. This way they can control nodes, collect information, and create fake nodes. Typically, such actions lead to a 51% attack: hackers control most of the network’s processing power or hash rate. And this is a direct way of obtaining the participants’ data.
How to maintain blockchain security?
To protect a blockchain application from possible risks, a business must ensure security at all levels of the technology stack. It is important to develop a comprehensive solution including traditional mechanisms and unique blockchain security methods:
– set up identity and access management;
– ensure secure communication on the Internet (web application firewall, DDoS protection, advanced bot protection);
– secure an API for API-based transactions;
– control access in smart contracts;
– implement multi-factor authentication;
– store private keys of participants in HSM devices;
– choose the right consensus mechanism;
– try not to follow links in suspicious emails.
Contact a cybersecurity specialist who will help you develop a secure solution to protect your blockchain platform. They will monitor the corporate blockchain infrastructure, evaluate the state of nodes, and respond to suspicious activities on the network.
Although blockchain is a secure technology, it is not 100% secure. It is reliable compared to other databases but has its vulnerabilities. By using the right blockchain security tactics, you can minimize their impact.
About the Author
My name is Alexandr Khomich, and I am the CEO of Andersen, a software development company. Since 2007, I have led my company in every part of its growth: management, security, marketing, and finance. I have significant experience in generating actionable insights from large-scale data sets and enjoy working on complex problems with little direction requiring planning, critical thinking, and unique insights to solve.