Blockchain technology is often suggested as an answer to the financial world's security problems. Banks on the Swift network are being hacked? Put those international wire-transfer instructions on a blockchain. Card-not-present fraud is up? Well then, merchants should just let people pay with bitcoin. Problem solved.But is it? As recent events have shown, blockchain technology is vulnerable to security problems, too.
In August hackers stole $72 million worth of bitcoin from accounts at the Hong Kong cryptocurrency exchange Bitfinex.
In June $55 million worth of ether was stolen through a smart contract created by The DAO and executed on the Ethereum network.
It all raises questions about the extent to which blockchain can cure security ills.
There is some validity to the idea that blockchain technology will solve security problems in banking, experts say. The blockchain is a distributed file system where participants keep copies of the file and agree on changes by consensus. The file is composed of blocks, and each block includes a cryptographic signature of the previous block, creating an immutable record. The network verifies the integrity of the transactions.
"Nobody's been able to hack into the bitcoin blockchain and steal bitcoins," said Richard Johnson, vice president of Greenwich Associates. "In that sense, the blockchain itself is very secure. It has very strong cryptography securing it."
In a report released Wednesday, Johnson pointed out that for assets digitized on the blockchain, cryptography is used to identify and secure ownership of the asset. "Nobody can steal or copy the digital asset unless they have the secret code or private key that unlocks the cryptographic protection on the asset," the report said.
Cameron Camp, a researcher at the security software company ESET, noted that those private keys are generally hard to get because most people use secure software called "wallets" to keep their digital currency and private keys safe.
"When bitcoin first came out, since it was anonymous cryptocurrency, once you stole [what was in] someone's wallet, you could make transactions as if you were them and there was no way to verify it," Camp said. "That's where a lot of the beginnings of fraud started. Subsequently, a whole secondary industry popped up for protecting the wallet."
So-called multisignature wallets — wallet software that requires multiple users to sign a transaction before it can be executed on a blockchain — provide added protection, Johnson pointed out. "There are different configurations you can have, but generally you would need two out of three signatories or passwords to open the wallets, which is an extra level of security," Johnson said.
Another option for storing cryptocurrency assets and private keys is cold storage — locking them up in a USB drive or computer that is not connected to the internet. That strategy is impractical.
"It's very secure, but when you're applying this to financial markets, and you want to do trades and move digital assets around multiple times a day, it's not very straightforward having to take the computer out and get private keys off cold storage," Johnson said.
So What Could Go Wrong?
Anything can be hacked. If someone chooses to save their bitcoin and private keys on an internet-connected computer or a sticky note, they can be stolen. And once private keys are stolen, it does not matter how secure the blockchain itself is.
"Blockchain isn't a panacea for security concerns people have," said Microsoft Azure's chief technology officer, Mark Russinovich, who is one of the overseers of Microsoft's blockchain-as-a-service offering. "The high-profile breaches of blockchain exchanges show that blockchain participants and their access to the blockchain represent a point of concern, and any place where there's aggregation happening, like an exchange, could be compromised by a security incident."
In the Bitfinex hack, at least two private keys stored in a multisignature wallet hosted by BitGo were compromised, Johnson said.
"Bitfinex is a lesson to the banks and blockchain tech companies," he said. "Now we're building solutions that have the same weaknesses and vulnerabilities around securing passwords that exist in some bank systems."
In a statement released Wednesday, the exchange said the hack is still being investigated by Ledger Labs, a technology company that it hired. But it offered a few details on what it has learned so far.
"The key security breach, which allowed the amount of bitcoins released by BitGo to be increased without BitGo realizing it or alerting us, has been squarely addressed," the statement said. "We have currently suspended use of the BitGo segregated multi-signature wallet solution and have re-implemented robust and safe multisignature cold storage procedures, with minimal coins exposed on our hot wallet. We are reassessing our storage options, both internally and with potential third-party, multisig vendors."
Another issue, Johnson said, is that most people use bitcoins at exchanges and trust the exchange will look after them.
"You're putting a lot of trust in these exchanges having the right security protocols," he said.
Many exchanges are not fully regulated entities. They cannot offer federal deposit insurance on digital currencies. Some have not protected users' interests well at all.
In the case of the Ethereum cyberattack, it was a smart contract — a legally binding agreement translated into software code — that was breached.
Smart contracts have to be written, tested and deployed in a well-defined process, Johnson said. They need to have strong controls around them.
Regulators agree. The Commodity Futures Trading Commission has proposed Regulation AT, which would require Wall Street firms to apply controls to any smart contracts they use in trading. For instance, under the proposed rules they would have to keep a copy of the code for these smart contracts.
And the industry is responding. The Chamber of Digital Commerce, an advocacy group and trade organization, has set up a Smart Contracts Alliance, a working group of companies that build smart contracts. It will come up with a set of best practices, "which is exactly what this industry needs," Johnson said.
Bankers and technology executives polled in a survey Greenwich Associates released Wednesday expressed anxiety over the security and confidentiality of blockchain technology, even as several are moving blockchain projects into production.
Fifty-six percent said they were worried about transaction confidentiality, 52% were concerned about securing private keys, and 23% had qualms about the strength of cryptographic algorithms used in transactions.
Should they be so worried?
"Absolutely," Johnson said. "This study was done before the Ethereum and Bitfinex hacks. It's a very fast-moving space. The notion of securing private keys or securing digital assets will be increasing in importance in their minds."
The focus on transaction confidentiality shows banks are uncomfortable with the idea that each participant on a blockchain can see details of every transaction.
"It's not so much security in the sense of someone breaking in and stealing stuff," Johnson said. "It's more about a bank wanting to keep its proprietary trade information to itself, as opposed to having it recorded for the public."
It seems they would rather have a dark pool than a transparent blockchain. These and other security vulnerabilities will be worked on by smart people. But at the moment, it seems a little too early to declare blockchain technology a definitive security solution.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.