[BreachExchange] Blockchain’s security weakness lies in the very thing that makes it secure: cryptography

[Audrey McNeil]

https://blogs.lse.ac.uk/businessreview/2019/05/16/blockchains-security-weakness-lies-in-the-very-thing-that-makes-it-secure-cryptography/

Blockchain was originally designed as a technology to support
cryptocurrency, and its use is expanding beyond its financial roots to
benefit organisations across different industries. From enhancing customer
experience in day-to-day trade, finance and cross-border payments, to smart
contracts and IoT security, blockchain is transforming the way companies do
business.

Despite its cryptographic history, organisations should not see blockchain
as a silver bullet when it comes to security. Like all technology, it has
its own weak points and hackers are increasingly manipulating these
weaknesses for their own financial gain.

Unfortunately, the most common weakness in blockchain security lies in the
very thing that makes it secure, namely cryptography. Blockchain is open to
abuse if the keys aren’t secured. Since the inception of key-based
encryption, cyber criminals have been using a host of methods, such as
brute force attacks and phishing and social engineering, to get hold of
information about private keys from their owners. One of the most notable
examples of this resulted in the theft of over $500 million from a Japanese
cryptocurrency exchange. It has become so common place that there are even
scores of videos on sites like YouTube that provide step-by-step
instructions on how to hack private keys.

Given the high-value financial and safety-critical nature of some proposed
blockchain use cases, it is imperative that nothing alters data prior to
its placement on the blockchain. While multi-signature features will
enhance levels of security by introducing additional distributed keys for
recovery and authentication of transaction, they still rely on the use of
original keys that could be vulnerable to attack. Therefore,
multi-signature cannot be used alone and relied upon for exclusive
security. This doesn’t mean blockchain should be abandoned; businesses just
need to layer additional security, such as tokenisation, on top.

Tokenisation

Initially developed for the financial services sector, tokenisation is a
highly secure means of protecting account-based transactions. It works by
replacing sensitive information with unique randomly generated alphanumeric
numbers known as tokens. An individual’s primary account number, for
example, would be replaced with a token, which is then used for an
individual transaction. For each subsequent transaction, a new token is
generated and used.

Because tokens have no value outside of the specific transaction they are
used for, they make an ideal choice for systems where individuals want to
minimise the potential exposure or manipulation of sensitive data.

How blockchain and tokenisation can work together

To vastly improve the security of blockchain, the addition of tokenisation
will provide a bank-grade, combined solution that can be used regardless of
industry or use case.

Unlike the private keys used to authorise blockchain transactions, tokens
cannot be used by a third party to conduct transactions if intercepted. By
replacing sensitive private keys with a limited use token that can include
domain controls for device or channel, tokenisation mitigates fraud risk
and protects the underlying value of credentials.

When applied together, blockchain can help to protect the integrity of
data-related records showing the transaction process that the token was
involved in, while tokenisation can be used to protect credentials, and
allow user domain controls to control where and how they may be used. This
combination could be used to keep the most sensitive of data, including all
forms of personal data from account details to patient IDs and social
security numbers inherently secure.

Looking ahead

In the same way cryptocurrencies aren’t going away any time soon,
blockchain is here to stay. The current generation of businesses being
built on, and around the blockchain are beginning to adopt the necessary
technologies and processes, such as multi-signature transactions, and
tokenisation to improve the levels of security that consumers expect for a
tradable commodity.

However, if businesses truly want to benefit from this technology, better
levels of security must be applied by all, not just the few. Once this
secure ecosystem is in place, the speed and flexibility of having assets on
blockchain is going to transform many types of transactions, and it’s only
when this happens that we will start to see wider adoption of blockchain
across businesses and entire industries building operations on the
blockchain.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20190516/61559c1e/attachment.html>