Blockchain

Blockchain security isn’t bullet-proof. Here’s how to not get hacked.

Blockchain offers a safer, more transparent way to handle your business data. But what security challenges do you need to overcome?

Art by

sodavekt

Share article

blockchain business vulnerabilities

According to a PwC survey (of 600 business executives in 15 countries,) 84 percent of respondents are actively involved with blockchain. Blockchain is just one example of a distributed ledger technology (DLT), a digital system for recording the transaction of assets (money or data) without a central data store or admin functionality.

More companies are turning to DLTs like blockchain to help streamline their business, improve data transparency and reduce operational costs. From smart contracts that automate secure payments to managing customer interactions, blockchain can improve how we do business.

But, like any emerging technology, new risks and vulnerabilities can cause damage. We’ll get into that, but first, an important distinction.

Public vs. private distributed ledgers

Public ledgers mean an open network which anyone can join and contribute to. They work best for cryptocurrencies, due to anonymity features and allowing transactions across borders. Then there are private or enterprise DLTs. These identify and authorize users and determine their roles. Data is encrypted and only authorized users can operate it. Read more about both here.

Let’s explore private DLTs, which more companies are using for their benefits, from accelerated workflows to authenticating data.

DLTs usher in a new security paradigm. But for business process automation, there are risks to quash.

Joint ventures on blockchain

DLTs are great for joint ventures – notably because they act as both a registry and a financial database for payments and transactions between partners, which are logged and approved by all participants on the blockchain. It’s a trusted, transparent system – everyone authorized has access to data and knows how it’s logged. Essential features are decentralization (for data transparency and trust), scalability (which enables adding new participants to the network) and the use of smart contracts.
blockchain business vulnerabilities
But centralization can create a security risk. Blockchain data is trusted when it’s distributed, so the more nodes (those who have access to the blockchain system, either computer programs or authorized users) that can approve transactions, the more you can trust the data. That’s why deploying blockchain within a single company or organization to secure data doesn’t make much sense as “consensus” comes from a sole authority.

Why one of the most successful enterprise blockchain platforms isn’t as secure as you think

One of the best known enterprise-grade platforms, Hyperledger Fabric, creates consensus using a permission voting algorithm. But how secure is it?

Once the majority of nodes in the blockchain validate the transaction, we reach consensus and finality (a new block or sequence is added to the ledger.) Hyperledger Fabric provides channels – isolated “subnets” of data exchange between specific network members. It’s useful for industrial and manufacturing scenarios where a blockchain may include potential competitors. The separate channels in Hyperledger Fabric can prevent data from being accessible to participants from outside of a designated channel.

But the consensus mechanism could be misconfigured – this might happen at design and deployment stages, often revealed too late to fix easily because, for users, everything seems to be working fine. Then it can’t validate nodes, even for transactions involving many participants across several channels. As a result, the consensus is limited to validators of a single channel who confirm adding the transaction to the blockchain.

Beware of blockchain after a cyberattack

Beware hacked user accounts. During a cyberattack, data could be tampered with and then submitted to the blockchain. For example, let’s say a user is attacked while approving commercial purchase agreements in a joint venture, further executed by a smart contract. If the attacker gets access to the contract, they can tamper with the supplier’s bank account and amount in the contract. The “correct” agreement will then trigger execution of a smart contract, meaning some or all of the money goes to the attacker.

Due to blockchain’s inherent immutability (i.e. it can’t be changed), it’s going to be very difficult (and expensive) to fix the incorrect data. What’s more, if this data gets into smart contracts, the issue will snowball and subsequently cause big problems. In this purchase agreement example, to fix the incorrect transaction, payment needs to be reconciled. But that’s not simple.

They can try to stop and revert a bank transaction, but blockchain can’t undo its immutable records. It will store information that a certain company (blockchain participant) has paid, whereas the supplier has not received the funds. It’s a double loss: companies spent a fortune on the blockchain solution, then get their money stolen.

Blockchain risks for large enterprises and corporate groups

Similar blockchain technologies are used for transactions between banks or groups of banks. As the technologies are the same, they have the same vulnerabilities. This opens wide opportunities for an attacker: having performed a successful attack on one bank, they’re more likely to be more successful and quicker with the same attack on another member of the group.

If just one vulnerability of a single participant is exploited on the blockchain, there’s a huge cybersecurity risk for other participants on the same system, running the risk of a mass leak of sensitive financial or private data across a group.

Blockchain can cause a bottleneck

Blockchain is designed for transactions, so it works well for trading and integrates with financial systems to support the supply of goods, automated pricing and using smart contracts to execute financial transactions.

Smooth running in good times. But blockchain could also be a bottleneck. Lots of transactions are processed simultaneously, which a good platform should process rapidly. But if the system can’t handle the load, it can fail.

Getting blockchain right for your business

There’s no “one size fits all” with blockchain. Right now, given DLTs nascent maturity, it’s difficult to know how well any individual solution will perform. It’s unlikely we’ll soon see a solution that works perfectly straight out of the box. You’ll need to invest in customization to create the right process for your business needs.

These steps can help plan your best-fit blockchain strategy.

The right tools for the job

Consider the process you want blockchain to automate. It should be iterative, involve many parties, and it shouldn’t include data that needs to be modified or deleted. If it doesn’t fit these criteria, blockchain and DLT isn’t the right tech.

Start the journey with small steps

So you decide to launch on blockchain. Like other big IT projects, plan the rollout in stages to test and fine-tune. Keep in mind that DLT is most powerful at handling large-scale processes. You may not get immediate cost savings from a solution for one department, even if it works smoothly, but you can start small to test how it works. Then take the next step – scale to counterparties working with that department. Then get bigger by adding external suppliers.

Even with blockchain, you still need to pay attention to cybersecurity

Blockchain is more secure than many other enterprise data solutions, but it’s not bullet-proof to cyberattacks. You’ll need an endpoint cybersecurity solution on all corporate devices accessing the blockchain, which should be assessed with a third-party cybersecurity provider.

Audit your smart contracts. A vulnerable or inconsistent contract may lead to an expensive problem to fix down the line.

By deploying blockchain, you’re establishing a new IT infrastructure in your organization. A vulnerability could lead to an attack and penetration of your corporate network. So new software and servers need protecting. Always use firewalls and install server cybersecurity tools to run scans, encrypt data and renew licenses. Finally, run a penetration test to reveal weak spots.

All parties in your blockchain must apply the same level of security. Agree on common security policies with participants; it may be tricky due to different security practices but otherwise, your data and systems are at risk.

There’s no doubt; blockchain will revolutionize how companies collaborate for the better. But as with most new techs, pay attention to how you can best protect your data.

Kaspersky Blockchain Security

Kaspersky Blockchain Security, specifically for decentralized environments, ensures your blockchain is protected against all kinds of cyber-threats.

About authors

Business developer with 20 years’ experience around the world, Maxim is the Blockchain Security team lead at Kaspersky. With technical background, Maxim combines engineering and businesses thinking to deliver life-changing technologies to real life’s good