Closing the security gap at the point of access to secure Blockchain

By Mike Lynch, Chief Strategy Officer, InAuth.

  • 7 years ago Posted in
Pick up any publication aimed at cybersecurity, payments, financial services or financial technology and more often than not, two topics dominate the headlines: blockchain and fraud.

While experts in the payments industry opine about the possibilities afforded by an anonymous and transparent distributed ledger technology (DLT) that eliminates third-party intermediaries from all types of peer-to-peer transactions, one thing is certain: In order to be widely accepted and used by the public at-large, it must offer assurances and protections akin to what all parties expect in the current transactional ecosystem.

For this reason, many current academic discussions regarding blockchain are focused on fraud.  As with any emerging technology, fraudsters are hard at work looking for ways to capitalize on security loopholes using techniques like identity compromise, as well as ways to bypass authentication using fraud tools, malware and malicious apps.

Much of the security buzz around blockchain revolves around the potential for it to eliminate fraud altogether; however, those discussions focus on the security and transparency of the ledger itself, failing to take a holistic view that includes who conducts those transactions and how they are conducted.

A recent paper by SWIFT and Accenture investigating how distributed ledger technologies (such as blockchain) can be used by the financial services industry (SWIFT on Distributed Ledger Technologies - Delivering an Industry Standard Platform Through Community Collaboration, April 2016) found a number of critical factors that need to be addressed before industry-wide adoption of DLTs, including building an identity framework – the ability to identify parties involved in transactions to ensure accountability and non-repudiation of transactions – and security and cyber defense – the  ability to detect, prevent and resist cyber-attacks, which are growing in number and sophistication.

For a transaction to be trusted — whether the person is accessing the blockchain to make a transaction in the ledger, or making an online purchase paid for using Bitcoins — there needs to be a strong understanding that the person involved in the transaction is the person authorized to perform it.  There also must be validation that the device itself is “clean” and doesn’t contain malware or crimeware.

While many enterprises may be watering at the mouth at the prospect of greatly reduced or eliminated fraud related to their payments and transaction networks, it will remain of the utmost importance for firms to ensure transactional trust by implementing sophisticated device intelligence solutions that leverage multi-factor authentication (MFA) to determine the riskiness or trustworthiness of the device.

Multi-factor authentication leverages various identifying elements to prove that the person doing the transaction is who they claim to be. These forms of proof can be something the person knows (password), something the person possesses (private key and device), or is intrinsic to them (fingerprint).  Combining at least two or more of these elements is considered MFA, but more factors can be incorporated to lower the risk of fraud. By instituting MFA as part of an enterprise’s consumer trust and risk mitigation strategy, the enterprise can reduce the likelihood of fraudulent access to the ledger by means of stolen identity.


Growing Focus on Biometrics

Of growing importance in the face of blockchain’s proliferation is biometrics. In a post for cointelegraph.com (March 2, 2016), Julia Daimio writes that both blockchain and biometrics “…are working in the same direction - securing the safety of monetary transactions in cyberspace. That is exactly why, (sic) the idea of combining these two technologies is hardly fringe.”

Biometrics are inherently more secure (answering the “something the user is” test of MFA) and offer a greatly enhanced user experience over passwords. Still, firms should not rely on biometrics alone to secure transactions.

While expert opinions again differ on just how strong biometrics are as defense measure, most can agree that biometrics alone are not 100 percent fool-proof. In the same cointelegraph.com post, world-famous security systems expert, Andreas M. Antonopoulos, states that there are several weaknesses inherent in biometrics, including the immutability itself of the biometric – once stolen, it cannot by changed and reissued.

The potential to exploit weaknesses in biometrics alone only serves to underscore and validate the soundness of a true MFA strategy that includes protecting digital transactions by securing the device (mobile phone, PC, tablet, etc.) being used as the access point to enter the blockchain to conduct legitimate – or fraudulent – business to reduce/eliminate fraud and secure the public’s trust and comfort with blockchain. 

Blockchain and other DLTs offer a world of possibilities for disruption – from digitizing assets and democratizing the global financial system to eliminating intermediaries from a whole host of legal and financial transactions – but enterprises considering both the possibilities and risks to their operations must stay one-step ahead of fraudsters who exhibit limitless endurance for finding ways to exploit security loopholes within emerging technologies.

 

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.