How Blockchain's Inherent Security Vulnerability is Costing Companies
By Lior Lamesh, CEO of GK8
Since its inception, blockchain has been hailed as a generally safer way to carry out financial transactions, and it is. There’s no question that distributed ledger technology, which requires consensus among a large number of parties to approve every transaction, offers a level of security in financial transactions that didn’t exist prior to Bitcoin’s debut, as well as greater efficiency, effectiveness, and cost-effectiveness than current IT systems.
Nevertheless, blockchain does have vulnerabilities that need to be addressed, which largely stem from the endpoints using wallets to create and sign transactions before they are sent to the blockchain. These wallets are prime targets for hackers. What’s the point of using the secure blockchain if the applications allowing people to communicate the transactions are vulnerable?
In early 2019, Ethereum Classic (ETC), one of the cryptocurrencies people can buy and sell on Coinbase’s popular exchange platform, faced a sophisticated cyber attack. A hacker gained control of more than half of the network’s computing power and was using it to rewrite the transaction history, almost pulling off a $1.1 million theft of Ethereum Classic from other users. Among other hacks that took place at the time, the ETC attack was a turning point in cryptocurrency history, and the media headlines that followed reflected that reality.
“Once hailed as unhackable, blockchains are now getting hacked,” was one such title, featured prominently on MIT Technology Review a month after the attack. Analysts everywhere were beginning to reconsider whether distributed ledger technology is really as safe as its acolytes claim.
Interestingly enough, Coinbase caught the attack in time to warn the ETC community and prevent hackers from stealing any funds from its users. It’s lucky the San Francisco-based exchange, whose record of trust and top-notch security has earned it a reputation for being a sort of crypto exchange standard bearer, caught on when it did. Among other hacks that took place at the time, the ETC attack was a turning point in blockchain history, exposing the importance of engineering blockchain in a way that leverages its security advantages and avoids the compromising of its network. While the initial headlines about the hack were nightmarish, Coinbase staved off what could have been a much worse PR catastrophe.
That doesn’t mean its users have always been safe.
While tremendously difficult to hack a blockchain -- it’s a process that requires a single miner to gain control of more than 50 percent of the network’s computing capacity -- it is quite simple for even less sophisticated hackers to hack the wallets that facilitate transactions over the blockchain. And, as has been documented, such attacks on Coinbase users, including, as reported by Fortune, tech CEOs and blockchain proponents, have been subject to successful hacks of their accounts.
The method of targeting endpoints, as opposed to entire blockchains, reached new heights in May 2019 when hackers stole $40 million worth of Bitcoin from Binance exchange during a single transaction, in an enormous security breach that rattled the crypto world. The transaction was limited to Binance’s BTC hot wallet, which contains about 2 percent of the company’s Bitcoin holdings. But not only hot wallets are at risk of being compromised by bad actors. Most crypto wallets on today’s market, including cold wallets, are connected to the internet at some point and are therefore totally hackable. Every wallet can be breached, given the right return on investment for the attacking party.
That vulnerability is costing companies. Approximately $4.26 billion in digital assets have been stolen in the first six months of 2019 alone, mostly from exchanges. Blockchain’s endpoint vulnerability must be addressed if companies are to prevent such burdensome and needless financial loss, as hackers are only becoming more sophisticated. Furthermore, the damage inflicted by a cyber attack is far from only financial. The collateral damage inflicted includes reputation damage and the time it takes to restore trust, as well as the shutdown time required to pin-point the vulnerability during the attack.
A report published at the close of 2019 by Akamai, one of the biggest names in cybersecurity, predicts many more weaponized cyber attacks going into 2020. An overlap between criminal developers and nation-state actors creates a very dangerous reality for all financial institutions in the new decade, creating an abundance of zero-day tools for targeting specific organizations.
But we mustn't let them succeed. During medieval times, a castle’s weakest point was its drawbridge because it was built as a point of entry, and a point of entry is more vulnerable than a 40-ft. stone wall manned with archers. So the lords and kings of the time found innovative ways to defend their drawbridges, with moats, traps, and other devices. It’s high time for companies and crypto exchanges to defend their own weak points from attacks. Blockchain as a database is secure, sure. Let’s make sure blockchain as a service is, too.
About Lior: Lior Lamesh is the Co-founder and CEO of GK8, a cybersecurity company that offers high-security custodian technology for managing and safeguarding digital assets. Lior gained his expertise in cybersecurity while serving in an elite team that answered directly to the Israeli Prime Minister’s Office on matters of strategic state assets protection.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.