How To Avoid Blockchain Pitfalls
Fri, 07/03/2020 – 10:08
Blockchain has been one of the most-talked-about technologies in recent years. IDC estimates spending on blockchain will rise from $2.9 billion in 2019 to $12.4 billion in 2022.
People see blockchain opportunities everywhere. That long list includes banking, connected cars, food safety, healthcare, identity, insurance, smart contracts and more. The thinking is that anything requiring preservation of the integrity of a record could benefit from blockchain.
But while blockchain offers a lot of promise, it also presents a variety of risks.
A cautionary tale
Mt. Gox serves as just one example of how blockchain can go horribly wrong.
Users relied on the giant bitcoin exchange to manage their bitcoin transactions. Mt. Gox failed to properly secure its customers’ bitcoin, which led to a litany of concerns, including fraud, mismanagement and bitcoin theft.
Bad actors easily stole bitcoin by exploiting poor security practices, including leaked credentials and transaction malleability, which allowed attackers to hijack transactions for their own gain.
Mt. Gox lost a half-billion dollars’ worth of its customers’ virtual currency as a result. The company then filed for bankruptcy protection and suspended operations.
Bitcoin and blockchain represent a new paradigm. People thought they could implement these technologies without having to worry about security. Mt. Gox showed why that thinking is wrong.
A lack of accountability
Traditionally, liability has resided with banks, which are regulated businesses. That way, if something went wrong, you could point your finger at the financial institution. You could call out their weak authentication and demand that they cough up your money.
With blockchain, the model has changed. There is no central regulatory body. You have no recourse, no way to dispute things or get things corrected.
Users have to manage their encryption keys, shifting responsibility from entities like banks to individuals. If you lose your key, you have nowhere to go.
Who is accountable? No one.
That’s part of the challenge — because with blockchain we’ve turned the model upside down.
A brief word on smart contracts
Speaking of liability, the smart contract also warrants consideration.
Smart contracts are computer programs or protocols running on blockchain. The smart contract says that if A does something to B, then C must happen. You only get your reward if you do things in the correct manner.
But contracts are typically the domain of lawyers, who understand and deal with intent. Managing disputes is not something that we can easily encode into an algorithm. Yet, smart contracts encode that behaviour onto blockchain, and they are written by coders — not lawyers.
An inability to change
Another challenge with smart contracts and blockchain is that they are really hard to change.
You can’t verify what the contract is doing and that it’s executing as intended. And you can’t alter it if it’s incorrect.
Blockchain’s immutability also conflicts with privacy regulations, like the European Union’s General Data Protection Regulation (GDPR). GDPR and other rules provide individuals with “the right to be forgotten,” but blockchain never forgets.
The fact that blockchain is difficult to edit also makes it attractive to bad actors. Privacy poisoning can easily render an entire blockchain unusable. The attack involves using blockchain to store illegal data or defamatory records, putting the entire network in conflict with local laws.
A new kid on the block
Some of the risk attached to blockchain has to do with its maturity level. It’s important to remember that blockchain is a technology — it’s not a process or a framework.
Blockchain is simply a ledger that can’t be corrupted. The actual practices of how users do things with and around blockchain, however, are unclear.
Blockchain doesn’t have the security development life cycle of security technologies like encryption and key management systems. A security development life cycle includes everything involved in how a solution provider or an implementing organization produces something. That goes from design to implementation, testing and operational maintenance.
Know who holds the keys to the castle
The key life cycle is critical because the one holding the key controls everything.
So, you need to know who is holding and controlling the encryption key.
You need to have a plan for what happens if the key gets lost, too. Again, it’s not that simple on blockchain. It’s up to the blockchain designer to build a backup process for such situations.
Choose use cases with care
Developers and users may be able to avoid “the blockchain graveyard” by selecting use cases wisely. Blockchain works best in situations not bound to the constraints of data or subject to volatile markets. It’s also smart to choose use cases in which the data is not that important from a financial perspective.
One potentially appropriate blockchain use case is a supply chain. There, you can actually have peer review with other people. Blockchain could also be used for airline loyalty points.
These are good use cases because they don’t require tight time constraints. If you want something instantly, blockchain is not going to be your friend. But if my loyalty points don’t appear on my frequent flier account immediately, that doesn’t really bother me.
Be selective about what goes on the chain
Also, think about whether you really want to put certain data on the blockchain. And if you have personally identifiable information (PII), don’t put it on a blockchain.
Blockchain does not allow users to easily exercise their right to be forgotten or to correct their data. And PII creates legal risks for the organizations that implement blockchain.
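The sketch below is an added example, not part of the original article. It shows why erasing PII written into a hash-chained ledger invalidates the chain, and compares that with keeping the record off-chain and storing only a salted commitment. The ledger layout, function names and sample loyalty records are assumptions made for illustration, and the commitment pattern is one common approach, not something the article prescribes.

```python
import hashlib, hmac, json, os

GENESIS = "0" * 64

def block_hash(index, prev, data):
    body = json.dumps({"i": index, "prev": prev, "data": data}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(payloads):
    chain, prev = [], GENESIS
    for i, data in enumerate(payloads):
        digest = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": digest})
        prev = digest
    return chain

def first_invalid(chain):
    """Index of the first block that fails verification, or None if intact."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or block_hash(b["index"], b["prev"], b["data"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None

def commit(record, salt):
    """Salted commitment to a record that itself stays off-chain."""
    msg = json.dumps(record, sort_keys=True).encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()

# Constructed sample data: loyalty-point records containing a name (PII).
RECORDS = [{"name": "Alice Example", "points": 120}, {"name": "Bob Example", "points": 40},
           {"name": "Carol Example", "points": 75}]

def erase_on_chain():
    """PII stored in the block: erasing it invalidates the ledger."""
    chain = build_chain(RECORDS)
    chain[1]["data"] = {"name": "[erased]", "points": 40}
    broken_at = first_invalid(chain)            # block 1 no longer matches its hash
    chain[1]["hash"] = block_hash(1, chain[1]["prev"], chain[1]["data"])
    return broken_at, first_invalid(chain)      # re-hashing only moves the break to block 2

def erase_off_chain():
    """Only a commitment on-chain: the record and its salt can be deleted."""
    store = {i: (os.urandom(16), r) for i, r in enumerate(RECORDS)}
    chain = build_chain([{"commitment": commit(r, s)} for s, r in store.values()])
    salt, record = store[1]
    matched = hmac.compare_digest(commit(record, salt), chain[1]["data"]["commitment"])
    del store[1]                                # erasure happens off-chain
    return matched, first_invalid(chain), 1 in store
```

`erase_on_chain()` reports where verification breaks before and after re-hashing the edited block; `erase_off_chain()` reports that the record verified against its commitment, that the chain is still intact after deletion, and that the record is gone from the off-chain store.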
Build an escape hatch
There’s a growing appetite for automation. Against this backdrop, having no method of intervention or error correction is a big problem.
If there’s no escape valve for correcting errors, you’re in dangerous territory. So if you’re designing a system, make sure you build in error correction.
It’s not always possible to get ahead of the game with blockchain. But it is important for blockchain designers and users to appreciate these threats on the blockchain landscape.
This article first appeared on Forbes.
*** This is a Security Bloggers Network syndicated blog from Drupal blog posts authored by pali-surdhar. Read the original post at: https://www.ncipher.com/blog/how-avoid-blockchain-pitfalls