For all the press it has garnered over the last decade, blockchain technology is surprisingly simple – it is ultimately a means of storing data, much like an Excel spreadsheet or SQL database.
Its history does not begin with the publication of the original Bitcoin Whitepaper in 2008, but stretches back to 1982 and was iterated on by computer scientists over the decades until ‘Satoshi Nakamoto’ improved the design by timestamping blocks without them being required to be signed by a trusted party.
The core concept is quite simple but the details are subtle and change from blockchain to blockchain. The blocks in blockchain are batches of data (‘Bitcoin wallet X sent 1 Bitcoin to wallet Y’ etc.) and they are chained together cryptographically. Each block contains information about the block before it, forming a chain, and the data in these blocks cannot be retroactively altered (for example, editing a transaction to change one bitcoin to a hundred). Other forms of data storage are essentially walled gardens – a bank’s ledger of transactions is protected by nigh-impenetrable security but, if you could somehow bypass it, you could, theoretically, alter the balance of accounts or delete transactions.
With blockchain technology security is ‘baked in’ since the very structure of the blockchain itself and the ‘consensus’ system that underpins it are by their nature secure. If, for example, you wanted to edit a previous block to spend the same bitcoin twice (a ‘double spend’ attack) then that would create a new hash for that block, breaking the chain and causing the rest of the distributed network to reject this change. It is possible for ‘51% attacks’ to occur in which a single entity controls more than half of the computing power on a blockchain, giving it the ability to decide what is ‘true’ and perform double-spend attacks – this has happened to Bitcoin Gold three times.
There have been other instances where blockchains, particularly those used in cryptocurrency, have been breached. Mt. Gox, which at one time handled 70% of all bitcoin transactions, is an early example of a catastrophic security failure, with creditors alleging that they had lost £2 trillion in the bankruptcy that followed the exchange losing the majority of coins it held. Its replacement, Bitfinex, has also lost staggeringly large sums to hackers. Recently the Poly Network, a major player in decentralised finance, or DeFi, was hacked and although the money was returned the hacker achieved what they had set out to – this proves that blockchain technology is by no means safe (the hacker was asked to become the network’s chief security advisor).
Despite the promises of bulletproof security being questionable on closer inspection, financial companies, particularly those who would be classed as ‘financial technology’ or ‘FinTech’ companies seem to be bullish on the possibilities that blockchain technology represents and are confident about its security.
To clarify, cryptocurrency is by definition a financial technology and companies like Bitfinex, Poly Network and others in the space are by definition FinTech companies, but for the purposes of this article we will be talking about companies using blockchain technology for purposes other than cryptocurrency. Citi Bank and JP Morgan, for example, are trialling an application of blockchain technology to significantly speed up cross-border transactions. While previously sending money to another country could take days, JP Morgan’s ‘Confirm’ system allows for it to be sent nearly instantaneously, with greater transparency over the whole process. It also uses traditional fiat currency instead of less stable cryptocurrencies.
Despite the slick veneer of the financial services industry many processes are based on literal paperwork and some even involve contracts being sent by bike courier. Trading, for example, shuts down on weekends and if you are in London and want to buy a stock listed on the New York Stock Exchange then you will have to wait until the exchange opens at 9am EST. Blockchains can be adapted to systems where all participants can easily check and verify trades and execute them in real time, 24 hours a day, seven days a week.
Companies like Figure are using blockchain to provide personal loans and mortgages, again with much faster reported turnaround times than have been standard in the industry for decades. They can do this because verifying identity and other information is far easier in blockchains – because blockchains are immutable and accurate there is no need for administers, trustees and others to verify paperwork, significantly cutting down on the time it takes to approve loans.
Smart contracts are another possible application. These are essentially small pieces of code running on blockchains that execute when certain conditions are met, for example – ‘If X and Y both sign this contract then 1 ETH from X’s wallet will be sent to Y’. Because the contract is self-enforcing, smart contracts will significantly cut down on the ‘paperwork’ required for, for example, ensuring that loans are paid on time. This would also be particularly useful in auditing transactions and resolving disputes as it creates a ‘single source of truth’, the contract itself, that can be referred to whenever disagreements arise.
Although double-spend attacks have happened they are rare. Much more common are the same kind of account breaches that can affect any other type of online service: blockchains are linked to individuals through ‘wallets’ that are accessed through similar means to eCommerce and banking accounts, usually only with a username and password.
Poor password management, easily guessed security questions and a lack of two factor identification could all mean that you could lose the contents of your wallet. In addition, if a person has a blockchain wallet linked to a loan provider then a fraudster could take out loans in their name. Compromising usernames and passwords would also be the easiest way to compromise larger entities like financial service companies and this has been the way that the majority of blockchain-related hacks have been carried out.
This means that companies need to concentrate on traditional forms of security in addition to the natural security provided by moving data to blockchains.
Ultimately, the strong cryptography provided by hardware security modules is going to be key for blockchain-based FinTechs. HSMs generate, store and protect the private and public keys that form the ‘root of trust’ in any application – the guarantee that both parties in a transaction are who they say they are. Because blockchains are by their very nature distributed – with each node having access to part of the chain – there is no central location where data can be protected behind firewalls. With HSMs however, companies handling sensitive financial data can be assured as it is possible that their blockchain is secure.
With regulations around blockchain technology still evolving, it is difficult to tell what will and won’t be compliant a few years down the line. In spite of this, HSMs have provided the backbone of security in so many industries and applications that there is no doubt that they will continue being a vital part of securing blockchains in FinTech.
By Mario Galatovic, Vice President Products and Alliances at Utimaco
To learn more, visit: www.utimaco.com