Before exploring ways to use blockchain in business, managers should know where its vulnerabilities lie.
Sometimes it seems as if everyone has bought into the hype: Industries as far-flung as real estate and diamond sales¹ have embraced blockchain without entirely knowing what it is or how its most vaunted features might fail or have unintended consequences. Blockchain assures users that once information has been stored, it can never be deleted or falsified. This means that when people in finance, say, pore over the history of a transaction, they feel content in the knowledge that illegalities have nowhere to hide. It means that people in the supply chain of a product trust that they can check its provenance without fear that misinformation has been slipped in along the way. In essence, blockchain promises not just complete data security but also something more intangible: that we will never be conned. Is it really so important that we understand what’s under the hood?
The truth is that blockchain is not as secure as it is believed to be, and its features can rebound in unfortunate ways. In research I conducted with Jae Lee, described in detail in his graduate thesis² and a forthcoming paper for the Cybersecurity at MIT Sloan (CAMS) initiative, we cataloged 72 breaches reported between 2011 and 2018. These breaches cost users a grand total of more than $2 billion. Many of these breaches were possible because blockchain is actually vulnerable in some of the same ways that conventional, centralized record-keeping systems are. The rest are even more troubling, because bad actors were able to exploit the very features that make blockchain revolutionary: transparency, distributed control, anonymity, and immutability. In this article, we will look closely at both categories of vulnerabilities so that organizations can weigh the risks and decide whether to make use of blockchain.
Old-Fashioned Chinks in Blockchain’s Armor
Blockchain is widely viewed as unbreakable because advanced cryptographic techniques are used to encode the data and ensure that it is not altered. But there are vulnerabilities to be exploited. Let’s focus first on the ones that have long been present in more conventional systems as well.
Private keys. Much like traditional passwords, private keys must be written down, whether on paper or in a digital wallet, because they are such large numbers. Once they’re written down, of course, they can be found.