Blockchain Technology: Balancing Benefits & Evolving Risks

The “blockchain” has the potential to transform the way financial institutions process transactions and corporations conduct business. Although it was first introduced as the technology underlying cryptocurrencies such as bitcoin, financial institutions have partnered to apply the blockchain to streamline cross-border payment settlement and interbank settlement solutions. Implementing blockchain technology in pursuit of these types of efficiencies may fundamentally change how financial institutions conduct business and alter the risks banks face.

Fundamentally, the blockchain stores data about individual financial transactions in a decentralized way that should, in theory, provide greater security and limit the risk of fraud. It relies on cutting-edge cryptography to secure the authentication process. Before recording a block of transactions, “miners” authenticate them by applying a mathematical formula that results in a seemingly random sequence of letters and numbers known as a hash. The hash is produced using the hash of the preceding block as an input to a math problem. Although the problem is difficult to solve, the solution is easy to verify.

The hash becomes the digital version of a wax seal. After using this process to authenticate a transaction, miners store the “block,” along with its hash, in a unique “chain.” If you change just one character in a block, its hash will change completely. The ramification for security is that if someone tampers with the block, the change becomes public.
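The hash chaining described in the two paragraphs above, as an added example that is not part of the original article: a toy chain in Python where the "math problem" is assumed to be finding a nonce that makes a SHA-256 hash start with three zero hex digits. The function names, the record strings and the difficulty are illustrative assumptions, not any real platform's format.

```python
import hashlib

DIFFICULTY = 3  # assumed toy target: hash must start with this many hex zeros
GENESIS = "0" * 64  # all-zero value stands in for "no preceding block"


def block_hash(prev_hash: str, data: str, nonce: int) -> str:
    """Hash a block's contents together with the preceding block's hash."""
    return hashlib.sha256(f"{prev_hash}|{data}|{nonce}".encode()).hexdigest()


def mine(prev_hash: str, data: str) -> dict:
    """The hard part: search for a nonce whose hash meets the target."""
    nonce = 0
    while not block_hash(prev_hash, data, nonce).startswith("0" * DIFFICULTY):
        nonce += 1
    return {"prev": prev_hash, "data": data, "nonce": nonce,
            "hash": block_hash(prev_hash, data, nonce)}


def build_chain(records):
    """Mine one block per record, each sealed with its predecessor's hash."""
    chain, prev = [], GENESIS
    for data in records:
        block = mine(prev, data)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain):
    """The easy part: one hash per block. Returns the first bad index or None."""
    prev = GENESIS
    for i, b in enumerate(chain):
        recomputed = block_hash(b["prev"], b["data"], b["nonce"])
        if (b["prev"] != prev or recomputed != b["hash"]
                or not recomputed.startswith("0" * DIFFICULTY)):
            return i
        prev = b["hash"]
    return None


# Constructed sample records, not real transactions.
RECORDS = ["alice->bob:100", "bob->carol:40", "carol->dave:15"]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print("intact chain:", first_invalid_block(chain))
    chain[1]["data"] = "bob->carol:90"  # change a single character
    print("after edit, first invalid block:", first_invalid_block(chain))
```

Re-mining the edited block so that its own hash is valid again only moves the failure to the next block, whose stored predecessor hash no longer matches.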

A blockchain documents each transaction’s details, identifying the sender, recipient, input amount, and output amount. Only the parties to a transaction can unlock the contents of the block because only they hold the private key necessary to open the data. But since each entry bears a hash, anyone can verify the existence of a transaction within the block.

The application of blockchain technology could potentially increase the risk of fraud. That’s because a comprehensive review of fraud, alteration, and forgery may not occur in a blockchain transaction. The participating financial institutions may not receive the original documents on which the transaction is based, and thus may not have an opportunity to analyze those documents for fraud. Since parties using blockchain for transactions appear to be moving towards competing blockchain-based platforms, there is a potential for assets to be double-pledged or for conflicting financial transactions to be entered into on different platforms.

As financial institutions and their corporate clients move forward into the brave new world of blockchain technology, they must remain mindful of the fact that this is just another means of conducting business transactions, and the time-honored principle of caveat emptor still applies. Parties entering into blockchain transactions should ensure that they are doing their due diligence on the representations underlying those transactions. This includes, when applicable, examining original documents on which transactions are based. Also, participants should be mindful that there may be multiple blockchain-based platforms on which business is conducted, meaning that the lack of a conflict on the platform on which the transaction is entered into does not mean that a competing or conflicting transaction will not be entered into on another platform.

The Use of Human Emotions

Organizations of all sizes, across all regions, and all sectors face an evolving risk from cyber criminals. Because businesses have become increasingly dependent upon technology, cyber criminals have shifted from theft of physical assets to the theft of electronic information. The growing use of technology-enabled processes exposes businesses to cybercrime – from direct theft of data (leading to financial assets) to the theft of personal data (that can be used to assemble an attack on financial assets). Cybercrime can threaten processes from point of sale purchases by debit/credit cards in the retail environment, to ATM transactions in the banking environment, to e-commerce or on-line sales, and to electronic business communications.

Cyber criminals have shifted their focus away from pure technological attacks and have increasingly attacked employees through techniques used to manipulate people into performing actions or divulging confidential information. Security is all about knowing who and what to trust. It does not matter how many locks you install if the person you trust at the gate lets in criminals. In the cyber world, the weakest link in the security chain is the human operator who accepts a person or scenario at face value. Thieves target this vulnerability. Securing hardware and software is relatively easy; it is the employees within an organization that sometimes fall prey to cyber attacks.

Criminals exploit human emotions (such as fear, curiosity, the natural desire to help, the tendency to trust, and laziness) to bypass the most iron-clad security measures and gain access to systems. The success of such schemes does not rely upon sophisticated technology. The success of these schemes depends upon human error. These schemes are among the most difficult crimes to prevent, as they cannot be defended against through hardware or software.

Because there is no technology to protect against social engineering attacks, organizations should implement good security protocols. In order to build defenses against social engineering attacks, organizations need to design and implement comprehensive security practices:

  • Training Programs: Companies should invest in security training programs and update their employees on security threats.
  • Policies and Procedures: Well-defined policies and procedures provide guidelines for employees on how to go about protecting company resources from a potential cyber attack. Strong policies should include proper password management, access control, and handling of sensitive user information.
  • Risk Assessment: A risk assessment helps management understand risk factors that may adversely affect the company and track existing and upcoming threats. Determining security risks helps enterprises to build defenses against them.
  • Security Incident Management: To manage the incident, the help desk must be trained to track (among other things) the target, their department, and the nature of the scheme. Such protocols will enable a company to actively manage the risk of the breach to mitigate potential losses.