Fraud and privacy problems on the blockchain

As potentially useful as blockchains can become, companies must recognize the potential for fraud and the threat to privacy posed by fraud countermeasures.

broken silver key
Credit: Thinkstock

The blockchain technology that drives the Bitcoin economy is essentially a decentralized, immutable database of transactions open for anyone to view and validated by a distributed collective of verifiers. The purpose of its design is to ensure that no one can alter any past transaction record.

From a purely technical perspective, blockchains accomplish this goal very effectively. This all sounds great so far but the technology has a severe weakness that, until comprehensively addressed, will make blockchain applications very costly in terms of fraud, theft, and legal jeopardy. There are ways to solve the fraud problem but some solutions will introduce another problem.

The fraud weakness lies at the transaction endpoints. By the term ‘endpoint’ I mean the boundary between physical space, where living, breathing human beings exist, and cyber-space, where the blockchain databases reside. The endpoint is where physical space users interact with the cyber-space blockchain.

Any legitimate, non-fraudulent blockchain transaction is dependent on trust between two or more counterparties. The foundation of trust is that counterparties are absolutely certain of the physical-space identities of all those involved in a transaction.

In the blockchain scheme, a human being occupying physical space is represented in cyber-space by a public identifier – which helps others find the person’s cyber-space representation – and a private key which is used to digitally sign blockchain transactions. In cyber-space, the private key is the digital identity standing in for a real human being in physical space.

[ ALSO ON CSO: How blockchain will disrupt your business ]

This is all good so far but how do physical space human beings interact with blockchain applications and use their private key? They log in to a website with a password or, in more secure applications, they use multi-factor authentication procedures. This mechanism is not sufficient for blockchain transactions because passwords and multi-factor authentication processes by themselves cannot identify a physical space human in cyber-space. A second person can steal passwords or second-factor tokens and then execute a blockchain transaction using the private key assigned to the first person. A first person could voluntarily give passwords and tokens to another person in the course of engaging in criminal activity.

Let’s illustrate the identity problem by considering two friends enjoying conversation and coffee in a café. They both exist in physical space and have no doubts about each other’s identity. Suppose one of them wants to sell a house to their friend using a new blockchain real estate product that eliminates middlemen from the process. Throughout, they each use passwords to apply their blockchain private keys. Here there is no problem. Their identities are never in doubt.

Now consider the situation where one of the friends wants to sell the house to a complete stranger in Eastern Europe. Both parties use the same blockchain real estate product. There is no trust since they do not have conventional human intermediaries to represent them (in keeping with the idea of blockchains eliminating middlemen). The identity of each person involved in the transaction is represented in physical space by flesh, blood, and bone. Their blockchain identities in cyber-space are represented by the private key. As long these respective identities remain disconnected, blockchain fraud will always be possible.

[ RELATED: Is the blockchain good for security? ]

While I used a real estate transaction involving individuals in this example, the same reasoning applies to corporations. At some point in a corporation-to-corporation blockchain transaction, the identities of human beings in physical space must align with cyber-space blockchain identities represented by private keys.

Solutions will answer this question:

How can each of the two parties in a complex, high dollar value transaction know with absolute certainty that the physical space and cyber-space identities of the other party are legally equivalent?

Any comprehensive solution must include a biometric measure that forms a bridge across the physical-cyber-space boundary. For complex, high value blockchain transactions, this legally reliable biometric connector will require a third party to confirm that the biometric measure is indeed the one belonging to the physical-space identity. Additionally, the blockchain application must incorporate a digital representation of a person’s fingerprint, iris or retina pattern, or a photograph into the blockchain transaction. This means that the person’s biometric information will not only exist permanently in cyber-space, it will be stored on hundreds or thousands of blockchain nodes, all beyond the control of the physical-space human being to which it belongs.

Clearly, this introduces a serious privacy problem. Many people resist biometric authentication because they fear their biometric reference data will be lost to identity thieves.

The hype surrounding proposed applications for blockchain technology must be tempered with the understanding that human biometric information will eventually find its way onto thousands of blockchain servers. As a consequence, before adopting any blockchain application involving complex transactions, companies should first consider how company employees will feel about placing their biometric data beyond their control – forever.


This article is published as part of the IDG Contributor Network. Want to Join?

Cybersecurity market research: Top 15 statistics for 2017