



Fraud and privacy problems on the blockchain

Nov 07, 2016 | 5 mins
Fraud, IT Skills, Security

As potentially useful as blockchains can become, companies must recognize the potential for fraud and the threat to privacy posed by fraud countermeasures.


The blockchain technology that drives the Bitcoin economy is essentially a decentralized, immutable database of transactions open for anyone to view and validated by a distributed collective of verifiers. The purpose of its design is to ensure that no one can alter any past transaction record.

From a purely technical perspective, blockchains accomplish this goal very effectively. This all sounds great so far, but the technology has a severe weakness that, until comprehensively addressed, will make blockchain applications very costly in terms of fraud, theft, and legal jeopardy. There are ways to solve the fraud problem, but some solutions will introduce another problem.

The fraud weakness lies at the transaction endpoints. By the term 'endpoint' I mean the boundary between physical space, where living, breathing human beings exist, and cyber-space, where the blockchain databases reside. The endpoint is where physical space users interact with the cyber-space blockchain.

Any legitimate, non-fraudulent blockchain transaction is dependent on trust between two or more counterparties. The foundation of trust is that counterparties are absolutely certain of the physical-space identities of all those involved in a transaction.

In the blockchain scheme, a human being occupying physical space is represented in cyber-space by a public identifier - which helps others find the person's cyber-space representation - and a private key which is used to digitally sign blockchain transactions. In cyber-space, the private key is the digital identity standing in for a real human being in physical space.


This is all good so far, but how do physical space human beings interact with blockchain applications and use their private key? They log in to a website with a password or, in more secure applications, they use multi-factor authentication procedures. This mechanism is not sufficient for blockchain transactions because passwords and multi-factor authentication processes by themselves cannot identify a physical space human in cyber-space. A second person can steal passwords or second-factor tokens and then execute a blockchain transaction using the private key assigned to the first person. A first person could voluntarily give passwords and tokens to another person in the course of engaging in criminal activity.
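The point above, as an added example that is not part of the original article: signature verification confirms possession of the private key and carries no information about who used it. Lamport hash-based signatures stand in for Bitcoin's ECDSA so the code needs only the Python standard library; the transaction text and all names are constructed.

```python
import hashlib
import secrets

# Lamport one-time signatures (hash-based) stand in here for the ECDSA
# signatures Bitcoin uses, so the example needs only the standard library.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def generate_keypair():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(zero), _h(one)) for zero, one in priv]
    return priv, pub

def sign(priv, message: bytes):
    """Reveal one secret per digest bit. A key must sign only one message."""
    return [priv[i][bit] for i, bit in enumerate(_bits(message))]

def verify(pub, message: bytes, signature) -> bool:
    """True if every revealed secret hashes to the matching public value."""
    bits = _bits(message)
    return len(signature) == 256 and all(
        _h(signature[i]) == pub[i][bits[i]] for i in range(256)
    )

def demo():
    owner_priv, owner_pub = generate_keypair()
    _, stranger_pub = generate_keypair()
    tx = b"CONSTRUCTED: transfer deed 001 to buyer address 0xEXAMPLE"
    signed_by_owner = sign(owner_priv, tx)
    # A second person holding a copy of the key (stolen or handed over)
    # runs exactly the same computation.
    signed_by_other = sign(list(owner_priv), tx)
    return {
        "owner_accepted": verify(owner_pub, tx, signed_by_owner),
        "other_accepted": verify(owner_pub, tx, signed_by_other),
        "same_bytes": signed_by_owner == signed_by_other,
        "altered_tx_accepted": verify(owner_pub, tx + b"!", signed_by_owner),
        "wrong_key_accepted": verify(stranger_pub, tx, signed_by_owner),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verifier rejects an altered transaction and a mismatched public key, yet accepts both signatures made with the owner's key: nothing in its inputs distinguishes the owner from anyone else holding that key.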

Let's illustrate the identity problem by considering two friends enjoying conversation and coffee in a cafe. They both exist in physical space and have no doubts about each other's identity. Suppose one of them wants to sell a house to their friend using a new blockchain real estate product that eliminates middlemen from the process. Throughout, they each use passwords to apply their blockchain private keys. Here there is no problem. Their identities are never in doubt.

Now consider the situation where one of the friends wants to sell the house to a complete stranger in Eastern Europe. Both parties use the same blockchain real estate product. There is no trust since they do not have conventional human intermediaries to represent them (in keeping with the idea of blockchains eliminating middlemen). The identity of each person involved in the transaction is represented in physical space by flesh, blood, and bone. Their blockchain identities in cyber-space are represented by the private key. As long as these respective identities remain disconnected, blockchain fraud will always be possible.


While I used a real estate transaction involving individuals in this example, the same reasoning applies to corporations. At some point in a corporation-to-corporation blockchain transaction, the identities of human beings in physical space must align with cyber-space blockchain identities represented by private keys.

Solutions will answer this question:

How can each of the two parties in a complex, high dollar value transaction know with absolute certainty that the physical space and cyber-space identities of the other party are legally equivalent?

Any comprehensive solution must include a biometric measure that forms a bridge across the physical-cyber-space boundary. For complex, high value blockchain transactions, this legally reliable biometric connector will require a third party to confirm that the biometric measure is indeed the one belonging to the physical-space identity. Additionally, the blockchain application must incorporate a digital representation of a person's fingerprint, iris or retina pattern, or a photograph into the blockchain transaction. This means that the person's biometric information will not only exist permanently in cyber-space, it will be stored on hundreds or thousands of blockchain nodes, all beyond the control of the physical-space human being to which it belongs.

Clearly, this introduces a serious privacy problem. Many people resist biometric authentication because they fear their biometric reference data will be lost to identity thieves.

The hype surrounding proposed applications for blockchain technology must be tempered with the understanding that human biometric information will eventually find its way onto thousands of blockchain servers. As a consequence, before adopting any blockchain application involving complex transactions, companies should first consider how company employees will feel about placing their biometric data beyond their control - forever.


Jim Thackston is a computer security and engineering consultant based in Tampa Bay, Florida with more than 25 years of experience in software architecture, software engineering, network security, and cybercrime detection and mitigation.

In 2005, Jim set out to understand one of the most difficult problems facing the internet economy: online identity verification. Over the past 11 years, he has studied the problem from every perspective, focusing initially on the problem of knowing who is really ‘sitting’ at an online poker table.

To prove the weaknesses in poker identity verification, he built a full-featured system demonstrating how internet poker could be used to launder money in a way that is virtually undetectable. A briefing to senior FBI officials in May 2013 led to a July 2013 US Senate hearing on the money laundering threat posed by internet gambling. In December 2013, Jim submitted testimony to the US House of Representatives Energy and Commerce Committee, Subcommittee on Commerce, Manufacturing, and Trade.

Jim took the insights gained from the intensive online gambling study and applied them to the much more expansive problem of online identity verification in all internet and intranet activity. He has studied the problem as it relates to corporate and government intranets, online banking, and cryptocurrencies and other blockchain applications.

Jim is the inventor of record for a number of patents important to cloud computing, manufacturing, renewable energy, and computer security. Most notable are 2 patents that anticipated aspects of cloud computing by 10 years.

His computer security expertise is reinforced by academic and career achievements.

In 1989, Jim graduated from the University of South Florida with a Bachelor of Science degree in mechanical engineering. After college, he served in the 101st Airborne Division and served in Saudi Arabia and Iraq during operations Desert Shield and Desert Storm.

After leaving active duty, Jim earned a Master of Science degree in aerospace engineering from the Georgia Institute of Technology. While attending Georgia Tech, Jim interned as a turbomachinery engineer in the Propulsion Laboratory at NASA’s Marshall Space Flight Center. He continued as a full-time engineer after his studies at Georgia Tech concluded in 1994. While at Marshall, he designed turbine components for both experimental and non-experimental liquid oxygen and kerosene fuel turbopumps.

It was during his NASA service that Jim became a skilled software engineer. He applied these skills at Eglin Air Force Base helping build a combat mission planning system used by the US Air Force and other US military services.

Jim has worked as a consultant ever since, designing and building software systems in the manufacturing, energy, telecommunications, financial, and government sectors.

The opinions expressed in this blog are those of Jim Thackston and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.