This article is the third in a four-part series exploring the differences between traditional IT security and blockchain security. Check out the first two articles in the series exploring the differences for node operators and application developers.
This article explores how user security differs between traditional IT and blockchain environments. While identical products and services may be hosted in traditional IT and blockchain environments, the differences between these ecosystems can have significant security implications for their users.
IT vs. Blockchain Security for Users
Traditional IT and the blockchain operate under very different philosophies. Many traditional IT systems are centralized and try to control every aspect of the user experience. In contrast, the ethos of blockchain technology focuses on decentralization and self-custody.
These different philosophies have resulted in very different infrastructures and ways of doing things. These differences have significant impacts on the user experience and user security. Some of the biggest differences between IT and blockchain security for users include the following.
Traditionally, access to user accounts has been managed based on passwords. Ideally, a user will have a unique, strong, and random password for each account, but this is not always true. As a result, biometrics, multi-factor authentication (MFA), and other techniques have emerged to improve account security.
On the blockchain, control over an account is managed via private keys. Creating an account requires generating a private key from which a public key and account address can be derived. Every blockchain transaction made using that account must be digitally signed with the appropriate private key.
While a private key is more secure than a password, it is also more difficult for users to remember and manage. A lost private key is a significant threat for users. If a key is lost, access to the account is lost forever; unlike a password, a private key cannot be reset.
As with passwords, private key compromise is also a significant risk on the blockchain. Attackers have developed numerous means of stealing keys, including phishing, malware, and other threats. Also, the structure of private keys and mnemonic phrases makes it easier for an attacker to search for them in a computer’s memory.
In traditional IT systems, users have two main options for credential management. One is to use weak credentials that they can easily remember and input into their accounts. The other is to rely upon password managers, single sign-on, and similar tools that make the use of strong credentials possible and scalable. In general, many of the leading solutions are well-established and have undergone thorough security audits.
One of the main selling points of blockchain technology is self-custody: a user has full control over their account and the value that it contains. However, private keys are random, which makes them difficult to recall. As a result, many blockchain users rely on various tools (software wallets, hardware wallets, third-party key management services, etc.) to store and manage their private keys.
These key management solutions introduce new risks for blockchain users. If the solution is compromised, malicious, or goes out of business, then an attacker may perform transactions on the user’s behalf, or access to the user’s account may be lost forever. Also, the security of these various platforms and tools can vary greatly, and users may struggle to determine which ones are legitimate and secure.
Security incidents can happen to any organization, and after a breach happens companies take action to remediate the incident. In traditional IT environments, organizations can often restore systems from backups, apply updates, reset passwords, and take other actions to reverse the effects of a security incident.
On the blockchain, the immutability of the blockchain’s digital ledger makes this more difficult. Once a security incident occurs, no means exists for reversing it. Additionally, fully decentralized blockchain platforms lack the ability to freeze transactions to block further exploitation of identified vulnerabilities.
As a result, a hack against a blockchain-based project can have a much larger impact on users than a similar incident for a traditional organization. Any funds stolen by the attacker are lost forever, and the project may lack the resources necessary to compensate users. Additionally, the design of the blockchain makes recovery actions such as password resets infeasible as private keys are irrevocably tied to a particular blockchain account.
User privacy and data security have become a growing concern for organizations in recent years. Data protection laws such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have placed strict limits on how companies can collect and use data and laid out requirements on how that data must be protected.
On the blockchain, all actions taken by a user are recorded on a public, immutable digital ledger. While blockchain accounts are pseudonymous, it is possible to determine the identity of the person behind an account via analysis of blockchain transactions.
As a result, users of blockchain-based platforms have limited privacy unless they take active steps to protect it, such as the use of single-use accounts and addresses. On a public blockchain, anyone can determine the balance in a particular account and every action taken by that account to date.
Additionally, blockchain immutability and decentralization mean that this data can never be deleted. This contributes to the risk that an attacker could collect and correlate multiple pieces of non-sensitive data to derive more sensitive information. For example, the combination of age, birthday, and zip code is enough to uniquely identify 87.1% of US citizens. Preserving privacy requires being very careful about what information is posted to public blockchains.
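An added example (not from the original article) of the correlation risk described above: a pre-publication audit that measures how many records each combination of attributes singles out, so the check can run before anything is written to an immutable ledger. The records are constructed sample data, and the field and function names are this example's own.

```python
from collections import Counter
from itertools import combinations

# Constructed records: attributes that might be attached to accounts across
# separate on-chain actions. No single field identifies anyone on its own.
RECORDS = [
    {"account": "acct-1", "age": 34, "birthday": "03-14", "zip": "94107"},
    {"account": "acct-2", "age": 34, "birthday": "03-14", "zip": "10001"},
    {"account": "acct-3", "age": 34, "birthday": "11-02", "zip": "94107"},
    {"account": "acct-4", "age": 34, "birthday": "11-02", "zip": "10001"},
    {"account": "acct-5", "age": 41, "birthday": "03-14", "zip": "94107"},
    {"account": "acct-6", "age": 41, "birthday": "03-14", "zip": "10001"},
    {"account": "acct-7", "age": 41, "birthday": "11-02", "zip": "94107"},
    {"account": "acct-8", "age": 41, "birthday": "11-02", "zip": "10001"},
]

def groups(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def k_anonymity(records, fields):
    """Smallest group size; k == 1 means at least one record is singled out."""
    return min(groups(records, fields).values())

def unique_fraction(records, fields):
    """Fraction of records whose values for `fields` occur exactly once."""
    counts = groups(records, fields)
    singled_out = sum(1 for size in counts.values() if size == 1)
    return singled_out / len(records)

def audit(records, quasi_ids):
    """Map every combination of quasi-identifiers to (k, unique fraction)."""
    report = {}
    for n in range(1, len(quasi_ids) + 1):
        for combo in combinations(quasi_ids, n):
            report[combo] = (k_anonymity(records, combo),
                             unique_fraction(records, combo))
    return report

if __name__ == "__main__":
    for combo, (k, frac) in audit(RECORDS, ["age", "birthday", "zip"]).items():
        print(f"{'+'.join(combo):20s} k={k}  unique={frac:.0%}")
```

In this constructed data every single field and every pair leaves each record hidden in a group, while all three fields together single out every account.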
Encryption and Data Privacy
Encryption is one of the most effective means of ensuring data privacy and security. Modern encryption algorithms are designed to be secure against known attacks and can’t be broken with currently available technology.
However, this will not always be true. Encryption algorithms commonly used in the past have been broken, and modern algorithms will be breakable in the future. For example, common public key encryption algorithms such as RSA will be broken as soon as a sufficiently large quantum computer is created. Even without quantum computers, the length of RSA keys needed for security continues to grow as computers become faster.
Data stored by traditional IT systems can be updated as needed if an encryption algorithm is broken. However, the same is not true of data stored on the blockchain’s digital ledger. Blockchain ledgers are immutable and distributed, meaning that data can’t be deleted from them. As a result, any data stored encrypted on the ledger will most likely become public at some point. If this includes a user’s personal data, their privacy may be at risk depending on how soon the encryption algorithm is broken.
Corporate Anonymity and Authenticity
In traditional IT environments, the people behind a product or service are publicly known. For example, the leadership teams of Microsoft, Google, Meta, and other companies are well known. While companies may use shell corporations and similar tools to obfuscate their paper trails, these may not hold up to in-depth investigation.
The design of blockchain environments makes it possible and not uncommon for the team behind a project to be anonymous. A project team can write and launch code and public marketing materials with most or all of the team anonymous or operating under a pseudonym.
This anonymity makes it much more difficult for a user to determine if a particular project is authentic or a fraud. While scams are common in traditional IT as well, large rug pulls have become a common occurrence in the crypto space.
Using Blockchain Solutions Securely
Blockchain technology offers users unique solutions and the opportunity for greater ownership and control over their accounts and data. However, this ownership and the design of the blockchain also create new security challenges. Blockchain users must also take ownership of their security and intentionally take steps to protect it, such as using hardware wallets to protect high-value blockchain accounts and performing their own research before investing in a DeFi project.
This article is the third in a four-part series discussing the differences in security between IT and blockchain environments. If you haven’t already, check out the first two instalments in the series discussing the differences in security for node operators and application developers. Also, watch for an upcoming article discussing how blockchain security and IT security differ for Security Operations Centers (SOCs).
For over 30 years, Marin Ivezic has been protecting financial services and critical infrastructure against financial crime, cyber, and regulatory risks. He previously held multiple interim CRO, CISO and technology leadership roles in Global 2000 companies. Since 2013 he has been advising institutions and regulators around the world on safe, secure and compliant adoption of crypto assets and other decentralized technologies.