DeFi defense and better blockchain security

Vadim Kulik, CTO of VTB Bank, Russia’s second-largest retail bank, talks blockchain security and the latest secure technology

Feedzai, the world’s leading cloud-based financial crime management platform, has released its most recent Quarterly Financial Crime Report. The report analyses financial crime and consumer spending trends from more than 1.5 billion global transactions from April to July this year.

According to the data, eighteen months after the pandemic first hit, there has been a 146% increase in P2P payments, a 44% decrease in cash transactions, and a 109% increase in online transactions, to nearly double the number of card-present or in-person transactions. As a result, financial criminals have also shifted their targets online. The number of online card fraud attempts increased by 23% in this time period.

It's more imperative than ever that secure solutions can be found. Blockchain technology seems to offer the much-lauded light at the end of the tunnel. But even so, it's not unbreakable. We spoke to Vadim Kulik, CTO of VTB Bank, Russia’s second-largest retail bank, to find out more.

Blockchain is becoming the go-to solution for digital payments. How will this affect centralised, mainstream providers?

Blockchain has several undeniable advantages. Tokens on the distributed platform, for example, are an excellent technology for storing and instantly transferring digital value. Without exception, all centralised, mainstream providers are studying or already using blockchain platforms in their innovative solutions. On the other hand, the distributed registries technology allows you to take a close look at current business processes, increasing their efficiency, speed, and the security of transactions. We cannot ignore the opportunities that this modern technology opens up; if we do, we’ll simply be left behind by emerging players.

How safe is blockchain, and what are its vulnerabilities? 

Here, it’s better to compare classical information systems and decentralised systems based on a distributed registry platform. The security of blockchain solutions is embedded in its architecture. For example, to hack the classic centralised information system of an organisation, it’s enough to gain access to the server. For a decentralised system, access must be obtained across 30% - 50% of the nodes of the system, at least, depending on which consensus the blockchain uses.

An attacker who has gained access to the node, or the owner of the node themselves, can adjust the information in their favour – for example, canceling the transaction, but thanks to the consensus mechanism, these changes will be ignored and will not get into the blockchain. The more decentralised the system, the safer it is. 

The second factor of blockchain security is that all transactions are only made using the digital signature of an account holder. In this case, the owner’s signature is verified directly within the blockchain. On the other hand, insecure storage or use of a private key may be a vulnerability, not for the entire system, but for the individual. If your private key is compromised, the account owner may lose their digital assets. In most known cases, the vulnerability and the cause of asset losses is the smart contract code. One of the most famous attacks in Ethereum in 2016 used a vulnerability in the DAO smart contract; several million dollars were withdrawn from the smart contract that managed the assets.

What guarantees are there right now that customer assets can be protected when they use blockchain?

The client may lose their assets if they lose access to their private account key, or their key is compromised, and the assets are withdrawn. In the case of cryptocurrencies, this loss will usually be irreplaceable if the blockchain community does not agree to cancel withdrawal transactions, as was the case with the DAO project in Ethereum, but this was an exceptional case. 

Most banks are interested in a specialist type of digital assets; regulated assets that meet the regulatory requirements and are stored on the bank’s balance sheet. In this case, the bank will be able to return assets to their owner while blocking the account to which the owner lost access or following the chain of funds withdrawal to block the attacker’s account. This is the approach that our bank uses in its solutions on the distributed ledger platform. The bank's client will not lose his digital assets that he has entrusted to the digital platform of the bank and its partners.

How can blockchain provide better security?

Security in blockchain technology does not differ from approaches to ensuring the security of information systems, and they always require an integrated approach, starting with the network architecture. Unlike public blockchains, enterprise-level platforms use an approach with access restricted to trusted nodes, and these trusted parties will be responsible for transmitting new verified transactions to the rest of the network. The responsibility for providing access to these nodes through secure channels, as well as for determining when and for whom to expand the set of trusted persons, lies with the operator of the blockchain system.

An important security issue is secure storage and the use of private keys. The best and time-tested solution is to use an HSM, the gold standard for the payments industry.

An audit of smart contracts’ source codes should play a special role in security measures. To increase security, it’s possible to store cryptographic proof of ownership, rather than information about the assets themselves in the blockchain, so one does not disclose the essence of the asset. 

Are there better, decentralised alternatives to blockchain?

Thanks to its various useful properties, including immutability, reliability, programmability, and instant P2P transfer of value, blockchain allows you to create a new trusted environment for storing, transferring, and exchanging assets. Transaction records can be stored in one system, rather than in each of the organisation’s individual systems, and all participants can trust this information. New protocols are emerging, for example, Avalanche, which promises to achieve the performance of the classical systems, and interoperable protocols, which combine individual blockchains with their value into a single global network. There is no decentralised alternative to DLT technology.

What trends will we see emerging in this area in 2022?

Dozens of central banks are currently studying CBDCs, and the Central Bank of Russia plans to launch a pilot project ‘Digital Rouble’ in 2021-22. VTB Bank is among the banks that will begin testing the digital rouble platform. We expect that the digital rouble will help businesses to introduce innovations and reduce the costs of making payments, and citizens will have easier access to financial services. In 2022, we expect the launch of digital asset platforms into industrial mode.

About Vadim Kulik: As CTO and deputy president and chairman of the Management Board (approved by the Central Bank of the Russian Federation on 29 October 2019), JSC VTB Bank, Kulik's responsibilities include management of the Bank's current operations and structural subdivisions within the limits of his authority.
