Visualize: Insights that power innovation

Blockchain security scrutinized

By Lucian McMahon June 19, 2018

Blockchain security scrutinizedBlockchain technology has been getting a lot of attention recently, beyond just its role as the technology underlying “virtual currencies” like Bitcoin. Some have enthusiastically claimed that blockchains have the potential to help streamline insurer operations and improve data security—but, as with many new technologies, it’s also being met with skepticism.

Distributed ledger technology

Blockchain is a distributed ledger technology. Like a traditional accounting ledger, blockchains are logs that record transactions. Each entry in the ledger—called a “block”—is connected to past blocks with a cryptographic signature, creating a transaction history for each piece of data. String these blocks together and you get the blockchain.

Two fundamental features of blockchains are consensus-based transaction validation and the immutability of the chain of historical data transactions. If a party wants to execute a data transaction—add a block to the chain—the distributed network will run algorithms to make sure the transaction is valid. If it is, the transaction is executed, thereby adding a new block to the chain, recording the transaction and linking it to previous transactions with a unique signature. The new block then becomes another entry in the distributed ledger, with a time stamp visible to all participants.

This time stamp is said to be “immutable” because no single participant can execute a change on the chain. Theoretically, no one entity can influence the validation of transactions along the blockchain, and the transactions cannot be altered once they’ve been validated. This has led some to argue that blockchains are exceedingly difficult—if not impossible—to hack.

However, real-world examples of major cybersecurity breaches, several reportedly involving virtual currencies and resulting in hundreds of millions of dollars in losses, have raised doubts about blockchain’s impregnability. Most recently, South Korean cryptocurrency exchange Coinrail reportedly was hit by a “cyber intrusion” that caused a loss of about 30 percent of the coins traded on the exchange.

When data is 'off the chain'

But is blockchain at fault?

As an MIT Technology Review article on the subject noted, many hacking events have occurred “where blockchain systems connect with the real world—for example, in software clients and third-party applications.” Since blockchains typically maintain records—but not the actual data the transactions may connect with—this “off chain” data could be compromised and the blockchain “fooled” into executing false transactions. In other words, the blockchain’s record of the transaction is tamper-proof, but the actual transaction may not be.

As the Financial Times Alphaville blog put it, “the integrity of data on a public blockchain can be trusted not to change, but that says nothing about whether the data is right in the first place.”

The MIT Technology Review article gave the example of virtual currency “wallets,” in which many owners of virtual currencies will store the private cryptographic keys needed to verify their ownership of a given amount of currency. According to the article, these wallets reside in online virtual currency exchanges to facilitate transactions. The wallets—especially if they’re connected to the Internet applications—are particularly vulnerable to cyberattacks, the Review says.

Recently, a virtual currency exchange reportedly was hacked and, according to Fortune, $500 million worth of cryptographic tokens were stolen from user wallets. The blockchain undergirding the virtual currency may not have been hacked—in fact, users reportedly could “see” where the stolen funds resided due to the public nature of transactions. But the touchpoint between the blockchain and the “real world” was.

Considerations for insurers

Blockchains have also garnered a lot of attention for their use with so-called “smart” contracts, in which contract provisions can be verified and executed automatically. For example, from an insurance perspective, smart contracts are reportedly being considered for use in automated claims processing.

Imagine a personal insurance policy that has been coded as a smart contract—that is, a contract that can automatically verify or trigger contract provisions based on various data input to a blockchain. The policy’s coded provisions would reside on a blockchain ledger (“on chain”). The ledger’s participants, in addition to the insured and insurer, are various third-party data sources (“off chain”) that can be used to verify actions by or related to the “smart” policy.

Depending on the policy, these sources might provide police reports, hospital admission records, and so on. If the policyholder were involved in a covered loss, the policy could verify the submission of a claim and initiate, without human interaction, the claims-resolution process based on validations from off-chain sources. If the claim were deemed valid, it could be settled expeditiously and transparently to all parties to the smart policy.

Many industries, including insurance, hope smart contracts and blockchains can reduce fraud. Often overlooked, however, is the potential for a malicious actor to compromise one or more of the off-chain data sources to trigger a claim and payment—absent an actual covered loss. The actor could thus hack the smart contract and engage in fraudulent activity. But the blockchain wouldn’t necessarily have been hacked. Rather, the data sources it relied on to verify and timestamp transactions were. The blockchain did exactly what it was designed to do: verify transactions based on input data and specific execution criteria.

Fraud considerations

Something like this has already happened. According to the MIT Technology Review article cited above, “in 2016, hackers exploited an unforeseen quirk in a smart contract written on Ethereum’s blockchain to steal 3.6 million ether [virtual currency], worth about $80 million at the time, from the Decentralized Autonomous Organization (DAO), a new kind of blockchain-based investment fund.”

As the article put it, “the security of even the best-designed blockchain systems can fail in places where the fancy math and software rules come into contact with humans who are skilled cheaters in the real world, where things can get messy.”

In this sense, it would seem the risks associated with blockchain technology when used to create smart contracts are not much different from those of any other automated administration system. Blockchain may help streamline policy and claims administration—but it may not deliver on the promise of security or removing human beings from the process. Wherever human involvement or external data sourcing is required, opportunities for errors and abuse exist.


Lucian McMahon, CPCU, ARM-E, AU-M, is a product development specialist with the ISO Emerging Issues team. You can contact Lucian at lucian.mcmahon@verisk.com.