FUTURE FRAUD REVIEW IN BLOCKCHAIN?

Just a note to the wise, be careful what you wish for you just may get it.

http://www.fraud-magazine.com/article.aspx?id=4295002445&Site=ACFEWEB

Future of fraud in a blockchain world
You can’t escape blockchain. The topic’s in the media daily. It’s at the forefront of digital disruption and innovation discussions among leading businesses. We’ve seen blockchain technology applications in banking, currencies, supply chain, contracts and dozens of other areas.

Maybe you totally comprehend blockchain. Or, possibly, you’re thoroughly confused.

Regardless, as anti-fraud, legal and compliance professionals, we must understand this technology and have a seat at the table when our organizations consider blockchain’s fraud risks. In fact, in EY’s recent Global Forensic Data Analytics Survey 2018, 32 percent of legal, compliance and anti-fraud professionals plan to adopt blockchain and distributed ledger technologies in 2018.

As this technology becomes more prevalent in business, anti-fraud professionals will need to ask: How can fraudsters exploit blockchain when we use it in business transactions, contracts, money exchanges or data interchanges?

In this column, I interview Paul Brody, a principal with EY and the global innovation leader of blockchain technology for the firm, to explore why and how this powerful encryption technology that brought us bitcoin and “smart contracts” could create new security risks and challenges, even as the technology closes off other avenues for theft and fraud.

Understanding blockchains: a quick primer
According to Gartner’s online IT Glossary, “A blockchain is a type of distributed ledger in which value exchange transactions (in bitcoin or other token) are sequentially grouped into blocks. Each block is chained to the previous block and immutably recorded across a peer-to-peer network, using cryptographic trust and assurance mechanisms. Depending on the implementation, transactions can include programmable behavior.”

Blockchain technologies allow for a large number of interactions to be codified and carried out in a way that greatly increases reliability, removes business and political risks associated when a central entity (such as a bank) manages the process, and shifts the focus of trust from individuals or institutions toward algorithms and software code.

They create a platform on which applications from different companies and even different technologies can run together. This allows efficient and seamless interaction and leaves an audit trail that an authorized user can check to make certain that transactions were processed correctly.

“To use conventional banking as an analogy, the blockchain is like a full history of banking transactions,” says Alex Perry, an executive director in Ernst & Young LLP’s Fraud Investigation and Dispute Services practice. “Transactions are entered sequentially in a blockchain just the way bank transactions are entered into a central bank. Meanwhile, blocks are like individual bank statements. The full copy of the blockchain has records of every transaction ever executed. In a public blockchain such as bitcoin or Ethereum, this transaction ledger can be quite extensive and require significant computing power.” (According to its website, Ethereum is “a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third-party interference.”)

Paul Brody lends his experience
I recently interviewed Paul Brody, principal and global innovation leader of blockchain technology at Ernst & Young LLP, about the finer points of blockchain and how fraudsters can illegally use it.

Brody has held several leadership positions in the internet of things (IoT), supply chain and operations, and business strategy.

Walden: What are some of the most practical uses of blockchain technologies?
Brody: We see blockchain technology as the best opportunity to enable execution of complex business-to-business transactions. Blockchains allow for collaboration among multiple parties, keep critical information in sync among the parties and use smart contracts so that many organizations can all work off the same process.

Combine the collaboration capabilities of a blockchain with its inherently robust security and tamper-proof transaction ledger and you have the foundation for a very secure, reliable method for cross-company collaboration that doesn’t depend on a single centralized entity seeing (and potentially capturing value from) all the transactional data.

Walden: In a blockchain world, how will fraudsters commit financial crimes?
Brody: Blockchains are, in many respects, exceptionally secure. Transaction records are effectively tamper-proof if a network is properly designed. It’s nearly impossible to counterfeit or duplicate the value tokens that move across the network in these transactions. Additionally, the consensus algorithm inherent in a blockchain makes it very difficult to attack the underlying decision-making process for transaction approval.

These blockchain security features close off a number of historical approaches to fraud and theft, such as tampering with records or colluding with someone to approve an improper transaction. Unfortunately, con artists and criminals are far too often creative and inventive. Since some elements of the network look extremely secure, attacks are moving to those areas that are still vulnerable, including the edges of the network (e.g., electronic wallets and network endpoints) and web interfaces from the “real world.”

For example, while you can’t easily counterfeit or duplicate blockchain tokens like bitcoin, you can still steal them from the authorized holder. And because there’s no centralized authority controlling the network, once a token is stolen, there’s no easy way to get it back. Just getting ahold of someone’s private account key (e.g., username and password) is all it takes, and both individuals and companies often fail to take proper care of those keys.

Another vector of attack is the real-world interfaces into the blockchain, including IoT devices that report information between the network and data sources, which can also confirm authenticity of products or digital tokens. If you depend on an IoT connection to, for example, report on the usage of an asset, hacking the IoT device might be easier than hacking the blockchain. The same is true for external reporting interfaces. If a contract says, “payable upon receipt,” and a criminal can spoof the proof of delivery from a transportation company, that person could get paid without delivery.

Bitcoin and blockchains have made fraud more difficult, but we still need to look out for new challenges.” — Valery Vavilov, CEO of Bitfury

While blockchain technology is relatively new, the most reliable mechanism for conducting financial fraud “on the blockchain” is entirely old-fashioned: social engineering. Many of the initial coin offerings (ICO) that go bad have used falsified documents, fake business plans and paid celebrity endorsements on unsophisticated buyers. The result is a business that looks legitimate and accepts investment money, but once the ICO is funded, the founders and the website disappear. [Read more about ICOs in Initial coin offerings: Fraudsters use new technology to perpetrate old schemes, by Jordan Underhill, J.D., CFE, in the March/April 2018 issue of Fraud Magazine. — ed.]

Walden: What does “anonymous by design” mean in a blockchain context, and will it help or hinder fraud examiners?
Brody: There are currently two types of blockchains: public and private. Public blockchains, such as bitcoin and Ethereum, are permissionless, which means that anyone can join the network and participate in the process of block verification, plus all the accompanying transactional data is accessible to the public. Conversely, private blockchains are permission-based, which means that only a restricted set of users have the rights to validate the block transactions (among other rights), and companies and governments run most of them.

Contrary to a lot of what is being said about both public and private blockchains, they are not, in fact, anonymous. All transactions are recorded, but under an address (i.e., a unique identifier) rather than a name. Similar to internet IP addresses, which many people thought were anonymous, it’s quite possible to attach names to addresses on public blockchains.

For those engaged in theft and fraud, this is a disaster. Combined with the non-erasable, tamper-proof nature of blockchain transactions, if a fraudster uses bitcoin or Ethereum to launder money and their name ever gets attached to their wallet address, they’re as good as convicted. Sooner or later, they’re likely to get caught.

When we audit blockchain transactions, we can look at the tamper-proof public records and match them to data coming from our clients. If you say you purchased 100 bitcoins for a hedge fund, we should be able to match that to a public blockchain transaction to validate.

However, this nice state of affairs as it relates to transparency isn’t going to last. “Zero-knowledge proofs” are a major mathematical innovation that will allow for secure, private blockchain transactions that are provably untraceable.

In the field of cryptography, a zero-knowledge proof (or protocol) is a method by which one party (the prover) can prove to another party (the verifier) that they know the value of a transaction, without actually conveying any information apart from the fact that the prover knows the value. In a zero-knowledge proof, for example, no passwords are exchanged, which means they can’t be stolen. This, in turn, makes communications more secure and protected since nobody else can find out what you’re communicating about or what files you’re sharing. This technology is still in the early stages of commercial deployment, but it will fundamentally alter how we can manage and secure blockchains.

On the plus side, zero-knowledge proofs will make it safe for companies to conduct private business transactions with each other. On the downside, it will be impossible to trace transactions on a public blockchain simply by examining the blockchain itself. Instead, investigators or auditors will need to link accounts directly to identities and apply controls at access points to the network similar to cryptocurrency exchanges.

I anticipate that it will be two or three years before this technology is widely deployed and, by then, it’s highly likely that other tools will be in place to prevent misuse of blockchains.

Walden: How do you see blockchains and IoT working together to improve security?
Brody: IoT devices are going to be a critical gateway for information into, and access control around, assets that are managed and owned on a blockchain. In Australia, for example, local groups of farmers have implemented a sharing program for expensive farm equipment linking assets that are shared with ownership and usage recorded on a blockchain. The smart contracts on the blockchain manage payments, repay the bank loan and grant (or refuse) access to the equipment to the part owners. Access and usage are all controlled by the connected smart devices built into the farm machinery.

From recording product locations to storage temperatures to access controls, IoT devices are going to be one of the major interfaces between the physical world and different blockchains. And unfortunately, IoT devices often have terrible security track records, so I expect this will be one of the biggest risks facing not just blockchains but all industrial infrastructure systems.

Walden: How can anti-fraud professionals help companies embrace blockchain technologies?
Brody: Anti-fraud professionals can help by understanding how this technology works and being able to anticipate the new vectors of attack while also responding to new information about how the network is behaving. While each component of a business network in a blockchain is well understood and not too complex, the aggregate is a true, complex and dynamic ecosystem. We often observe novel effects and high-risk patterns of behavior in this complex network ecosystem.

Anti-fraud and business professionals also need to be smart about how to regulate and manage these systems. Blockchains are an amazing tool for accountability and shared business processes. They also address a large number of security weaknesses in older architectures. They are indeed not perfect, and a knee-jerk reaction to one problem can lead to new and perhaps unforeseen bigger problems. For example, a decision to ban bitcoin in some countries might well be leading people to use newer systems that are much less traceable, such as Zcash, which is based on zero-knowledge proofs.

Handling the blockchain disrupter
“Bitcoin and blockchains have made fraud more difficult, but we still need to look out for new challenges,” says Valery Vavilov, CEO of Bitfury, a leading, full-service blockchain technology company. “The great strengths of blockchain security should not be reason for us to become complacent.”

No doubt, blockchain technology will be a disrupter across many industries. As fraud, legal and compliance professionals, we should be familiar with the technology and its great potential, but also consider the evolving fraud risk elements that might accompany it.

Vincent M. Walden, CFE, CPA, is a partner at Ernst & Young LLP. Contact him at [email protected]. Contact Paul Brody at [email protected].

*EY Executive Director Alex Perry ( [email protected]), Senior Manager Matt McCartney ( [email protected]) and Staff Associate Jon Campbell ( [email protected]) contributed to this article.