A client asked me recently what happens to attempted transactions that are unsuccessful and do not go through. Does a blockchain implementation capture that data anywhere? The answer, barring the potential of some apps I’m not aware of, is no. Blockchains record completed transactions but attempted transactions that get rejected just go back out into the ether.
From a technology and business operations perspective, this isn’t a big deal. The system works just like it’s supposed to work. But if you’re interested in capturing data on failed transactions so you can monitor for fraud threats or do a forensic investigation if someone manages to execute a fraudulent transaction, then you’ll need a way to capture, store, and analyze the failed attempts.
Also, we need to distinguish a couple of points about blockchain security: 1) In this blog we’re writing about failed transaction attempts, not hacking attempts. Managed security services provider SecureWorks told me, “Hacking attempts are not the same as failed transaction attempts. Security systems don’t often monitor failed transactions in blockchain just as they don’t track failed attempts to use credit cards. The credit card systems capture that data about failed attempts.” 2) We’re writing about individual failed transactions that one particular company would care about. For example, Ethereum has penalties for trying to load bad blocks onto the network that dissuade bad behavior by participants. Also, at the network level, there isn’t a need for a system to capture failed attempts across all the participants, only the ones that pertain to one participant, because a company wants to track how many times another party has attempted a fraudulent transaction specifically with it, not with all participants.
In essence, a failed transaction in this context is when someone uses stolen or fake credentials to try to create a transaction. This is the same as, for example, someone who uses stolen credit cards – sometimes successfully and sometimes unsuccessfully. It’s not a hacking attempt in the way security professionals think of one. But for those transactions that fail, companies might want to keep track and determine if any further action is needed, depending on the nature and criticality of the process. Actions could include suing the person or company attempting the fraudulent transaction(s) or changing some of the smart contract business logic to prevent such attempts in the future.
This leads us to the crux of the matter: you can’t expect your security team to protect you from threats they’re not able to detect. Instead, detection and monitoring of failed attempts need to be built into the application or integrated at the application level. Your response plan can then mirror the plans you already follow for attempted transactions in your other applications.
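The application-level capture described above, as an added example that is not code from the original post: a hypothetical submission gateway that validates each attempt (an assumed HMAC-based signing scheme and a per-counterparty nonce stand in for the chain's real signature and replay checks) before it reaches the ledger, writes every rejection with its reason and source address to an audit trail the chain itself never keeps, and counts repeat offenders per counterparty, which is the single-company view the post is after.

```python
import hashlib, hmac
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical application-level submission gateway: every rejected attempt goes
# into an audit trail the ledger itself does not keep. Counterparty names,
# secrets and addresses are constructed sample data, not any real chain's API.

def mac_for(cp, amount, nonce, key):
    return hmac.new(key, f"{cp}|{amount}|{nonce}".encode(), hashlib.sha256).hexdigest()

def attempt(cp, amount, nonce, key, source_ip):
    """Build a signed attempt; `key` is the real shared secret or a wrong guess."""
    return {"cp": cp, "amount": amount, "nonce": nonce,
            "mac": mac_for(cp, amount, nonce, key), "ip": source_ip}

@dataclass
class Gateway:
    keys: dict                                    # counterparty -> shared secret
    seen_nonces: set = field(default_factory=set)
    failures: list = field(default_factory=list)  # the record the chain lacks

    def submit(self, a):
        """Validate before forwarding to the ledger; record every rejection."""
        key = self.keys.get(a["cp"])
        if key is None:
            reason = "unknown_signer"
        elif not hmac.compare_digest(a["mac"], mac_for(a["cp"], a["amount"], a["nonce"], key)):
            reason = "bad_signature"
        elif (a["cp"], a["nonce"]) in self.seen_nonces:
            reason = "replayed_nonce"
        else:
            self.seen_nonces.add((a["cp"], a["nonce"]))
            return True          # forward to the ledger here
        self.failures.append({"cp": a["cp"], "ip": a["ip"], "reason": reason, "amount": a["amount"]})
        return False

    def repeat_offenders(self, threshold=2):
        """Counterparties whose rejected attempts against us reach the threshold."""
        counts = Counter(f["cp"] for f in self.failures)
        return {cp: n for cp, n in counts.items() if n >= threshold}

def demo():
    gw = Gateway(keys={"acme": b"acme-secret"})
    gw.submit(attempt("acme", 40, 1, b"acme-secret", "10.0.0.5"))      # accepted
    gw.submit(attempt("acme", 40, 1, b"acme-secret", "10.0.0.5"))      # replayed nonce
    gw.submit(attempt("acme", 40, 2, b"guessed-key", "198.51.100.7"))  # forged MAC
    gw.submit(attempt("ghost", 5, 1, b"guessed-key", "198.51.100.7"))  # unknown signer
    return gw
```

The `failures` list is the data a forensic investigation would start from; `repeat_offenders` is the simplest monitoring rule built on it.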
Bottom Line: As you experiment with blockchain and do some proofs of concept, make sure to ask your application vendor AND your blockchain services provider about blockchain security around failed attempts.
Here are some questions you can ask:
- What’s your perspective on security considerations regarding failed transaction attempts?
- Do you have any capability to detect and analyze failed transaction attempts? If not, why not?
- What recommendations do you have to reduce fraud in your blockchain-based implementations and how are they different from recommendations for other kinds of applications?