Publication | Open Access
When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies
27
Citations
36
References
2018
Year
EngineeringInformation SecurityDistributed LedgerCryptocurrencyFintechUser PurchasesNetwork PrivacyThird-party Web TrackersBlockchain Anonymity TechniquesPrivacy ComplianceBlockchain SecurityData PrivacyFinanceData SecurityCryptographyBlockchain PrivacyPrivacy RisksBusinessWeb PaymentsBlockchainBlockchain Protocol
Third‑party trackers on shopping sites collect purchase data for advertising and analytics, and while mitigations exist, none are fully effective. The study demonstrates that third‑party web trackers can deanonymize cryptocurrency users through two complementary attacks. Both attacks are passive, allowing retroactive application to past purchases. Trackers can uniquely identify cryptocurrency transactions, link them to users’ cookies and real identities, and even reveal clusters of addresses and transactions when users employ anonymity techniques such as CoinJoin.
Abstract We show how third-party web trackers can deanonymize users of cryptocurrencies. We present two distinct but complementary attacks. On most shopping websites, third party trackers receive information about user purchases for purposes of advertising and analytics. We show that, if the user pays using a cryptocurrency, trackers typically possess enough information about the purchase to uniquely identify the transaction on the blockchain, link it to the user’s cookie, and further to the user’s real identity. Our second attack shows that if the tracker is able to link two purchases of the same user to the blockchain in this manner, it can identify the user’s cluster of addresses and transactions on the blockchain, even if the user employs blockchain anonymity techniques such as CoinJoin. The attacks are passive and hence can be retroactively applied to past purchases. We discuss several mitigations, but none are perfect.
| Year | Citations | |
|---|---|---|
Page 1
Page 1