NFT-mania, pronounced nifty, is upon us with little time to prepare. From news of a collage selling for almost $70 million at Christie’s auction house to a portrayal of Janet Yellen and Morpheus rapping about cryptocurrency on SNL, the current craze is all about non-fungible tokens (NFTs).
But what are NFTs, how do they work, and what security precautions should we take? We answer all of these questions in our look at the exciting, speculative world of NFTs.
What is a non-fungible token (NFT)?
A non-fungible token (NFT) is a digital certificate of ownership that contains metadata unique to the token. Like cryptocurrency, NFTs are bought and sold through a blockchain that permanently records the transaction, but no one NFT is identical to another, unlike most crypto coins. These tokens are virtual representations of any actual or intangible asset, including artwork, music, video clips, digital trading cards, tokenized real-world assets, and virtual land.
Also Read: Could Blockchain Improve Security?
How do NFTs work?
Much like cryptocurrency, NFTs use blockchain technology for advanced certification of transactions and are tradable on global platforms. NFTs break from traditional crypto is their unique attachment to a digital asset generated by a user and the subsequent auction-based sale of the NFT.
If a user wanted to buy a Litecoin, all they’d need is a wallet, platform, and initial funds to purchase either a whole coin or, more likely, a fraction of the coin for a round dollar amount (e.g., $100 today in exchange for .38 LTC). For NFTs, the process is similar, but NFTs are rarely purchased in fractions and sold auction-style where the highest bidder wins the lot. With a winning bid, the buyer’s purchase timestamps the transaction in a coin-specific blockchain, and the token has a new owner.
There is a separate blockchain for each cryptocurrency where coin activity is actively logged on the chain of blocks. Ethereum is currently the blockchain of choice for NFT issuance; however, several other blockchains are gaining steam, including Binance Smart Chain, Flow by Dapper Labs, Tron, EOS, Polkadot, Tezos, Cosmos, and WAX.
Also Read: Application Security Vendor List for 2021
While blockchains offer an ironclad record of token transactions, the applications facilitating this activity and working with the user can’t say the same. From poor password management to not enabling 2FA or actively threat hunting, users must be vigilant when protecting their digital assets. Access to an owner’s NFT is as simple as obtaining the private key to their wallet. Without the key, there’s little to no existing recourse in retrieving stolen or misplaced NFTs.
As a developing market split between a list of platforms, there are still a few kinks to work out. Two particular concerns relate to the ability of users to post NFTs that they do not own and the practice of posting duplicate, identical NFTs.
Some artists just learning about NFTs are also learning their work was posted by strangers without their knowledge. This predicament means unknowing fans could be buying and selling the NFT under the guise of legitimacy when the owner never sanctioned its production. Similarly, there are minimal standards to stop internet users from copying objects that could be NFTs and posting them without the owner’s consent. In both cases, fraudulent posts can lead to separate existing chains of ownership for the supposed same NFT.
No surprise here–phishing campaigns have moved to target the NFT marketplace. Hardware wallet vendor Ledger has an ongoing list of phishing attack examples thrown at their customers. Examples of these phishing attempts include requests to update your device for crypto security, update your seed phrase, or reset the device, as well as platform representatives reaching out with egregious requests or anonymous parties making blackmail threats.
Top tips to prevent scamming include only validating transactions you are a party to and only interacting on the official platform channels. In Ledger’s case, they also note that they are unable to deactivate your device or contact you via SMS or call.
Decentralized and Unregulated
Decentralization is one of the benefits of blockchain technology. However, it’s also a reason to be cautious. In a global economy where central banks and governments can manage and enforce regulations, reverse fraudulent transactions, or return stolen items, NFTs sadly cannot offer the exact extent of real-world security. Getting back stolen or fraudulently transferred NFTs is a challenge the industry segment has yet to reconcile.
A rule of thumb in cybersecurity is that the more popular or valuable a technology or application is, the more likely it will be the target of online scams. With the fast and furious adoption of NFT as a digital asset, threat actors are already trying to get a piece of the pie.
In March, a popular NFT marketplace, Nifty Gateway, was victim to an attack where malicious actors tried to access legitimate accounts. In response to users reporting unauthorized activity on their accounts, Nifty noted their analysis is ongoing, the impact was limited, and all devices with 2FA were untouched. One account owner broke down the hackers TTPs as:
- Accessed wallet with valid account credentials
- Transferred the owner’s NFTs to another account
- Purchased more than $10,000 worth of NFTs
- Sold the stolen NFT on a social media platform (Discord)
In a first for the NFT market, Coindesk reported on a representative of Hacker House who posted a zero-day exploit for sale. Before the OpenSea NFT marketplace took the posting down, it was advertised as a post-authentication memory corruption vulnerability for the ioquake3 gaming engine. With the NFT in hand, a user can review the previously unknown vulnerability and execute it on network game servers. While remote code execution is unlikely, the issue can cause DDoS.
Best practices for NFT security
Hot Wallets vs. Cold Wallets
Within cryptocurrency, hot wallets or software wallets are web, mobile, or desktop-based accounts connected to the internet. For passive crypto traders, hot wallets are the most convenient and user-friendly option; however, they are not the most secure storage method. Top hot wallets include BlockFi, Exodus, Electrum, Mycelium, Coinbase, and Gemini.
Cold wallets, often hardware wallets, are typically disconnected from the internet, making their use inherently more secure from online attacks. As physical devices, hardware wallets store the private keys and metadata needed to access digital tokens. The prospect of stealing a cold wallet for malicious actors is quite tricky, considering it requires physically possessing or accessing the wallet. Popular cold wallet vendors include Cobo Vault, ColdCard, KeepKey, Ledger, SafePal, SatoChip, Shift Crypto, and Trezor.
Just as a financial advisor diversifies their portfolio to mitigate the risk of poor performance of a single stock, bond, or fund, wallet owners can diversify their holdings into multiple wallet accounts to avoid compromising the owner’s collective holdings. Not every wallet or NFT platform offers the same features, so some strategy is involved in picking the most secure and convenient locations to place and keep NFTs.
2FA Enabled Everywhere
While not a requirement on some NFT platforms, enabling 2FA for your wallets is a necessary layer of security. The most notable theft in this short period remains the Nifty Gateway breach, where only accounts without 2FA were vulnerable. Because all keys to NFT ownership live in a centralized repository, RubiX CTO Chakradhar Kommera notes, “identity compromise will result in loss of keys and the digital assets tied to them.” While platforms develop more robust security features to protect users, enabling 2FA is a must.
When running through the transaction checklist, it’s imperative users analyze the URL addresses at play. As noted, hackers are more than capable of hijacking your browser and convoluting the transaction, but even scarier is the prospect of your NTF link failing. Using traditional URLs by web hosts and NFT marketplaces when conducting a transaction creates a critical vulnerability to NFT ownership. If either domain were to shut down, recovery of the NFT is unlikely. Many analysts have pointed to this potential for link failure as the most expensive 404 error you’ll ever see.
In response to this problem, a growing number of NFT owners are using or considering the InterPlanetary File System (IPFS) for preserving their objects. While IPFS has its kinks to work out, it does give NFT owners more agency in maintaining their NFT’s digital presence.
NFTs: Cautious optimism
In crypto, possession is everything. The blockchain chronologically records crypto coins and NFTs as unique, virtual possessions for our digital age. Beyond just a market of digital collectibles, NFTs present a future where real-world assets could be widely tokenized. The NFT industry segment is still a developing market, and we look forward to seeing how more robust security features fit into the marketplace. Solutions like a method for identifying duplicate NFT posts of the same object and ensuring creators can restore ownership rights are critical hurdles in building a fair and secure NFT marketplace.
For now, we quietly wait to see how threat actors approach this new market and what all users and organizations can do to safeguard their digital assets.
Disclosure: This article is not financial advice. We strongly encourage any readers interested in the NFT market to learn more and talk with your financial advisor for more information.