NFTs, or non-fungible tokens, have captured the attention (and wallets) of consumers and businesses around the world. This is largely due to big price-tag sales, such as the digital artwork by Beeple that sold for over $69M at Christie’s Auction House.
While discovering new and inventive ways to exchange currency is par for the course in the digital age we live in, being aware of the associated security risks and taking the actions necessary to mitigate them is imperative in both the short and long term.
What are NFTs?
NFTs are pieces of digital content that are stored on a blockchain, the same foundation used by cryptocurrencies such as Bitcoin or Ethereum. The difference between NFTs and cryptocurrencies like bitcoin is that NFTs are unique tokens: an NFT cannot be replicated or exchanged one-for-one with another NFT.
How secure are NFTs?
The short answer is: not very. It’s no secret that threat actors are motivated opportunists who will attempt to pilfer any asset, physical or digital, that holds value; and even though NFTs are still in their infancy from a market perspective, their rapid growth in popularity has opened a brand-new avenue for hackers. This isn’t just a forward-looking concern, but something that is already in motion.
In March, attackers compromised multiple Nifty Gateway NFT user accounts. They transferred the NFTs those users had already purchased out of the accounts, and also used the payment cards on file to purchase new ones and transfer those as well. While the users’ cash was recovered, the NFTs were lost: the attackers promptly sold them to another purchaser on a different platform, and because a platform like Nifty Gateway holds the private keys associated with the NFT, the tokens were not recoverable once transferred.
Cryptocurrency scams via email are a popular threat vector. A high-volume email scam currently circulating masquerades as Coinbase and notifies the user that their account has had suspicious logins. The user is told they must open the (credential-stealing) attachment and provide their password to log in and verify their account. If they proceed, the attacker will have compromised their Coinbase login credentials and will be able to access the account if the user hasn’t enabled multi-factor authentication with Coinbase.
Likewise, NFT platforms can be spoofed by malicious actors to steal users’ credentials and/or implant malware. Remote access trojans are an extremely popular choice because they give the attacker full remote control over the compromised machine, including the ability to intercept passwords and keystrokes, among many other capabilities.
Will regulations save the day?
Maybe in the future, but not yet. NFTs are a burgeoning industry with little regulation or oversight, which is by design, since the technology is blockchain-based like cryptocurrencies. As a result, legal loopholes exist in the industry that allow some to operate with impunity in certain scenarios.
The area where regulation is most likely to be extended to cryptocurrency exchanges is the tracking of historical transactions associated with digital wallets linked to a customer. This is analogous to the suspicious-activity reporting already required of traditional banks. For example, in the United States, the Department of Justice and the Financial Crimes Enforcement Network have recently been working to reduce fraudulent activity in decentralized exchanges. So far, they have primarily focused on the thresholds at which companies are required to store customer and transaction data.
How do you take protection into your own hands?
The most important thing users can do to protect their NFTs is to enable multi-factor authentication (MFA). As a proof point, none of the users impacted in the Nifty Gateway hack had MFA enabled, according to the official statement from March 15.
Coupled with MFA, the power of a strong password should not be underestimated: use a password of sufficient length and complexity that isn’t reused on other accounts. While nothing is infallible, these simple steps go a long way toward preventing fraudulent activity.
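As an added illustration (not code from the original article or from any platform it mentions), the following Python shows what those two recommendations mean mechanically: a password-policy check covering length, character variety and reuse, and a time-based one-time password (TOTP, RFC 6238) as the second factor, so that a password captured by a phishing attachment like the Coinbase one described above is not enough on its own. The account structure, the policy thresholds (12 characters, three character classes) and the PBKDF2 parameters are assumptions made for the example; the demo secret is the RFC 6238 reference key, not a real credential.

```python
"""Added example: password policy plus a TOTP second factor."""
import base64
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way authenticator apps expect it. Not a real credential.
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def password_meets_policy(password, previously_used_hashes):
    """Length, character variety and no reuse. Reuse is checked against
    SHA-256 digests of earlier passwords so the set never holds plaintext.
    Thresholds (12 chars, 3 classes) are an assumption for the example."""
    if len(password) < 12:
        return False, "shorter than 12 characters"
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        return False, "needs at least three character classes"
    if hashlib.sha256(password.encode()).hexdigest() in previously_used_hashes:
        return False, "reused password"
    return True, "ok"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32, submitted, unix_time, step=30, window=1):
    """Accept the current code or one step either side (clock drift),
    comparing in constant time so the check leaks nothing by timing."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
               for d in range(-window, window + 1))


def hash_password(password, salt):
    # Iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_account(password, totp_secret=None):
    """Store a salted password hash; totp_secret is None when MFA is off."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret}


def login(account, password, code, unix_time):
    """Password first; if MFA is enrolled, a valid code is also required."""
    if not hmac.compare_digest(hash_password(password, account["salt"]),
                               account["pw_hash"]):
        return False
    if account["totp_secret"] is None:
        return True  # no MFA: a phished password alone is enough
    return code is not None and verify_totp(account["totp_secret"], code, unix_time)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3xyz!"  # constructed sample password
    print(password_meets_policy(pw, set()))
    weak = make_account(pw)                       # password only
    strong = make_account(pw, DEMO_TOTP_SECRET)   # password + TOTP
    now = 59  # RFC 6238 test time; the code at this instant is 287082
    print("phished password, no MFA  :", login(weak, pw, None, now))
    print("phished password, with MFA:", login(strong, pw, None, now))
    print("password + current code   :", login(strong, pw, totp(DEMO_TOTP_SECRET, now), now))
```

Run as-is, the script shows the password-only account accepting a stolen password outright while the MFA-enrolled account rejects it until the current code is supplied; the `window=1` tolerance is what lets a user whose phone clock is a few seconds off still log in, and a code from several minutes earlier is refused.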
For companies and/or platforms specifically, typical security hardening steps such as employee background checks, drive encryption, securing sensitive communications, employee security awareness training, vulnerability testing, bug bounty programs, and third-party penetration testing services are just a few of the steps to take.
For both users and companies, when applicable and done properly, cold (offline) storage of digital assets offers the best protection from internet-connected thieves. Even then, cold storage, whether a hardware, paper, or desktop wallet, must still be physically secured to protect against loss, damage, or theft.