NFT thefts make headlines. Indrė Viltrakytė is the co-founder of The Rebels and explains how you can protect yourself.
Phishing attacks are nothing new and sometimes even easy to detect. For example, when a prince from a distant country asks you to send him your bank details. But sometimes such scams are also more difficult to detect. For example, when a seemingly trustworthy source asks you to approve the release of your crypto and NFT assets.
This happened recently in a phishing theft from NFTs. A Premint platform was affected, on which users agreed to a request to hand over control of their assets to an unknown company.
On July 17, 2022, the popular NFT platform Premint NFT was hacked. The perpetrators managed to implement a code on the official website of Premint, which asked users to connect their wallets “Permits for all” adjust. In this way, the attackers were able to access the crypto assets and steal 314 NFTs worth $ 430,000.
The world of NFTs is still in its infancy and could be vulnerable to further phishing attacks.
NFT thefts: what is stolen?
When we think of the word NFT, we usually think of a unique, digital image that is connected to the blockchain. However, the whole thing is a little more complicated. When talking about NFTs, the traceability of property and uniqueness are always emphasized. But nowhere in the NFT standard is it stated what the unique tokens represent. Basically, the tokens are nothing more than unique numbers, only the authors of an NFT collection define what these tokens stand for.
In addition, the images themselves are usually not stored in the crypto wallet, since the tied one is not part of the NFT contract. Only a hash of the image could be in the contract to establish a connection to the thing that represents the NFT. In addition, the NFT standard does not care about the value or the purchase and sale operations of a token, but only about the methods of transferring the NFTs as property. Only the marketplaces and the community build on this and treat the NFTs as tradable assets.
Thus, NFTs are mostly bought as collectibles and often used for investment purposes. Practical applications have only been around for a short time. An example of this are digital fashion wearables in the Metaverse.
What can we do about thefts in the future?
Who is to blame? Is it the users? Or is it the platform that allowed the attacker to suggest a fraudulent transaction?
In this particular case, the attackers were able to view content in order to entice the user to sign such a transaction.
A vague, plausible-sounding reason for the transaction in combination with confidence in the site was already enough to deceive many users. Nevertheless, it would not be right to expect that the average Web3 user knows how to circumvent such meshes. In this case, most did not have enough technical background knowledge to realize that the transaction actually gave someone access to their NFTs.
If a transaction is proposed by a reputable website, people obviously trust the security of the platform. The assets in the wallets are only as secure as the sum of ALL decentralized applications (dApps) with which the user interacts. Similar cases are likely to recur in the future.
How Dapps could Improve Security:
- Wallets could display more people-oriented information for various known contract interactions. For example, a big red message that says: “Hey, you’re just handing over control of all your NFTs to someone!” That would be much better than the current uppercase “SET APPROVAL FOR ALL” in gray in the transaction confirmation window of the MetaMask.
- Websites could list and publish all of the contract interactions they could. The providers like MetaMask would then reject all atypical transactions.
So users could better protect themselves
- Check the transaction details before signing. This will not protect you 100%, but it is still important to check which method is used for which contract.
- Split NFTs (and other cryptocurrencies) to multiple wallets. If you are tempted to give someone control over your own assets in one wallet, at least the assets in other wallets are safe. Of course, this only applies as long as you do not pass on your private key or the seed phrase.
- Use different wallets for different dapps. This may be a bit inconvenient if the dapp is to interact with assets that are not already in the corresponding wallet, but the security effort is worth it.
About the author;
Indrė Viltrakytė is co-founder of the Web3 fashion company The Rebels. The project has 10101 unique NFT characters based on the controversial advertising campaign “Jesus, Mary”. The campaign was initially banned, but later won the case before the European Court of Human Rights and is now considered a precedent for disputes related to freedom of expression in the EU. Indrė Viltrakytė has more than 10 years of experience in the fashion industry.
The article NFT thefts: is this just the beginning? first appeared on BeInCrypto.