Discussing the safety of NFTs

NFTs, or non-fungible tokens, have captured the attention of consumers and businesses around the world. This is due in large part to big price-tag sales, such as the digital artwork by Beeple that sold for over $69M. NFTs are pieces of digital content that are stored on a blockchain, which is the same foundation used by other cryptocurrencies, such as Bitcoin or Ethereum. The difference between NFTs and other cryptocurrencies like Bitcoin is that NFTs are unique tokens: they cannot be replicated or traded with another equal NFT.


So with the core information out of the way, how secure are NFTs? To make a long story short, they are not very secure. Even though NFTs are still in their infancy from a market perspective, the rapid growth in popularity has opened a brand-new avenue for hackers. This is not just a forward-looking concern; it is already in motion. In March, attackers compromised multiple Nifty Gateway NFT user accounts and were able both to transfer previously purchased NFTs out of those accounts and to purchase new ones to transfer, using the payment cards on file. While the users’ cash was recovered, the NFTs were lost to the attackers, who promptly sold them to another NFT purchaser on a different platform. Since the platform itself, like Nifty Gateway, holds the private keys associated with the NFT, the NFTs weren’t recoverable after being transferred.


NFT platforms can also be spoofed by malicious actors to steal users’ credentials and/or implant malware. Remote access trojans are an extremely popular form of attack that gives the attacker full remote control over the compromised machine. This also provides them with the ability to intercept passwords and keystrokes, among many other capabilities. The most important thing users can do to protect their NFTs is to enable multi-factor authentication (MFA).


As a proof point, none of the users impacted in the Nifty Gateway hack had MFA enabled, according to the official statement from March 15. Alongside MFA, the power of a strong password should not be underestimated: use a password that is of sufficient length and complexity and isn’t used on other accounts. While nothing is infallible, those simple steps go a long way toward preventing fraudulent activity.