What are the security issues with NFTs?
The misguided guidance to trust an NFT simply because of the white paper
When I was in College, there was a homeless man, Albert, who frequently stood outside a building on our block. Albert was an elderly gentleman who was a bit shorter than me, slender, and often wore dark, ragged clothes. He also had a kind face and smiled at everyone.
I had to pass him multiple times a day because that building was just past mine on my way to class. When I first encountered him, I am sure I was wary of him. I probably even crossed the street to avoid him. Philly was a pretty dangerous place.
Eventually, I got to the point that I would smile, wave and say hello to Albert, even multiple times a day. Sometimes, I would offer him some change or a dollar. I was a poor college student and naturally stingy because of it. I certainly did not want to be giving Albert money if he was going to use it to buy drugs. I knew the scams.
But I had observed Albert and he would open the door for people who were entering and exiting the building. I even saw him at the local Wawa kick out another guy who was stealing. I learned to trust Albert.
And I grew fond of him.
When we graduated, my roommates and I took a picture with Albert. It sits in my home office. For me, it’s one-of-a-kind and priceless.
If given the chance, I would turn that picture into an NFT (non-fungible token). What’s an NFT you ask? Well I am so glad you did. Often referred to as digital art or digital collectibles, an NFT is a hypertext link to a static URL of an image. If you are part of Web3 and the Metaverse, you likely smirked at that novice description.
It is more complicated than that, for sure. But, for me, it is helpful to think of an NFT as a box that contains a bunch of code.
They have been around for a while. I believe they were created around 2015 as part of a hackathon. But some claim that the “gold rush” in NFTs started in early 2021 when Beeple sold a collection of NFTs at Christie’s for $69 million. That event put NFTs on the map as a digital collectible, but it also drew bad actors who were attracted to the idea of “get rich, quick.”
Sort of ironic if you know what the artist Beeple does.
When there is a new way to make money, the scammers come out to play. That is certainly what has happened with NFTs and it can be difficult to trust. In fact, just this past weekend, OpenSea suffered a security incident that certainly created more doubters who deem the risk too high.
But what is fascinating is that the security issues with NFTs are really no different than regular, run-of-the-mill security issues that we have known about, and mitigated, for decades.
Let me briefly explain.
First, there is malware. Now, don’t start calling NFT scams malware. You will probably be laughed at. In the NFT community, these are called “rug pulls.” Getting its name from having the rug pulled out from under you, it describes an NFT project that is quickly hyped to drive up value so the founders can make a quick buck, either running away with all the NFTs or leaving them worthless. It is executed by inserting some malicious code into that NFT box, i.e., malware.
Second, there is third-party risk. Have you tried to buy an NFT? If so, then you probably went to a marketplace, like OpenSea. As evidenced by their most recent security incident and the fact that they announced forming a security group this January, these young, immature companies literally hold the keys to the kingdom. Your private cryptocurrency key, that is. Where do malicious hackers like to play? You got it, in the sandbox where they can take everyone’s toys at the same time.
Third, there is good old fashioned phishing. I mean, honestly people, are we still trusting emails that say “click here and enter your password?”
Apparently, when it comes to NFTs, yes, yes they are.
So how do we protect ourselves?
You know what I am about to say.
Exactly the same way we do now with non-NFT situations. We do our due diligence. Some of this stuff is actually funny. NFTs are so popular that a project can be spun up on Discord or Telegram and immediately con people into buying NFTs. A lot of these founders use aliases or don’t go on camera, and they build websites that don’t even have legible content. When I joined Discord, the first warning I got was “don’t trust anyone trying to DM you. We will never DM you.”
WTF
Okay, okay, so having run a research company for the last 4 years, I can tell you with certainty that due diligence is not hard. It just takes time (psst, special announcement for NFT buyers that saves time!). Look at the website: does it support email encryption? What version of TLS does it use? Do they even have a privacy policy? How much time and effort did they put into building trust with you?
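As an added example (not from the original post or from ClearOPS), this Python script automates three of the website checks just listed for a project’s domain. It assumes “email encryption” means a published MTA-STS policy (RFC 8461) and assumes a few common privacy-policy paths; `due_diligence` needs network access, while the parsing and classification helpers run offline.

```python
import socket
import ssl
import urllib.error, urllib.request

PRIVACY_PATHS = ("/privacy", "/privacy-policy", "/privacy.html")  # assumed locations

def negotiated_tls_version(host, port=443, timeout=5):
    """Connect with a certificate-verifying context; return the negotiated version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()  # e.g. 'TLSv1.3'

def classify_tls(version):
    """'ok' for TLS 1.2/1.3; anything older (or no TLS at all) is 'weak'."""
    return "ok" if version in ("TLSv1.2", "TLSv1.3") else "weak"

def fetch(url, timeout=5):
    """Return (status, body), or (None, '') on any network or HTTP failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""

def parse_mta_sts(text):
    """Parse an RFC 8461 policy file: 'key: value' lines, where 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def policy_enforces(text):
    """True only for a well-formed STSv1 policy in 'enforce' mode that lists an MX."""
    p = parse_mta_sts(text)
    return p.get("version") == "STSv1" and p.get("mode") == "enforce" and bool(p["mx"])

def due_diligence(host):
    """Run the three checks against a live host; each failure counts against trust."""
    try:
        tls = classify_tls(negotiated_tls_version(host))
    except OSError:  # includes ssl.SSLError and socket timeouts
        tls = "weak"  # could not negotiate a certificate-verified connection
    status, body = fetch(f"https://mta-sts.{host}/.well-known/mta-sts.txt")
    return {"tls": tls,
            "privacy_policy": any(fetch(f"https://{host}{p}")[0] == 200 for p in PRIVACY_PATHS),
            "mta_sts_enforced": status == 200 and policy_enforces(body)}
```

A project whose site negotiates only old TLS, publishes no privacy policy and has no enforced MTA-STS policy has not invested much in being trustworthy, which is exactly the signal the checklist above is after.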
At the end of the day, if the NFT is a scam, then it will be pretty apparent that this isn’t the same smiling, hard-working, there every day homeless man opening the door for people.
You’re the best,
Caroline
P.S. If you are curious about the subtitle to this blog post, I want to explain in this postscript. In reading about mitigation techniques for NFT scams, I read that in order to make sure the founders are real people, you need to read their white papers (one article literally says the white paper should be professional and more than 20 pages long) as part of your critical due diligence. I have started to read several white papers and, in the middle of one of the multiple times I dozed off, I fought through the slumber to brilliantly exclaim that these white papers are the developers’ way of getting back at lawyers for privacy policies.
About the author: Caroline McCaffery is a co-founder at ClearOPS, an A.I. privacy tech company managing privacy and security operations data to make mundane tasks simple. She is a frequent blogger and speaker with over 20 years of experience as a lawyer working with tech startups. You can connect with her on LinkedIn.
Security Expert Marketplace is the only exclusive community for vCISOs. Providing vCISOs with community, private events and public speaking opportunities, the Security Expert Marketplace is on a mission to facilitate better security. We are trying to grow this newsletter subscriber base so please share and subscribe!