With the continuous increase in the number of NFT users, transaction volume and market value, phishers, hackers and other criminals have also begun to target this market, further threatening the security of the NFT ecosystem.
A table compiled by the blockchain security and data analysis firm PeckShield shows that in one phishing attack, 254 NFTs with a total value of about $1.7 million were stolen; Jay Chou’s NFT BAYC#3738 was stolen on April Fools’ Day, a typical case in which a phishing website induced the victim to mint and thereby obtained the right to operate on the user’s NFTs; and a project called MoonManNFT stole nearly 400 NFTs under the guise of a free mint…
Generally speaking, hackers target collectors through Discord and Telegram and steal users’ NFT assets by inducing mints, phishing attacks and similar tricks. Given the pace of technological development, NFT investors and collectors must keep abreast of the latest ways to protect their assets.
NFT Secure Storage Basics
Please keep in mind:
- Your NFT is not stored on a computer or mobile device, but in a decentralized space like IPFS or Arweave.
- With the private key, you have full access to the blockchain/your assets.
- Shamir’s private key splitting scheme can provide secondary protection for mnemonics.
Where are your NFTs stored?
NFTs are not stored in cold wallets, PC terminals or hot wallets. NFTs are tokens that reside on the Ethereum blockchain, which is hosted by more than 2,400 network nodes in operation around the world. NFTs are supported by a fully decentralized system, which keeps the NFT ecosystem running and can also verify online transactions. When you trade an NFT, what actually happens is that the ledger records a change to the owner address of that NFT.
Where are your pictures, gifs and music?
The URI (Uniform Resource Identifier) of the NFT marks the location of the image. NFT media are generally located in decentralized storage such as IPFS or Arweave; in Web2 there is also centralized storage such as AWS.
A wallet is a piece of software that stores private keys and can support transaction activities. There are two types of wallets: hot wallets (software wallets) and cold wallets (hardware wallets).
Hot wallet (software wallet): Software that runs on a general-purpose device, connects to Web3, and can receive assets with a click of the mouse.
Cold wallet (hardware wallet): A dedicated hardware device that can connect to Web3 and receive assets. The main difference from a hot wallet is that a cold wallet’s mnemonic phrase is never connected to the Internet, and every transaction must be approved by physical means (such as a touch screen).
After choosing the right wallet, you need to understand its features:
First, a hot/cold wallet will ask you to create a password, which is unique on a specific device. The wallet can only be accessed if the password is known.
You can freely share your wallet’s public address, which is the Web3 equivalent of an email address: anyone who knows your address can send you NFTs. This has also spawned a new attack vector. Hackers send NFTs to people, and when the recipient interacts with that NFT (for example by sending it to another wallet, or selling it), the hackers steal the assets in that person’s wallet. Please remember: do not click on unfamiliar NFTs! Attackers also use rogue signature or approval requests to obtain your IP address.
Phishing emails are another common scam. The purpose of the email is to lure you into connecting your wallet to a fake website so hackers can steal your assets. So, don’t click on unfamiliar links! Be sure to check the website name from time to time. At present, hacking methods are relatively simple: attackers can only approach you through your public address and your email, so as long as you ignore unsolicited NFTs and emails, they get nowhere.
You need to keep the private key, which is the password to access your public address. The functions of the private key are:
- Move your NFT out of the address.
- Sign a contract to prove that you own the private key for the address (similar to verifying that you own the public address).
The biggest difference between a public address and a private key is that you can never reveal your private key to anyone. Otherwise, they can import your private key into their wallet and steal all your assets.
After clarifying the concepts of private key and public address, let’s look at the mnemonic. The mnemonic is generally composed of 12, 18 or 24 words and is used to recover the wallet. If you lose your private key, you can recreate it from the mnemonic. Like private keys, mnemonics must never be known to a second person, nor stored on electronic devices or with service providers (such as Google Drive, iCloud, photo albums, phone notes or copies). The ideal method is physical storage, such as writing it on paper; some people stamp the mnemonic into iron because it is more fireproof. Other measures, such as a passphrase, can also increase wallet security. A passphrase is a string of symbols or words that is combined with the mnemonic to derive a new wallet from the original one. For example, to create a new wallet based on the original wallet, just enter:
- Mnemonic + “NFTGo”
- Mnemonic + any number
- Mnemonic + any letter
- Mnemonic + any phrase
Any of the above methods creates a new wallet with a different private key and public address, but the passphrase function is only available on cold wallets.
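As an added illustration (not code from the original article), the following Python derives the BIP39 seed for a mnemonic with and without a passphrase, showing why Mnemonic + “NFTGo”, a number, a letter or a phrase each yield a different wallet; the mnemonic used is the standard all-“abandon” test phrase, not a real wallet.

```python
import hashlib
import unicodedata

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic plus optional passphrase.

    BIP39 uses PBKDF2-HMAC-SHA512 with 2048 rounds: the (NFKD-normalised) mnemonic
    is the password and the salt is "mnemonic" + passphrase. Any change to the
    passphrase yields an unrelated seed, i.e. a different wallet with different keys.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)

# Constructed demo phrase: the all-zero-entropy BIP39 test mnemonic, not a real wallet.
DEMO_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")

def passphrase_wallets(mnemonic: str = DEMO_MNEMONIC) -> dict:
    """Seeds for the page's variants: no passphrase, "NFTGo", a number, a letter, a phrase."""
    variants = ["", "NFTGo", "7", "a", "any phrase"]
    return {p: bip39_seed(mnemonic, p).hex() for p in variants}

def all_distinct(seeds: dict) -> bool:
    """True when every passphrase produced a different seed (a different wallet)."""
    return len(set(seeds.values())) == len(seeds)

if __name__ == "__main__":
    seeds = passphrase_wallets()
    for p, seed in seeds.items():
        print(f"passphrase={p!r:13} seed={seed[:16]}...")
    print("all different:", all_distinct(seeds))
```

Note that a mistyped passphrase does not produce an error, only an unrelated (empty) wallet, so the passphrase must be backed up as carefully as the mnemonic itself.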
Add a second layer of protection
Buying a cold wallet is an effective way to increase security. Trezor, Ledger and Keystone are among the most popular hardware wallets, and each has its own advantages, disadvantages and characteristics. For example, Keystone uses QR codes for data transmission, which avoids the risk of Trojan malware reaching the hardware wallet through a USB port or Bluetooth. It is also the first hardware wallet to support ENS (Ethereum Name Service), which removes the trouble of checking the raw address. Additionally, users can customize its 4-inch screen with NFTs.
Let’s take Keystone as an example of the setup.
- Buy Keystone wallet from the official website.
- Install the Keystone kit.
- Start Keystone.
- Set up your wallet’s PIN – a password specific to this device.
- If the wallet is used by an enterprise, the Shamir private key splitting scheme is recommended: split the mnemonic into 3 shares of which any 2 recover it (2-of-3), or into 5 shares of which any 3 recover it (3-of-5), and keep the shares in different places. With a 3-of-5 split you can lose 2 of the 5 backups and still restore the wallet from the remaining 3.
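To show what a 2-of-3 or 3-of-5 split actually guarantees, here is an added Python implementation of Shamir secret sharing over a prime field (example code, not Keystone’s own implementation): it splits 32 bytes of constructed demo entropy into 5 shares, discards 2, recovers the secret from the remaining 3, and refuses to reconstruct from fewer than the threshold.

```python
import secrets

# All arithmetic is in the prime field GF(PRIME). 2**521 - 1 is a Mersenne prime and is
# large enough to hold the 256 bits of entropy behind a 24-word mnemonic.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret: int, k: int, n: int) -> list:
    """Split `secret` into n shares (x, y); any k of them recover it, k-1 reveal nothing."""
    if not 0 <= secret < PRIME or not 1 < k <= n:
        raise ValueError("need 0 <= secret < PRIME and 1 < k <= n")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares, k: int) -> int:
    """Lagrange-interpolate f(0) from k distinct shares; fewer than k is refused."""
    shares = list({x: y for x, y in shares}.items())   # drop duplicate x values
    if len(shares) < k:
        raise ValueError(f"need at least {k} distinct shares, got {len(shares)}")
    shares = shares[:k]
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def demo_3_of_5(entropy: bytes) -> bool:
    """Split 32-byte entropy 3-of-5, 'lose' shares 2 and 4, recover from the other three."""
    secret = int.from_bytes(entropy, "big")
    shares = split_secret(secret, 3, 5)
    surviving = [shares[0], shares[2], shares[4]]
    return recover_secret(surviving, 3).to_bytes(32, "big") == entropy

if __name__ == "__main__":
    # Constructed demo entropy, not a real wallet secret.
    print("3-of-5 recovery after losing two shares:", demo_3_of_5(bytes(range(32))))
```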
Let’s take the transfer of a BAYC as an example to look at how an NFT hardware wallet is used. In Keystone, users can load an ABI data file from the microSD card to quickly confirm the authenticity of the address: “Bored Ape Yacht Club” appears in blue next to the address. You also need to confirm that the transaction does not involve any malicious behaviour, so that you do not sign your NFT over to a scammer or hacker.
Ways to Avoid NFT Scams
Be sure to download the Web3 app or wallet from the official website
The main cause of crypto/NFT hacks is users visiting unofficial websites. The vast majority of these sites are built for scams and look very similar to the official sites. Do not download Web3 apps from Google Play either, as they may not come from the original source. You can refer to the following suggestions to identify the official website:
- Look at the URL bar. Only click on URLs that start with https:// (not http://!); the “s” stands for “secure”, meaning the website’s data is encrypted in transit, which can prevent hacker attacks.
- Check the domain name. A favourite tactic of hackers is to create knock-off sites whose domain names are so similar to the original that only a careful double-check reveals the difference. For example, a knock-off of the website https://wobble.com could be https://w0oble.com. Remember to double-check every letter of the domain name from time to time.
- Watch out for spelling mistakes. Most fake websites are crudely built, with errors in spelling, wording, capitalization and grammar.
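The checks above can be automated before a link is opened. The following Python is an added example (not from the original article) that applies them to a URL: it rejects non-https links, decodes punycode hostnames so homoglyphs are visible, and flags look-alikes of an allowlisted official domain such as the page’s w0oble.com; the OFFICIAL_HOSTS allowlist is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed allowlist built around the page's example site. A real list holds the
# project's official domains copied from a trusted source, never from a DM or email.
OFFICIAL_HOSTS = {"wobble.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url: str, allowlist=OFFICIAL_HOSTS) -> tuple:
    """Return (verdict, reason) for a link: 'ok', 'reject' or 'unknown'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "reject", "not https"
    host = (parts.hostname or "").lower().rstrip(".")
    # Show punycode (xn--) hosts decoded so homoglyph substitutions are visible.
    shown = host
    if "xn--" in host:
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    if host in allowlist:
        return "ok", host
    # Digits standing in for look-alike letters (0 -> o, 1 -> l) and 1-2 character typos.
    deleet = shown.translate(str.maketrans("01", "ol"))
    for good in allowlist:
        if host.endswith("." + good):
            return "ok", host                      # genuine subdomain, e.g. app.wobble.com
        if deleet == good or edit_distance(shown, good) <= 2:
            return "reject", f"look-alike of {good}: {shown}"
    return "unknown", f"{shown} is not an official host; verify before connecting a wallet"
```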
Only browse official channels, official Twitter and official links
As mentioned earlier, only trust the official website, Twitter account and Discord. You can refer to the following suggestions to verify them:
- Check account activity.
- Check the number of followers.
- Check account history.
- Check comments and engagement.
Do not share login credentials or private keys with anyone
There is a popular saying in the crypto community: “Not your keys, not your coins.” Once your private key or mnemonic is shared, the account no longer belongs to you. The best thing to do is to keep the private key from everyone else.
Verify NFT before buying
Due diligence is always very important in the NFT ecosystem. Before buying or minting NFTs, it is important to check the reputation of the teams involved in the project, the organic interactions in their communities, and what people think about the project.
Minting NFTs using multiple wallets
For example, a burner wallet is a secondary wallet created specifically for NFT minting. Such wallets are created and funded with just the gas needed for the mint. After minting is completed, the minted NFT is sent to another wallet whose role is to store NFTs. This reduces the risk of the main wallet interacting with vulnerable websites. You can create multiple burner wallets and discard one as soon as a vulnerability is discovered.
Be wary of clicking links to unfamiliar accounts
A common trick used by hackers is to send giveaways or whitelist links from unfamiliar Discord accounts or by cold email. Be sure to set Telegram, Discord and email not to receive messages from unfamiliar accounts or unofficial addresses, and beware of users pretending to be group owners or official DMs.
Check token approval & revoke unused tokens
People interact with different protocols and sites every day, granting them access and permissions through smart contracts. It is important to review and revoke such access from time to time. The https://revoke.cash/ website can revoke approvals for you.
Before proceeding to the next step, carefully read and verify the transaction terms of the smart contract
Before confirming a transaction, make sure you read every detail of the smart contract interaction carefully. Many hackers use smart contracts to trick you into granting permission to access the funds in your wallet at will. Read carefully to make sure the details of the contract do not pose a threat or expose a vulnerability.
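Reading “every detail” of a transaction is easier when the calldata is decoded. As an added example for the approval-review and transaction-review advice above (not code from the article or from revoke.cash), the following Python decodes the standard ERC-721 calls and rates what signing each one hands over; PHISH_CALLDATA and the addresses are constructed samples.

```python
# Four-byte selectors of the standard ERC-721 functions that move or delegate tokens
# (first 4 bytes of keccak256 over the signature, per the Solidity ABI).
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
}

def _arg(data: bytes, i: int) -> bytes:
    """The i-th 32-byte ABI word after the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]

def _addr(word: bytes) -> str:
    """Addresses are right-aligned in the 32-byte word; the last 20 bytes matter."""
    return "0x" + word[12:].hex()

def inspect_calldata(hex_data: str, my_address: str) -> dict:
    """Decode ERC-721 calldata and rate what signing it would hand over."""
    data = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return {"function": "unknown selector " + data[:4].hex(), "risk": "REVIEW"}
    if name.startswith("setApprovalForAll"):
        operator = _addr(_arg(data, 0))
        on = int.from_bytes(_arg(data, 1), "big") != 0
        return {"function": name, "operator": operator, "approved": on,
                "risk": "HIGH" if on else "LOW",
                "note": "operator may move EVERY token you hold in this collection"
                        if on else "revokes the operator"}
    if name.startswith("approve"):   # same selector as ERC-20 approve, where arg 1 is an amount
        token_id = int.from_bytes(_arg(data, 1), "big")
        return {"function": name, "operator": _addr(_arg(data, 0)), "token_id": token_id,
                "risk": "MEDIUM", "note": f"operator may move token {token_id}"}
    # transferFrom / safeTransferFrom: does the token leave your address?
    sender, receiver = _addr(_arg(data, 0)), _addr(_arg(data, 1))
    token_id = int.from_bytes(_arg(data, 2), "big")
    leaving = sender.lower() == my_address.lower()
    return {"function": name, "from": sender, "to": receiver, "token_id": token_id,
            "risk": "HIGH" if leaving else "LOW",
            "note": f"moves token {token_id} to {receiver}" if leaving else "your token stays put"}

# Constructed sample: a "free mint" page that really asks you to sign
# setApprovalForAll(<attacker address>, true) on a collection contract you hold.
PHISH_CALLDATA = "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    print(inspect_calldata(PHISH_CALLDATA, my_address="0x" + "11" * 20))
```

A genuine mint normally calls the collection’s own mint function, so a mint page asking for setApprovalForAll on a collection you already hold is exactly the red flag this check surfaces.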
Keep up with the news and learn about new vulnerabilities
Interest in the NFT market keeps growing, and criminals lurk in it, using tricks to steal works and funds from collectors and investors. Please ensure that your valuable assets, wallets and funds do not fall into the hands of hackers.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/nft-anti-theft-guide-how-to-keep-assets-safe/