Digital Collectables are shaking up the way we create value and interact with people online, at a time when there is already more art being created than ever before.
A wave of the future shaping our economy, culture, and society, NFTs are taking us into a world where anything under the sun can be turned into digital assets that you can buy or sell online.
The Digital Collectables space continues to grow and flourish as hundreds of NFT projects, new NFT games, NFT marketplaces and NFT-powered virtual worlds are launched every day, each one bringing more users, investors, creators, and entrepreneurs into a world whose inherent risks they may not be ready for, or even aware of.
As Digital Collectables grow in popularity and become more mainstream, it is increasingly important that NFT creators, collectors, and enthusiasts pay attention to cybersecurity as a core component of their work and strategy.
The Digital Collectables Cybersecurity Playbook is intended as a best practice guide to keeping you safe from cybercriminals and other potential threats in the NFT space that may compromise your security, jeopardize your work and undermine your investments.
Why a Digital Collectables Cybersecurity Playbook?
Cybersecurity is an issue for everyone online; however, because of the hyper-growth of the NFT market and the many ways blockchain-based platforms differ from existing online platforms, NFT creators and collectors should take a more proactive role in educating themselves about staying safe while using these platforms.
There are no silver bullets for cybersecurity, but we can always do better by implementing some of the best practices outlined in this playbook for creating a safer, more secure NFT ecosystem.
We created this playbook with recommendations from industry experts. Whether you are an artist, musician, athlete, influencer, creator, collector, or enthusiast, this playbook will:
- Help make NFTs a safer, less vulnerable, and more enjoyable space for everyone
- Enable NFT creators and collectors to better protect themselves from cybercriminals
- Help you make better decisions to protect yourself and your NFTs from potential threats
- Help NFT creators launch NFT projects more safely and securely
What to expect from this playbook?
In order to keep this playbook accessible and actionable, each section is short, giving you quick and easy strategies for protecting yourself online. The playbook:
- focuses on a set of preliminary baseline security controls
- is aligned with cybersecurity standards and best practices
- addresses the different responsibilities of everyone involved in the industry
Who Should Use This Playbook?
This NFT Cybersecurity Playbook is for NFT creators, collectors and enthusiasts who take the safety and security of their data and assets seriously and want to keep them safe from cybercriminals and other potential threats in the space.
The NFT industry is growing quickly and while it matters most that early adopters of new tech are protected against attacks from malicious actors, those that do not know what they are doing can cause harm to others.
Everyone has a role to play in protecting themselves and this growing community against cybercriminals.
This playbook is for people who are involved in an NFT drop whatever their role, from design to production, from project management to development, and from creation to collection and investment.
About the Authors:
Founder and CEO of Next Decentrum, a blockchain company building Momentable, an NFT e-commerce platform focused on helping museums, art collectors, and cultural institutions create, manage, and promote NFT-based digital products and collections on the Flow blockchain.
In 2006, Hussein launched CreativeArab, the world’s first and largest marketplace for Middle Eastern art focused on connecting artists across the Arab world with a global audience (acquired). Then he launched The Content People in 2010, an award-winning content marketing agency with clients that included Virgin Mobile, Pfizer, and Starbucks.
In 2016 Hussein joined Launch as General Manager. Launch is one of North America’s top tech hubs and startup incubators, having incubated over 6,500 founders and 500 startups that raised over $1 billion. In 2019 he joined 3 tier logic as VP of Products & Strategy, where he worked with some of the world’s most valuable brands including Universal Studios, P&G, and Kimberly Clark.
Hussein writes and speaks about startups, blockchain and NFTs, and advises several tech and blockchain startups including Mobile Art School, Fintrux, Majik Bus, Traction Health, AmiPro, Cloud Nine, and Peace Geeks.
He was recognized in 2019 as one of 30 Vancouver tech thought-leaders and influencers to follow, and has been featured in Forbes, BBC, BetaKit, Entrepreneur, DailyHive, Notable, and CBC.
When not building products, Hussein enjoys writing, reading, and engaging in meaningful conversations over good coffee.
Dominic has an established track record as a cyber security leader. He has a wide range of experience overseeing numerous projects, including security strategy development, policy development, endpoint security, and threat management in a multitude of industries (financial services, logistics, transportation, government, telecommunications, and critical infrastructure).
Dominic actively participates in the local Vancouver security community and is a regular cyber security expert for Global BC (TV), CKNW (radio), News1130 (radio), and the Vancouver Sun (newspaper). He has even appeared internationally on BBC News World TV.
Dominic is a firm believer in delivering sustainable security that supports and protects business goals. Having worked within large and globally diverse organizations he has extensive security experience that has been forged over the past decade as an information security professional.
Currently, in his role as Chief Security Strategist at Cyber.SC, Dominic focuses much of his energy on helping start-ups and small/midsize businesses solve their cyber security challenges. He strives to provide practical cyber security advisory services to his clients.
Dominic is actively seeking board of director roles for companies seeking cyber security leadership.
Joel Mark Harris is an author, ghostwriter and marketer. After he graduated from the Langara School of Journalism in 2007, he worked as a newspaper reporter and PR specialist before diving headfirst into marketing. He founded several marketing companies to help businesses grow and scale before he started a ghostwriting company. Ghostwriters & Co is a premier content agency designed to help people tell their stories.
Joel is also an award-winning journalist, novelist, screenwriter and producer. His feature-length film Neutral Territory won ten awards and played in festivals across the world. He has ghostwritten numerous books in all types of genres including true-life crime, business, memoirs, and self-help. He has helped hundreds of business owners scale their businesses and increase their visibility.
Chapter 1: A New NFT World
NFTs are digitally native, collectible assets that are similar to physical objects in many ways but fundamentally different in a few others: NFTs live on the internet, they are globally accessible, and they can be tracked.
An NFT could represent something like a virtual instrument or item in an online game, real estate property rights (like shares of stock), a viral video, a meme, or a one-of-a-kind work of art.
Much like physical items, NFTs derive their value from the idea that they are unique and special. For example, limited edition NFTs, much like limited edition prints, can be more valuable than widely available NFTs.
NFTs separate possession from ownership. They represent digital items that a few own but everyone has access to. This is different from day-to-day assets, which are owned by and accessible only to a few.
This new paradigm, combined with the fact that there is virtually no cost or barrier to minting additional NFTs of the same item, makes it difficult to determine the market value of NFTs when compared to traditional assets.
How Do NFTs Work?
In practice, NFTs are pieces of code that live on a blockchain network. Together, the blockchain network and the NFT code fulfil a few key functions:
- Keeping track of who owns the NFT
- Transferring the ownership when an agreed price has been paid
- Pointing to any digital or physical assets associated with the NFT
Furthermore, the NFT code can include instructions to pay the original creator a royalty, every time the NFT is bought and sold.
So even if an NFT is worth very little today it can generate continuous income to the original creator in the future as it gains more popularity and demand for it increases.
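The functions listed above (tracking the owner, transferring ownership when the price is paid, pointing to the asset, and paying the creator a royalty on every resale) can be shown in a few dozen lines. The following is an added illustration written for this playbook, not the code of any real NFT contract or blockchain; the `NFTRegistry` class, its in-memory balances and the account names are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Token:
    token_id: int
    creator: str          # who minted the token; receives royalties on every resale
    owner: str            # current owner; only this account may list the token
    asset_uri: str        # pointer to the digital or physical asset the NFT represents
    royalty_bps: int      # creator royalty in basis points (500 = 5%)


class NFTRegistry:
    """Toy stand-in for an NFT contract (constructed for illustration, not any chain's code).

    It keeps track of who owns each token, transfers ownership only when the
    listed price is paid, and pays the creator a royalty on every sale."""

    def __init__(self):
        self.tokens = {}        # token_id -> Token
        self.balances = {}      # account -> simulated balance (stands in for on-chain funds)
        self.listings = {}      # token_id -> asking price set by the current owner
        self._next_id = 1

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount

    def mint(self, creator, asset_uri, royalty_bps):
        if not 0 <= royalty_bps <= 10_000:
            raise ValueError("royalty must be between 0 and 10000 basis points")
        token = Token(self._next_id, creator, creator, asset_uri, royalty_bps)
        self.tokens[token.token_id] = token
        self._next_id += 1
        return token.token_id

    def owner_of(self, token_id):
        return self.tokens[token_id].owner

    def list_for_sale(self, token_id, seller, price):
        # Ownership check: a token can only be listed by its current owner.
        if self.tokens[token_id].owner != seller:
            raise PermissionError(f"{seller} does not own token {token_id}")
        self.listings[token_id] = price

    def buy(self, token_id, buyer):
        """Transfer ownership to `buyer` once the listed price has been paid.

        Returns the royalty amount paid to the creator for this sale."""
        if token_id not in self.listings:
            raise ValueError(f"token {token_id} is not for sale")
        token = self.tokens[token_id]
        price = self.listings[token_id]
        if self.balances.get(buyer, 0) < price:
            raise ValueError(f"{buyer} cannot pay {price}")
        royalty = price * token.royalty_bps // 10_000
        self.balances[buyer] -= price
        self.deposit(token.creator, royalty)          # creator's cut, on every sale
        self.deposit(token.owner, price - royalty)    # seller receives the remainder
        token.owner = buyer
        del self.listings[token_id]
        return royalty


def run_demo():
    """Mint, sell, and resell one token; returns the outcome (constructed scenario)."""
    reg = NFTRegistry()
    tid = reg.mint("artist", "ipfs://placeholder-cid-of-the-artwork", royalty_bps=500)
    reg.deposit("bob", 1_000)
    reg.deposit("carol", 2_000)
    reg.list_for_sale(tid, "artist", 1_000)   # primary sale by the creator
    first_royalty = reg.buy(tid, "bob")
    reg.list_for_sale(tid, "bob", 2_000)      # secondary sale; the creator still earns 5%
    second_royalty = reg.buy(tid, "carol")
    return {
        "owner": reg.owner_of(tid),
        "royalties": (first_royalty, second_royalty),
        "balances": dict(reg.balances),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the ownership check in `list_for_sale` is the one the rest of this playbook keeps returning to: whoever can act as the owner (in a real system, whoever holds the private key) controls the token, so protecting that key is protecting the NFT.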
NFTs are a new, fast-growing programmable digital asset class, and there is much to learn about their capabilities and future potential. However, even the most basic properties of NFTs make them very valuable, which is why there should be great emphasis on keeping them safe from the threats posed by cybercriminals, especially since there has been a growing number of incidents in the NFT space.
Where can you buy Digital Collectables?
NFTs can be bought and sold on NFT marketplaces similar to how you would buy a stamp or share of stock online. New NFT marketplaces are popping up all the time and many NFTs exist in multiple places around the internet, so it's important that NFT collectors take appropriate steps to protect themselves when engaging with any marketplace they plan to use for NFT transactions.
Some of the most popular and interesting NFT marketplaces include:
The first and largest peer-to-peer marketplace for all types of crypto goods including NFTs.
A platform that allows digital artists and creators to sell custom-made NFTs. Rarible is both a marketplace and a distribution network built on Ethereum.
A marketplace to collect and trade NFTs. Each NFT is authentically created by an artist in the network and tokenized as a crypto-collectible digital item that you can own and trade.
A popular online digital art auction platform founded by Duncan and Griffin Cock Foster, who sold the platform to the Winklevoss twins.
A platform that aims to build a new creative economy—a world where creators can use the Ethereum blockchain to value their online expression in entirely new ways, and build stronger connections with their supporters.
NBA Top Shot
A marketplace for NFT NBA collectibles called moments, which are interactive digital trading cards rather than traditional trading cards.
Art Blocks took the world of NFTs by storm when it turned up at the end of 2020. It is widely regarded as having innovated a new way to publish and experience generative art which feels native both to the medium of creative coding and to the blockchain.
Web3 platform and circular economy where digital artists inspire creators and creators express their style as blockchain art, deterministically generated from blocks on Ethereum.
A platform to create, collect, and trade #ProgrammableArt; digital paintings split into "Layers" which creators can use to affect the overall image.
The premier market to discover, collect and invest in truly rare and authentic digital artworks, by the world's leading artists and creators.
Chapter 2: The Dark Side of Digital Collectables
Why it's important to protect NFTs
In principle, NFTs are stored on a blockchain and are therefore difficult to steal: the NFT is protected behind layers of encryption, so an attacker would need both the private key that controls ownership of the NFT and physical control over any device holding the NFT wallet in order to break through those barriers.
However, the NFT industry is still in its infancy so there is still so much to learn, and NFT projects are typically led by startups that may or may not be up to the task of securing their platforms.
NFT creators, investors and collectors rely on the security measures of the NFT marketplace where they acquire and trade their NFTs, and of the crypto-wallets where they hold their NFTs. They are trusting the developers of those marketplaces to write secure code and avoid vulnerabilities.
The Dark Side of NFTs
The NFT space is like the Wild West. NFTs are a relatively new technology and with their sudden popularity, owners don't fully understand how to best protect NFTs from malicious actors. Unfortunately, as the platforms grow, so do the number of people looking to steal and make an easy buck.
There have been incidents where NFTs have been stolen because of human error or neglect rather than because someone found a way to break encryption. In one instance, a digital marketer named Michael Miraflor had NFTs worth tens of thousands of dollars stolen from his account on Nifty Gateway.
Miraflor noticed something wrong when he got an email notification from the NFT marketplace telling him that he had made a sale. When he logged in, he found his account had been emptied. Even though Miraflor found the accounts responsible for the theft, he wasn’t able to recover the NFTs!
NFT Cybersecurity Concerns
As with any emerging technology, there are security concerns with hackers and bad actors (someone who is interested or intends to attack any online asset or system) trying to take advantage of an industry that’s new and unregulated, and therefore security measures haven’t completely caught up.
If a person isn’t careful, it’s fairly easy for hackers to gain access to NFT marketplace accounts, compromising them and clearing them out in a matter of minutes. The attacker then gains access to the credit card on file and uses it to purchase more NFTs or for other nefarious purposes.
NFTs can be remotely hijacked through a malware attack. NFT owners have mistakenly transferred NFT ownership to the wrong NFT wallet (resulting in the NFT becoming inaccessible). NFT owners might also be tricked into sending NFTs to the wrong NFT address, or they make a mistake when entering NFT wallet addresses.
The main threats are: NFTs getting lost due to human error, NFT theft through malware, theft from the NFT marketplace, and NFT cloning.
Many people using NFT wallets are unaware of common risks and threats posed by malicious actors because they aren't educated about how best to protect themselves from cybercriminals and there is not enough information available for them to keep their NFTs safe.
This has resulted in stolen NFTs, hacked NFT wallets, NFTs lost because access credentials were forgotten, and NFTs sent to the wrong address.
All these scenarios took place because there was no information available to NFT owners on how best to protect themselves against cyberthreats. This lack of knowledge has allowed malicious actors to steal millions of dollars worth of crypto assets from unsuspecting NFT owners by socially engineering them into sending NFTs to the wrong NFT wallets.
In most cases, NFTs can be traced, but because of the immutable nature of blockchain transactions, NFTs can’t be returned to the original owner.
There are numerous ways that bad actors and hackers can steal your NFTs, so to best understand how to protect yourself, we’re going to explain the different types of cyberattacks which can be used to compromise your NFTs.
Chapter 3: What is Cybersecurity?
Cybersecurity is the collection of technologies, processes and practices designed to protect networks, systems, hardware, software, and data from unauthorized access, use, disclosure or disruption.
Cybersecurity begins with the understanding that it must be built into every stage of any supply chain involving NFT technology.
Cyber attacks can be carried out in many different ways. Cybercriminals utilize everything from technical cyber-attacks including ransomware to social engineering cyber-attacks - for example, phishing scams that appear to come from a legitimate source but actually infect the machine with malware.
Cybersecurity starts with three key factors: Cyber Risk Management, Cyber Education and Cyber Breaches.
- Cyber Risk Management
Cyber risk management is a process that helps identify and prioritize cyber risks. Cyber risks are one aspect of the larger cybersecurity picture; they include cyber attacks by cybercriminals, cyber threats from cyber-terrorists, and cyber privacy concerns arising from poor information security policies.
- Cyber Education
Cyber education is the teaching of cyber awareness; it includes educating employees on how to protect themselves, their privacy and company data online. It also helps employees learn what to do when they detect suspicious activity relating to something like phishing attacks or malware infections. Educating customers and end-users about security threats is as important and helps protect them from attack, but education must be ongoing as risks change daily and new threats emerge frequently.
- Cyber Breaches
A cyber breach occurs when someone gains unauthorized access to a network or system. Cyber breaches can occur at the cyber security level, cyber privacy level, cyber reputation and cybercrime levels as well as other technical levels. Cyber breaches have ranged from government institutions being hacked to corporate emails being hacked, even up to state-level actors working with terrorists targeting critical infrastructures such as energy supply stations in real-time.
Types of Cyber Attacks
A cyber attack is a deliberate and malicious attempt to capture, modify or erase private data, usually with the goal of stealing money. There are several main cyber threats that you need to be aware of if you are trading NFTs.
This is by no means an extensive list so if you want to know more please talk to a cyber security expert.
Brute force attack
As the name suggests, this type of attack is fairly straightforward and involves a password guessing attack where an attacker continually attempts to guess a username or password. This seems like a very rudimentary way of gaining access but is surprisingly successful because people use weak passwords or the same password between different systems. For example, when your email password is the same as your website password.
Malware
Malware is a catch-all term for a variety of different types of malicious software designed to harm or exploit a network, service, or device. Attackers generally use it to extract data from a personal computer, which they can then leverage against the victims for financial gain. The data they obtain can range from financial data to healthcare records, personal emails, and other passwords. The type of information that can be compromised is endless.
Phishing
A phishing attack is when a hacker tries to trick people into doing something such as revealing sensitive information to the attacker. An example of this is an email sent out looking like it is from Netflix, alerting you that there might be a problem with your account. Naturally, the receiver will click on the link to discover what the problem is. The unsuspecting victim is then taken to a website designed to impersonate the Netflix login page. When the person attempts to log in, the website collects the login information, which the hacker can then use to access your real Netflix account where your credit card is stored.
Cryptojacking
Cryptojacking is where cybercriminals compromise a computer or device and use it to mine cryptocurrencies. Cryptojacking is not as well-known as other cyber attacks; however, it shouldn’t be dismissed, as it can be very damaging.
Most companies don’t have great visibility or knowledge when it comes to this type of attack, which means that a hacker could be using valuable network resources to mine a crypto token without the organization knowing about it.
In addition to using valuable resources, the hacker may use the access to steal information and access.
Domain Name Server Tunnelling
Domain Name Servers are like the phonebook of the internet: they translate domain names into the addresses that computers use to reach each other. Domain Name Server (DNS) tunnelling is a sophisticated cyber attack designed to provide attackers with access to a given target.
Since many organizations fail to monitor DNS traffic for malicious activity, malware running on a compromised client can hide its traffic inside the DNS queries it sends to a name server the attacker controls.
This creates a communication channel that most firewalls are unfortunately unable to detect. It can be used to reach your sensitive information, including your NFT wallet or your crypto accounts.
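Because the channel hides in ordinary-looking DNS traffic, the practical defence is to look at the queries themselves: tunnelled data shows up as unusually long, random-looking subdomains that are almost never repeated, often with a high share of TXT lookups. The script below is an added example for this playbook (not a tool from the authors or from any vendor) that runs that check over a constructed log sample; the log format, the `example.invalid` placeholder domain, and the thresholds are all assumptions to be tuned to your own DNS logs.

```python
import math
from collections import defaultdict

# Constructed sample of a DNS query log (timestamp, client, queried name, record type).
# The long hex labels under example.invalid imitate a tunnel carrying data in queries;
# example.invalid is a reserved name used here as a placeholder, not a real domain.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com A
2024-05-01T10:00:02 10.0.0.5 mail.example.com A
2024-05-01T10:00:03 10.0.0.7 api.example.com AAAA
2024-05-01T10:00:04 10.0.0.9 3f9a1c7e2b8d4056a9e1f3c7b2d8e4a6f1c9b3d7.t.example.invalid TXT
2024-05-01T10:00:05 10.0.0.9 8c2e5b91d7a04f63e2b8c1d5f9a7e3b06d4c2a18.t.example.invalid TXT
2024-05-01T10:00:06 10.0.0.9 e7b3d1a9c5f28046b1d7e9a3c2f5b8d04a6e1c97.t.example.invalid TXT
2024-05-01T10:00:07 10.0.0.9 5a1c9e3b7d2f8046c3e1a7b9d5f2c8e06b4a3d19.t.example.invalid TXT
2024-05-01T10:00:08 10.0.0.5 www.example.com A
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking encoded data scores close to 4 for hex."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, base domain). Assumes the base domain is the
    last two labels, which is a simplification (a public-suffix list would be exact)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text):
    """Per base domain: query count, unique-subdomain ratio, mean subdomain length and
    entropy, and the share of TXT queries (TXT answers can carry data back to the client)."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "lengths": [], "entropies": [], "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        sub, base = split_name(qname)
        s = stats[base]
        s["queries"] += 1
        s["subdomains"].add(sub)
        stripped = sub.replace(".", "")
        s["lengths"].append(len(stripped))
        s["entropies"].append(shannon_entropy(stripped))
        if qtype.upper() == "TXT":
            s["txt"] += 1
    summary = {}
    for base, s in stats.items():
        n = s["queries"]
        summary[base] = {
            "queries": n,
            "unique_ratio": len(s["subdomains"]) / n,
            "avg_len": sum(s["lengths"]) / n,
            "avg_entropy": sum(s["entropies"]) / n,
            "txt_ratio": s["txt"] / n,
        }
    return summary


def flag_tunnels(log_text, min_len=30, min_entropy=3.0, min_unique=0.8):
    """Return base domains whose subdomains look like encoded data: long, high-entropy,
    and almost never repeated. Thresholds are starting points to tune per environment."""
    flagged = []
    for base, s in analyze(log_text).items():
        if (s["avg_len"] >= min_len and s["avg_entropy"] >= min_entropy
                and s["unique_ratio"] >= min_unique):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base, s in analyze(SAMPLE_LOG).items():
        print(f"{base:18} queries={s['queries']} avg_len={s['avg_len']:.1f} "
              f"entropy={s['avg_entropy']:.2f} txt={s['txt_ratio']:.2f}")
    print("suspected tunnels:", flag_tunnels(SAMPLE_LOG))
```

Legitimate services (content delivery networks, some anti-spam lookups) also generate long, varied subdomains, so treat a hit as something to investigate and allow-list rather than block outright.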
SQL Injection
Similar to DNS tunnelling, SQL injection is a type of attack used to manipulate data on a website's database server. SQL databases use SQL statements to query the data, and web applications typically build these statements from the values a user submits through an HTML form on the website.
If user input is not kept separate from the query, and the database permissions have not been set properly, the attacker may be able to exploit the website to execute queries that create, read, modify or delete critical data stored in the database.
While this is mainly used to gain access to a website's data, it can be used to gain access to your NFT wallet, your account, or even an NFT marketplace.
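The defect and its fix are easiest to see side by side. The snippet below is an added example written for this playbook, not code from any marketplace: a lookup that pastes the form value into the SQL text, next to the same lookup written as a parameterized query. The `accounts` table, the usernames and the wallet strings are constructed placeholders.

```python
import sqlite3


def make_db():
    """In-memory table of marketplace accounts (constructed sample data, not real addresses)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, wallet TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            ("alice", "0xALICE-PLACEHOLDER", "alice@example.com"),
            ("bob", "0xBOB-PLACEHOLDER", "bob@example.com"),
            ("carol", "0xCAROL-PLACEHOLDER", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """BAD: the form value is pasted straight into the SQL text, so the value can change
    the query's meaning. Kept here only to contrast with lookup_safe below."""
    query = f"SELECT username, wallet FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """GOOD: a parameterized query. The driver sends the value separately from the SQL,
    so whatever the user typed is compared as a literal string and can never become SQL."""
    query = "SELECT username, wallet FROM accounts WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with the textbook always-true input."""
    conn = make_db()
    tampered = "x' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "tampered_vulnerable": lookup_vulnerable(conn, tampered),   # returns every row
        "tampered_safe": lookup_safe(conn, tampered),               # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Parameterization is the application-side fix; the database permissions the text mentions are the second layer, limiting what a query can reach even if an injection slips through elsewhere.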
Chapter 4: Taking Action
How To Protect Your NFTs from Cyberattacks
For people new to the NFT space, it’s important to start slowly and cautiously. NFT creators and buyers should do their research about NFTs, the different markets and visit forums to ask any questions they might have.
There is a lot to consider, not just from a security standpoint but whether this is the right investment for you.
No matter if you’re an investor, an enthusiast, or a creator, you should only deal with verified sources such as official NFT marketplaces. Only use your own secure wallets for storing NFTs, and those wallets should have two-factor authentication.
We often get complacent when it comes to security as it can be a hassle, but when you take it for granted, that’s when hackers and cybercriminals can take advantage of you.
Remember that when it comes to protecting your NFTs or your online identity, the fact that NFT technology is fairly new and keeps changing makes it a challenge to stay on top of.
Even the marketplaces which are supposedly secure have had data breaches that have resulted in NFTs being stolen. You cannot trust that a marketplace or anyone else is going to protect you, so you have to do it yourself. Unfortunately, due to the decentralized nature of blockchain technology and NFTs, protecting yourself requires extra effort.
Thankfully, more tools designed to help you protect your digital assets are becoming available, such as multi-signature encrypted wallets. At this stage of early market adoption, it’s highly recommended that you keep learning and discovering new tools that can enhance your protection, and that you stay connected to and learn from cybersecurity experts who share suggestions on how to best protect yourself.
Practical Steps to NFT Cybersecurity
While it is impossible to protect NFTs 100% from all types of cyberthreats, there are best practices that can make them significantly more secure.
Below is a collection of current security best practices. These practices are continually evolving and changing. It is important to update these best practices at least annually to make sure they sufficiently address the current threat landscape.
Use strong passwords
As simple as using strong passwords is, it is one of the most overlooked aspects of keeping you and your NFTs safe. A large majority of accounts are hacked because of weak passwords. Try to use a password that is hard to guess, i.e. one with multiple uppercase letters and symbols.
Don't use a single word in any language. Hackers have a dictionary-based system to crack these types of passwords.
It can be difficult to remember all these different passwords, and therefore it might be a good idea to use a password manager such as Dashlane or LastPass.
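Why a single dictionary word stays weak even after swapping in symbols and digits, and why length matters against brute force, can both be shown with a small checker. This is an added example written for this playbook, not a tool from the authors or from any password manager; the tiny `COMMON_WORDS` list stands in for the multi-million-entry word lists real dictionary attacks use, and the 60-bit cutoff is an assumed threshold.

```python
import math
import re
import string

# Tiny constructed stand-in for the word lists attackers feed into dictionary attacks;
# real lists run to hundreds of millions of entries in every language.
COMMON_WORDS = {"password", "welcome", "dragon", "sunshine", "monkey", "football",
                "letmein", "qwerty"}

# Substitutions a dictionary attack undoes before comparing (so "P@ssw0rd" is still "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def candidate_words(password):
    """Normalised forms of the password that a dictionary attack would try."""
    base = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)   # drop leading/trailing digits and symbols
    forms = {base, stripped, base.translate(LEET), stripped.translate(LEET)}
    forms |= {re.sub(r"[^a-z]", "", f) for f in forms}   # and versions with all non-letters removed
    return {f for f in forms if f}


def keyspace_bits(password):
    """Size of the brute-force search space implied by length and character classes."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation or c == " " for c in password):
        charset += len(string.punctuation) + 1
    return len(password) * math.log2(charset) if charset else 0.0


def assess(password, wordlist=COMMON_WORDS, min_bits=60):
    """Judge a password the way the dictionary and brute-force attacks in the text would see it."""
    hit = any(form in wordlist for form in candidate_words(password))
    bits = keyspace_bits(password)
    if hit:
        verdict, reason = "weak", "a dictionary word with cosmetic changes; guessed in seconds"
    elif bits < min_bits:
        verdict, reason = "weak", f"only ~{bits:.0f} bits of brute-force search space"
    else:
        verdict, reason = "ok", f"~{bits:.0f} bits of search space and not a dictionary word"
    return {"dictionary_hit": hit, "keyspace_bits": round(bits, 1),
            "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd1", "123456", "velvet-ostrich-lantern-42"]:
        print(f"{pw!r}: {assess(pw)}")
```

The instructive case is `P@ssw0rd1`: it has uppercase, a symbol and digits, yet normalises straight back to `password`. A long passphrase of unrelated words, which a password manager can generate and remember for you, passes both checks.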
Use Two Factor Authentication
Two-factor authentication is an extremely secure method of protecting your accounts and is generally pretty difficult to crack.
In two-factor authentication, the user provides a password as the first factor, and for the second, different factor, the user has to input either a security token (a PIN sent to a phone, for example) or a biometric factor such as a fingerprint or a facial scan.
Whenever possible, use two-factor authentication, as it adds another layer of security to any account you log into.
Use a hardware wallet
Wallets hold your private keys which allow you to control your NFTs, crypto assets and cryptocurrency located on the blockchain.
The most secure way to keep your NFTs, crypto assets and cryptocurrency safe is to use a hardware wallet. A hardware wallet holds your private keys offline, so it is less susceptible to hackers, cybercriminals, and bad actors.
Hardware wallets look similar to a small USB device and are stripped down to nothing but a small screen and a couple of buttons. The simplicity of this wallet actually makes it practically impossible to hack or infect with anything.
Iman Sharafaldin of Forward Security says: “Always use hardware wallets and 2FA when you want to trade NFTs. Look out for counterfeits. Watch out for fake private messages from big NFT names. Buy those NFT assets where their metadata is stored on-chain.”
By keeping your wallet offline, your keys remain safe even if someone does take control of your computer through malware. It's the equivalent of storing your keys in a safe or keeping them on your person.
Use antivirus software
Install antivirus software on your computer that provides real-time protection against existing and emerging malware, including ransomware and viruses, and helps protect your private and financial information when you go online.
Keep your computer and software updated
A lot of people are annoyed by those pesky updates, but it is crucial to update your operating system and software on a regular basis, or else they become prone to cyber-attacks.
Cybercriminals frequently use flaws or errors in software to gain access to your computer and account. Patching these flaws can make it less likely that you will become a target for cybercrime.
Software updates usually include security patches along with new features, which is why you should always update your operating system and software.
Manage your social media
A lot of cybercriminals figure out your password based on the information you share on social media. For instance, if you post your pet's name or your mother’s maiden name you have now just given cybercriminals the answer to the most common security questions.
It is best to share as little private information on your social media as possible and ensure your social media settings are at maximum privacy.
Use a VPN
It’s a good idea to use a virtual private network (VPN) whenever possible. A VPN gives you online privacy and anonymity by creating a private network from a public network connection.
A VPN masks your Internet Protocol (IP) address so your online activities are virtually untraceable. This prevents identity theft from occurring, so it is less likely that a cybercriminal can steal your information and gain access to your NFTs.
Limit the use of public Wi-Fi
Public Wi-Fi hotspots are just that, public. They do not have a password protecting them and therefore anybody can access them. These types of networks can be found in coffee shops, airports, or restaurants. Information you transmit over these types of hotspots such as passwords, credit cards, and other personal details can be intercepted by hackers on the same network.
Another trick hackers use is to imitate a legitimate access point so it's always smart to confirm you have the correct network name before you use it. For example, if you are at a Starbucks, a hacker can rename their personal network ‘Starbucks’ and create a login page that resembles the real Starbucks page so you don't know you are actually logging into a different network. The hacker can then steal all sorts of information.
Know where and how your NFTs are stored
NFTs are supposed to last forever on secure servers, but like any data, the storage methodology isn’t necessarily foolproof. You want to make sure that your NFTs are secured on secure servers that you can trust, and not on some fly-by-night operation that might go bankrupt, stop paying its storage fees, and leave you at risk of your NFTs conceivably disappearing.
Farshad Abasi, the Chief Security Officer at Forward Security says: “When buying an NFT, make sure you check to see where they store the actual media you are buying, e.g. the image, the video, or audio. Many NFT publishers do not store the media on a reliable and highly available source, so in the future, all you may be left with is a token with a pointer to something you bought that no longer exists.”
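The check Abasi and Sharafaldin describe can be done before buying by looking at where the token's metadata URI points and, inside that metadata, where the image or media URI points. The script below is an added example written for this playbook (not a tool from Forward Security or from any marketplace). The storage categories, the `example.invalid` hostnames and the placeholder CID are assumptions made for the illustration; a real check would fetch the metadata for an `https://` token URI, which this offline example cannot do, so it accepts already-fetched metadata as an argument instead.

```python
import base64
import json
from urllib.parse import urlparse, unquote


def classify_uri(uri):
    """Classify where a token URI or media URI points, roughly from most to least durable.
    Categories are assumed for this example, not taken from any standard:
      on-chain           data: URI, the content lives in the token itself
      content-addressed  ipfs:// or ar:// (Arweave), or an HTTP IPFS gateway path; the
                         content is identified by its hash and retrievable from any node
      mutable-http       ordinary web URL controlled by whoever runs the server
      unknown            anything else"""
    if not uri:
        return "unknown"
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    if scheme == "data":
        return "on-chain"
    if scheme in ("ipfs", "ar") and (parsed.netloc or parsed.path.strip("/")):
        return "content-addressed"
    if scheme in ("http", "https"):
        # Gateway form such as https://gateway.example/ipfs/<cid>: the gateway is a
        # convenience; the CID still identifies the content independently of the host.
        if "/ipfs/" in parsed.path:
            return "content-addressed"
        return "mutable-http"
    return "unknown"


def decode_data_uri(uri):
    """Return the payload of a data: URI as text (handles base64 and percent-encoding)."""
    header, _, payload = uri[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode()
    return unquote(payload)


def assess_metadata(token_uri, metadata=None):
    """Report how durably the metadata and the media it points to are stored.
    `metadata` is the JSON already fetched for non-data URIs; offline we cannot fetch it."""
    meta_class = classify_uri(token_uri)
    if meta_class == "on-chain":
        metadata = json.loads(decode_data_uri(token_uri))
    if metadata is None:
        return {"metadata": meta_class, "media": "unknown", "durable": False}
    media_uri = metadata.get("image") or metadata.get("animation_url") or ""
    media_class = classify_uri(media_uri)
    durable_classes = ("on-chain", "content-addressed")
    durable = meta_class in durable_classes and media_class in durable_classes
    return {"metadata": meta_class, "media": media_class, "durable": durable}


def make_onchain_token_uri(metadata):
    """Build a base64 data: URI carrying the metadata, as fully on-chain tokens do."""
    encoded = base64.b64encode(json.dumps(metadata).encode()).decode()
    return "data:application/json;base64," + encoded


# Constructed examples; the CID and hostnames are placeholders, not real identifiers.
ONCHAIN_EXAMPLE = make_onchain_token_uri({"name": "Example #1",
                                          "image": "ipfs://bafy-placeholder-cid"})
OFFCHAIN_EXAMPLE = "https://api.example.invalid/token/1"
OFFCHAIN_METADATA = {"name": "Example #2", "image": "https://cdn.example.invalid/1.png"}

if __name__ == "__main__":
    print(assess_metadata(ONCHAIN_EXAMPLE))
    print(assess_metadata(OFFCHAIN_EXAMPLE, OFFCHAIN_METADATA))
    print(assess_metadata(OFFCHAIN_EXAMPLE))
```

A `mutable-http` result for either the metadata or the media is exactly the situation Abasi warns about: the token on the chain will outlive the web server, and whoever controls that server can change or remove what the token points to.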
The Way Forward
NFTs are a new industry that lacks regulation and oversight by design, since it is blockchain-based and therefore decentralized. This means, of course, that there are legal and security loopholes in the industry that will allow some to operate with impunity in certain scenarios.
Whether some people want more regulation or not, it is most likely coming, as there are too many grey areas; as the industry grows larger and becomes more mature, more people will be demanding government protection from scams and theft, especially if the industry doesn’t regulate itself.
At this early stage, here are some practical things to consider:
Blockchain analytics companies should begin monitoring wallets involved in the theft of NFTs in the same way that they monitor for wallet addresses associated with sanctioned persons or suspicious behaviour.
Just like the databases of criminals kept by the FBI and Interpol, there could be an NFT equivalent to register stolen or fraudulently purchased NFTs. This would allow people to check whether they are possibly buying stolen goods before making an NFT purchase.
Cybersecurity insurance providers should evaluate their policies in regard to stolen digital artwork outside of the traditional property or art-specific coverage that may already apply to the theft or damage of physical works of art.
There is no doubt NFTs represent an exciting and innovative opportunity to store value, own art, and capitalize on the technological revolution brought forth by blockchain innovation, but they come with potential cybersecurity risks we need to be aware of, and we need to learn how to protect ourselves and our investments in NFTs.
Next Decentrum is a blockchain company building Momentable, an NFT e-commerce platform focused on helping museums, art collectors, and cultural institutions create, manage, and promote NFT-based digital products and collections on the Flow blockchain.
Next Decentrum is working with some of the top museums in North America and the world. Museums, galleries, and artists can use Momentable to publish digital versions of iconic artworks and artifacts, making them more accessible than ever before and, as a result, protect their valuable assets, generate new revenue streams, and reach collectors around the world. For more information, visit NextDecentrum.com.
Cyber SC understands how complicated it is to run a business in a crazy world. Keeping a fast-growing business safe from cyberattacks can keep an informed business leader up at night.
The founders Dominic and Christian have created a business model that gives companies the best cyber security capabilities and strategies for protecting against cyber threats without having the costly overhead of a full cybersecurity team.