Imagine you login to Metamask one morning, expecting to see the collection of NFT grails you’ve amassed over the last year. Maybe you were clever enough to join the Doodles whitelist last fall, or better yet, you were one of the early degens of the Bored Ape Yacht Club who YOLO’d into what has turned out to be the premiere PFP thus far. But instead of seeing your collection of prized possessions displayed on OpenSea, you’re staring at an empty wallet.
You panic, I would imagine a scene similar to what we saw from rapper Waka Flocka Flame when $19K of NFTs were stolen from his wallet. Your heart drops, fingers numb, and your mind racing at the brink of dizziness. How could this have happened? The truth is, just like dying, the possibilities are endless.
Over the last year, we’ve seen a ton of hacks with a myriad of attack vectors. Some of the notable hacks involved targeting artists with malware (see below), executing phishing attacks (as with last month’s fraudulent OpenSea emails), or with compromised login credentials that were either purchased or leaked elsewhere (as with the Nifty Gateway hack in spring of 2021).
(The aftermath of the Fvckrender hack and his acknowledgement of MFA’s effectiveness.)
As you can see, even the most prominent in the space have been affected. In the scenario above involving Fvckrender, he was attacked with a relatively cheap malware by the name of RedLine Stealer, which is embedded in an SCR file and collects things like saved login credentials, auto-complete data, and credit card information from your browser. Unfortunately for Fvckrender, he also stored his seed phrases on his desktop, putting him in an even more vulnerable position. He talks about his experience on the NFT Now podcast.
“They took every fucking thing. Everything in my Metamask, they literally swooped everything.” - Fvckrender
Sometimes collectors can be unknowingly complicit in the theft themselves. Unless you were somewhere in space with Elon, you saw the gradient banners on OpenSea in early February advising users to migrate their listings to avoid expiration. These types of mass migrations are a prime event for hackers.
Unsurprisingly, hackers sent phishing emails to OpenSea users, disguising malicious links within emails that appeared to be legitimate. The users, thinking they were getting support migrating their listings, actually enabled the hackers to transfer their NFTs just by clicking the link.
The unfortunate reality is, not all attacks need your direct participation. In the case of the Nifty Gateway hack in March of 2021, the belief is that these were reused login credentials from other sites. Before I proceed, let me say that if the only barrier between your NFTs and a hacker is the same password you’re using for your OnlyFans account, you’re taking serious chances. Elton John “Candle in the Wind” chances.
Anyway, hackers were able to use these compromised credentials to swipe some pretty expensive JPEGs away from their owners. As you can see below, again, these attacks have made victims out of some notable names in the space.
(The aftermath of the Keyboard Monkey hack on Nifty Gateway in March 2021)
What is Multi-factor Authentication and How Can it Help?
In each scenario, multi-factor authentication (MFA) would have been a major deterrent to cybercriminals. But what is MFA? In a nutshell, MFA is an electronic verification process in which two or more forms of evidence are needed to authenticate you, and therefore grant access to websites and applications. Two-factor authentication (or 2FA) is essentially the same concept but only requires exactly two methods of authentication.
“None of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials...We encourage our users to enable 2FA that we provide on the platform and never reuse passwords.” – Nifty Gateway
Authentication factors can include something you know (like a password or a pin), something you have (like a hardware wallet or USB stick), somewhere you are (GPS verified location), or biometric features (physical characteristics like fingerprints or voice). So for example, with MFA enabled on your hypothetical Nifty Gateway account, you would enter your password to the platform and then be prompted to enter a verification code from the likes of Authy or Google Authenticator. Both inputs would need to be accurate before accessing your account.
As you can see, unless the hacker was either right next to you or had access to your phone in real-time, there would be no way for someone with just your password to compromise your account. This is essentially the solution for when you keep your NFTs in custodial wallets, also known as hosted wallets.
Nifty Gateway, Coinbase (and soon Coinbase NFT), Gemini, and other crypto exchanges fit into this category of third-party hot wallets. To put it frankly, the private keys don’t belong to you. Which I must say honestly sometimes is best for those new to crypto. But what happens when your NFTs are stored on a non-custodial hot wallet like Metamask? What do you do then?
Why Hardware Wallets are Vital for NFT Storage
In the scenario that you’re using Metamask, MFA isn’t immediately available to you. Reason being is that you’re using a non-custodial wallet, which means only you have access to your private keys. Which is a good thing if you know what you’re doing. Hardware wallets like Ledger and Trezor have been around in the crypto space for quite some time, and thankfully so.
These physical devices are a method of cold storage, or storing tokens offline, and leverage Universal 2nd Factor (U2F) to simplify and strengthen the two-factor authentication process. The idea here is that the hardware wallets themselves act as the conduit to sign contracts and approve transactions. So let's say you wanted to transfer crypto or an NFT stored on a hardware wallet to someone else or to another wallet you own. You would initiate the transaction from Metamask but would then need to also confirm the transaction on the physical device.
The devices themselves are protected by a pin that you establish when you open the product, so even if someone obtained possession of it, all hope is not immediately lost. However, even with the pin and hardware wallet secured somewhere safe, you aren’t completely out of the woods.
Additional Tips for Securing Your NFTs
Though I encourage everyone to enable MFA and purchase hardware wallets, it's not the end of your security journey. Being careless with your private keys, despite owning a hardware wallet, is a recipe for disaster. Like your Metamask wallet, your hardware wallet also comes with a seed phrase that you must keep secure.
As if Fvckrender’s story wasn’t a declaration of clear and present danger, don’t be stupid and store your private keys on a computer or mobile device that can be remotely accessed by someone else. Write them down on a piece of paper (I know, barbaric isn’t it), and store them somewhere safe. P.S. - don’t be dumb and flex your NFTs on the internet. You’re asking for the hackers to find an exploit.
