A brief introduction to NFTs and security

By now, you’ve probably heard of NFTs. You may still be wondering what they are — and as with any emerging technology, there are security considerations to know about as well. Read on for a brief introduction to the issues.

What is an NFT?

Let’s start with the basics. NFT stands for “non-fungible token”. An NFT is a token in the software sense: it’s just a bit of data that stands in for something else. It’s non-fungible in that it is unique. You can’t simply swap out one NFT for another.

The idea of non-fungibility can sound complex. But if you want an easy example of something that is fungible, just think of mass-produced physical goods. Let’s say you go online and buy a Klockis alarm clock from Ikea. Your local Ikea store probably has thousands in their inventory. But you’re not expecting them to ship you a specific clock (“Yes, I’ll have the Klockis in the fourth shipping crate, third row, second from the top, please…”). As long as they send you a Klockis — any Klockis — then you have what you paid for. 

In the digital realm, bitcoins are fungible. One bitcoin is the same as another. If someone sends you a bitcoin (lucky you!), it doesn’t matter which bitcoin they send you: a bitcoin is a bitcoin is a bitcoin. 

NFTs don’t work this way, which is precisely why they are so interesting.

OK, but … what is an NFT?

There’s a reason that we started out with a general explanation of NFTs, rather than jumping right into the various use cases: NFTs have come to be associated almost exclusively with the buying and selling of digital artwork, even though they have many other potential uses.

In very broad terms, however, an NFT is just a bit of data that represents ownership of a digital or physical asset. It proves that something belongs to you. NFTs are stored on a blockchain — typically the Ethereum blockchain, although there are other blockchains that support NFTs too.

As with cryptocurrency, ownership of an NFT is established using cryptographic protocols and a system of public and private cryptographic keys. The blockchain is public, and stores the NFTs themselves along with a complete record of transactions. This is how everyone knows that one NFT belongs to a particular public key (or “address”) and not another, and how you can see when someone has transferred their NFT to someone else.

So what does that little piece of data actually do? Well, that’s where the multiple use cases of NFTs come into play.

What can NFTs be used for?

An NFT can establish ownership or usage rights to a work of digital art, and this is by far the most high-profile use of NFTs at the moment. It’s also why some people have been so dismissive of NFTs (somewhat understandable when you read that the rapper Eminem just spent $462,000 on a drawing of a monkey). The valuation of art, however, is really a separate issue, and one that certainly goes beyond NFTs.

Aside from the buying and selling of digital artwork, NFTs have the following uses:

Virtual assets: NFTs can be used to establish ownership of in-game items in video games, as well as avatars and virtual “real estate” in the metaverse. 

Logistics and manufacturing: NFTs can help track and trace shipments through the supply chain, mitigating delays and providing greater visibility for all parties.

Product authentication: Because NFTs can be linked to physical products, they can be used to combat fraud and counterfeiting. In fact, some luxury brands have already started using NFTs in this way.

Healthcare: NFTs have a number of possible uses in healthcare. They can be used to track and authenticate batches of pharmaceuticals, route blood donations to where they are needed most, and help patients regain control of their medical data.

Ticketing: NFTs could solve common problems related to ticketing for in-person or virtual events. Proponents of NFT ticketing say that it can help to eliminate scalping and ticket fraud.

In short, NFT technology has the potential to be the de facto standard for demonstrating ownership of any asset, digital or physical.

What are the security issues around NFTs?

Although the uses of NFTs go beyond digital art, the majority of people who say they want to get into NFTs are interested in buying art or collectibles. If you’re considering this, there are some best practices for security that you need to keep in mind.

NFT ownership is similar to cryptocurrency ownership, and many of the same security issues apply. The most important thing to remember is that you must maintain control of your private keys. If you don’t, the bad guys can steal your NFTs … and you probably won’t ever get them back. 

An excellent summary of NFT security best practices can be found on this Twitter thread; an explanation of the underlying logic behind them can be found on this one. They’re both well worth reading in full, but here are the TL;DR highlights:

Best practices for NFT security

1. Keep your private keys, your seed phrase, and your wallet password absolutely secret. Never share them with anyone for any reason. Don’t store them on your computer, in the cloud, or on any Internet-connected device.

2. Buy a hardware wallet in order to keep your NFTs more secure (Trezor or Ledger are recommended).

3. If you’re going to swap an NFT with someone else, don’t just send them your NFT on a promise and hope that they do what they say they’ll do. Use a reputable NFT swapping platform instead.

4. If you’re going to use an NFT platform, be on guard for fraudulent “lookalike” websites. Don’t click on Twitter or Discord links that purport to take you to an NFT website. Instead, navigate to the site on your own in your browser.

5. Be aware that social engineering attacks are common in the crypto and NFT space. Don’t automatically assume the person talking to you on Discord is who they say they are. Be extremely wary of clicking on links that people send you, or of offers to “help” that require you to hand over sensitive data or begin a screen sharing or remote desktop session.

6. Lastly, be absolutely sure that your computer is free of keyloggers and other malware. If you use a compromised system to manage your NFTs, all of your other security precautions are meaningless.

What about NFT scams?

You should also give some thought to the outright scams in the NFT world. NFTs are hot, and some scammers are taking advantage of the excitement. Here are some things to watch out for:

1. NFT rug pulls: This refers to NFT projects where unscrupulous developers raise funds for a product that never materializes and then take off with the investors’ money. If an NFT project is being pitched by an unknown artist or developer, beware. You have no guarantee that the developers are going to make good on their promises. Do your due diligence, and don’t invest more than you’re willing to lose.

2. Fake or unauthorized NFTs: Some scammers offer imitation products that they try to pass off as the work of a well-known artist. Others will try to impersonate an artist in order to fraudulently sell NFTs associated with their artwork — artwork they don’t own! It’s basically the 21st century version of selling the Brooklyn Bridge.

3. NFT Airdrop scams: Project creators sometimes send NFTs to a large number of wallet addresses, either for free or in exchange for some small action. This is called an airdrop, and it’s a common marketing tactic in the world of NFTs. But scammers can set up malicious airdrops as well. These are essentially just phishing attacks. Be wary of airdrops from unknown developers, and stay away from airdrops that take you to a website asking you to enter sensitive information.