SaferMints.org

Last updated: 2021-12-29

Learn Basic Web Security for Safer NFT Minting, Buying and Selling


First things first

Please kindly keep in mind these 3 things while using this website:

  • We will never post links to any NFT mints here
  • The content here is evolving and we'll update it based on latest news and feedback
  • The information provided on SaferMints.org is for general informational purposes only. Please ensure you read and understand our disclaimer section

Getting Started

The NFT world is unregulated, non-standardized, and checks and balances are still evolving. It's the wild west out there with risks, so stay vigilant. To kick things off, understand that there are largely 2 common ways you can own an NFT:

  • Participate in an NFT mint, where you invest crypto in the creation of a particular NFT on a blockchain. These are often facilitated by the NFT project owners at a website they develop or configure through a third party service. People often get involved as minters to become a part of the early stages of a project.
  • Purchase an NFT from a secondary NFT marketplace. NFT marketplaces are built and managed by third party organizations. NFT project owners or sellers can list their NFT for sale on these marketplaces. People can then obviously purchase them. Very often people that are not involved in the initial mint will monitor marketplaces and purchase them as the price fluctuates.

What is SaferMints.org

If you're new to Non-fungible token (NFT) minting, buying and selling, some of this information might be helpful to you before you start. The information here is not restricted to just NFTs, but general web safety that you should practice when you visit any website on the internet. The NFT space right now is still young, unregulated and filled with risks. Time and time again, fraudsters are employing attacks within the NFT space that have been around since the creation of the internet.


Our Background

We've seen multiple scams happening across various NFT projects, and a lot of it can be prevented by practicing basic hygiene. Being from the Banking industry, we have seen these techniques being employed successfully by fraudsters all the time to steal personal information and money from victims. From our experience, one of the key solutions has always been a constant stream of customer education to ensure people stay vigilant and alert when using any web application or website. If you feel this helps, share the information that you learn with friends and family around you. Don't just share a link, sit them down and talk to them.

Read on to understand some key tips in order to stay safe out there.

Check if a Website is Genuine

You've probably used the internet since you were a baby, but you would be surprised to learn how often fake websites lure people into thinking they are real. Once they have fallen victim, people treat fake websites as genuine and do things like enter their credit card details and passcodes. In the NFT world, people might connect their wallet and authorize a fraudster to transfer crypto out of it. Here are a few ways to validate whether a website is genuine.

Check the web address

First, actually look at the web address. Does it look the same as the one advertised by multiple trusted sources before? Does it have fewer or more words? Is it spelled correctly? Does it have extra symbols in it, like hyphens or dots? If you aren't sure whether a web address is genuine, look for multiple sources to validate it. If it's a business, contact the business' customer service. If it's an NFT project, contact the project owners via trusted channels and ask them. If you still have any doubt, just close the website and move on.
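The questions above, turned into a small script as an added example (this is not code from SaferMints.org): it compares the host of a link you received against the address you already trust and names the difference. The domain names used in the comments and tests are constructed placeholders.

```python
# Added example (not SaferMints.org code): classify a received link against a
# trusted address. Every domain mentioned in the comments is a made-up placeholder.
from urllib.parse import urlsplit


def host_of(link: str) -> str:
    """Extract the lowercase hostname from a link, adding a scheme if it lacks one."""
    if "://" not in link:
        link = "https://" + link
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(link: str, trusted: str) -> str:
    """Explain how the link's host relates to the host you trust."""
    host, good = host_of(link), host_of(trusted)
    if host == good:
        return "same"
    if host.endswith("." + good):
        return "subdomain of trusted"                   # mint.example.com
    if good in host:
        return "trusted name embedded in other domain"  # example.com.evil.net, mint-example.com
    if host.replace("-", "").replace(".", "") == good.replace("-", "").replace(".", ""):
        return "extra hyphens or dots"                  # exa-mple.com
    if edit_distance(host, good) <= 2:
        return "near-miss spelling"                     # exampel.com, examp1e.com
    return "unrelated domain"


if __name__ == "__main__":
    import sys
    received, known_good = sys.argv[1], sys.argv[2]
    print(f"{host_of(received)} vs {host_of(known_good)}: {classify(received, known_good)}")
```

Anything other than "same" or "subdomain of trusted" is a reason to close the page and verify through a trusted channel.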

Don't trust the content

You might be thinking, the website looks real. It has a logo, it has images and text that look legit. The website looks pretty, it must be real. This means nothing. Any fraudster can easily copy and paste the content from a genuine website.

Check that the website has a certificate

Do you ever notice the "lock" icon by the web address in your browser? Remember this: never enter any information on a website that does not show this icon. From an NFT perspective, never connect your wallet to one. A website without a certificate means the communication between your device and the website is not encrypted and could be intercepted through other attack methods. Close the website and move on. This certificate is commonly known as an SSL certificate or TLS certificate. Keep in mind that the lock only tells you the connection is encrypted; a fake website can obtain a certificate for its look-alike address too, so treat the lock as a minimum requirement rather than proof that the site is genuine, and always do the address check above first.

Inspect the website's certificate

Usually, if you've gone through the steps above, you have some confidence that the website is genuine. There is one more thing you can check to be absolutely sure, and that is to inspect the website certificate and validate that the website's address is embedded in the certificate.

If you are using Google Chrome on your computer:

  • Look for the "lock" icon in your web browser by the address and click on it.
  • You should see the "Connection is secure" button. Click on it.
  • You should see the "Certificate is valid" button. Click on it.
  • You should see a certificate with a bolded name. The name should match the website address. You may see a "*." in front of the address, such as "*.google.com". This is fine: it is a wildcard so that the certificate also applies to sub-domains of the main domain, such as maps.google.com or images.google.com.
  • What happens if you don't see the address in the bolded name? If you still see the "lock" icon without any browser warnings, you're still fine. Click on the "Details" button and you'll see a long list of information. Scroll down to the section where you start seeing "DNS Name" and you should find the address there. You might find a long list of other web addresses here; this is not necessarily suspicious, but it means that the website owner likely used a free certificate service instead of making the effort and paying for a dedicated certificate.

Tip

Many website owners may not use a dedicated certificate service to save on costs. It does not necessarily mean the website is fake. However, if you have additional doubts based on other factors listed above, again close the website and move on. To website owners, it is highly recommended that you invest in a dedicated SSL/TLS certificate.


If you are not on your computer or your browser doesn't allow you to check:

  • Use a certificate checking tool such as https://www.digicert.com/help
  • Copy and paste the web address into the tool
  • Review the tool's report
  • Again you shouldn't see any warnings and should validate the address as being shown in the certificate similar to above
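The same check done programmatically, as an added example (not SaferMints.org code): fetch the site's certificate the way a browser would, read its "DNS Name" entries, and apply the wildcard rule described above. The matching logic also handles two cases the page does not spell out: "*.example.com" does not cover the bare "example.com", and it covers only one label (not a.b.example.com). The hostnames in the test are constructed placeholders.

```python
# Added example (not SaferMints.org code): inspect a site's certificate for its address.
import socket
import ssl
from typing import List


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly '*.example.com') covers hostname.
    A wildcard stands for exactly one label: *.example.com covers maps.example.com
    but not example.com itself and not a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def matching_names(hostname: str, dns_names: List[str]) -> List[str]:
    """Return every 'DNS Name' entry in the certificate that covers hostname."""
    return [name for name in dns_names if wildcard_matches(name, hostname)]


def fetch_dns_names(hostname: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect to the site, validate the certificate chain as a browser would
    (ssl raises if validation fails), and return the subjectAltName DNS entries."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def report(hostname: str, dns_names: List[str]) -> str:
    """One-line verdict: is the address in the certificate, and is it shared?"""
    hits = matching_names(hostname, dns_names)
    if not hits:
        return f"WARNING: {hostname} is not listed in the certificate ({len(dns_names)} names)"
    others = len(dns_names) - len(hits)
    detail = f"shared with {others} other names" if others else "dedicated to this site"
    return f"OK: {hostname} covered by {hits[0]} ({detail})"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(report(host, fetch_dns_names(host)))
```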

For People Minting

So you're ready to join an NFT mint. It's the wild west out there. Many NFT project owners are creating their own websites to facilitate a mint. Some leverage services provided by NFT marketplaces. Whatever it is, just be aware that the channels to mint NFTs are still young, non-standardized and have potential risks.

Basic Hygiene

Re-read the "Check if a Website is Genuine" section

When joining an NFT mint, you will be provided a web address in order to connect your wallet. This web address can come from any channel or source. It could be provided to you in an email, a WhatsApp chat, on a Twitter account, on an Instagram account, on a Discord group chat, on a Discord announcement, on a Discord direct message. Hell, maybe your best buddy who is also really into NFTs sent it to you via an SMS from his or her phone.

It does not matter which channel or source the web address came from. Always practice basic hygiene and check whether the website is genuine. Even your friend's phone and SIM card could have been stolen, and now an attacker is trying to lure you in with a message. Always be suspicious of links suddenly sent to you or published, especially close to mint time.

Burner Wallet

Always connect a Burner Wallet to an NFT mint website. Using your favourite wallet app such as MetaMask or Phantom, create an empty wallet and name it something easy to recall such as "burner-nftproject". Ensure it literally has nothing inside, no crypto and no NFTs. Look at the mint instructions of the NFT project and transfer the minimum amount of crypto that you need to do the mint.

Once you're ready to mint, connect the website to your Burner Wallet and proceed to mint. Once you've gotten the NFT you can then transfer it to your main wallet for safekeeping. Ensure that you name your main wallet with a distinct name so that you do not mix up the two wallets.


Housekeep Trusted Apps

When you're done with a mint, go into the settings of your wallet and remove any trusted websites or apps from the wallet. It's a good habit to keep this list clean.


Never Auto Approve

Some wallets give you an option to auto approve transactions from trusted websites or apps. This is a terrible idea in the NFT world. It's equivalent to giving a business access to transfer money out of your bank account without your consent. Except in the NFT world you really have no way to consistently verify the legitimacy of a website or app. Again, it's the wild west out there.

For People Buying NFTs

So you're done with a mint, or are skipping it, and prefer to purchase an NFT from a marketplace. Keep these points in mind.

Use Trusted Marketplaces

Research commonly used marketplaces

We are not going to list all the marketplaces here for every crypto platform. The important thing is that you do your research. Check with NFT project owners to validate which marketplaces they are listing their projects on. Talk to friends to understand which ones they have used. Understand the difference between an Ethereum NFT marketplace, a Solana NFT marketplace and a Binance NFT marketplace. You should not see a Solana NFT on an Ethereum NFT marketplace.

How marketplaces are managed

Understand that some marketplaces have an approval process where the marketplace owner reviews the project before any listing takes place. This effectively puts a control in place to review a project before it is listed to buyers. Some marketplaces are open and allow any registered user to post NFTs, real or fake. These marketplaces enable openness and flexibility, but they have their risks.

Finally, understand that buying and selling NFTs on marketplaces may incur additional royalties or fees set by the NFT project owner and the blockchain. If you're ever in doubt, contact the NFT project owner and ask questions.

We have seen various instances where fake NFT copies of large projects had been sold on open marketplaces. Again always verify which marketplaces are listing the project you are interested in.

Peer-to-Peer Trade With Caution

So a person messages you on Discord or another chat to trade an NFT for crypto. Sounds great, right? You get to skip royalties and get a great deal on an NFT you wanted. This is basically the same as buying or selling a Rolex watch in a dark back alley in the middle of the night with a random person you met on the internet. There are serious risks, so be prepared to be completely robbed. Only deal with reputable people that you trust or those that friends have referred. Check Discord names and IDs carefully.

For NFT Project Owners

There are NFT project owners and devs a billion times more experienced than us. If you have more tips, please let us know and we'll be happy to add them. A few points, though, that we wanted to reiterate if you happen to be building your own minting website.

Consider Managed Services

Instead of building and hosting your own mint site, you may want to consider using a managed service that runs the mint for you as a paid service. It not only saves you the headache of building and maintaining a site, but a lot of the security aspects will also already be thought out for you. 2 recent services being used include MagicEden Launchpad (https://twitter.com/MagicEden_NFT) and Nova Launch (https://twitter.com/nova_launch).

Purchase Variations of your Domain

So you secured your domain name at yourdomain[dot]com. Consider also purchasing other variations if they are available for registration. This effectively creates another barrier, stopping fraudsters from registering those domain variations to create a fake clone of your website.

Use a Dedicated SSL/TLS Certificate

It's tempting to go with a free certificate provided by various providers or open source projects. Invest a bit of money and time and use a dedicated certificate so that your domain name on the certificate is not shared with a list of other websites. This makes it easier for your customers to validate that your website is genuine. It literally takes minutes to do this on cloud providers such as AWS.

Announce Permanent Mint Links Early

Via your trusted channels, announce your mint links early and do not change them at the time of mint. Communicating the links early gives your customers a chance to save, bookmark or memorize the link. Do not change the link and send a new one at mint time, as that is a common tactic fraudsters use to lure people into a fake website.

Spend Time on Security

There are a plethora of tools and resources on the internet about building safe websites. Use managed services or proven cloud providers such as AWS, Google Cloud and Microsoft Azure. Spend some time on reading security recommendations. Follow cybersecurity best practice recommendations on platforms you're building on. Use tools to scan your website for vulnerabilities and fix them. Use 2-factor authentication for all your admin accounts. Practice privileged access management and provision admin accounts for your team with just the necessary permissions. Remove access when team members leave. Practice the same things on your Discord servers and social media accounts.

Closing

So we put this little website together hoping that it'll provide a central place where people can learn a bit and have a safer NFT experience. We know it is really word heavy and will hopefully add some more images to help people digest. This information is definitely evolving and just a point of view. Give us a bit of feedback if you have some time, we'd love to hear from you.

Give Feedback

Give us feedback on Twitter by either a direct message or a mention: https://twitter.com/safermints

There are a couple things we can do to continue improving this resource:

  • Translations to other languages
  • Illustrations and infographics
  • Quizzes for people to test their knowledge
  • Obviously continuous content updates

Donate

If you'd like to donate to the ongoing maintenance of this website, thank you for your generosity, feel free to send Solana to the following wallet:

SaferMints Solana Wallet: AySQgeVZhLtH6brZcP2UeqfAnN54DnxrHxqfy8gfG5uC

Disclaimer

The information provided on SaferMints.org (the “Site”) is for general informational purposes only. All information on the Site is provided in good faith, however we make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability or completeness of any information on the Site.

Under no circumstance shall we have any liability to you for any loss or damage of any kind incurred as a result of the use of the site or reliance on any information provided on the site. Your use of the site and your reliance on any information on the site is solely at your own risk.

The Site may contain (or you may be sent through the Site) links to other websites or content belonging to or originating from third parties, or links to websites and features in banners or other advertising. Such external links are not investigated, monitored, or checked for accuracy, adequacy, validity, reliability, availability or completeness by us.

We do not warrant, endorse, guarantee, or assume responsibility for the accuracy or reliability of any information offered by third-party websites linked through the site or any website or feature linked in any banner or other advertising. We will not be a party to or in any way be responsible for monitoring any transaction between you and third-party providers of products or services.

The Site cannot and does not contain financial advice. The information is provided for general informational and educational purposes only and is not a substitute for professional advice.

Accordingly, before taking any actions based upon such information, we encourage you to consult with the appropriate professionals. We do not provide any kind of financial advice. The use or reliance of any information contained on this site is solely at your own risk.