NFT marketplace account takeover
The digital marketplace for NFTs grew to an estimated $22bn last year, but companies face new frauds challenges every day. Recently fraudsters are able to perform a successful fraud using the account takeover in the NFT marketplace.
There are different methods that fraudsters can use to hijack an account. For example, credentials stuffing, phishing, social engineering, and SIM swap for high-profile accounts are the key account takeover methods. Fraudsters use stolen usernames and passwords on login forms to steal the NFT non-fungible token or NFT arts by employing credential stuffing. The NFT marketplace login forms are constantly hit by bots and automated scripts which involves very less cost to initiate the attack for the fraudster.
NFT account takeover becomes a nightmare for the victim and also destroys the marketplace reputation, customer trust, strain on operations teams, customer loyalty and retention, financial impact, and the future of the marketplace becomes dark.
Some of the recent attacks on the NFT marketplaces are given below. You can find the list of stolen NFT arts in the example. Victims are rushing to review and revoke your token approvals for dApp using ETH token approval checker.
Account takeover fraud prevention for NFT marketplace
Before applying any prevention measure, ensure the customer is not facing high frictions on the login. Below are the some actionable implementations that can be done. However, it does adds the friction when logging in.
- Rate Limiting on the Authentication
- Identifying the high risk IP addresses such as TOR, VPN and proxies
- Identifying the Bots authentication.
- Learning user behavior based on the historical non-PII data
- Usual authentication fail or successful spikes
- Send users notifications for account suspicious behavior
To learn more about how account takeover works, check our insights page here.