How To Transact Safely In The Metaverse
The Metaverse gives users control of their identity and any value they create in it through crypto-wallets. But with every new technology, there are risks. NGRAVE created this guide to transacting safely in the Metaverse.
Article Quick Links:
- The two versions of the Metaverse
- Understanding how a crypto wallet works
- Protecting Your Wallet Seed
- The risks of Social Engineering
- Mitigating the threat
- Man In the Middle Attacks
- Mitigating the threat
- Safely Transacting with NFTs
- How to have convenience & offline security
Though Facebook's rebranding to Meta in October 2021 generated a huge spike in Google searches from people curious to know what the term ‘Metaverse’ means, it’s actually been a key theme within the decentralised world of crypto for much longer. The decentralised version of the Metaverse gives users full control of their identity and any value they create in the Metaverse, through crypto wallets. But with every new technology there are risks, so NGRAVE have created this guide to transacting safely in the Metaverse.
The two versions of the Metaverse
If you want to really explore what the Metaverse can offer, you’ll need more than a VR Headset. Most of the existing Virtual Reality (via headsets/haptic gloves), Augmented Reality (mobile overlays) and immersive experiences (Roblox or Fortnite) are actually just a different experience within the same broader framework for how web-based services currently work - aka web 2.0.
The defining characteristic of web 2.0 is centralised control by the platform provider.
- Your identity & data are controlled by the platform
- Transactions are facilitated by traditional centralised means - cards, Paypal, Apple Pay
- Value is locked in the platform & not portable
- You have no say in how the platform functions
The Metaverse within Web 3.0 utilises decentralised technologies to reverse all these relationships, putting power in your hands:
- You control your identity
- Transactions are facilitated by decentralised payment layers - blockchains & cryptocurrencies
- Value is portable & exchangeable, relying on token standards, e.g. NFTs
- You can have a direct say in how the platform functions, relative to your stake in the platform, through structures called DAOs - Decentralised Autonomous Organisations
A crypto wallet is central to enjoying all the opportunities the web 3.0 version of the Metaverse offers. Crypto wallets are software applications that share some similarities with traditional payment apps, allowing you to send and receive cryptocurrencies that function as money - such as Bitcoin and Ethereum - but also crypto that functions as tokens within the Metaverse, called NFTs - non-fungible tokens.
NFTs are records of ownership of the things you create or purchase in the Metaverse, like a parcel of land, a character or an in-game item. They are recorded on blockchains like Ethereum, and can be traded for real world value.
Your crypto wallet will allow you to transact these items within marketplaces, both within the Metaverse platform and on external exchanges such as OpenSea. This is the game-changer for unlocking value that you create within the Metaverse and exchanging it.
Imagine if all the hours you’ve ever spent gaming, the achievements reached and things you’ve created, had a real world monetary value that you could extract and exchange?
FUN FACT - OG rapper, Snoop Dogg, built a mansion in Decentraland, an Ethereum based Metaverse, then sold a parcel of land next door for $450,000.
Understanding how a crypto wallet works
There are several different flavours of crypto wallet - the NGRAVE Academy goes into this in detail - but the biggest Metaverse providers within crypto, such as Decentraland and Sandbox, recommend the use of Hot Wallets, with MetaMask the most popular, so that’s where our focus will be.
A Hot Wallet is a software-based application, usually a mobile App or browser extension, that allows you to manage your crypto assets. They are described as hot because they are online by default - convenient for transacting, but with associated risks we’ll get to below.
You can download a crypto hot wallet like MetaMask from the places you’d normally download an App - GooglePlay or the AppStore - but in order to enable the decentralised version of the Metaverse, you don’t register your information with MetaMask, or any other central authority, like a bank; your crypto wallet allows you to be your own bank. This concept is called custody.
When you hold full custody of your crypto assets there is no safety net of password reset or chat support. You’ll access MetaMask on a day-to-day basis through the normal security features of your browser/device, such as a password and/or biometrics, but the ultimate failsafe is a single piece of information, called a Seed.
Protecting Your Wallet Seed
Your MetaMask Recovery Seed is a collection of 12 mnemonics (memorable phrases) that, when recorded in a specific order, are a convenient way to represent a much longer random string of numbers and letters called a Private Key.
In the event of losing regular access to either the app or your device, your Seed is your only fallback. Learning to manage your Seed is, therefore, a fundamental element of transacting safely in the Metaverse, so we recommend reading our separate article about how to safely store your Seed.
Your Seed is the target of scammers; with it they can drain your wallet, so the most important security step is to store your Seed offline somewhere safe.
By doing this, you immediately make transacting in the Metaverse - or in crypto in general - more secure, but scammers will still attempt to trick you into revealing your Seed through Social Engineering.
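How 12 ordered words can stand in for a long random value, shown as an added example (not NGRAVE's or MetaMask's code). It assumes the BIP-39 scheme that 12-word recovery phrases follow, and uses word-list positions (0..2047) in place of the words themselves because the 2048-word list is not embedded here.

```python
import hashlib

WORDS = 12            # length of a 12-word recovery phrase
BITS_PER_WORD = 11    # each word is a position in a 2048-word list
CHECKSUM_BITS = 4     # 12 * 11 = 132 bits = 128 random bits + 4 checksum bits

def _checksum(entropy: bytes) -> int:
    """First 4 bits of SHA-256(entropy), the BIP-39 checksum for 128 bits."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)

def entropy_to_indices(entropy: bytes) -> list:
    """Map 16 random bytes to the 12 ordered word-list positions."""
    if len(entropy) != 16:
        raise ValueError("a 12-word phrase encodes exactly 16 bytes")
    n = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | _checksum(entropy)
    return [(n >> (BITS_PER_WORD * i)) & 0x7FF for i in reversed(range(WORDS))]

def indices_to_entropy(indices: list) -> bytes:
    """Reverse the mapping; raise if the phrase's checksum does not match."""
    if len(indices) != WORDS or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("expected 12 positions in the range 0..2047")
    n = 0
    for i in indices:
        n = (n << BITS_PER_WORD) | i
    entropy = (n >> CHECKSUM_BITS).to_bytes(16, "big")
    if n & 0xF != _checksum(entropy):
        raise ValueError("checksum mismatch: wrong word or wrong order")
    return entropy

if __name__ == "__main__":
    sample = bytes(16)   # constructed all-zero value, never use as a real Seed
    positions = entropy_to_indices(sample)
    print(positions)
    print(indices_to_entropy(positions) == sample)
```

The 4-bit checksum catches most, but not all, transcription mistakes, so a backup should still be re-read word by word against the original.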
The risks of Social Engineering
Finding your way around the Metaverse and understanding how to transact can be confusing for a beginner, and scammers will try and exploit this by looking for requests for help - whether within the platform, its Discord or external Social Media - and pretending to be part of official support in order to help. They may go as far as creating fake Discord servers, and using what look like legitimate accounts, before eventually asking for your Seed to help resolve your issue.
With access to your Seed a scammer can drain all the funds already in your wallet, but if there is little of value, they might combine your Seed with a malicious script to intercept transactions. If they can successfully infect your wallet with the so-called Sweeper Script they will divert funds to their address, rather than the genuine recipient.
Other forms of Social Engineering may try and convince you to transfer NFTs as part of some promised exchange, before disappearing, or offer a wallet recovery service for anyone who loses their Seed.
Unfortunately there is a steady flow of people who don’t store their Seed offline, who go on to lose access to wallets. Scammers will monitor social media for targets, using multiple stooge accounts to create an air of credibility, then request upfront payment, and disappear without delivering any service.
Mitigating the threat
There is no legitimate reason why any person, or service, should ever ask you to reveal your Seed. Knowing this should make it easy to detect scams, but here are some things to be aware of:
- Only ever use official support channels - double check account details
- Be very suspicious of anyone approaching you out of the blue especially via DM
- Unprofessional language is another red flag
- Scammers may create dApps that look harmless enough but will ask for your Seed
Man In the Middle Attacks
By keeping your Seed offline, and understanding that no one should ever ask you to reveal it, you can mitigate a lot of threats to transacting in the Metaverse, but there are other risks, more specific to the way Hot Wallets like MetaMask work.
One of the vulnerabilities of using a Hot Wallet is what is known as the Man In the Middle Attack.
In order to send or receive transactions you need to share address details, often using chat services and/or your device clipboard. The Man In the Middle attack relies on compromising the clipboard module - on laptop or smartphone - and using that remote access to intercept the shared address details and replace them with details of the attacker’s choosing. A Trojan called Cryptoshuffler, which was doing the rounds in 2017, did precisely this.
Mitigating the threat
Always double check the recipient address to ensure it is correct by scanning the first/last few characters.
If your Hot Wallet allows it, use address Whitelisting, which puts a 24hr restriction on using newly added withdrawal addresses; note MetaMask doesn’t enable this feature.
Use a good anti-virus service and keep it automatically updated, then follow best practice with your internet habits. If you can, use a specific device just for crypto activities and nothing else.
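The two address checks above, combined in one added example (not code from MetaMask or NGRAVE): a full-string comparison against a locally kept allowlist with a 24-hour hold on new entries, plus a flag for addresses that only match a trusted entry at the ends. The allowlist store, function name and sample addresses are all hypothetical.

```python
import re
from datetime import datetime, timedelta

HOLD = timedelta(hours=24)                  # hold on newly added addresses
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")  # Ethereum-style address format

def check_recipient(pasted, allowlist, now, edge=4):
    """Classify a pasted address against {address: datetime_added}."""
    pasted = pasted.strip()
    if not ADDR_RE.fullmatch(pasted):
        return "malformed"
    addr = pasted.lower()
    known = {a.lower(): added for a, added in allowlist.items()}
    if addr in known:
        # Every character matches; still enforce the hold on fresh entries.
        return "ok" if now - known[addr] >= HOLD else "cooling_down"
    for trusted in known:
        # Same first and last characters as a trusted address but a different
        # middle: the case a glance at the ends alone would not catch.
        if addr[2:2 + edge] == trusted[2:2 + edge] and addr[-edge:] == trusted[-edge:]:
            return "lookalike"
    return "unknown"

# Constructed sample data (not real wallets).
NOW = datetime(2022, 3, 1, 12, 0)
TRUSTED = "0x" + "a1b2c3d4" * 5
FRESH = "0x" + "9e8f7a6b" * 5
LOOKALIKE = "0xa1b2" + "f" * 32 + "c3d4"
ALLOWLIST = {TRUSTED: NOW - timedelta(days=30), FRESH: NOW - timedelta(hours=2)}

if __name__ == "__main__":
    for candidate in (TRUSTED, FRESH, LOOKALIKE, "0x1234"):
        print(candidate, "->", check_recipient(candidate, ALLOWLIST, NOW))
```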
Safely Transacting with NFTs
Once you’ve become familiar with how a Hot Wallet like MetaMask works, along with the basic measures to stay safe, you’ll likely want to buy and trade NFTs that represent items within the Metaverse. Again, there are a number of risks that you should be aware of.
Wash Trading
One of the biggest scams within NFT trading is where the Buyer and Seller are the same person. This so-called ‘Wash Trading’ enables the creation of a false sense of the value of an NFT, and is hard to detect given marketplace users don’t have to identify themselves.
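A heuristic for spotting the pattern in a token's sale history, as an added example (not a marketplace feature or NGRAVE code): it flags sales where seller and buyer are the same wallet, and tokens that return to an earlier seller within a small group of wallets. The record fields, wallet labels and the three-wallet threshold are assumptions, and the sales are constructed.

```python
from collections import defaultdict

def wash_trade_flags(sales, max_wallets=3):
    """Return {token: reason} for tokens whose sale history looks circular."""
    by_token = defaultdict(list)
    for sale in sales:
        by_token[sale["token"]].append(sale)
    flags = {}
    for token, history in by_token.items():
        history.sort(key=lambda s: s["block"])   # oldest sale first
        if any(s["seller"] == s["buyer"] for s in history):
            flags[token] = "self-trade"
            continue
        wallets = {s["seller"] for s in history} | {s["buyer"] for s in history}
        sold_before = set()
        returned = False
        for s in history:
            # The token comes back to a wallet that already sold it.
            if s["buyer"] in sold_before:
                returned = True
            sold_before.add(s["seller"])
        if returned and len(wallets) <= max_wallets:
            flags[token] = "round-trip"
    return flags

# Constructed sale records (wallet names are placeholders, prices in ETH).
SALES = [
    {"token": 1, "seller": "A", "buyer": "B", "price": 1.0, "block": 100},
    {"token": 1, "seller": "B", "buyer": "A", "price": 2.0, "block": 105},
    {"token": 1, "seller": "A", "buyer": "B", "price": 4.0, "block": 110},
    {"token": 2, "seller": "C", "buyer": "D", "price": 1.0, "block": 101},
    {"token": 2, "seller": "D", "buyer": "E", "price": 1.2, "block": 140},
    {"token": 3, "seller": "G", "buyer": "G", "price": 5.0, "block": 120},
    {"token": 4, "seller": "H", "buyer": "I", "price": 1.0, "block": 90},
    {"token": 4, "seller": "I", "buyer": "J", "price": 1.1, "block": 200},
    {"token": 4, "seller": "J", "buyer": "K", "price": 1.3, "block": 300},
    {"token": 4, "seller": "K", "buyer": "H", "price": 1.2, "block": 400},
]

if __name__ == "__main__":
    print(wash_trade_flags(SALES))
```

A seller who uses a fresh wallet for every hop passes both checks, so a clean result is not evidence of genuine demand.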
Uncancelled Listings
One of the biggest controversies that OpenSea has had to address is the consequence of charging users for many of the marketplace functions, such as cancelling an NFT listing.
Given all transactions happen on the blockchain, the most popular being Ethereum, they come with an associated cost, including for cancelling a listing, which some users didn’t want to pay.
This ended up being a very expensive mistake where the value of the NFT had greatly increased, because savvy users were able to hunt down uncancelled listings and snap up a bargain.
OpenSea acknowledged this issue by enabling a bulk cancellation feature, and changing how listing works going forward.
Plagiarism
Though a key attraction of NFTs is how they provide an immutable record without trust, this attribute isn’t 100% watertight because of the issue of plagiarism - in simple terms, copying.
The hype around NFTs has led to scammers simply minting existing digital images - the rights for which belong to someone else - and listing them for sale on NFT marketplaces. This is extremely hard to police; the same is true of NFTs which are minted on multiple, separate blockchains.
Exchanges are clearly aware of the issue, and trying to find ways to minimise the risks, but OpenSea has been open about the scale of the problem. It had to reverse an attempt in early 2022 to limit how many NFTs can be minted due to this issue and the problem of spam.
With no easy fix to the problem of buying a pirate NFT, you should do your own due diligence before buying something which the seller has no right to list, and which will therefore have no resale value.
Fake Provenance
Provenance is a big element of NFT trading: the ability to see a trade history, and whether the account holders are verified. Unfortunately, this can be easily manipulated. A scammer can transfer an NFT to a verified account without request, using that as proof they are legit, enabling them to rip off users.
How to have convenience & offline security
If all the threats posed to Hot Wallets leave you in a cold sweat, this is the unfortunate reality of the internet, and in particular, the allure that crypto has for hackers.
You have to balance the convenience offered by Hot Wallets like MetaMask against the risks we’ve highlighted. No Hot Wallet service can ever be 100% safe, because being online automatically means you are vulnerable. You can mitigate the risk through due diligence, security best practices and simply being vigilant, but the simple truth is that nothing is safer than cold storage.
Ruben is a repeat tech entrepreneur. His focus is on digital asset security and financial empowerment. He is co-founder and CEO of NGRAVE, the creator of “ZERO” - the world’s most secure hardware wallet for crypto storage. In 2021, he was selected for Belgium’s 40 under 40. Before that, he was a finalist in scale-ups.eu’s Disruptive Innovator of the Year 2020 Award, and nominated in Google/PWC/Trends’ Digital Pioneer 2020.