Right-clicking and saving an NFT is still a popular, and incredibly simple, way of stealing somebody’s profile picture (PFP). And with no solution to this simple attack vector in sight, the world’s largest NFT marketplace, OpenSea, has enacted a new, police-enforced theft policy.
The company is threatening legal action against crooks and will make centralized delisting decisions for problematic NFT collections. Ironically, it seems this decentralized industry built on distrust of government needs centralized policy-making enforced by police and the courts of government.
OpenSea posted the overhaul to its stolen item policy on Twitter, citing US law, which forbids knowingly facilitating the sale or transfer of stolen items. It also says that it hopes the policy will deter burglars from stealing collections listed on its website.
The 13-tweet thread also threatened heightened police reporting and swifter responses to suspicious activity. Previously, the company only used police reports for escalated disputes but it will now use police reports for most theft reports.
To encourage identity verification, OpenSea will also simplify its Know-Your-Customer (KYC) system and, in addition, it’s escalating IP-, DNS-, and cookie-based fraud detection systems.
Victims of OpenSea theft want even more oversight and legal recourse
Even the new stolen items policy wouldn’t prevent all thefts. One example is the theft of a number of Bored Ape Yacht Club NFTs that happened outside of OpenSea.
Twitter users like Adam Hollander suggested even stricter policies from OpenSea, such as a waiting period to sell NFTs after they transfer between wallets. This would give victims more time to file a police report. Others suggested granting a longer grace period of six to eight weeks to produce a police report.
Skeptics also asked if OpenSea planned to make the changes retroactive. One user asked if a “suspicious” tag would be removed pending a police report. Another questioned whether OpenSea planned to leave reports made before the policy changes in limbo.
Others complained that OpenSea previously did not care about victims of theft or buyers who unwittingly bought stolen NFTs, while some commenters suspected that the company only made the changes due to pressure from thousands of NFT owners.
Still no defense from the most elementary attack
Even with its new overhaul, OpenSea’s stolen item policy still provides no defense against “right click and save” attacks. On many websites, someone could right-click and save an image, then immediately use that picture to mint a new NFT.
Some websites disable right-clicking on elements like images and links, but OpenSea doesn’t. Even if it did, it’s trivially easy to work around these website blockers.
Although blockchain developers can verify whether an NFT is genuine, a “right click and save” attacker could easily fool less technically savvy buyers. There are thousands of newcomers to the digital asset industry every day.
A recent MetaMask update will ask users to confirm a request for access to all NFTs in a certain collection. OpenSea called it an improvement that could make users more aware of what they are signing.
OpenSea’s past indifference toward theft and buyers who unwittingly bought a stolen NFT may justify the current skepticism about its new stolen item policy. The new policy could also fail to address the root of the NFT theft problem. Whatever the outcome, for almost two years, OpenSea has developed a poor reputation when it comes to keeping stolen NFTs from being dumped onto unsuspecting victims through its marketplace.