Tryst’s 2FA Options and Answers

Tryst has been pushing a 2-step login for the past year. They’re clearly quite tired of dealing with hacked accounts. Accounts get hacked to due easily-cracked passwords or someone clicks on a link from a non-Tryst email that’s made to mimic a Tryst email.

How Not to Get Hacked (or reduce your chances)

The first key is having a strong password, which Tryst also recommends.

I always recommend using a strong password generator even though it normally means you’ll never be able to remember it and need to copy the password somewhere.
https://passwords-generator.org/
https://delinea.com/resources/password-generator-it-tool
https://www.calculator.net/password-generator.html

And if you don’t trust an online password generator, make sure to add an extra place or two to any password they give you, so you can add your own number, letter, or symbol to keep it completely unique.

While a lot of people also recommend password apps, I do not. Passwords on a piece of paper is not hackable. A document on your computer with a list of your passwords is not 100% secure if your whole computer gets hacked, but is more secure than any password app. You also won’t have to rely on a third-party server’s being up all the time. If all you use is your phone, a text note with your passwords is very easy to maintain. Whatever non-app method you use, make sure you have copies backed up somewhere safe, especially if you keep an electronic list.

If you decide to use a password app, you will have to rely on their backups, which are usually frequent and in multiple locations as their own failsafe.

Update: Johanna Potente suggested downloading a password vault that stays local, on your own machine. These could be spreadsheets, or a small program that manages the info you enter into it. For extra security, you can download these vaults to an encrypted USB drive, you only need to remember the encryption password to open the vault and access all of your passwords. There are several free options if you search, or you can create your own with your own spreadsheet program.

The second key is not clicking on any email that purports to be from Tryst. I have a Tryst ad and constantly get those emails too. Fortunately, the email address on my Tryst ad leads to an auto-response and I never look at the emails received unless I’m hunting down someone who didn’t pass screening.

If you think you can afford to ignore the email messages coming directly from your ad, create an email address just for that ad (e.g. YourName.Tryst@domain.com), set it to an auto-response that sends readers to your website, and you cut your risk of being hacked from a phishing email down to 0%.

It’s also a really easy way of doing your stats at the end of the month if you can see the exact amount of legit inquiries vs time-wasters, or if there was a common question or whatever. Creating a separate email address for every advertising platform is a great way of gathering hard numbers for your marketing efforts. And again, never answering any email captured by that address means not being phished.

I’m not sure why Tryst doesn’t offer this as a solution but it is a safety measure that you can do if you think you can afford to. Personally, I feel the serious clients will go to your website first before contacting you, but everyone’s business is different. (The auto-response is always a great way to weed out the stupid. In 2023, many men still do not know what an auto-response is and if you’re that dumb, I really won’t be able to help you.)

Tryst’s 2FA Options

Tryst has offered a number of options, which they sometimes also refer to as Multi-Factor Authentication/MFA. Tryst explains the general terms and a general overview of how the various methods work. They offer a little more detail buried in their FAQ, none of which addresses any privacy concerns.

Several of these options means that Tryst has paid to partner with the technology to offer it. That’s how serious they are about locking down your account. It becomes cumbersome just to access a sex work advertising platform. These apps can also raise serious privacy concerns, which is a big deal for sex workers in the US. Tryst hasn’t addressed any privacy concerns whatsoever, in fact, they recommend providers utilizing more than one type of 2FA key. (I think that’s overkill.)

I admit to resenting this being forced on us as of September 1, 2023. I also understand that one hacked account can put the whole site at risk if the hacker knows what they’re doing (though so far, the interest seems to be on scamming clients out of money). I understand perfectly well that creating a digital trail linking your online activity and/or personal information just to log into a sex work site is a risk some will not want to take. I’m curious to see how many paying advertisers Tryst loses on Sep. 1. (My only hope is that horny straight guys stop using it as a dating site if it gets more annoying to log into.)

For an unregulated business, we endure quite a bit of ad-hoc regulation to be able to work. Of course, the ability to work without needing to rely on an advertising platform is the ideal: whether you’ve SEOd your site, have fully utilized social media, or found another mix of methods; freedom from ad platforms is a great goal to have.

I have signed up for one option and have successfully used it. I’ll discuss my choice when we get to it. This doesn’t mean I like it, because I don’t. I picked the least evil and simplest option.

The strongest security you can get is by compartmentalizing your electronic trail. Choose one of the methods offered and use it solely for your work accounts. Do not use these apps on whatever accounts you access for your personal life. Log out each and every time you’re finished with an app or Tryst, clear your cache and cookies before logging into your personal accounts.

If you advertise with Eros, it’s highly likely they’re going to follow in Tryst’s footsteps, as they’ve been warning about scammers for a while. Currently, they require an email verification code to sign in, which is a common and simple 2FA option Tryst does not offer for reasons they never address.

How Does It Actually Work?

Most of these options offer both a desktop/laptop and phone version. Once again, you have to consider what else is one your device and how you use that device. The different apps offer mildly different ways of authentication, but it works based on QR codes. Tryst will create a QR code, your app reads it, communicates with Tryst, and you enter a numerical code the app gives you (and Tryst), and Tryst confirms the code. You’re logged in. I highly recommend reading each website thoroughly for details on how the app works after you’ve decided which one you want to try. Tryst answers a little more detail in their FAQ.

I have not signed up to every option to test them because I do not want to do that.

The first time you log in via the app, Tryst will give you an emergency recovery code. In case your account gets hacked anyway, this code will let Tryst know it really is you logging in. You are to keep the code somewhere safe. Tryst suggests on a piece of paper.

Yes, all this high-tech bullshit for a sex work advertising platform is ultimately secured with words written on a piece of paper.

It really reminds me of this scene from The Simpsons.

Tryst warns you that if you lose the code, you probably will not be able to recover your account. This is the same type of backup security that electronic crypto wallets use, though Tryst’s code is much shorter.

Reading QR codes is easy with a phone: you point the phone at the code. Reading QR codes on a desktop is a little more complicated and involves more apps. Tryst’s FAQ says it can offer a URL to copy and paste if you can’t read the QR code.

This obviously points to using your phone for the app, but consider if you mix work and personal on your phone or not. Same with your computer. What you do really depends on how you have your work set up. This is something that requires consideration.

Once you’ve signed up and used it to log into Tryst, records are created that you will not be able to destroy, even if you delete your account with Tryst or the app. Having a dedicated work phone is always the best answer but I’m aware not everyone can do that.

Not to mention the obvious but…your phone isn’t actually surgically-grafted to your hand. What happens if you lose it and the authentication app on it? Other than a random person being able to easily access your account; you’re just as easily shut out even if that doesn’t happen. (Hence, the emergency passcode written on a piece of paper, which really begs the question of: why bother with the app at all?)

The Options

1Password

1Password is an app that acts both as a password manager and authenticator for sites that require 2FA. They offer a business option and personal-use option. If you were to use this app, choose the personal option, not business. It’s cheaper as a personal option at $36/yr. Yes, you have to pay for an app to access your escort advertising. I know.

1Password is quite happy to install itself in every single factor of your life, from personal information to bank account info to your medical records to authenticating you with Tryst. You pay for the privilege of having a random company gather NSA-level information about you.

I avoid things like this like the plague they are, but if you think it’s convenience personified, go for it. It is a Canadian company.

Google Authenticator

If you already utilize Google Analytics or Gmail (or other Google properties) in your work, this might be an easy fit. If you avoid Google, you’ll also want to avoid this app.

It is a simple app to use, whether on phone or desktop/laptop. There’s even an Authenticator Chrome extension that will read the QR code for you.

It collects a fair amount of data.

It’s very straightforward to understand the benefits and drawbacks of this app. Using it depends on your comfort level with Google. Because it’s Google, you can be assured it will snoop and connect as much information about you as possible, including that you’re using it to log into Tryst. Google is a US-based company.

Microsoft Authenticator

What can be said for Google can be said for Microsoft Authenticator. Microsoft is a US-based company that respects your privacy every bit as much as Google does. (Or Apple, for that matter.) Personal data is gold to companies like these. Using their apps is giving them your gold for free in order to sign into a hooker site.

Authy

Authy is an app powered by the US-based customer management company Twilio. Though the parent company itself is all about gathering and managing customer data for companies, the app seems to be a straightforward version of a 2FA app.

This is the one I put on my phone, but it also has a desktop/laptop version. It asked me for a phone number and email address. I verified both to install the app. Logging into Tryst was exactly as Tryst described: they created a QR code, the app read it and gave me a number, which I entered into Tryst. That was it.

I’m not pretending this app isn’t collecting data that I’m not aware of, but the app only requested permission to use my camera in order to view the QR code. Tryst the website appears as a little square on the app. Presumably, if I used this app for other sites, they would also have a little square with their name on it. Just click the square and the 2FA process begins. There’s not much else to the app.

Security Keys/Passkeys

Basically, these are souped-up USB devices — actual, physical objects that contain electronic code. But of course you have to buy a special one; a plain old USB drive with your passcode info on it won’t suffice.

Tryst recommends the cheapest Yubico key on offer, which is $25 (most of the keys start at $50). This is affordable enough, but that’s not the end. The key works with only with the built-in security methods on your devices, which is where the multi-factor authentication comes into play. (Key + device + authenticator app + Tryst’s own protocols)

By built-in security, Tryst makes it clear that means biometrics. Your face scan, your fingerprint. Not your passcode. Logging in this way activates your special key and reassures it that only you are accessing the codes stored in it, then it can work with authentication apps and Tryst.

Your biometrics. To log onto a hooker website.

I hope to god you don’t already use your biometrics to unlock any of your devices but if you do, be aware that in the US, your biometrics are not protected information. Police can collect your biometrics all day long (i.e. mugshots, fingerprints, DNA). They cannot compel you to unlock your phone or computer if it’s locked with a passcode.

You can Google all day on these issues, and the answer doesn’t vary much, even in different states.

Let’s put aside the biometrics horror show, and look at the keys a little more.

These keys can also work with cryptocurrency, though I do not believe they function as wallets. It’s simply that they offer a higher level of security for the wallet you already have. You can check compatibility with various apps on their website.

The downside is now you have a thing to lose. If you lose tiny things (like USB drives), on the regular, this may not be the best option for you. Because if you go the multi-factor route and lose the key, you’re almost certainly going to be shut out of your account permanently.

The upside is what I’ve mentioned: you can use this key for multiple work-related accounts. It’s probably partitioned enough that you could use it for work and personal, but this is just a guess. I’m not certain.

The key can work with your phone or desktop/lap. It uses a specific connector, not a plain old USB connection. Tryst recommends using only the latest devices for security purposes but they also do not offer to pay for you to upgrade your devices, so take that with a big shaker of salt.

If you aren’t sure what connections your device offers, feel free to Google the make/model of your device and check. Or contact the key company and request assistance if it’s not in their FAQs.

The keys are an excellent idea in theory, but that theory falls apart because they require biometrics to access their functions.

If you already use your biometrics to unlock your devices, and don’t wish to roll them back (or can’t), then the key might be a good option. You buy it once and use it forever. You’re already fucked by the biometrics requirement, might as well have fun with it.

Remember that Tryst will give you an emergency passcode to write on a piece of paper.

Because paper is hacker-proof and Tryst knows it.

Final Thoughts

Really didn’t even have to tighten my tinfoil hat on this one. Some states now require ID verification just to access porn sites. How much longer before escort sites are wiped off the Internet? Or access to them? Tryst is worried about Tryst being stable and secure. They aren’t looking further down the road in a country where they aren’t based (a country whose idiotic laws are the whole reason they came into being in the first place).

Requiring elaborate, invasive, and potentially self-incriminating methods just to run an escort ad is going to cause unintended consequences for US users. Or, I guess the consequences will be very intentional, from the perspective of law-makers and police. It’s only a matter of time.

We already know that Eros is compromised. We know that sex workers from other countries are regularly detained and sent back to their country of origin for the crime of showing their face online in connection with their sex work. We are forced to use cryptocurrency to pay for ads because banks will shut us down and credit card companies have already shut down these payment avenues.

How to protect against hackers? Education instead of apps. Make sure everyone knows app-free ways of not falling for phishing emails, or how to create very strong passwords and where to keep them (piece of paper!).

Tryst has long used an unnamed service to automatically check our passwords against a list of known passwords from other data breaches (it’s from one of the authenticator services they signed up with, but forgot which one offered that). I have always found that a little disturbing, and it’s something they’ve never addressed, but it’s far less invasive than their new requirements.

Tryst is offering everyone 20 credits to “upgrade” to 2FA before Sept. 1. They should offer a free Platinum month to everyone, at the very least (150 credits).

For those who don’t know, Tryst offers a free plan to everyone; and the next step up is 35 credits/month. This 20 credit bonus is not much bonus. They give out 25 credits every Christmas.

Even the least offensive app is a step I’ve not taken before and absolutely did not want to take. I don’t make much money from Tryst but I get appointments from there and would like more (I always want more). They’re holding our income hostage to create a tighter electronic trail (or leash) between our personal and professional lives. Those whose income completely depends upon Tryst are the ones who most likely don’t have the economic freedom to pay for the necessary electronic compartmentalization to neutralize the effects of using any of these methods.

Tryst has tried very hard to listen to sex worker concerns, and to support sex workers worldwide. Tryst stuck their necks out to create Switter, which had to close after two years due to legal issues, and the potential for even more issues (which always cost money).

All of which makes the 2FA requirement feel ugly. They may not intend to do anything but keep the site and users secure (and maybe lower their IT bills by not having to pay to fix emergency hacking situations). The unintended consequence is holding potential income hostage, for nothing valuable in exchange. The unintended consequence is being able to tie the personal and professional together much more easily for random companies and law enforcement. It makes Tryst feel one step closer to every other ad platform without our best interests in mind.

Additional thought: I forgot to mention that all these companies that Tryst has partnered with (except 1Password) are US-based. Which means they’re subject to US laws and anti-trafficking hysteria. Which means that at any time they could decide to end the partnership with Tryst, or turn user logs over to the police. Then what? Not good for Tryst, not good for any Tryst user in the US.

The Yubio key requires an application to interact with, as far as I can tell, which means one of the apps Tryst has partnered with. If those companies stop allowing use with Tryst, the key is also rendered useless for logging into Tryst. (This is my understand of how it functions, I could be wrong.)

It’s my opinion that in attempting to heighten security, Tryst has instead made their site, and users, less secure due to the dependence on US-based companies. I assume it’s because their largest user-base is in the US, and these companies like to make apps for everything. It’s a decision that solves one problem while creating the opportunity for a much bigger problem.

Important Update

Turns out that Twilio, who owns and operates the Authy app, is also involved with OneReach. OneReach is described in the PDF linked in the Tweet below as a “demand-deterrence” platform, dedicated to the service of police in anti-prostitution efforts.

On page 80 of 2019 PDF, you can read about One Reach/Twilio:

OneReach / Twilio — A front-end and application programming interface for integrating voice call and text messaging into 3rd-party applications. The back-end that is used for some demand deterrence platforms.

I’m not claiming this is deliberate on Tryst’s part, I doubt it. Nor do I have any idea how connected Authy, Twilio, and OneReach actually are. But the connection is there, and has been there for years. The companies themselves don’t have a lot of public overlap, at least not what I found with a little searching.

OneReach openly works with the LAPD, and refers to human trafficking on its website. Twilio doesn’t seem to mention OneReach in any recent news. That doesn’t mean they don’t sell data or services from any of their products (Authy being one of them) to OneReach or law enforcement.

More research needs to be done because I have a lot of questions about the companies’ involvement with each other. Law enforcement and anti-trafficking efforts seem to feel they’re all very cozy together, though.

Goddamnit.

moving past the backpage shutdown

Welp, that was inevitable.

When I was touring a few months ago, and Carl Ferrer, the CEO of Backpage, was arrested, I had about $800 of credit in my account. I started spending and not replenishing because I knew BP wouldn’t last much longer. As of today, I have less than $200 in my account. I have no way of getting that money back, that I know of, but at least it’s still there and it’s not very much, really.

Read more

reactions

Since I often read things and want to comment but don’t, here are my comments. A lot of these links came from Tits and Sass since I no longer bother with my Google Alerts.

escort photo documentary

While the story is somewhat unique, the pictures of Eden working are completely recognizable to any touring hourly escort. Locales may differ, there may be a lack of cigarettes and wigs, but everything else is very, very true. Escort work really can be this boring and mundane. Just like stripping. Just like data entry. Just like anything.

Hong Kong escorts and review board exploitation

I remember Sex141.com when I went to HK. I was never on the site because it wasn’t a good fit for me. I was: too old, Western, English-speaker, outcall-only, had much higher rates than the local girls. I had no idea it developed into the terror it has. (TER is probably kicking itself for not figuring out the bad review scam Sex141 pulls.)

HK girls work in limbo. Sex work is partially decriminalized and partially illegal, depending on what, where and how. While the laws seem clearly defined on the surface, sex workers face almost as much police harassment as US sex workers. My firm belief is that anytime there is an illegal aspect to sex work, the workers will suffer. The public and police will exploit the illegal aspects as far as they can, nullifying any legality. This is why sex work has to be completely decriminalized across the board. No exceptions.

Because of this half-and-half system, they have no recourse against Sex141. Because of the market and the laws, the girls are regularly ripped off: unlike sex workers in the rest of the world, they’re afraid of getting the money upfront because the client will run away or call them a ripoff (I did not have that problem with the clients I had in HK — different market). They’re stuck with abusive clients and there is no legal recourse for them. After the murders in 2008, all the one-woman brothels had CCTVs installed and the images of bad clients are regularly printed out and circulated but there is no way to make sure every sex worker has that info. They have problems with clients every day, just like US sex workers.

This is not to say that the girls don’t want to work there because they do. It’s far safer than China and the money is better. The problem, as always, is illegality. The only solution, as always, is full decriminalization.

Read more

private activities that i enjoy

…but for which no money is exchanged

I’m sure many of you have seen this wording on advertising malls and personal websites of escorts. Continuing my recent satirical bent, here are some private activities that I enjoy for which no money is ever exchanged:

  • sleeping (my #1 enjoyable private activity)
  • eating
  • running
  • reading (especially in bed)
  • reading while eating
  • watching stupid YouTube videos
  • using my honey/sugar scrub in the shower
  • getting fresh toenail polish (though I do this a salon so it’s not private and I pay for this service)
  • watching mindless movies
  • napping
  • looking at my collection of Breyer horses
  • dreaming about the day when I finally have all my stuff out of storage
  • dreaming up blog posts that I never write
  • dreaming up books that I never write
  • flossing
  • dozing
  • counting and wrapping the coins in my coin jar
  • having a really good rant about someone/something deserving
  • bird-watching
  • adding to my to-do list and sometimes crossing something off
  • catching some Zs
  • admiring my hair after I leave the salon
  • dreaming about what I’d do if I won the lotto
  • endlessly checking my email but not actually answering any of them (then become guilt-racked)
  • surfing escort websites
  • slumbering

Oddly, none of these options are available for me to check off on advertising malls. I think I’ll just link to this post, just to be helpful to any potential clients. Apparently my private activities are something they’re intensely curious about for some reason.

making escorts do…[whatever]

I need to get back to writing again, so I’m doing a couple posts about online escorts issues.

getting what you really want at a lower rate

I received advertising spam from a combination info-blog/advertising mall except they don’t seem to actually have any escorts signed up with them (they also seem geared toward agencies, not indies). I’m not sure why I got spammed, but the site was entertaining nonetheless. Their stated purpose is to teach clients “learn how to negotiate with escorts the right way to get what you really want. Don’t risk getting ripped off or going to jail.”

Escorts have an adverse reaction to the word negotiate. It’s a business. You pay what the businessperson is charging or seek to engage another businessperson. If you can’t afford Escort A, then there is probably the very-affordable Escort B advertising in Escort A’s city — all you have to do is reach out and email. Don’t haggle with Escort A because that won’t get you anywhere except possibly a complaint on a ladies’ board; just email Escort B and arrange a booking with the escort you can afford.

As for teaching male clients how to “get what they really want” I would highly suggest finding an escort whose personality turns you on, go in without heavy expectations and let the experienced professional do her job without getting in her way (she’s going to try to make you very happy). See her again and again and pretty soon you have exactly the experience you want — quite possibly surpassing your original expectations. (I touch on this subject a bit more here.)

Or…you could send an escort a detailed letter of every little thing you expect from her and every little thing you want her to do — and never see her. She may post this letter on a national ladies’ board for the laughs (or you could live in infamy online as a time-waster), which could mean you don’t see any escort in her city. Or you send copies of this letter to every escort in a single city, effectively screwing yourself out of seeing any escort in that city.

That’s how “getting what you really want” really works in really real life.

Read more