Posted on by Amanda Brooks

Tryst’s 2FA Options and Answers

Tryst has been pushing a 2-step login for the past year. They’re clearly quite tired of dealing with hacked accounts. Accounts get hacked to due easily-cracked passwords or someone clicks on a link from a non-Tryst email that’s made to mimic a Tryst email.

How Not to Get Hacked (or reduce your chances)

The first key is having a strong password, which Tryst also recommends.

I always recommend using a strong password generator even though it normally means you’ll never be able to remember it and need to copy the password somewhere.
https://passwords-generator.org/
https://delinea.com/resources/password-generator-it-tool
https://www.calculator.net/password-generator.html

And if you don’t trust an online password generator, make sure to add an extra place or two to any password they give you, so you can add your own number, letter, or symbol to keep it completely unique.

While a lot of people also recommend password apps, I do not. Passwords on a piece of paper is not hackable. A document on your computer with a list of your passwords is not 100% secure if your whole computer gets hacked, but is more secure than any password app. You also won’t have to rely on a third-party server’s being up all the time. If all you use is your phone, a text note with your passwords is very easy to maintain. Whatever non-app method you use, make sure you have copies backed up somewhere safe, especially if you keep an electronic list.

If you decide to use a password app, you will have to rely on their backups, which are usually frequent and in multiple locations as their own failsafe.

Update: Johanna Potente suggested downloading a password vault that stays local, on your own machine. These could be spreadsheets, or a small program that manages the info you enter into it. For extra security, you can download these vaults to an encrypted USB drive, you only need to remember the encryption password to open the vault and access all of your passwords. There are several free options if you search, or you can create your own with your own spreadsheet program.

The second key is not clicking on any email that purports to be from Tryst. I have a Tryst ad and constantly get those emails too. Fortunately, the email address on my Tryst ad leads to an auto-response and I never look at the emails received unless I’m hunting down someone who didn’t pass screening.

If you think you can afford to ignore the email messages coming directly from your ad, create an email address just for that ad (e.g. YourName.Tryst@domain.com), set it to an auto-response that sends readers to your website, and you cut your risk of being hacked from a phishing email down to 0%.

It’s also a really easy way of doing your stats at the end of the month if you can see the exact amount of legit inquiries vs time-wasters, or if there was a common question or whatever. Creating a separate email address for every advertising platform is a great way of gathering hard numbers for your marketing efforts. And again, never answering any email captured by that address means not being phished.

I’m not sure why Tryst doesn’t offer this as a solution but it is a safety measure that you can do if you think you can afford to. Personally, I feel the serious clients will go to your website first before contacting you, but everyone’s business is different. (The auto-response is always a great way to weed out the stupid. In 2023, many men still do not know what an auto-response is and if you’re that dumb, I really won’t be able to help you.)

Tryst’s 2FA Options

Tryst has offered a number of options, which they sometimes also refer to as Multi-Factor Authentication/MFA. Tryst explains the general terms and a general overview of how the various methods work. They offer a little more detail buried in their FAQ, none of which addresses any privacy concerns.

Several of these options means that Tryst has paid to partner with the technology to offer it. That’s how serious they are about locking down your account. It becomes cumbersome just to access a sex work advertising platform. These apps can also raise serious privacy concerns, which is a big deal for sex workers in the US. Tryst hasn’t addressed any privacy concerns whatsoever, in fact, they recommend providers utilizing more than one type of 2FA key. (I think that’s overkill.)

I admit to resenting this being forced on us as of September 1, 2023. I also understand that one hacked account can put the whole site at risk if the hacker knows what they’re doing (though so far, the interest seems to be on scamming clients out of money). I understand perfectly well that creating a digital trail linking your online activity and/or personal information just to log into a sex work site is a risk some will not want to take. I’m curious to see how many paying advertisers Tryst loses on Sep. 1. (My only hope is that horny straight guys stop using it as a dating site if it gets more annoying to log into.)

For an unregulated business, we endure quite a bit of ad-hoc regulation to be able to work. Of course, the ability to work without needing to rely on an advertising platform is the ideal: whether you’ve SEOd your site, have fully utilized social media, or found another mix of methods; freedom from ad platforms is a great goal to have.

I have signed up for one option and have successfully used it. I’ll discuss my choice when we get to it. This doesn’t mean I like it, because I don’t. I picked the least evil and simplest option.

The strongest security you can get is by compartmentalizing your electronic trail. Choose one of the methods offered and use it solely for your work accounts. Do not use these apps on whatever accounts you access for your personal life. Log out each and every time you’re finished with an app or Tryst, clear your cache and cookies before logging into your personal accounts.

If you advertise with Eros, it’s highly likely they’re going to follow in Tryst’s footsteps, as they’ve been warning about scammers for a while. Currently, they require an email verification code to sign in, which is a common and simple 2FA option Tryst does not offer for reasons they never address.

How Does It Actually Work?

Most of these options offer both a desktop/laptop and phone version. Once again, you have to consider what else is one your device and how you use that device. The different apps offer mildly different ways of authentication, but it works based on QR codes. Tryst will create a QR code, your app reads it, communicates with Tryst, and you enter a numerical code the app gives you (and Tryst), and Tryst confirms the code. You’re logged in. I highly recommend reading each website thoroughly for details on how the app works after you’ve decided which one you want to try. Tryst answers a little more detail in their FAQ.

I have not signed up to every option to test them because I do not want to do that.

The first time you log in via the app, Tryst will give you an emergency recovery code. In case your account gets hacked anyway, this code will let Tryst know it really is you logging in. You are to keep the code somewhere safe. Tryst suggests on a piece of paper.

Yes, all this high-tech bullshit for a sex work advertising platform is ultimately secured with words written on a piece of paper.

It really reminds me of this scene from The Simpsons.

Tryst warns you that if you lose the code, you probably will not be able to recover your account. This is the same type of backup security that electronic crypto wallets use, though Tryst’s code is much shorter.

Reading QR codes is easy with a phone: you point the phone at the code. Reading QR codes on a desktop is a little more complicated and involves more apps. Tryst’s FAQ says it can offer a URL to copy and paste if you can’t read the QR code.

This obviously points to using your phone for the app, but consider if you mix work and personal on your phone or not. Same with your computer. What you do really depends on how you have your work set up. This is something that requires consideration.

Once you’ve signed up and used it to log into Tryst, records are created that you will not be able to destroy, even if you delete your account with Tryst or the app. Having a dedicated work phone is always the best answer but I’m aware not everyone can do that.

Not to mention the obvious but…your phone isn’t actually surgically-grafted to your hand. What happens if you lose it and the authentication app on it? Other than a random person being able to easily access your account; you’re just as easily shut out even if that doesn’t happen. (Hence, the emergency passcode written on a piece of paper, which really begs the question of: why bother with the app at all?)

The Options

1Password

1Password is an app that acts both as a password manager and authenticator for sites that require 2FA. They offer a business option and personal-use option. If you were to use this app, choose the personal option, not business. It’s cheaper as a personal option at $36/yr. Yes, you have to pay for an app to access your escort advertising. I know.

1Password is quite happy to install itself in every single factor of your life, from personal information to bank account info to your medical records to authenticating you with Tryst. You pay for the privilege of having a random company gather NSA-level information about you.

I avoid things like this like the plague they are, but if you think it’s convenience personified, go for it. It is a Canadian company.

Google Authenticator

If you already utilize Google Analytics or Gmail (or other Google properties) in your work, this might be an easy fit. If you avoid Google, you’ll also want to avoid this app.

It is a simple app to use, whether on phone or desktop/laptop. There’s even an Authenticator Chrome extension that will read the QR code for you.

It collects a fair amount of data.

It’s very straightforward to understand the benefits and drawbacks of this app. Using it depends on your comfort level with Google. Because it’s Google, you can be assured it will snoop and connect as much information about you as possible, including that you’re using it to log into Tryst. Google is a US-based company.

Microsoft Authenticator

What can be said for Google can be said for Microsoft Authenticator. Microsoft is a US-based company that respects your privacy every bit as much as Google does. (Or Apple, for that matter.) Personal data is gold to companies like these. Using their apps is giving them your gold for free in order to sign into a hooker site.

Authy

Authy is an app powered by the US-based customer management company Twilio. Though the parent company itself is all about gathering and managing customer data for companies, the app seems to be a straightforward version of a 2FA app.

This is the one I put on my phone, but it also has a desktop/laptop version. It asked me for a phone number and email address. I verified both to install the app. Logging into Tryst was exactly as Tryst described: they created a QR code, the app read it and gave me a number, which I entered into Tryst. That was it.

I’m not pretending this app isn’t collecting data that I’m not aware of, but the app only requested permission to use my camera in order to view the QR code. Tryst the website appears as a little square on the app. Presumably, if I used this app for other sites, they would also have a little square with their name on it. Just click the square and the 2FA process begins. There’s not much else to the app.

Security Keys/Passkeys

Basically, these are souped-up USB devices — actual, physical objects that contain electronic code. But of course you have to buy a special one; a plain old USB drive with your passcode info on it won’t suffice.

Tryst recommends the cheapest Yubico key on offer, which is $25 (most of the keys start at $50). This is affordable enough, but that’s not the end. The key works with only with the built-in security methods on your devices, which is where the multi-factor authentication comes into play. (Key + device + authenticator app + Tryst’s own protocols)

By built-in security, Tryst makes it clear that means biometrics. Your face scan, your fingerprint. Not your passcode. Logging in this way activates your special key and reassures it that only you are accessing the codes stored in it, then it can work with authentication apps and Tryst.

Your biometrics. To log onto a hooker website.

I hope to god you don’t already use your biometrics to unlock any of your devices but if you do, be aware that in the US, your biometrics are not protected information. Police can collect your biometrics all day long (i.e. mugshots, fingerprints, DNA). They cannot compel you to unlock your phone or computer if it’s locked with a passcode.

You can Google all day on these issues, and the answer doesn’t vary much, even in different states.

Let’s put aside the biometrics horror show, and look at the keys a little more.

These keys can also work with cryptocurrency, though I do not believe they function as wallets. It’s simply that they offer a higher level of security for the wallet you already have. You can check compatibility with various apps on their website.

The downside is now you have a thing to lose. If you lose tiny things (like USB drives), on the regular, this may not be the best option for you. Because if you go the multi-factor route and lose the key, you’re almost certainly going to be shut out of your account permanently.

The upside is what I’ve mentioned: you can use this key for multiple work-related accounts. It’s probably partitioned enough that you could use it for work and personal, but this is just a guess. I’m not certain.

The key can work with your phone or desktop/lap. It uses a specific connector, not a plain old USB connection. Tryst recommends using only the latest devices for security purposes but they also do not offer to pay for you to upgrade your devices, so take that with a big shaker of salt.

If you aren’t sure what connections your device offers, feel free to Google the make/model of your device and check. Or contact the key company and request assistance if it’s not in their FAQs.

The keys are an excellent idea in theory, but that theory falls apart because they require biometrics to access their functions.

If you already use your biometrics to unlock your devices, and don’t wish to roll them back (or can’t), then the key might be a good option. You buy it once and use it forever. You’re already fucked by the biometrics requirement, might as well have fun with it.

Remember that Tryst will give you an emergency passcode to write on a piece of paper.

Because paper is hacker-proof and Tryst knows it.

Final Thoughts

Really didn’t even have to tighten my tinfoil hat on this one. Some states now require ID verification just to access porn sites. How much longer before escort sites are wiped off the Internet? Or access to them? Tryst is worried about Tryst being stable and secure. They aren’t looking further down the road in a country where they aren’t based (a country whose idiotic laws are the whole reason they came into being in the first place).

Requiring elaborate, invasive, and potentially self-incriminating methods just to run an escort ad is going to cause unintended consequences for US users. Or, I guess the consequences will be very intentional, from the perspective of law-makers and police. It’s only a matter of time.

We already know that Eros is compromised. We know that sex workers from other countries are regularly detained and sent back to their country of origin for the crime of showing their face online in connection with their sex work. We are forced to use cryptocurrency to pay for ads because banks will shut us down and credit card companies have already shut down these payment avenues.

How to protect against hackers? Education instead of apps. Make sure everyone knows app-free ways of not falling for phishing emails, or how to create very strong passwords and where to keep them (piece of paper!).

Tryst has long used an unnamed service to automatically check our passwords against a list of known passwords from other data breaches (it’s from one of the authenticator services they signed up with, but forgot which one offered that). I have always found that a little disturbing, and it’s something they’ve never addressed, but it’s far less invasive than their new requirements.

Tryst is offering everyone 20 credits to “upgrade” to 2FA before Sept. 1. They should offer a free Platinum month to everyone, at the very least (150 credits).

For those who don’t know, Tryst offers a free plan to everyone; and the next step up is 35 credits/month. This 20 credit bonus is not much bonus. They give out 25 credits every Christmas.

Even the least offensive app is a step I’ve not taken before and absolutely did not want to take. I don’t make much money from Tryst but I get appointments from there and would like more (I always want more). They’re holding our income hostage to create a tighter electronic trail (or leash) between our personal and professional lives. Those whose income completely depends upon Tryst are the ones who most likely don’t have the economic freedom to pay for the necessary electronic compartmentalization to neutralize the effects of using any of these methods.

Tryst has tried very hard to listen to sex worker concerns, and to support sex workers worldwide. Tryst stuck their necks out to create Switter, which had to close after two years due to legal issues, and the potential for even more issues (which always cost money).

All of which makes the 2FA requirement feel ugly. They may not intend to do anything but keep the site and users secure (and maybe lower their IT bills by not having to pay to fix emergency hacking situations). The unintended consequence is holding potential income hostage, for nothing valuable in exchange. The unintended consequence is being able to tie the personal and professional together much more easily for random companies and law enforcement. It makes Tryst feel one step closer to every other ad platform without our best interests in mind.

Additional thought: I forgot to mention that all these companies that Tryst has partnered with (except 1Password) are US-based. Which means they’re subject to US laws and anti-trafficking hysteria. Which means that at any time they could decide to end the partnership with Tryst, or turn user logs over to the police. Then what? Not good for Tryst, not good for any Tryst user in the US.

The Yubio key requires an application to interact with, as far as I can tell, which means one of the apps Tryst has partnered with. If those companies stop allowing use with Tryst, the key is also rendered useless for logging into Tryst. (This is my understand of how it functions, I could be wrong.)

It’s my opinion that in attempting to heighten security, Tryst has instead made their site, and users, less secure due to the dependence on US-based companies. I assume it’s because their largest user-base is in the US, and these companies like to make apps for everything. It’s a decision that solves one problem while creating the opportunity for a much bigger problem.

Important Update

Turns out that Twilio, who owns and operates the Authy app, is also involved with OneReach. OneReach is described in the PDF linked in the Tweet below as a “demand-deterrence” platform, dedicated to the service of police in anti-prostitution efforts.

On page 80 of 2019 PDF, you can read about One Reach/Twilio:

OneReach / Twilio — A front-end and application programming interface for integrating voice call and text messaging into 3rd-party applications. The back-end that is used for some demand deterrence platforms.

I’m not claiming this is deliberate on Tryst’s part, I doubt it. Nor do I have any idea how connected Authy, Twilio, and OneReach actually are. But the connection is there, and has been there for years. The companies themselves don’t have a lot of public overlap, at least not what I found with a little searching.

OneReach openly works with the LAPD, and refers to human trafficking on its website. Twilio doesn’t seem to mention OneReach in any recent news. That doesn’t mean they don’t sell data or services from any of their products (Authy being one of them) to OneReach or law enforcement.

More research needs to be done because I have a lot of questions about the companies’ involvement with each other. Law enforcement and anti-trafficking efforts seem to feel they’re all very cozy together, though.

Goddamnit.

Posted on by Amanda Brooks

how my personal choices affect everyone else who isn’t me

I should have Storified this but didn’t because I only have so much time and energy.

A question was posed on Twitter about not seeing guys of a certain race. I gave a flip, but honest answer, about why I no longer see Indian clients (even though Indians aren’t actually a race, they’re an ethnicity). And I don’t. I made that decision a year ago, after months of soul-searching and debate.

All of that debate was with two friends who would hear about my complaints after each and every appointment with Indian guys and they would pose the obvious solution: “Stop seeing Indian clients.” I would argue back with all the arguments I got on Twitter, plus my worry about it affecting my finances.

Read more

Posted on by Amanda Brooks

life, death, and trust

This is the far more spectacular story I once promised to tell.

I began this history in mid-May, when Jill received her terminal diagnosis. Jill has read this fully and contributed. To the disappointment of many, she hasn’t yet dropped dead. But we have both decided it is time to make public the true story of why and how she is dying. This story started as something else. Not a eulogy, not a memorial, a written memento mori of incidents and echoes.

If there is purpose in all of this, I leave it to someone else to find.

This is what Jill wants to be said, what I want to say, for now, so that it is said.

The history begins and ends with Jill.

Read more

Posted on by Amanda Brooks

saving fish from drowning

With apologies to Amy Tan.

I’ve never read her book, but I remember the title catching my eye a bookstore. It sums up sex trafficking hysteria perfectly. Amy says the title is derived from the practice of Myanmar fishermen who “scoop up the fish and bring them to shore. They say they are saving the fish from drowning. Unfortunately… the fish do not recover. This kind of magical thinking or hypocrisy or mystical attitude or sheer stupidity is a fair metaphor for the entire book.”

Or it could be a metaphor for a highly-funded rescue industry hellbent on saving someone, damnit!

saving molli from tweeting

The independent London escort Molli Devadasi has been around for a while. She hit Twitter gold by co-starting a hashtag campaign questioning the rescue industry by questioning their assumptions about sex work and sex workers, you may have seen it appear in my Twitter stream: #NotYourRescueProject.

While sex workers with blogs and Twitter are considered “privileged” and not worth listening to, apparently Molli was too successful. She was dragged from her London home, held, and questioned for two days by police before finally being released. They thought she was being trafficked because she was questioning trafficking hysteria, promoting sex worker rights, and discussing her personal choices. That makes sense. They were going to save a fish from drowning and they had a nice, shiny fish with Molli. (Let’s nevermind the time and money spent tracking her down and interrogating her when real victims of actual crimes might have needed police help.)

Molli has been terrorized for no reason other than expressing her opinions and experiences as a sex worker in a country where she was legally working. They took her money, laptop and phone so they can search for her “pimp.”

Need I point out that taking a sex worker’s money means she is going to have to earn more, very quickly? If you’re in an abolitionist frame of mind, this is the opposite of the correct move to make.

twitter safety for working activists

If you’re a sex worker and you know you’re going to Tweet as an activist, consider making a separate activist account and link it to something other than your sex work site (or blog). I have no idea what Molli’s security was like but they tracked her down either via her Twitter account or via her escort domain registration info (or maybe her escort phone number if it was public and registered in her name). Those are some determined rescuers.

Molli’s unfortunate case shows it’s vital to keep the activism and sex work apart. She got a modified version of what sex workers in the US could expect. Since we’re considered criminals before we’re considered victims, Molli in the US would have had her house stormed in the middle of the night, she would have been arrested, searched, interrogated even more harshly/detained even longer, and likely have lost any money in bank accounts and many of her possessions (like a car or house). She might still be in jail. If she had a pet, it might have been shot. If you think this scenario is far-fetched, this has happened many times to innocent people incorrectly suspected of being involved with drugs. A suspected prostitute involved in sex trafficking wouldn’t fare much better.

Congress has made it clear it’s about to go after Twitter and the sex workers on Twitter. Keep your business Twitter account tied to your business, your activist persona on its own. Speaking of which, if you’re truly concerned, use proxies to sign into Twitter. Or buy a “burner” phone and just use that to access your Twitter accounts. Even better if you can Tweet via a Google Voice number that’s tied to a burner phone (I have no idea if you can — feel free to enlighten me). Just like dressing up when it’s cold, it’s all about layers.

Posted on by Amanda Brooks

reactions v

getting paid on time

One thing sex workers have going for us is that we get paid on time. Smart ones get paid upfront (this is standard for most, but not all, of the world). While I’ve often compared mentally freelance writing work with sex work, they’re only now catching up to the pay-upon-completion model. Not the same as pay-upfront, more like pay-as-you-go but for a legal occupation, it’s a huge step forward.

make an authentic logo

Too funny! Hipster logos!

speaking of authentic

Yes, that guy I mentioned in the first section did indeed make another one of his damned “authentic” posts. I cursed at the monitor for subjecting me to it, then unsubscribed. I’ve added a couple new non-sex-work blog subscriptions and am much happier. Thank you, non-authentic bloggers, for writing more of what I like reading.

Read more