Buckle up, babes: it’s time for this quarter’s tech rant. Today’s subject is digital security, aka how to not get hacked. Grab some coffee and set aside an hour, because this one is interactive.
As sex workers, we’re targeted by scammers, hackers, and vindictive clients more often than our vanilla counterparts. When our accounts are insecure, we don’t just risk our own information; we put our friends and clients at risk as well.
We all know that security is valuable, but increased security often comes with the tradeoff of decreased convenience. How do we batten down the hatches without making life suck? Keep reading for my top 3 suggestions.
1. 2FA is bae
Two factor authentication (aka 2FA or multi-factor authentication) means that you add an extra step, or “factor”, to logging in.
Usually, one factor is something you know, and the other factor is either something you have in your physical possession (like your phone) or something that you are (think a fingerprint or FaceID).
Don’t leave yet! It’s not as complicated as it sounds; you already use 2FA in everyday life without realizing it.
When you pay with a debit/ATM card, you use your physical card (something you have) and your PIN (something you know). When you log into your bank, you use your username/password (something you know) and then input the code that gets texted to your phone (something you have).
Two-factor authentication is important because it means that if someone gains access to your username/password, they still can’t log in as you unless they also control your second ‘factor’, typically your phone. If someone gets your user/pass for IG, they still can’t log in unless they also input the login code that IG texted you.
The vast majority of the account hacks I’ve seen this year could have been prevented just by setting this up.
So how do you enable two-factor authentication?
Each app/website has their own process, but let’s keep using Instagram as a generic example. When you enable two-factor authentication on Instagram, they give you the option to either get a text message with a code to log in, or to set up an authenticator app. An authenticator app is simply an app that generates special temporary login codes. It’s similar to getting a code in a text message, but faster.
I recommend using an authenticator app instead of your phone number for many reasons, but the biggest one is that it’s easier to lose access to a phone number than it is to lose access to your authenticator app. If you lose your phone, have bad cell service, or if (god forbid) Google Voice bans you, you’ll be locked out of your accounts. It’s highly unlikely you’ll lose access to your authenticator app, since you can just reinstall it on a new phone and log in to continue accessing all of your temporary codes.
There are several comparable options for authenticator apps. Some popular ones are Authy, Google Authenticator, and Duo Authenticator. I personally prefer Authy, since it can be installed on your computer as well as your phone and it’s the easiest to reinstall if you lose your device. It’s slightly less secure than Google Authenticator, but in my opinion the increased convenience is worth it.
Once you’ve set up your authenticator app, it’s time to start turning it on for critical sites. You can usually find this setting under Settings > Security > Two-factor authentication.
The setup process looks like this:
First, you scan a QR code to link your authenticator app with the site. Then, you enter a temporary code from the app to confirm that it worked. It’s easy to get the hang of it after you do it once, and I’ve linked to individual guides below.
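To show what the authenticator app is actually doing with that QR code, here is an added example (not from the original post, and not any particular app’s code): the QR code carries a shared secret, and the app mixes that secret with the current 30-second time slot to produce the 6-digit code, so the code changes without the app ever needing cell service. The secret used here is the published RFC 6238 test value, so the codes it produces are known.

```python
# Added example (not from the post): how an authenticator app turns the secret
# from the QR code into the temporary 6-digit codes described above (RFC 6238 TOTP).
# Standard library only; the secret is the RFC's published test value, not a real one.
import base64
import hashlib
import hmac
import struct
import time

# Base32 secret as encoded in the QR code you scan (RFC 6238 test vector, not a real account).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for one time slot: HMAC-SHA1 over the slot counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                      # same slot on phone and server
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # last nibble picks 4 bytes of the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """What the site does when you type the code in: accept the current slot plus
    `window` slots either side to allow for clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second slot:", totp(DEMO_SECRET, now))
```

Because the code is only valid for the slot it was generated in, a code someone talked you into sharing is useless to them a minute later, which is exactly why scammers ask for it "right now".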
These sites are particularly vulnerable, so I highly recommend doing them first:
- Your email account (Protonmail, Gmail)
- Your bank accounts
- Payment apps (Cashapp, Coinbase)
- Any platform you use to keep track of client data (calendars, accounting software, spreadsheets)
- Ad sites (e.g. Tryst)
Using 2FA only adds an extra few seconds to the log in process, but does a hell of a lot for your peace of mind.
Important note: If anyone asks you for your two-factor authentication code, either the code that gets texted to your phone number or the code that’s displayed in your authenticator app, do not give it to them. No support team will ever ask you for this. Once someone has access to your password + this code, they can then take control of your account and lock you out. Don’t share this even if you think it’s a friend asking for it. Their account could be hacked, and you might actually be talking to a scammer.
Speaking of scammers…
2. Too bad to be true? It’s probably a scam.
If your friend posts a story testifying about a great bitcoin investment? Ignore it. They’ve been hacked.
If someone asks you to send them a reset password link? Don’t. Tell them to Google it.
That email with an enticing message that looks like it’s from Tryst? It’s not.
The email from Eros threatening to deactivate your account if you don’t re-verify? Scam.
The DM from a sugar daddy offering you a high-value trip, right off the bat? Also a scam.
Your client who claims he needs access to the private key of your bitcoin wallet? Absolutely the fuck not.
If anyone sends you a link that takes you to ANY sort of login page, password reset page, or signup form, close that window and go to the website directly instead. A common technique that scammers use is to create a fake login page, so when you enter your username & password, they can see it and use it to gain access to your account.
Two techniques that scammers rely on are creating a false sense of urgency and a false sense of security.
When you get unexpected emails about account deactivations, password resets, or time-sensitive transactions, pause! Take a breath. These scammers are hoping that you’ll jump into panic mode and won’t notice that the convincing login page is actually at faketryst.com instead of tryst.com.
Just go to the website or app directly, log in, and check your account settings to confirm nothing actually changed. If you have two-factor authentication enabled, you’re probably fine.
Another technique (that’s pure evil, in my book) is to create a false sense of security by communicating with someone’s friends from a hacked account. Right now I’m seeing this happen most frequently with bitcoin scammers, who convince their victims to film a video testimonial promoting their crypto scheme, then hack their victim’s account & use the testimonial video to persuade their friends to get scammed as well.
If you fall for one of these scams, don’t beat yourself up! It happens to ALL of us. I can’t tell you how many times I’ve panicked at a fake account deactivation email. You’re not stupid, weak, or vulnerable; you were just caught in a bad moment where some asshole took advantage of your humanity.
When this happens, change your username/password on the impacted site as soon as you can, turn on 2FA if it wasn’t already enabled, and change your password on any other site where you reused that password as well.
This brings us to our third tip…
3. unique passwords, THE EASY WAY
Now we’re going to do something that can be a little bit of a mindfuck. Let’s take a look at some of the times your passwords have been leaked in the past. Ready?
If you search for a long-standing personal email, you might get a list of a dozen data breaches where your information was leaked. Usernames, passwords, social security numbers, past job titles, addresses, all over the past decade. It can be really unnerving to see how poor the security is at so many major companies.
I like this as an exercise because it usually drives home an important point on password reuse. Say you create a super secure password (like “S0o0p3rs3cure!”), memorize it, and use it on a ton of sites… Twitter, Instagram, Adobe. Then Adobe has a data breach (à la 2013), and your login email & password are leaked.
A common technique used by hackers is to take these leaked username/password combos and test them out on other sites, like banks or payment apps. Even though your password is nice and complex and hard to guess, it’s still vulnerable solely because it was reused.
But creating unique passwords is hard. It’s incredibly difficult to remember random phrases and combinations of letters and numbers. How do you make this secure without feeling like you’re digging through a giant key ring every time you need to log in?
I like a combination of passphrases and password managers.
A passphrase is simply a random unique combination of words. This classic XKCD comic has a great explanation of why passphrases are both easier to remember and generally more secure than regular passwords:
Don’t worry, nobody is expecting you to generate dozens of memorable passphrases and keep them in the back of your mind for every single website. That’s why we have password managers.
Password managers are just apps that keep track of your usernames & passwords. Most good ones will even generate & save secure passwords for you.
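Here is an added example (mine, not code from the post or from any password manager) of what the “generate a secure password for you” button is doing under the hood, plus the arithmetic behind the XKCD point: a few random words from a big list are as strong as a long string of random characters, and far easier to remember. The eight-word list is a constructed stand-in; a real generator uses a list of thousands of words.

```python
# Added example (not from the post): the guts of a password manager's generator,
# and a way to compare passphrase vs. character-password strength in bits.
import math
import secrets
import string

# Constructed mini wordlist for the demo; a real generator uses a large published
# list (several thousand words), which is what makes a 4-word passphrase strong.
WORDS = ["broccoli", "lantern", "velvet", "compass", "otter", "meadow", "pixel", "saddle"]
CHARS = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_passphrase(n_words: int = 4, words=WORDS, sep: str = "-") -> str:
    """Pick words uniformly at random using the OS's secure generator, never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length: int = 16, chars: str = CHARS) -> str:
    """What a manager stores for sites you never have to type the password into."""
    return "".join(secrets.choice(chars) for _ in range(length))


def entropy_bits(choices: int, picks: int) -> float:
    """Strength of `picks` uniformly random picks from `choices` options: an attacker
    must try about 2**bits guesses. Only valid if the picks really are random."""
    return picks * math.log2(choices)


def stronger_than(n_words: int, list_size: int, char_len: int, charset: int = 94) -> bool:
    """Is an n-word passphrase from list_size words at least as strong as a
    char_len-character random password?"""
    return entropy_bits(list_size, n_words) >= entropy_bits(charset, char_len)


if __name__ == "__main__":
    print("passphrase:", random_passphrase())
    print("password:  ", random_password())
    print("4 words from 7776:", round(entropy_bits(7776, 4), 1), "bits")
    print("8 random chars:   ", round(entropy_bits(94, 8), 1), "bits")
```

Note that a memorized password like “S0o0p3rs3cure!” gets none of this math: it is a dictionary word with predictable substitutions, so the breach-replay attack above does not even need to guess it.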
Some popular password managers include:
Password managers will typically ask you to create a single master password which protects your collection of individual unique usernames/passwords. It’s like having a key that unlocks the safe with all your other keys inside.
As a general rule of thumb, you should never write down your usernames & passwords on paper; this can fail in so many unexpected ways. Sometimes a nosy neighbor spots it, sometimes it shows up in the background of photos, sometimes your ex snaps a photo of it before they move out. Sometimes your kid covers it in crayon and then you’re toast.
But with that being said, I’m going to give one piece of technically bad advice here. If you have a terrible memory for secure passwords and you decide to use a password manager app, this is the one time you’re allowed to write your super secure master password (or passphrase) down on a sticky note. Don’t write down what the password is for. Don’t write down a username that goes along with it. Just write down the secure password and put it somewhere memorable but hidden, like behind your favorite painting or tucked inside your least-favorite book. Treat this with more security than you do your house key. Never tell anyone where you’ve put it, and never tell anyone else it exists. You can destroy it once you’ve firmly memorized it.
Protect against bogus password resets
While we’re on the subject of passwords, another point of vulnerability is any password reset process that asks you for personal information. Here’s the hard truth: it’s VERY easy to figure out someone’s mother’s maiden name, where they grew up, and where they got married. Most of these questions aren’t secure.
How do we make them secure? We lie!
I make this easy on myself by choosing questions with zero personal relevance so it’s obvious that the answer was something I made up. When I’m on the phone with support and they ask me where I was married, I reply with something seemingly bizarre like “broccoli”. It doesn’t matter if the answer makes sense; it just matters that the answer matches whatever I put in the form when I signed up.
If you use a password manager, you can usually save these answers alongside your passwords. Otherwise, find a strategy that makes sense for you. I have one friend who answers those questions based on what her wife would say, and vice-versa. I had an ex who used the same nonsense word for every question, so he only needed to remember one word. You could even find a way to turn it into an algorithm, like answering truthfully but including a nonsense word first – My first pet? Broccoli Lassie. First car? Broccoli Ferrari.
Here’s your checklist for today:
- Set up two-factor authentication
- Don’t click on links in unexpected emails
- Use a password manager
- Lie on your password reset questions
I know that this can be a lot to set up, but don’t let perfect be the enemy of good. Do what you can with the skillset and tools you have, and focus on consistency above all else. The tools you use are always better than the ones you don’t.