jonw's mayhem academy

Canadiana. Tech. Dogs.

Death By Tech Vault Leak: July 24th, 2020

I write a couple of articles each week (ok, less during the summer!) and post them to my Death By Tech blog. Half of those posts go to all subscribers, the other half only to paying subscribers. But every now and again, after a few months, one of those paying posts leaks from the vault and comes to you for free! Here is today’s:

The Evolving Chaos of Working From Home

I wrote this during the early days of the pandemic when office workers were being sent home. The move was sudden for some, and many people did not, and perhaps still do not, have a proper set up at home to be productive. I’ve worked from home for years, so I share some of my hard-won knowledge on what you need to be effective at home.

I’ve worked from home for 13 years, exclusively for the last 7. By now I have a sweet setup that meets all my needs. My office (yes, an actual office) goes way beyond the 10-step listicles that most blogs are posting these days amid the Covid-19 pandemic, but it’s hard to remember how it was in the beginning. I am trying to remember how my office started and I am envisioning the latest crop of forced work-from-home office workers learning the same things I learned years ago. My memory isn’t perfect, but here are some of the things I recall learning about working from home that I am betting most office workers haven’t even considered.

Read the article here.

my shorter content on the fediverse: https://the.mayhem.academy/@jdw


From the very first text-based emoticons to today’s rich coloured emojis, the phone-toting world has fallen in love with the little happy faces and flags. The most used emoticon in the world is the “face with tears of joy” emoji, followed by the “red heart” emoji (both added in 2015). That’s a pleasant list of top emojis, but it all started with text-based “emoticons” which were just little text representations of things. The most popular emoticon, which I still encounter daily, is the ol’ smiley face :-) and, less frequently these days, the sad face :-( In the early days, there was no consistency between mobile devices, and sending an emoji to someone did not guarantee that it would show up on the receiver’s end. These days, the selection and modification process of emojis is handled by a shadowy* group named the Emoji Mafia, but some people call it the Unicode Consortium.

*Shadowy may not, in fact, be shadowy.

Emotion, emoticon, emoji, and smileys

Let’s get some basic terminology out of the way here. The colourful icons that we’re familiar with today are emojis. The word emoji is a portmanteau of the Japanese words ‘e’ and ‘moji’ meaning picture character. Emojis are discrete characters in themselves; they are not created by using existing characters on the keyboard.

Emoticons are the early text-based characters that are created by using standard characters already on the keyboard. It is a portmanteau of the English words ‘emotion’ and ‘icon’. This group of characters is also frequently referred to as ‘smileys’.

Emotion is… well, the word emotion. The only reason I mention it at all is that it forms part of the word ‘emoticon’. Another interesting thing about it in this context is that despite the linguistic similarities, the words emotion and emoticon did not contribute in any way to the word emoji, which, as we’ve already learned, is a happy coincidence involving the words ‘picture’ and ‘character’ in Japanese.

Who is the Emoji Mafia?

To understand this, first, we need to understand a little bit about scripts in general. A script is an alphabet; it is a series of characters that allow us to write things. Scripts are closely related to language because we use scripts to communicate in our language, but they are not the same thing.

For example, I am using the Latin script to write this blog post, and I am writing it in the English language. However, the same Latin script is used to write different languages such as French and German.

Many languages use scripts other than Latin, such as Arabic, Cyrillic, and Chinese. In fact, there are many scripts in use around the globe today. In the early days, we used only 127 ASCII characters to represent all of our ideas.

Seven-bit ASCII improved over prior five- and six-bit codes. Of the 2⁷ = 128 codes, 33 were used for controls, and 95 carefully selected printable characters (94 glyphs and one space), which include the English alphabet (uppercase and lowercase), digits, and 31 punctuation marks and symbols: all of the symbols on a standard US typewriter plus a few selected for programming tasks.

ASCII was extended to, you guessed it, Extended ASCII (sometimes called High ASCII) to add more characters, but it still was not enough. Unicode was born of that frustration and it supports many more characters which means any computer device can now type in any script, living or dead.

When you get down to brass tacks, emojis are just another script. Therefore, the Unicode Consortium manages emojis just like it manages any other script.

Where do emojis come from?

Well, when a mommy emoji and a… no, wait. That’s not right at all.

Emojis are tightly controlled. There is a lengthy process involved from the suggestion of a new emoji until the day it appears on our phones for use. Anyone can suggest a new emoji, but certain guidelines have to be met in order for it to even be considered by the Emoji Mafia:

  • Compatibility with existing high-use emojis in popular systems like Instagram and Snapchat

  • Is expected usage high enough, or is it a niche-emoji not many people will understand and use?

  • Does it have multiple uses? For example, a shark is a shark, but can also be used to indicate a con man or huckster.

  • Does it break new ground? That’s a point in its favour, if so.

  • And more…

The guidelines and submission criteria are surprisingly complicated and must include an image of the proposed emoji.

Once an emoji has been properly submitted, the consortium reviews and decides whether the application is well-formed and ensures that it makes a relatively strong case for the emoji. The submission is then sent to the Emoji Subcommittee for review. The documentation falls apart at this point and starts referring to the Unicode Technical Committee (UTC) as well, so it’s not clear which committee makes the final call. Regardless, possible outcomes are:

  • acceptance as a candidate,

  • the proposal is declined,

  • or it is returned to the submitter for more work.

Proposals that are accepted go into the hopper to be added to the Unicode spec in the following year.

Why do emojis look different on different platforms?

This is the most confusing thing about emojis from my perspective. So much work goes into the very formal process of submitting and approving an emoji. The submission process even requires an image of what the emoji should look like. But even with all that work, emojis can look different on Android compared to iOS, and other platforms as well.

The reason for this goes back to the fact that emojis are just a script like any other, and scripts have different fonts. For example, this part of the sentence is typed in the same script as this part of the sentence. But, I’ve applied different fonts to the script so one part of it is bold and the other is italicized. The same thing applies to emojis – a smiley face emoji will be smiling on all platforms, but the particular way it looks depends on the font. The Unicode Consortium does not dictate precisely what each emoji should look like, and device manufacturers are free to use whatever “version” or “font” they want.

A good example is the handgun, or pistol, emoji. The pistol emoji has been through a few variations and Android, iOS, and Microsoft have each displayed it as a pistol, a ray gun, or water pistol over time. That is acceptable to the Unicode Consortium because it just specifies that it has to be a pistol.

How can I help?

The Unicode Consortium is a US-based non-profit corporation and like most non-profits, the best way to help is money. Adopting a character is the easiest way to push money at the Consortium, and for your troubles, you will be listed as a sponsor in various places and get a nice badge you can put in your profile, website, or wherever you’d like.

There is a long list of people and organizations who have already sponsored characters. It is interesting to see the emoji that some people and organizations have chosen. There are lots of recognizable names from Vincent Cerf to the Ford Motor Company on the list.

So there you have it. There is a very long and winding trail an emoji has to travel before you will find it on your phone. Nothing is ever simple in technology, but the Unicode Consortium has done a good job of hiding that complexity from us and has also shown itself to be a very effective curator of the global script in general.



Masqt.com: Bringing online anonymity back.

Photo by Serkan Turk on Unsplash

Internet stalking and tracking are the new normal. We’ve had no choice but to accept that commercial interests and bad guys have taken over the internet, and fending off these unwelcome advances and attacks has become the entry fee for using the internet. There are several apps and services that can help us cloak our online identities, but none are as elegant as Masqt.

I had the good fortune to be able to share emails with Seán Ó Bearnaigh, one of the founders and Managing Director of Masqt, while writing this article. That cooperation allowed me to include some “up and coming” information that I otherwise would not have known.

Our online identities are stolen and sold as a matter of course. Not a day goes by without a new data breach in the news and in almost every case the stolen data contains email addresses. Bad guys then use those email addresses along with password lists to try to break into your various online accounts using a technique called credential stuffing.

Credential stuffing is an automated process that attempts to break into online accounts by trying stolen email addresses together with lists of passwords.

The next most valuable thing attached to us is our phone numbers. While the frequency of actual phone calls may be on the decline, our phone number is still a unique identifier because no two people can have the same one. Many sites use the Short Messaging System (SMS, or “text” message) to deliver multi-factor authentication codes to your phone when attempting to log in to an online account. What many people do not know is that your phone number isn’t attached to your phone. It is attached to the Subscriber Identity Module (SIM) card inside your phone. Bad guys know this and execute SIM Swap attacks to gain control of your phone number.

A SIM Swap attack is one where a bad guy engages your carrier’s support team to move your phone number to their own SIM card, thus intercepting all your calls and text messages, including multi-factor authentication codes.

Masqt provides a way to “mask” (get it?) your email address and phone number so that it is much harder for bad guys to take over your identity. When that data is breached, all they get is your disposable contact information.

Both the App Store and Play Store contain apps that will provide you with temporary phone numbers, and email addresses are essentially free these days. With a little work anyone can amass many email addresses from a variety of services. I was assessing which service would be best for me when I ran across Masqt and I was sold. From the masqt.com website:

Keep your personal data private by replacing it with a persona: a Masque.

A Masque comes with a masked email address, and you can give it a name, record the situation you use it in, and attach a virtual phone number.

By eliminating the bad guys’ ability to steal your real email address and phone number, you’ve significantly reduced the threat of being phished and hacked.

How does it work?

Masqt’s configuration is all done from the website. There is nothing installed on my phone and there does not need to be (more on that later). I set Masqt to forward emails from my Masqt email address(es) to wherever I want. The same with my Masqt phone number; it forwards to a real phone number — no app required. It’s doubtful that most people will need to make such frequent changes that an app is needed, but the website is responsive and works perfectly from a mobile device if needed.

The Masqt FAQ states that Android and iOS apps are coming, but I wasn’t so sure I want or need an app. I have a love/hate relationship with apps on my mobile devices. Apps can have privileged access to the sensors on my phone and potentially access data such as my location which I do not like. Yes, I can shut that off, but I’m never sure how much to trust my phone’s privacy settings. But, sometimes there is a need for an app.

Some services just don’t work well from a mobile website so an app is easier. On the other extreme, some apps are the service, such as PagerDuty, and there’s simply no practical way to use the service without installing an app.

Masqt has no such problem but Ó Bearnaigh clarified some of the benefits the app will bring to the table when it is launched, so I’ve changed my mind a bit:

  1. The potential for accidental de-masking if a call goes to voicemail is nullified

  2. People can isolate contacts within each Masque to prevent a host of other accidental de-masking activities, and

  3. People won’t have to give us their phone number. All contact and any other data-sugar the app uses is encrypted in local storage with keys we don’t have (so it can be synced if needed).

Let’s look at each feature more in-depth.

Masqt email addresses

Masqt doles out 10 random @masqt.com email addresses for each account, and you can easily create more. These email addresses forward to whatever email address you want and can be disabled or enabled as required. An interesting feature of the forwarders is that you can enable email replies in your settings page. This allows you to reply to emails sent to your Masqt email and the reply will appear to come from your Masqt email. This is done with some trickery in the reply-to address. To prevent spam, you cannot originate an email with your Masqt email address, however.

A reply to an email sent to a Masqt email address. Note how the From address is a Masqt address.

You can set a proper name for each of your Masqt email addresses in the Masques page of your settings, but that information isn’t used anywhere at the moment. Some future iteration of Masqt may use it, but for now it at least serves as a good place to leave notes for yourself as to what pseudonym you’ve associated with that email address.

Masqt email addresses are free.

Masqt phone numbers

Much like email, phone numbers are simply forwarders. They work for both voice calls and also SMS messages which makes them ideal burner numbers without all the hassle of a burner phone or SIM card. You can reply to SMS messages (more on that below) and they will appear to come from your Masqt number, but you cannot originate messages or phone calls.

Phone number country selection.

Masqt has phone numbers available from the UK, the US, and Canada, bundled into plans with a set number of minutes and messages. The combination of package and location dictates the price. Plans run from 20 minutes and/or 20 texts up to 60 minutes and/or texts. You can use the search feature to find a number you like and then view the package pricing inside your Masqt account under the Numbers → Buy menu.

Blocking

Masqt allows you to control who can email or call/text you through the use of block lists. If you’re being pestered by someone, you can enter their email or phone number into the respective block list, and they’ll no longer be able to get through to you.

Enter numbers to block from being able to call or text your Masqt number.

Email trackers can also be a problem. When you’re using your Masqt email address, the sender can’t easily know who actually received the email under normal circumstances. But, by placing trackers in the email, they may be able to find more information about you than you’d like. To prevent that, you can enable tracking scrubbers, which tell Masqt to attempt to scrub out trackers in your emails.
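To make the idea of tracker scrubbing concrete, here is an added example (not Masqt's code and not from the original post) that removes tracking pixels and tracking link parameters from an HTML email body. The parameter deny-list, the pixel heuristic and the sample message are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed deny-list of tracking query parameters (not Masqt's list).
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "fbclid", "gclid"}

def strip_tracking_params(url):
    """Drop known tracking parameters from a link, keeping everything else."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def is_tracking_pixel(attrs):
    """Heuristic: a remote <img> that is 0/1 px in both dimensions or hidden."""
    a = {k.lower(): (v or "").strip() for k, v in attrs}
    if not a.get("src", "").lower().startswith(("http://", "https://", "//")):
        return False
    tiny = a.get("width") in {"0", "1"} and a.get("height") in {"0", "1"}
    style = a.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

class TrackerScrubber(HTMLParser):  # re-emits the HTML; comments are dropped
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "img" and is_tracking_pixel(attrs):
            self.removed += 1          # skip the element entirely
            return
        if tag == "a":
            attrs = [(k, strip_tracking_params(v) if k == "href" and v else v) for k, v in attrs]
        # The parser unescapes attribute values, so escape them again on output.
        rendered = "".join(f" {k}" if v is None else f' {k}="{html.escape(v)}"'
                           for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # void element: no closing tag needed
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def scrub(html_body):  # returns (cleaned_html, pixels_removed)
    parser = TrackerScrubber()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample message: one tagged link, one real image, one 1x1 beacon.
SAMPLE = ('<p>Hi &amp; welcome</p>'
          '<a href="https://shop.example/sale?id=42&amp;utm_source=news">Sale</a>'
          '<img src="https://shop.example/logo.png" width="120" height="40">'
          '<img src="https://t.example/open?u=abc123" width="1" height="1">')
```

The beacon is the part that matters for privacy: loading it would tell the sender when, and from which IP address, the forwarded message was opened.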

Masqt settings page.

Some privacy notes

Masqt is a privacy-oriented company and as such has some good tips to preserve your identity when using Masqt. In addition to the email tracker scrubbing, be aware of the content of your voicemail. Until the app is available, your Masqt number forwards to some existing mobile number you have. If the voicemail at that number says “Hi, you’ve reached Jon Watson” then callers will hear that info, which may not be what you want.

The same caveat applies to email signatures. When you reply to a Masqt email, ensure your very detailed signature does not get appended to it.

When replying to a text message sent to your Masqt number, your reply will not automatically seem to come from your Masqt number. If you simply type a reply and hit send, you will expose your real phone number. To make a reply come from your Masqt number, you need to start your reply with the last 4 digits, plus a space, of the number that sent the message. Here’s an example of how to reply to an incoming text message from 465-095-1234:

1234 This is my reply to you.
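The reply rule above can be expressed as a check, shown here as an added example that is not Masqt's code or part of the original post. It assumes a hypothetical relay that matches the four-digit prefix against the numbers that recently texted you, and it refuses to route when the prefix is missing or matches more than one sender.

```python
import re

# "NNNN <message>": four digits, one space, then the message body.
PREFIX = re.compile(r"^(\d{4}) (\S.*)$", re.S)

def last4(number):
    """Last four digits of a phone number, ignoring punctuation."""
    return re.sub(r"\D", "", number)[-4:]

def route_reply(draft, recent_senders):
    """Return (recipient, body) for a masked reply, or raise ValueError.

    recent_senders is the (assumed) list of numbers that recently texted
    the masked number; the relay model itself is hypothetical.
    """
    m = PREFIX.match(draft)
    if not m:
        raise ValueError("no 'NNNN ' prefix: the reply would not be masked")
    code, body = m.groups()
    matches = [s for s in recent_senders if last4(s) == code]
    if len(matches) != 1:
        raise ValueError(f"prefix {code} matches {len(matches)} senders")
    return matches[0], body

# Constructed sample data using the number from the example above.
SENDERS = ["465-095-1234", "465-095-9999"]
```

Two senders sharing the same last four digits is the edge case the four-digit rule cannot resolve on its own, which is why the check fails closed instead of guessing.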

Support

Masqt provides support via email and yes, you can use your Masqt email address to engage. The level of support is excellent. I always receive very quick replies to my support queries and my issues are always resolved quickly.

Some things I’d like to see

Multi-Factor Authentication

The biggest concern I have with Masqt is the lack of multi-factor authentication on login. I feel that MFA is fundamental these days, and even more so for privacy and security-oriented services. I think it is fair to assume that most people who are interested in a service like Masqt likely already have good password hygiene and use long, unique passwords. The good news is that Ó Bearnaigh assures me that MFA is on the roadmap.

More flexible configuration

I’d like the ability to change my forwarders through self-service. Currently, I need to engage the support team to change my forwarding number or forwarding email address. I’d also like to see a feature where my Masqt email addresses and phone numbers can be forwarded individually. As it is now, all my Masqt email addresses forward to a single email address, and all my Masqt phone numbers forward to a single phone number.

Usage meters

I’d like to see some usage metrics, and it seems I am not the only one; this is also already on the Masqt road map. The phone plans are limited by minutes and messages, so it would be nice to be able to see how much of each I have left. It’s not clear to me what happens if I use my allotted plan so it’s possible I would stop getting calls or texts and have no way of knowing why.

Masqt is a good fit for me. It is easy to understand with a nicely laid out web interface that makes it obvious what I need to do. The fact that it does not require me to install an app is a bonus and the service works without any problems.

About Masqt

At Masqt we assert that privacy is a human right, and are deeply troubled by the progressive loss of control of our personal data, which can have potentially dangerous consequences. In an environment saturated with online and offline risks, our goal is to make sophisticated privacy practices accessible and easy for everyone.

Masqt was founded in 2018 in Ireland by Seán Ó Bearnaigh and Séamus Ó Buadhacháin as 50/50 partners. Seán, an erstwhile developer and systems architect, is now Managing Director of Masqt. He is also a privacy, cryptography, and infosec evangelist going back to the cypherpunk days in Berkeley in the mid 90s. Séamus, Masqt’s Technical Director, is a PhD candidate in computer science, taking a break from his dissertation to dedicate his intellect and expertise to our software development.
