JBM’s Basic Guide To Online Subterfuge | Phase 0

This guide primarily suggests US based services, because I am based in the US. I wish I could help those outside the US, but I am not familiar enough with the laws, available services, etc..I still hope this gives you a rough guide for you to explore these ideas in your own country.

Phase 0: You, but not you

Ok, so when you’re doing things online you are inevitably going to have to sign up for things. There are a ton of free things out there, but they always require a sign up. That wouldn’t be a huge problem in itself but unfortunately all these little websites suck at OpSec… and they get hacked. Even the big boys get hacked. Once you have several databases you can track individual persons, know their habits, and even personal information about them.

If you wanted to, you could then exploit them with that knowledge. Prey on their fears or hopes and dreams. Steal their credit profile, work illegally in their name or even ruin their reputation. So, to counteract that we’re going to create a fake person. Now obviously this fake person won’t check out with a government agency or whatever. It’s just an online alias, but it’s a good one. Also … and I shouldn’t have to tell you this but, don’t use this alias on things like bank accounts, credit apps, etc… we’re just violating some website terms of service here, not tryna commit bank and wire fraud. Understand? Good. Disclaimer over.

Now to sign up online, make purchases online, and generally do business online you need a few basic things. Websites think these things are unique in some way, or difficult to obtain so they use them as some sort of stupid unique identifiers. I guess in a way they are because people rarely lie about them or go through the trouble to hide themselves online, and companies encourage you to give them your life story. At any rate those things in no particular order are:

1. A Full Name
2. An Email address
3. A phone number
4. A physical address
5. A credit card number (must match name and address above)

So what we’re going to do is create a fake identity to use online. While this will take some money and expense to setup, it is well worth the safety of your anonymity online. Also, in the event that you are being targeted, or exploited, this will send your attacker on a wild goose chase and allow you to burn that identity to escape if needed. Good OpSec, good subterfuge is all about layers.

Again, none of this will hold up to intense scrutiny or deep investigation by government authorities. First you need to think about who this person is, as good layering involves adding plausible data in the event one of your layers is peeled back. If your online identity is a ghost with no social media profiles, or if you talk like you’re from the UK but claim you are from the US, the gig will be up. So we’re not just going to create an identity, we’re going to also create a personality.

0.1: A Name

Now you might think you can pick any name, but choosing a name is important for several reasons. First, you want your name to not be too unique. For example, my first choice of “Starfire Unicorn” is not a good one. Why? There is no one else on this planet with that name. I will stick out like a Unicorn at a Rodeo with a name like that. So … we want to choose something generic. I like to choose the names of famous or semi-famous people personally. That way when people do a web search, or even a public database search, it’s flooded with them instead of me. So a name like Michael Jackson or Jim Smith is good. Obviously choose a very common name for your region and to match your new personality.

0.2: An Email Address

This one is fairly easy to obtain, but no one wants to manage 100 different email addresses. There are several different methods to this, but I highly recommend you sign up for, and pay for an account with Proton Mail. While the free service is adequate for simple email, the paid service is worth the cost. For the next part of this guide you will need a Proton Unlimited account in order to take advantage of the “hide my email” feature. Until then you can create a free account for your single alias here and continue this guide. Make your email convincing, something like michael.jackson55@protonmail.com, creating more plausibility for your new identity. Eventually you may want want to create multiple identities, in that case a Proton Unlimited account would make that easier as well.

0.3: A credit card number

I sorta jumped our line from up above huh? Well you’re going to need a credit card number for all the rest of this stuff, so we have to. This one is tricky huh? I mean you can’t use your new alias on a credit card application … remember? We’re not committing wire fraud here. Also when you buy things, the name on the card, and the address have to match. Hmmm. It’s actually quite easy! If you already have a credit card (not a debit card with a credit card logo) you can get a second card issued in anybody’s name!

So go ahead, call them up and tell them you want to add another signer to your account. Give them your alias created above. You can use the same billing address for now. We’ll get to that and come back to change it later. The key here is to make sure they issue a different number and not just another card with a different name. I know Chase Bank sometimes uses the same card number for every signer. Others don’t. Be sure to inquire and if necessary request a unique number for this card. If everything worked well you should have a new card in your mailbox in a week or so.

0.4: A phone number

This is a bit trickier than the first two. I know what you’re thinking … why not get a Google Voice number, or some other VOIP service? Primarily because a lot of websites now block those numbers, don’t allow them for authentication or even block calls and texts from them due to spam. Also those numbers get spammed to death. So, we need a real number, preferably a cell phone number that accepts SMS. I’m not going to lie to you, this is going to cost a little bit of money, but it’s worth it. You’re essentially going to have a burner phone, but since you’re not trying to hide from the authorities you won’t dramatically smash your phone after ending a call and have to buy a new one every couple of hours.

So we’re going to pick up a nice, clean, previously owned mobile phone of your choice. Android or iPhone, doesn’t matter as long as it’s compatible with your new provider, still receives security updates AND has the ability to be a wifi hotspot (more on this in later posts). Nothing too fancy, this won’t be your primary device. It will spend most of its life in a drawer.

Warning: Don’t ever connect this phone to your home WiFi. It will instantly be associated with your ISP, Internet provider, etc… and thus you, using fingerprinting techniques as soon as it comes online. Especially, if it’s a Google device. I recommend doing a full wipe and reset on the device as well.

Then we’re going to visit one of the many MVNO’s out there. What is a MVNO? An MVNO is a wireless carrier that doesn’t own their infrastructure. Think a middle-man or a wholesaler. You may even be subscribed to an MVNO without knowing it. Mint Wireless, Boost Mobile, MetroPCS … all MVNO’s. Basically if you aren’t a Verizon, AT&T, or Tmobile subscriber … you’re on an MVNO. There’s nothing wrong with MVNO’s, you pay a cheaper price with the understanding that you will be under prioritized when traffic is heavy.

The other great thing is, no contracts, most let you bring your own device and … you can sorta sign up anonymously. 🥸 You can choose any provider you’d like, but I personally like Mint Mobile, so this is what I will focus on.

0.41: Why I like Mint Mobile

1. All account features and changes, including porting, sim swaps, everything is handled through your online account or app, no phone customer service or physical locations to exploit.
2. App & Website has 2FA to prevent account hacks.
3. Free trial sign up doesn’t require credit card info up front.

This should theoretically work with any of the “pay as you go” providers though. So now, you should have an alias, a credit card with Michael Jackson for the name, and a basic smartphone with no cell service. For paranoia’s sake, the next part will require some cash. Not much though. You’ll just need a few bucks. Walk into any Best Buy wearing your favorite Covid mask and sombrero, head over to the cell phone section and grab the Mint Mobile free trial SIM card. Last I checked this cost $2.00 and it includes a 7 day unlimited talk/text/data trial.

I hope you didn’t jump the gun and connect your new “burner” phone to your home wifi like I told you not to. Either way, while you’re in the parking lot of Best Buy, do a full reset on your new phone. When it’s complete just slap the new SIM in there and begin setting up your new phone Mr. Jackson. Probably even need a whole new Google account or Apple ID huh MikeyJHehe@Proton.me? Since you haven’t activated your trial yet, all you can really do is download the Mint Mobile app, or visit the Mintmobile.com website. So download the app, or activate your sim card from another device on the website. Just follow the instructions, it’s easy to do.

During the sign up you will be asked for your name, Michael, and asked to choose a new phone number to begin the trial. I recommend trying to choose one in an area code far from your actual physical home location. You don’t want to get too far away though. Like … don’t get a Los Angeles number if you live in NYC, but maybe Jersey City or Scranton. Why? If your alias is exposed, we want it to seem plausible so your attacker doesn’t realize it’s a ruse and continue trying to dig deeper. So if all clues point to Michael Jackson living in Scranton, then that’s where he lives and that’s where your attacker will waste their time and effort.

Pro Tip: Mint mobile is also good for protecting accounts under your real name too. Since you can sign up with any name and everything is managed via an app, it makes it very difficult to sim jack you, even if they know your number and your real name. This of course won't prevent a Mint employee from hijacking you if they can manage to link you and your alias, but it limits it to just Mint employees instead of 1,000,000 physical locations staff and sales affiliates nationwide like the larger companies. Less moving parts, smaller surface area.

0.5: A Physical Address

Often times you need a physical address for verification, or to have something shipped to you. PCI standards require that the billing address match’s the credit card you are using to make your purchase. The name also needs to match as well. Now, you have a few choices here. You can go with a Post Office box, which is the more secure choice but many people won’t ship to a PO Box so you’re limited on what physical goods you can purchase. Due to strict privacy laws, PO Boxes are protected from search and seizure by warrant and identification of the owner can only be discovered with a warrant. This will certainly help you prevent social engineering exploits where an attacker may try to get an employee to turn over your identity as the box owner, since doing so would also carry a felony criminal charge with it.

The next choice is a mailbox at one of the privately owned shipping centers, like “Pack n’ Mail” or the UPS Store. Places like those will accept your packages, even sign for them if necessary and hold your mail. They do come with a certain security risk however as most require a state or federal ID to rent and are not protected by Federal laws. This means an adept attacker could potentially socially engineer or bribe your real identity out of an employee at one of these places. Decisions, decisions… Either way, it needs to be in the same physical location as your newly acquired phone number. So if you got a Scranton number, rent a box in Scranton, or the surrounding burbs. Plausibility.

Conclusion

There, you should have a basic alias setup now with some basic plausibility. Congratulations Mr. Michael Jackson! You’ve setup your first layer of subterfuge. But hey … we’re not done yet. Stay tuned for the next phase.