HOPE 2020 (2020): "Anatomy of an Accidental Honeypot" (Download)
Sunday, July 26, 2020: 1800. Gus owns a couple of Gmail accounts with very generic, common user names. Unfortunately, this means she has ringside seats to some of the worst privacy and security mistakes on the web, as everyone with these names (and everyone they know) sends email to these accounts, thinking the mail will go to the right recipients. It's a common story by now, one that others have written about, but it's an under-recognized human factors problem in security. One of her accounts is a veritable nuclear waste dump of social security numbers, licenses, and bank account information that should never have been sent there.
In this talk, Gus will give an overview of what kind of documents show up in this account, and who is sending them. In talking to some of the people who have sent these misguided emails, she has learned about the specific shapes of bad habit and mistake that lead people to send email to this account - thinking it is theirs in some cases - and she will share those, along with comparisons to the Internet mistakes she saw in her dissertation research. Gus will discuss the structural problems with email that plague us this way. She will talk about the potential ramifications of accounts like this for phishing schemes and social engineering pretexting, which have been cited by other security researchers. Gus will describe the successful and unsuccessful interventions she has attempted in order to try to get people to stop sending email to these accounts, and the weird, serendipitous stories that have come about as she's talked to them (including getting written up in a North Carolina newspaper story about a dying woman she never met).
In the comments period, she will seek input from attendees facing this same problem, and will workshop other potential ways to solve it.
Dr. Gillian "Gus" Andrews