Users Really Do Plug in USB Drives They Find

We investigate the anecdotal belief that end users will pick up and plug in USB flash drives they find by completing a controlled experiment in which we drop 297 flash drives on a large university campus. We find that the attack is effective, with an estimated success rate of 45–98%, and expeditious, with the first drive connected in less than six minutes. We analyze the types of drives users connected and survey those users to understand their motivation and security profile. We find that a drive's appearance does not increase attack success. Instead, users connect the drive with the altruistic intention of finding the owner. These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks than their peers. We conclude with lessons learned and discussion on how social engineering attacks, while less technical, continue to be an effective attack vector that our community has yet to successfully address.
