Despite this limitation, confirmation emails are useful as one security control for an e-commerce website, but they shouldn't be relied on as the sole control for preventing registration by malicious users.
An example of fraud would be a malicious user trying to gain access to an e-commerce site as someone else, say, using someone else's email address. They might do this to gain access to a bank account that already exists, but isn't yet registered for online account access.
A confirming email would then be sent to the legitimate user's email address. If the real account holder had actually registered, he or she would expect such an email. If the email was unexpected, the account holder can call the bank, which can investigate and freeze the account, if necessary, to prevent malicious use or access.
Confirming emails that require the user to click on a link, or return to the site to verify their access, can also block spam bots that try to automatically register to sites. Spammers can hit a site with hundreds or thousands of possible account names to find a legitimate account to steal. Confirming emails block these types of attacks by requiring a response to each individual email, something an automated script can't do.
Another thing to consider when using confirming emails involves session-replay attacks. Make sure the link in the email contains a unique identifier that can only be used once. After the user clicks on the link and confirms their registration, the link should expire. Otherwise, a malicious user could cut and paste the URL to try and access the account. Session expiration should be part of e-commerce registration software.
Again, it should be emphasized that confirmation emails are only one type of fraud and spam control, and not a form of authentication.
This was first published in September 2008