Despite this limitation, confirmation emails are useful as one security control for an e-commerce website, but...
they shouldn't be relied on as the sole control for preventing registration by malicious users.
An example of fraud would be a malicious user trying to gain access to an e-commerce site as someone else, say, using someone else's email address. They might do this to gain access to a bank account that already exists, but isn't yet registered for online account access.
A confirming email would then be sent to the legitimate user's email address. If the real account holder had actually registered, he or she would expect such an email. If the email was unexpected, the account holder can call the bank, which can investigate and freeze the account, if necessary, to prevent malicious use or access.
Confirming emails that require the user to click on a link, or return to the site to verify their access, can also block spam bots that try to automatically register to sites. Spammers can hit a site with hundreds or thousands of possible account names to find a legitimate account to steal. Confirming emails block these types of attacks by requiring a response to each individual email, something an automated script can't do.
Another thing to consider when using confirming emails involves session-replay attacks. Make sure the link in the email contains a unique identifier that can only be used once. After the user clicks on the link and confirms their registration, the link should expire. Otherwise, a malicious user could cut and paste the URL to try and access the account. Session expiration should be part of e-commerce registration software.
Again, it should be emphasized that confirmation emails are only one type of fraud and spam control, and not a form of authentication.
Dig Deeper on Web authentication and access control
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.