Despite this limitation, confirmation emails are useful as one security control for an e-commerce website, but...
they shouldn't be relied on as the sole control for preventing registration by malicious users.
An example of fraud would be a malicious user trying to gain access to an e-commerce site as someone else, say, using someone else's email address. They might do this to gain access to a bank account that already exists, but isn't yet registered for online account access.
A confirming email would then be sent to the legitimate user's email address. If the real account holder had actually registered, he or she would expect such an email. If the email was unexpected, the account holder can call the bank, which can investigate and freeze the account, if necessary, to prevent malicious use or access.
Confirming emails that require the user to click on a link, or return to the site to verify their access, can also block spam bots that try to automatically register to sites. Spammers can hit a site with hundreds or thousands of possible account names to find a legitimate account to steal. Confirming emails block these types of attacks by requiring a response to each individual email, something an automated script can't do.
Another thing to consider when using confirming emails involves session-replay attacks. Make sure the link in the email contains a unique identifier that can only be used once. After the user clicks on the link and confirms their registration, the link should expire. Otherwise, a malicious user could cut and paste the URL to try and access the account. Session expiration should be part of e-commerce registration software.
Again, it should be emphasized that confirmation emails are only one type of fraud and spam control, and not a form of authentication.
Dig Deeper on Web authentication and access control
Related Q&A from Joel Dubin
Ensuring authenticity of online communications is critical to conduct business. Learn how to use a public key and private key in digital signatures ... Continue Reading
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading