[Owasp-leaders] email verification

Ali Khalfan ali.khalfan at owasp.org
Fri Mar 17 05:00:42 UTC 2017


My thinking exactly.

Possibility of leakage of info is huge.
I think the additional step is worth it.

On March 17, 2017 12:45:19 AM GMT+03:00, Jeremy Long <jeremy.long at gmail.com> wrote:
>From personal experience, and having a common name that I use for my email
>address - yes verification should be required. I've received balance and
>payment due notices from American Express for a different Jeremy Long, I've
>received Uber receipts from another Jeremy Long in Florida, I've received
>amusement park tickets for a Jeremy Long in California, etc.  The most fun
>of those was AmEx, try calling a financial institution and asking them to
>remove an email address from an account that I could only provide the last
>4 digits of the account and email address.
>
>Jeremy
>
>On Mar 16, 2017 4:48 PM, "Ali Khalfan" <ali.khalfan at owasp.org> wrote:
>
>> I'm interested in soliciting opinions regarding e-mail address
>> verification when users enroll in e-banking/e-learning/e-government
>> services.  Should this always be a necessary step that a user should
>> verify that they own the e-mail?
>>
>>
>> What would be the risk if the user's ownership of the e-mail is not
>> verified?   I know this may sound like an obvious question, but I keep
>> seeing many critical services (such as e-banking) where users' ownership
>> of an email address is not verified.
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.