[Owasp-leaders] email verification

Lucas Ferreira lucas.ferreira at owasp.org
Fri Mar 17 13:16:51 UTC 2017


Hello Ali,

I have a similar experience: there are a couple of guys that keep using my
gmail address to enroll in multiple web sites. So I end up getting their
private stuff, from invoices to credit card statements to college emails
about homework. I can also easily impersonate them in most sites they use
my email in and change passwords, names, or even see their private info.
In some cases, I could use the services they pay for (music streaming, wifi
providers, Netflix, Uber, etc.).

So, there are security implications in not verifying the email address.

Best regards,

Lucas

On Fri, Mar 17, 2017 at 6:01 AM Ali Khalfan <ali.khalfan at owasp.org> wrote:

> My thinking exactly
>
> Possibility of leakage of info is huge
> I think the additional step is worth it
>
> On March 17, 2017 12:45:19 AM GMT+03:00, Jeremy Long <
> jeremy.long at gmail.com> wrote:
>
> From personal experience, and having a common name that I use for my email
> address - yes, verification should be required. I've received balance and
> payment due notices from American Express for a different Jeremy Long, I've
> received Uber receipts from another Jeremy Long in Florida, I've received
> amusement park tickets for a Jeremy Long in California, etc.  The most fun
> of those was AmEx: try calling a financial institution and asking them to
> remove an email address from an account for which I could only provide the
> last 4 digits of the account number and the email address.
>
> Jeremy
>
>
> On Mar 16, 2017 4:48 PM, "Ali Khalfan" <ali.khalfan at owasp.org> wrote:
>
> I'm interested in soliciting opinions regarding e-mail address
> verification when users enroll in e-banking/e-learning/e-government
> services.  Should this always be a necessary step, i.e. that a user
> verifies that they own the e-mail?
>
>
> What would be the risk if the user's ownership of the e-mail is not
> verified?   I know this may sound like an obvious question, but I keep
> seeing many critical services (such as e-banking) where users' ownership
> of an email address is not verified.
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
-- 

Homo sapiens non urinat in ventum.
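The "additional step" the thread argues for is a single-use, expiring token mailed to the address, with the account's email treated as unverified (so no statements, receipts or reset links are sent to it) until the token comes back. The sketch below is an added example for this page, not code from the OWASP list or from any of the services mentioned; the store, the 24-hour TTL, the `EmailVerifier` class name and the injectable clock are all assumptions for illustration. Only a hash of the token is persisted, so a leaked table does not let anyone confirm an address they do not control.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumption: a one-day validity window for the mailed token.
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class PendingVerification:
    email: str
    token_hash: str      # SHA-256 of the token; the raw token exists only in the email we send
    expires_at: float
    used: bool = False


class EmailVerifier:
    """Enrollment helper that binds an address to an account only after proof of mailbox access.

    `now` is injectable so expiry can be exercised without sleeping (assumption for the example).
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, PendingVerification] = {}  # keyed by token hash
        self._verified: set[str] = set()

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a single-use token for `email` and return it so the caller can mail it.

        Only the hash is stored, so a database read does not yield usable tokens.
        """
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = PendingVerification(
            email=email.strip().lower(),
            token_hash=self._hash(token),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token

    def confirm(self, token: str) -> bool:
        """Called from the link in the email. Rejects unknown, reused and expired tokens."""
        rec = self._pending.get(self._hash(token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False
        rec.used = True                 # single use: a replayed link does nothing
        self._verified.add(rec.email)
        return True

    def is_verified(self, email: str) -> bool:
        return email.strip().lower() in self._verified

    def may_send_sensitive_mail(self, email: str) -> bool:
        """Gate for statements, receipts, password-reset links and similar.

        An address nobody has proven control of gets nothing that could leak
        account data or let the holder of the mailbox take the account over.
        """
        return self.is_verified(email)


if __name__ == "__main__":
    # Constructed walk-through: someone enrolls with an address they do not control.
    v = EmailVerifier()
    token = v.issue("someone.else@example.com")
    print("statement allowed before confirm:", v.may_send_sensitive_mail("someone.else@example.com"))
    # Only the real mailbox owner ever sees `token`; until it comes back, nothing sensitive is sent.
    print("confirm with real token:", v.confirm(token))
    print("statement allowed after confirm:", v.may_send_sensitive_mail("someone.else@example.com"))
    print("replay of the same token:", v.confirm(token))
```

The gate in `may_send_sensitive_mail` is the part that addresses the anecdotes above: a mistyped or borrowed address stays unverified, so AmEx-style notices and reset links never leave the system for it, and whoever owns that mailbox cannot use it to take over the account.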