[Owasp-leaders] email verification

Ali Khalfan ali.khalfan at owasp.org
Sat Mar 18 14:33:02 UTC 2017


Great input!


I think this has me convinced that adding verification is always a good
step, even if it hinders user experience a bit.



-------- Original Message --------
Subject: Re: [Owasp-leaders] email verification
From: Matt Tesauro <matt.tesauro at owasp.org>
To: Lucas Ferreira <lucas.ferreira at owasp.org>
CC: Ali Khalfan <ali.khalfan at owasp.org>, Jeremy Long
<jeremy.long at gmail.com>, owasp-leaders <owasp-leaders at lists.owasp.org>
Date: Fri Mar 17 2017 17:46:17 GMT+0300 (AST)
> Just to pile on, I don't even have a very common last name and I've
> gotten:
>
>   * Loads of information for a mtesauro that's apparently in a
>     retirement home in the UK (I'm in Texas)
>   * Information for a high school wrestler in New Jersey
>   * An Uber account for someone in the north east United States
>
> For any of these, if the password reset mechanism uses an email
> verification loop, I could take over the accounts should I choose to
> go to the dark side.  It's happened enough that I have a 'not-me' label
> in Gmail to filter these into.
>
> Cheers!
>
> --
> -- Matt Tesauro 
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline 
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org - Community and
> Download site
>
>
> On Fri, Mar 17, 2017 at 8:16 AM, Lucas Ferreira
> <lucas.ferreira at owasp.org> wrote:
>
>     Hello Ali,
>
>     I have a similar experience: there are a couple of guys that keep
>     using my gmail address to enroll in multiple web sites. So I end
>     up getting their private stuff, from invoices, to credit card
>     statements to college emails about homework. I can also easily
>     impersonate them in most sites they use my email in and change
>     passwords, names, or even see their private info. In some cases,
>     I could use the services they pay for (music streaming, wifi
>     providers, Netflix, Uber, etc).
>
>     So, there are security implications in not verifying the email
>     address.
>
>     Best regards,
>
>     Lucas
>
>     On Fri, Mar 17, 2017 at 6:01 AM Ali Khalfan <ali.khalfan at owasp.org>
>     wrote:
>
>         My thinking exactly
>
>         Possibility of leakage of info is huge
>         I think the additional step is worth it
>
>         On March 17, 2017 12:45:19 AM GMT+03:00, Jeremy Long
>         <jeremy.long at gmail.com> wrote:
>
>             From personal experience, and having a common name that I
>             use for my email address - yes verification should be
>             required. I've received balance and payment due notices
>             from American Express for a different Jeremy Long, I've
>             received Uber receipts from another Jeremy Long in
>             Florida, I've received amusement park tickets for a Jeremy
>             Long in California, etc.  The most fun of those was AmEx,
>             try calling a financial institution and asking them to
>             remove an email address from an account that I could only
>             provide the last 4 digits of the account and email address.
>
>             Jeremy
>
>
>             On Mar 16, 2017 4:48 PM, "Ali Khalfan"
>             <ali.khalfan at owasp.org> wrote:
>
>                 I'm interested in soliciting opinions regarding e-mail
>                 address verification when users enroll in
>                 e-banking/e-learning/e-government services. Should this
>                 always be a necessary step, that a user should verify
>                 that they own the e-mail?
>
>
>                 What would be the risk if the user's ownership of the
>                 e-mail is not verified? I know this may sound like an
>                 obvious question, but I keep seeing many critical
>                 services (such as e-banking) where users' ownership of
>                 an email address is not verified.
>
>
>
>                 _______________________________________________
>                 OWASP-Leaders mailing list
>                 OWASP-Leaders at lists.owasp.org
>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>         -- 
>         Sent from my Android device with K-9 Mail. Please excuse my
>         brevity.
>
>     -- 
>
>     Homo sapiens non urinat in ventum.
>
>
>
>

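The thread's core point is that an unverified e-mail address becomes a password-reset channel for whoever actually controls that mailbox. The following is an added illustration, not code from the thread or from any of its participants, of an enrollment flow that keeps an address out of the reset loop until ownership is proven with a random, hashed-at-rest, expiring, single-use token. All class, function and parameter names are hypothetical, and the one-hour token lifetime is an assumption.

```python
# Added example (not from the thread): enrollment that keeps an e-mail address
# out of the password-reset loop until ownership is proven with a random,
# hashed-at-rest, expiring, single-use token. All names are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a verification link


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False
    # Only the SHA-256 of the token is stored: a leaked table yields no live links.
    pending_token_hash: Optional[bytes] = None
    pending_token_expires: float = 0.0


class Accounts:
    def __init__(self) -> None:
        self.by_user: Dict[str, Account] = {}

    def enroll(self, username: str, email: str, now: float) -> str:
        """Create the account; return the raw token that is mailed to `email`."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        acct = Account(username, email.strip().lower())
        acct.pending_token_hash = hashlib.sha256(token.encode()).digest()
        acct.pending_token_expires = now + TOKEN_TTL_SECONDS
        self.by_user[username] = acct
        return token

    def verify(self, username: str, token: str, now: float) -> bool:
        """Accept only a matching, unexpired, not-yet-used token."""
        acct = self.by_user.get(username)
        if acct is None or acct.pending_token_hash is None or now > acct.pending_token_expires:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct.pending_token_hash):
            return False
        acct.email_verified = True
        acct.pending_token_hash = None  # single use: a replayed link fails
        return True

    def reset_target(self, username: str) -> Optional[str]:
        """Address a reset link may go to: none until ownership is proven."""
        acct = self.by_user.get(username)
        return acct.email if acct and acct.email_verified else None
```

Until `verify` succeeds, `reset_target` returns `None`, so a reset request for the account cannot be routed to a mailbox the enrolling user never proved they control.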

