
SoylentNews is people

posted by martyb on Tuesday April 18 2017, @03:48PM
from the Email-confirmation-just-slows-us-down dept.

Recently, I received an email from PayPal asking to confirm my email address for a new account. Since I do not use PayPal, I figured it was a phishing scam and ignored it. However, I started getting other emails, which included updated address information and a sales transaction. The name for the account was not mine (but the first name was the same), and the address was in a different state.

Looking at the raw email headers, they appeared to be legitimate emails from PayPal. What confused me was that I never responded to the email confirmation message, so why would PayPal allow a person to perform a transaction without confirmation? Since the email in question is a Gmail account I have had since the Gmail beta, I wondered if my account had been compromised, but there is nothing to indicate that. Another idea was that someone could be intercepting/listening to my email, but that is a lot of effort for a simple PayPal transaction.

The likely scenario is PayPal failed to check the account email and suspend any further actions until the address is confirmed. PayPal sends an email to confirm the address, but does not bother to wait for the confirmation.

I called PayPal support, and after some time and educating the support person on how technology works, the person put in a support ticket. Not sure if the problem will ever get resolved or if PayPal will admit they have a problem. As of now, I have not received any more emails. I will have to decide if it is worth my time to call support again and get the disposition of the ticket.



 
This discussion has been archived. No new comments can be posted.
  • (Score: 2) by nobu_the_bard on Tuesday April 18 2017, @06:44PM (4 children)


    There could be a technical solution - not allow them to charge their cards until they have proven they control the email address by clicking the link in the first "Welcome to " email. Also, not allow them to even view the full information they may have provided when they configured the account, until they confirm the email, in case they did use a wrong email address. Have seen a handful of vendors with such setups.

    I think the poster for this story assumed that's what happens with PayPal, but it isn't what happens. PayPal emphasizes minimum hassle, not maximum security. You can sign up and use the new account (+card info) for a transaction inside a couple minutes without changing windows or looking at your phone or whatever. I use it for a variety of reasons also, but most of them boil down to "it simplifies some transactions".

  • (Score: 4, Insightful) by ledow on Tuesday April 18 2017, @07:08PM (3 children)


    Okay.

    So they send me an email by mistake when they create an account with the wrong address.

    I "verify" it for them.

    They don't necessarily even realise that I've even done that; if I leave it a few minutes, they'll just think they were finally successful at verifying things and start adding in credit cards.

    Now I still have their account.

    It's just a matter of timing.

    There is no technical solution here. User education is what matters.

    • (Score: 0) by Anonymous Coward on Tuesday April 18 2017, @07:50PM (1 child)


      Not quite right. The problem here is that it is allowing account creation without clicking the verification link. I've seen it done with my email no less than 3 times, and I know for certain I never clicked the link, yet the account got created and used just fine. I took control of two of them with the password reset to delete them, then gave up. I guess I could create my own account to prevent this, but why should I have to?

      • (Score: 2) by ledow on Tuesday April 18 2017, @08:09PM


        Isn't what you describe exactly what would happen if someone were to do what I said, but to you?

    • (Score: 3, Insightful) by Anonymous Coward on Tuesday April 18 2017, @09:34PM


      Unless the verification link requires the user to type the password (which they've already set during creation); since the wrong-email recipient doesn't know the password, they can't verify it.

      You can use a cookie in lieu of the password, to make it easier on the user in the common case where the same browser is used to open the verify link that was just used to create the account; you still gotta fall back to password in case it's a different browser, cookies have been deleted/aren't stored, etc.
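
The scheme from the last comment (a confirmation link that only counts when presented with the signup browser's cookie or the account password), combined with the gating proposed in the first comment, as an added example that is not part of the original discussion and not PayPal's code. The `Accounts` class, its method names and the in-memory store are assumptions; `can_email_reset` is an added assumption covering the password-reset takeover described in the thread.

```python
import hashlib
import hmac
import secrets


def _h(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Accounts:
    """Hypothetical in-memory signup service; all names here are illustrative."""

    def __init__(self):
        self.users = {}

    def signup(self, email, password):
        salt = secrets.token_bytes(16)
        link_token = secrets.token_urlsafe(32)  # goes out in the confirmation email
        cookie = secrets.token_urlsafe(32)      # set only in the browser that signed up
        self.users[email] = {"salt": salt, "pw": _kdf(password, salt),
                             "link": _h(link_token), "cookie": _h(cookie),
                             "verified": False}
        return link_token, cookie

    def verify(self, email, link_token, cookie=None, password=None):
        u = self.users.get(email)
        if u is None or u["link"] is None:      # unknown account or link already used
            return False
        if not hmac.compare_digest(u["link"], _h(link_token)):
            return False
        same_browser = cookie is not None and hmac.compare_digest(u["cookie"], _h(cookie))
        knows_pw = password is not None and hmac.compare_digest(
            u["pw"], _kdf(password, u["salt"]))
        if not (same_browser or knows_pw):
            return False                        # mailbox owner alone cannot confirm
        u["verified"], u["link"] = True, None   # single-use link
        return True

    def can_transact(self, email):
        # Payments and stored profile data stay locked until the address is confirmed.
        u = self.users.get(email)
        return bool(u and u["verified"])

    def can_email_reset(self, email):
        # Emailing a reset link for an unconfirmed address would bypass the binding.
        u = self.users.get(email)
        return bool(u and u["verified"])
```

With this binding, a person who receives the confirmation email for an account they did not create cannot confirm it, and the person who mistyped the address cannot transact until they correct it.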