Recently, I received an email from PayPal asking to confirm my email address for a new account. Since I do not use PayPal, I figured it was a phishing scam and ignored it. However, I started getting other emails, which included updated address information and a sales transaction. The name for the account was not mine (but the first name was the same), and the address was in a different state.
Looking at the raw email headers, they appeared to be legitimate emails from PayPal. What confused me was that I never responded to the email confirmation message, so why would PayPal allow a person to perform a transaction without confirmation? Since the email in question is a Gmail account I have had since Gmail beta, I wondered if my account had been compromised, but there is nothing to indicate that. Another idea was someone could be intercepting/listening to my email, but that is a lot of effort to do for a simple PayPal transaction.
The likely scenario is PayPal failed to check the account email and suspend any further actions until the address is confirmed. PayPal sends an email to confirm the address, but does not bother to wait for the confirmation.
I called PayPal support, and after some time and educating the support person on how technology works, the person put in a support ticket. Not sure if the problem will ever get resolved or if PayPal will admit they have a problem. As of now, I have not received any more emails. I will have to decide if it is worth my time to call support again and get the disposition of the ticket.
(Score: 3, Insightful) by Anonymous Coward on Tuesday April 18 2017, @09:34PM
Unless the verification link requires the user to type the password (which they've already set during creation); since the wrong-email recipient doesn't know the password, they can't verify it.
You can use a cookie in lieu of the password, to make it easier on the user in the common case where the same browser is used to open the verify link that was just used to create the account; you still gotta fall back to password in case it's a different browser, cookies have been deleted/aren't stored, etc.
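The scheme described in the comment above, as an added example that is not part of the original thread and not PayPal's code: the emailed link alone never confirms the address; the opener must also present the signup browser's cookie or the account password. The function names, the in-memory store and the choice of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory store keyed by the emailed token (assumption for the demo).
ACCOUNTS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(email: str, password: str):
    """Register an unconfirmed account; return (emailed token, signup cookie)."""
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)   # sent in the verification email
    cookie = secrets.token_urlsafe(32)  # set only in the browser that signed up
    ACCOUNTS[token] = {
        "email": email,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "cookie_hash": hashlib.sha256(cookie.encode()).digest(),
        "confirmed": False,
    }
    return token, cookie


def confirm_email(token: str, cookie: str = None, password: str = None) -> bool:
    """Confirm only if the link opener also proves they created the account."""
    acct = ACCOUNTS.get(token)
    if acct is None:
        return False
    ok = False
    if cookie is not None:  # common case: same browser as signup
        presented = hashlib.sha256(cookie.encode()).digest()
        ok = hmac.compare_digest(presented, acct["cookie_hash"])
    if not ok and password is not None:  # fallback: different browser, no cookie
        presented = _hash_password(password, acct["salt"])
        ok = hmac.compare_digest(presented, acct["pw_hash"])
    if ok:
        acct["confirmed"] = True
    return ok


def is_confirmed(token: str) -> bool:
    acct = ACCOUNTS.get(token)
    return bool(acct and acct["confirmed"])
```

A recipient at a mistyped address holds the token but neither the cookie nor the password, so `confirm_email` returns `False` for them and the account stays unconfirmed.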