Easy Fraud
I'm pretty sure my assumptions here are correct, so let me know if they're not.
I went to change the e-mail address for an account I have with an online store. Unlike most stores that allow you to change it in your account settings on their website, this site requires you to send an e-mail from your currently subscribed e-mail address with the new e-mail address you want to use. It seems to me that anyone can set their mail client to send an e-mail and make it look like it has come from me. There is no way to properly verify that. Which means someone could, without any authentication, change my e-mail with said online store and then retrieve my password. The really scary thing is that this particular online store stores your full credit card details (although it doesn't display them so you can't use it elsewhere) so they could go on a shopping spree with my money.
The ironic thing is that when I placed an order with them they requested a copy of my driver's license and credit card statement to verify my address. All that effort to prevent fraud, and then they have a seriously flawed system for changing e-mail addresses.
Unfortunately I have an order pending with this store, so I'm not prepared to name them until I get my product and I can have all my details stripped from their system. I have contacted them about my concerns and look forward to their reply.
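
The weakness described in this post, next to one common way to close it, as an added example that is not part of the original post or the store's code: the `From` header is sender-supplied text, so the change is instead confirmed with an HMAC-signed token mailed to the address already on file. The account table, secret, addresses and function names are all constructed for illustration.

```python
import hashlib
import hmac
import time
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
TOKEN_TTL = 3600                   # assumption: confirmation tokens expire after one hour
ACCOUNTS = {"alice@example.com": {"id": 42}}   # constructed account table

# Constructed inbound request. The From header is text chosen by whoever sent it.
REQUEST = """\
From: alice@example.com
To: support@store.example
Subject: Change my e-mail

Please change my address to mallory@example.net
"""

def naive_change(raw):
    """The flawed process: treat the From header as proof of identity."""
    sender = parseaddr(message_from_string(raw)["From"])[1].lower()
    return sender in ACCOUNTS      # True for anyone who types the address

def issue_token(account_id, new_email, now=None):
    """Bind account, new address and expiry under an HMAC; mail it to the address on file."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = f"{account_id}|{new_email}|{expires}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def confirm_change(token, now=None):
    """Return (account_id, new_email) if the token is authentic and unexpired, else None."""
    try:
        account_id, new_email, expires, mac = token.split("|")
        expires = int(expires)
    except ValueError:
        return None                # malformed token: wrong field count or bad expiry
    payload = f"{account_id}|{new_email}|{expires}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                # new address or account was altered, or token forged
    if (now if now is not None else time.time()) > expires:
        return None
    return int(account_id), new_email
```

With this flow the change only completes when the token comes back, which requires reading the mailbox on file (or an authenticated session), not merely writing its address into a header.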