Nimastic
commented
2 weeks ago Team's Response
Thank you for raising your concerns! While we understand the point raised regarding the possibility of a malicious actor editing claim descriptions, it is important to note that security against unauthorized access does not fall under the development team's responsibilities.
The responsibility to ensure that no malicious actors can access the user's device or account lies with the user and their chosen security measures (eg. device security, password management, or two-factor authentication). Our role as developers is to ensure the integrity and functionality of the system within its intended use.
To further address this, if the system is used as intended (ie. by authorized users only), the described scenario should not occur. We also recommend that users take necessary precautions, such as securing their login credentials and devices, to prevent unauthorized access. Should security be a concern beyond unauthorized access (eg. additional fraud prevention features), such enhancements should be considered as a feature request rather than a bug report.
In addition, Prudential should have their own set of protection to guard against such frauds. As our app is meant as a "notebook" app for agents to simply manage clients' details on their own desktop, adding additional features to prevent editing of claim description does not fit our aim as it adds unnecessary inconvenience when users entered a typo to the claim description.
Furthermore, your bug report is phrased as a suggestion, therefore it is not in scope.
Lastly, if this bug is eventually accepted as a valid bug report, the team would like a to suggest a downgrade the bug report from a High severity, as allowing users to edit claim description will not make the app unusable to most users. If anything, it may only cause slight disturbance to very few users.
Duplicate status (if any):
--
Since Editing claims do not track when the claim was edited, it is possible for a malicious actor to change the claim description to something that can be approved, then change the description back afterwards in order to secure their claim. This does not seem secure.
One proposed way to minimise the risk of claim fraud could be to only allow the status of the claim to be edited instead of also allowing the description to be edited.
Eg. claim for stomach surgery -> rejected -> new claim for head trauma -> approved
Rather than: claim for stomach surgery -> malicious actor change description to become claim for head trauma -> approved -> change description back to claim for stomach surgery -> end result is claim approved for stomach surgery
[original: nus-cs2103-AY2425S1/pe-interim#853] [original labels: type.FeatureFlaw severity.High]