Kathmandu. Serious technical and security vulnerabilities have been found in the surveyor reporting portal under the Insurance Regulatory Management Information System operated by the Nepal Insurance Authority.
This online system, in which licensed insurance surveyors enter their performance details, lacks identity authentication.
Because the portal has no security layer, there is a risk that an unauthorized person or a bot (an automated program) could easily enter details in the name of any surveyor. There is also a risk of adding load to the Authority's central information system through the entry of unnecessary, burdensome documents.
When Insurance Khabar checked the portal's Surveyor Works Detail Reporting page, it found that anyone can easily access the license number, name and name of the insurer. By choosing the option to enter a digital document, selecting a Microsoft Excel file and pressing the bulk upload option, the file is automatically stored in the Authority's Unified Information System. The user does not have to confirm their identity at any point in this process.

1) Misuse of Identity: By sending false information in the name of another surveyor, anyone can damage that person's reputation or land them in legal trouble.
2) System Disruption: In the absence of a security wall, the system can be filled with fake data by misusing the bulk upload. As a result, the Authority's server could go down and the credibility of the Authority's data could be called into question.
3) Risk of Cyber Attack: If the uploaded files are not strictly checked, this can open the way for malware attacks such as CSV injection, which can compromise the Authority's internal data storage.
Such open and easy access to so important a system of the insurance regulator shows great laxity in digital security.
According to information technology security experts, this flaw has made insecure not only the data of real surveyors but the data of the entire insurance sector. To address this, the Authority needs to include features such as password-protected login and data checking.
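The data checking recommended above, as an added example that is not the Authority's code: a server-side check that caps the number of rows in a bulk upload and rejects cells a spreadsheet program would treat as a formula (the CSV injection risk in point 3). The column names, the row limit and the sample rows are assumptions constructed for illustration, and the upload is assumed to have been converted to CSV text already.

```python
import csv
import io

# Assumptions (not from the portal): column names, row limit and sample data.
EXPECTED_COLUMNS = ["license_no", "surveyor_name", "insurer", "claims_assessed"]
MAX_ROWS = 500
# Leading characters that spreadsheet programs treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def check_upload(text, max_rows=MAX_ROWS):
    """Return (accepted_rows, errors) for one bulk-upload file given as CSV text."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != EXPECTED_COLUMNS:
        return [], ["unexpected header: %r" % (header,)]
    accepted, errors = [], []
    for row_no, row in enumerate(reader, start=2):
        if row_no - 1 > max_rows:
            # Stop reading: an oversized upload is refused, not truncated silently.
            errors.append("row limit of %d exceeded" % max_rows)
            break
        if len(row) != len(EXPECTED_COLUMNS):
            errors.append("row %d: wrong column count" % row_no)
            continue
        # Reject rather than rewrite: a formula-like cell is never stored.
        bad = [c for c in row if c.lstrip(" ").startswith(FORMULA_PREFIXES)]
        if bad:
            errors.append("row %d: formula-like cell %r" % (row_no, bad[0]))
            continue
        if not row[3].isdigit():
            errors.append("row %d: claims_assessed is not a number" % row_no)
            continue
        accepted.append(row)
    return accepted, errors


# Constructed sample upload: one clean row, one formula cell, one bad number.
SAMPLE = (
    "license_no,surveyor_name,insurer,claims_assessed\n"
    "S-0001,Example Surveyor,Example Insurance Ltd,12\n"
    "S-0002,=1+1,Example Insurance Ltd,3\n"
    "S-0003,Another Surveyor,Example Insurance Ltd,many\n"
)

if __name__ == "__main__":
    rows, problems = check_upload(SAMPLE)
    print(rows)
    print(problems)
```

A check like this only limits what an upload can contain; it does not establish who sent it, which is what the password-protected login is for.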
There is a risk that hackers could, if they wished, use a bot to automatically upload unnecessary details and documents to this portal of the Authority.
The Authority launched this portal with the objective of collecting updated details from surveyors. Through the Authority's online portal, a surveyor can enter how many damages have been evaluated by the insurer, how many are at the evaluation stage, and how many have been finalized and have entered the claim payment process.
On the basis of the details received, the Authority can stop an insurer from giving additional responsibility to a surveyor who has left a large number of damage assessments unfinished.












