Unrestricted Access to Sensitive Business Flows
SecureBank operates a comprehensive online banking portal serving 2M+ customers. The portal currently supports account management, fund transfers, bill payments, and investment services. The bank is now expanding its digital services to improve customer satisfaction.
VP of Customer Experience
"We're receiving too many customer complaints via email and phone. We need a digital complaint submission system integrated into our online banking portal. Customers should be able to submit complaints directly, and we need to prevent spam submissions. This should be available to all authenticated banking customers."
BRD-2024-0847 — Customer Complaint Portal Module
Digital Complaint Submission
Customers shall be able to submit complaints through the online banking portal with a structured form including subject, description, and severity rating.
Spam Prevention
The system shall implement CAPTCHA verification to prevent automated spam submissions to the complaint system.
Customer Authentication
Only authenticated banking customers shall be able to access and submit complaints through the portal.
Complaint Tracking
Each complaint shall be assigned a unique reference number and stored in the banking database for tracking and resolution.
Notification
The system shall notify the assigned relationship manager when a new complaint is submitted.
Key Observation
Notice that the business requirements mention "CAPTCHA verification" and "authenticated customers" — but they don't specify how many times a customer can submit, or whether the CAPTCHA should be single-use. This ambiguity is where the business logic flaw begins.
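The two controls the requirements leave unstated, sketched as an added example (not SecureBank's or the page's own code): a solved CAPTCHA is consumed on first use, and accepted complaints count against a per-customer quota. The class and token names and the limit of 3 complaints per 24 hours are assumptions, since the BRD specifies neither.

```python
import time

MAX_COMPLAINTS = 3            # assumed per-customer quota; the BRD sets none
WINDOW_SECONDS = 24 * 3600    # assumed quota window

class ComplaintGate:
    """Checks the BRD leaves unstated: one-time CAPTCHA use and a submission quota."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._captchas = {}     # token -> (customer_id, expires_at), solved and unused
        self._history = {}      # customer_id -> timestamps of accepted complaints

    def captcha_solved(self, token, customer_id, ttl=120):
        # Called after the CAPTCHA provider confirms the answer.
        self._captchas[token] = (customer_id, self._clock() + ttl)

    def submit(self, customer_id, token):
        now = self._clock()
        # pop() consumes the token, so replaying one solved CAPTCHA fails.
        owner, expires_at = self._captchas.pop(token, (None, 0))
        if owner != customer_id or now > expires_at:
            return "rejected: captcha invalid, expired or already used"
        recent = [t for t in self._history.get(customer_id, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_COMPLAINTS:
            self._history[customer_id] = recent
            return "rejected: complaint quota reached"
        recent.append(now)
        self._history[customer_id] = recent
        return "accepted"

def demo():
    # Constructed scenario with a fake clock so the run is deterministic.
    t = [1_000.0]
    gate = ComplaintGate(clock=lambda: t[0])
    results = []
    gate.captcha_solved("tok-1", "cust-42")
    results.append(gate.submit("cust-42", "tok-1"))   # first use
    results.append(gate.submit("cust-42", "tok-1"))   # replay of same token
    for i in range(2, 5):                              # fresh CAPTCHA each time
        gate.captcha_solved(f"tok-{i}", "cust-42")
        results.append(gate.submit("cust-42", f"tok-{i}"))
    t[0] += WINDOW_SECONDS + 1                         # quota window has passed
    gate.captcha_solved("tok-5", "cust-42")
    results.append(gate.submit("cust-42", "tok-5"))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

A production version would keep the token and history state in a shared store so the checks hold across application servers.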