Court finds People’s United Bank security practices to be “commercially unreasonable.”

After hackers stole $300,000 from Patco Construction Company in 2009, a court has ruled that the bank’s security practices were to blame, labeling them “commercially unreasonable.” People’s United Bank will be paying Patco all the money that they lost to the hackers as well as $45,000 in interest.

During the incident, despite suspicious transactions being flagged as “high-risk” by the bank’s security system, the bank failed to contact the customer, resulting in a series of transactions over seven days. By the time Patco realized what was happening, nearly $600,000 had been transferred out of the company’s account.

This isn’t a first for this type of incident. In recent years, businesses around the country have lost millions of dollars to hackers who stole bank account credentials by infecting their computers with malware. In this specific case, an email was sent to employees who opened it and unknowingly installed the Zeus password-swiping trojan on company computers.

People’s United Bank used Jack Henry & Associates’ NetTeller as its security system at the time of the incident which offers a number of authentication options, most of which were rejected by the bank. Not only did they reject the authentication options, but they also failed to configure the system properly and failed to use it properly. The system asked users challenge questions for every transaction customers made. This security measure coupled with hackers installing keystroke-logging malware on company computers means that what the bank thought was a secure system of confirming identity is actually nonexistent. The appellate court ruled that the bank actually increased the risk of fraud by asking the security questions with every transaction.

Original article by Kim Zetter.
Read the full story here.