TreasuryDirect enhances security features

Friday, August 11th, 2006
Categorized as: Treasury Direct

TreasuryDirect enabled new security features this week, including a new, state-of-the-art method for entering passwords that is designed to foil keylogging programs.

The What’s New section on TreasuryDirect reports:

To keep personal information protected and to make the TreasuryDirect site even more secure, we have implemented new security features. The requirements for choosing a password and security questions have been strengthened, some sensitive information has been masked, and a virtual keyboard is provided at logon for added password protection. Additionally, customers now have the option of placing holds on their accounts if they suspect that someone has obtained their access information.

We will continue to add new features that will maintain the protection and integrity of customers’ accounts and security holdings. In addition, we will continue to make changes behind the scenes that will allow TreasuryDirect to run smoother and process transactions even more efficiently. Most of the upgrades won’t be noticeable, but you can be sure that we’re working to make TreasuryDirect better than ever for all your investment needs.

The new login process uses an on-screen keyboard. You “type” in your password by clicking the keyboard with your mouse. The keys are randomly mixed each time the page is displayed, so even if someone captures your mouse clicks, those same clicks won’t work to log you on a second time.
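Why reshuffling defeats replayed clicks, as an added Python example that is not TreasuryDirect's code: it assumes the server issues a fresh layout for each page display and the browser submits clicked key positions rather than characters. The key set and all function names are hypothetical.

```python
import secrets

KEYS = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed key set, not TreasuryDirect's


def new_layout(keys=KEYS):
    """Return a fresh random arrangement of the keys for one page display."""
    layout = list(keys)
    secrets.SystemRandom().shuffle(layout)
    return layout


def clicks_for(password, layout):
    """Key positions a user clicks to enter `password` on this layout."""
    return [layout.index(ch) for ch in password]


def decode(clicks, layout):
    """Server side: map clicked positions back to characters, using the
    layout that was issued for this particular page display."""
    return "".join(layout[i] for i in clicks)


def replay_demo(password="s3cr3tpw"):
    """Enter the password once, then replay the same clicks on a new page."""
    first = new_layout()
    captured = clicks_for(password, first)   # what a click recorder would hold
    second = new_layout()
    while second == first:                   # a repeat shuffle is astronomically rare
        second = new_layout()
    return decode(captured, first), decode(captured, second)


if __name__ == "__main__":
    genuine, replayed = replay_demo()
    print("genuine logon decodes to :", genuine)
    print("replayed clicks decode to:", replayed)
```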

Our previous articles on TreasuryDirect security, “TreasuryDirect refuses to confirm transactions” and “Wall Street Journal questions TreasuryDirect security,” raised the following issues:

  • TreasuryDirect has no paper trail.
    • This is still true. On the page on which you choose which Treasury application you want to log in to, there’s a notice that cautions that TreasuryDirect does not provide paper securities or paper account statements. It recommends printing TreasuryDirect screens using your browser. Because you can always show how much money you’ve moved into and out of TreasuryDirect using your bank’s records, I don’t consider this a major problem.
  • If someone gets your security information and accesses your account, the risk is all yours. The Treasury will not cover your losses. Banking’s Regulation E, which protects consumers from credit card fraud, does not apply to TreasuryDirect.
    • This is the case not only with TreasuryDirect, but also with other online investment accounts at brokerage firms, banks, and mutual fund companies. If you want to invest online, it’s a risk you have to take. The question is, given the security features the investment account offers, are you comfortable taking that risk?
  • TreasuryDirect displays detailed banking and personal information.
    • This has been fixed. Sensitive information, such as account and Social Security numbers, is masked.
  • An extra, offline step should be required to open a TreasuryDirect account.
    • If TreasuryDirect’s “authentication process could not adequately verify” you, you will be required to submit a form with your signature certified by a bank.
  • TreasuryDirect doesn’t notify you if your account details change.
    • This had been fixed to some extent before this week’s update. Several users reported receiving email notification after adding new bank accounts. However, to test this week’s update, I changed my own email address in TreasuryDirect. I had to provide the answer to one of my security questions to be able to do this. Afterwards, an email notice about the change was sent to my new email address, but not to my old one. This means all a crook has to do is change the email address first, then the bank account. The notification about the new email address goes to the crook, not to you, as does the notification about the bank account change. TreasuryDirect still doesn’t have this basic security feature right. [Note: Since this article was published, TreasuryDirect has contacted me to see if this is a bug with my account. They say emails are supposed to go to both addresses, which is great news!]
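The notification gap in the last item, as an added example that is not TreasuryDirect's code: it replays the email-then-bank change sequence under three notification policies and returns the alerts that reach the original owner's address. The `cooling_off` policy and its 30-day window go beyond the article and are assumptions, as are all names and sample addresses.

```python
from dataclasses import dataclass, field
from typing import Optional

COOLING_OFF_DAYS = 30   # assumed value for the added "cooling_off" policy


@dataclass
class Account:
    email: str
    bank: str
    previous_email: Optional[str] = None
    email_changed_day: Optional[int] = None
    outbox: list = field(default_factory=list)   # (recipient, message) pairs


def change_email(acct, new_email, day, policy):
    """'new_only' is the behaviour the article observed; 'both' is the
    intended behaviour; 'cooling_off' is an added extension."""
    old = acct.email
    acct.previous_email, acct.email_changed_day, acct.email = old, day, new_email
    recipients = [new_email] if policy == "new_only" else [new_email, old]
    for rcpt in recipients:
        acct.outbox.append((rcpt, "email address changed"))


def change_bank(acct, new_bank, day, policy):
    """Announce a bank change to the address on file and, under 'cooling_off',
    also to an address replaced within the last COOLING_OFF_DAYS days."""
    acct.bank = new_bank
    recipients = [acct.email]
    recently_replaced = (acct.previous_email is not None
                         and day - acct.email_changed_day <= COOLING_OFF_DAYS)
    if policy == "cooling_off" and recently_replaced:
        recipients.append(acct.previous_email)
    for rcpt in recipients:
        acct.outbox.append((rcpt, "bank account changed"))


def owner_alerts(policy):
    """Replay the article's sequence (email change, then bank change) and
    return the messages that reach the original owner's address."""
    owner = "owner@example.com"                   # constructed sample values
    acct = Account(email=owner, bank="BANK-A")
    change_email(acct, "someone-else@example.net", day=1, policy=policy)
    change_bank(acct, "BANK-B", day=1, policy=policy)
    return [msg for rcpt, msg in acct.outbox if rcpt == owner]
```

Under `new_only` the owner's address receives nothing at all, which is the gap the article describes; under `both` the email-change alert arrives, and that alert is the owner's only signal unless later notices also go to the replaced address.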

Although the people I correspond with at the Treasury seem to feel that I whine about TreasuryDirect because I want it to fail, the truth is I want it to succeed. I do all my banking and investing online. My own bank won’t touch Savings Bonds.

It’s because I want TreasuryDirect to succeed that I whine about its security. Security is particularly important to TreasuryDirect’s customers, who invest in TreasuryDirect’s products because they prefer the safety of government investments to the risk of corporate investments. TreasuryDirect’s customers want to invest their money with the utmost safety.

But TreasuryDirect puts all the risk of password fraud on the customer. The new virtual keyboard for logon is terrific. It’s a great defense against one of the ways that your password can be compromised. But only one of the ways, and there are many.

If I’m going to take all the risk of password fraud, what I really want is immediate notification that my account has been accessed by someone else. That is what will prevent a crook from even trying TreasuryDirect fraud. How can a no-cost, basic, simple, security measure like sending notifications about a changed email address to both the old and new addresses not be fixed yet?

I want TreasuryDirect to succeed. I expect TreasuryDirect to succeed. But I won’t be comfortable with TreasuryDirect security until I’m sure that I’ll know if someone has my password. Frankly, I’d like the option to receive an email every time a logon occurs.

Since I’m the one taking all the risk of password fraud, TreasuryDirect has to provide security features that make me comfortable with taking that risk.


23 Comments

On August 11th, 2006 Mario said:

Tom, I think your concerns are partially (admittedly not fully) mitigated by their other, less visible enhancements, including showing the last logon time and the ability to place a hold on your account. Also, something that’s always been there is the account history; any change made, any redemption that’s been scheduled or deleted, any change in registration, is all logged.

On August 11th, 2006 tom said:

What good is the ability to put a hold on your account?
If a criminal gets your password, he will not only change the email address, but also the password so you can’t get in your own account to set the hold. There needs to be a phone-in hold mechanism.

On August 11th, 2006 Tom Adams said:

Tom – I agree. If you think your account password has been compromised, but you can still get into your account, you should just change the password.

The hold mechanism would only be useful if your password had already been changed and you couldn’t get into your account. But in that case you can’t put your account on hold, because you can’t get in!

Providing a hold that can only be turned on from within the account seems not only useless, but counter-productive to me. It will create unnecessary work for TreasuryDirect and account owners to clear the holds.

On August 12th, 2006 billy said:

The biggest threat I see is in the “add new bank” feature. I was told that the only verification done is that the specified account exists, not that it belongs to you.

I did a little research on this ACH subject. It seems that TD tried to make the banks verify the account belongs to you, but NACHA rules say it’s only necessary to verify the account exists, and the banks complained that it would be too much of a burden to manually check. So TD backed off.

If the exploit is successful, a crook can use your account to redeem all your bonds to his account, or he can use his account to empty your checking account into his C of I.

To limit losses, TD should limit redemptions (per day) or force redemptions to the bank from which they were funded.

Other suggestions:
Email/phone verify.
Behavior monitor (no redemptions after a bank change)

On August 12th, 2006 Tom Adams said:

Billy – very interesting information about ACH. Can you divulge your sources on that info?

TD does already limit the amount you can transfer from a bank to a C of I to $1,000 if the request is made from within TD. If the request is made on the bank account side there’s no limit – see this article on transferring funds into TreasuryDirect.

On August 13th, 2006 Mario said:

If only the existence but not ownership of an account needs to be verified for ACH credits, it should be possible to ACH money into anyone’s bank account regardless of ownership, right? I don’t think that’s the case. For instance, for my direct deposit of my salary, the payroll company first verifies the account belongs to me before they let me deposit into it.

I’m wondering if a thief would be successful with an ACH to his account, if the receiving bank could be held liable?

On August 14th, 2006 Barry said:

Tom,
Call me paranoid, cynical, and distrustful, but here are my concerns:

You say you are fine with no paper trail because you can see on your bank account that the money went to Treasury Direct. As I recall, my account statement read some nondescript name that the money went to.
How do I know there was not some sophisticated thief that was able to get that to appear as the destination?
That is why it would be much more secure from my standpoint if Treasury Direct would give us the common courtesy of a paper confirmation, on their stationery, of major changes to an account.

On August 14th, 2006 Paul said:

What would be the most effective way to complain to TD to let them know that their security guarantees and features are still inadequate?

On August 14th, 2006 Mario said:

The most effective way would be to keep buying paper bonds…

About the hold feature, can a hold even be initiated from within TD? I don’t see it anywhere. I thought it was a phone-in system.

On August 15th, 2006 billy said:

Sources of info regarding TD and ACH rules:

http://www.fms.treas.gov/eftps/203final.pdf (may be old info), http://www.treasurydirect.gov/td2006pia.pdf, 31 cfr 210,370,375, and just google for: cfr prenotification (or prenote)

From what I gather, TD does a good job verifying you (and your bank) when you first set up an initial TD account. After that, they do a simple “bank account exist” check when you “add new bank”. They trust you in giving a good account number because they don’t believe a crook can get your password.

Mario, ACH only checks security if you try to ‘pull’ money from somebody. They do not care who you push your money to (ex. electronic bill pay). The banks may check identity and permission, but ACH rules don’t require it.

On August 15th, 2006 billy said:

Also, see this from the Electronic Code of Federal Regulations.

On August 16th, 2006 Tom Adams said:

Good news! – I received a message from my contacts at the Treasury yesterday saying that TreasuryDirect is supposed to be sending notifications to both the old and new address when the email address is changed, and that it works that way in their internal testing.

It still doesn’t work that way with my account, however, so they’re trying to debug that. Has anyone else tried this change? What were the results?

On August 16th, 2006 Charles said:

The electronic regulation code seems to be for “Legacy Treasury Direct”.

Hit BROWSE NEXT a few times until you come to part 31 CFR part 363 – which is for the new Treasury Direct.

What still spooks me is in LEGACY TDC it says this about “Liability of Transfers”:
A depository institution or other entity that transfers to, or receives, a security from Legacy Treasury Direct is deemed to be acting as agent for its customer - Which seems to say the bank is responsible.

On August 16th, 2006 Charles said:

In the new TDC:
You are solely responsible for the confidentiality and use of your password. We will treat any transactions conducted using your password as having been authorized by you. We are not liable for any loss, liability, cost or expense that you may incur as a result of transactions made using your password. - Which seems to say not their problem.

On August 16th, 2006 jon said:

True, but the TD could prevent or limit fraud if they take some other precautions like bank account verifications, email receipts, etc. Since they hold themselves blameless, why should they care? The Gov pushes REG E on banks, but don’t like to eat their own cookin’

On August 16th, 2006 Charles said:

Even your local bank is required to give you $100k in FDIC insurance. Someone forges your check, you don’t lose out. TD like government in all aspects holds itself harmless.

TD slogan:
Americans aren’t saving enough. Give us your hard earned money, we’ll inflate it away. To top it off, we’ll tax you on the inflation so you come out in the hole and if someone steals it all, tuff stuff.

On August 16th, 2006 Tom Adams said:

Jon and Charles – I think you’re comparing apples and oranges.

Banking’s Regulation E is about credit card accounts, not investment accounts. While it would be great for TreasuryDirect to offer that kind of protection, why should it have to if Vanguard and Fidelity, for example, don’t have to?

You have to compare TreasuryDirect with online accounts at brokerage firms and mutual fund companies. The question is whether TD has better or worse security than the best practices at investment companies.

FDIC insurance covers you if your bank goes belly up. Experts would say that TD gives you the same or better protection since it’s the US Treasury that protects both TD and the FDIC from default.

On August 16th, 2006 Mario said:

Billy, thanks for providing all the information. In the PIA you linked, it does say “financial institutions provide the initial defense against fraudulent or unauthorized transactions” which implies to me that the Treasury pushes the responsibility to the banks – which makes logistic sense, because anyone who knows your account number could otherwise attempt an ACH; generally speaking for an ACH debit, do we know if the liability lies with the bank that requests the ACH or the bank that receives the request?

They also say in that document that the names you provided on the account are transmitted to the bank. I would assume the Treasury would at least flag the transaction if you don’t provide your own name; and the bank would hopefully flag if the name doesn’t match the name on file for the account. I think ideally they should also transmit SSN because two people could have the same name.

I don’t see that as being very different from a prenotification, where it is also the bank which verifies account ownership.

On August 16th, 2006 Mario said:

I’m actually more worried about elaborate schemes, such as when someone gains access to your TD account, changes the registration such that they are co-owner, gives themselves transact rights, then transfers the security to their account and deposits in their bank account.

Therefore I think registration changes are probably the weakest link, and should require something like TD sending you an email that prompts you to verify by logging back into your account before the change becomes effective. And email changes should require the same such that the thief can’t change the email to theirs.

Tom, please forward ideas to your TD contacts … ;)

On August 17th, 2006 jon said:

I believe Reg E applies to any electronic transaction like ACH. If I’m a victim of fraud in a bank to bank ACH transfer, I’m covered (by the bank). TD uses ACH (no protection).

Investment accounts have SIPC (an FDIC equivalent).

On August 17th, 2006 billy said:

A prenote is a zero dollar ACH to give the bank the opportunity to verify the account. TD does send your account info with it, but it’s up to the bank to make sure the account is yours. They DON’T normally do that since ACH rules only require them to check that the account exists, hence, the risk of fraud.

If the bank is liable….well…good luck in trying to collect.

The big risk is what could happen if a crook gets your password.

On August 18th, 2006 Charles said:

The fact that the new TD is paperless does add somewhat to the security. In a way, your account # is as good as your password since no statements are sent. When you get your 1099’s at the end of the year or a statement, any crook with access to your mail can get your SS#, account# and everything else that is printed and they are good to go.

My local bank sent out last year’s 1099 with my SS# showing under my name thru the plastic window of the envelope :'(

On August 21st, 2006 Tom Adams said:

The problem with email notifications mentioned in this article has been fixed. I tested it this morning and received notifications at both the old and new address. For more information, see TreasuryDirect email notifications fixed.

Comments Closed

June 1, 2010

After six years, over 400 posts, 3,680 real comments, and over 90,000 spam comments (thank you, Akismet, for making managing a blog with comments possible), I am closing public comments on Savings-Bond-Advisor.com. I will continue to update the main articles on this site, but not the comments.

Virtually every question about Savings Bonds has been asked and answered on this site multiple times. Use the search feature (see the box in the gray area near the top of this page) or the detailed menu on the lower part of the home page to find the information you're looking for. If you have a copy of Savings Bond Advisor, you can ask me a question here.

Tom Adams
