Wall Street Journal questions TreasuryDirect security

Monday, July 10th, 2006
Categorized as: Treasury Direct

This weekend’s edition of The Wall Street Journal included the article Buying Treasuries Online: How Safe Is It? (non-subscriber link), by Eleanor Laise.

The article refers to our March 18 article TreasuryDirect refuses to confirm transactions, and quotes Dan Sadler, one of our readers who commented on that article.

Laise reports, “TreasuryDirect is dealing with security issues at a time when the financial services industry is struggling to fight a wave of online fraud. ‘There’s been a tremendous increase in the theft of information electronically,’ says Avivah Litan, an analyst at research and consulting firm Gartner Inc.”

Later in the article, Litan is quoted saying TreasuryDirect’s display of full bank account and Social Security numbers on some screens is an “antiquated security practice.”

Laise also reports that last year the Chairman of the House Government Reform Committee, Tom Davis (R. Va), wrote VanZeck, Commissioner of the Public Debt, about the inability to open TreasuryDirect accounts except by using the Internet. Security experts say an extra step, such as paperwork or a phone call, should be required to link a bank account to an investment account.

Laise also spoke with Stephen Meyerhardt, a spokesperson for the Treasury, who says that TreasuryDirect hasn’t experienced any security breaches. Meyerhardt also says the security of TreasuryDirect is constantly being improved and by next year will include masking of sensitive numbers, password entry on a virtual keyboard, and an extra layer of authentication in the login process.


9 Comments

On July 11th, 2006 tommy said:

The biggest problem is that there is inadequate verification that a specified linked bank account truly belongs to the account holder.
Another is the display of personal info and lack of email confirmations.

Other suggestions:
- disallow redemptions to a new bank account for a period of time while an email confirmation takes place.
- red flag behavior causes the account to be restricted. Ex. a change to email address, password, and bank info before a redemption.
- daily redemption limits.
- if the email address is changed, send a confirmation to the OLD address also.
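
The four controls suggested in the comment above, sketched as an added example (not part of the original post or comments, and not TreasuryDirect's code). The thresholds and the `Account`, `record_change`, `change_email` and `check_redemption` names are assumptions, and a fixed hold period stands in for the e-mail confirmation step:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed thresholds for illustration only.
NEW_BANK_HOLD = timedelta(days=7)    # stand-in for the e-mail confirmation period
RED_FLAG_WINDOW = timedelta(days=3)
DAILY_LIMIT = 10_000
RED_FLAG_SET = {"email", "password", "bank"}

@dataclass
class Account:
    email: str
    bank_linked_at: datetime
    changes: list = field(default_factory=list)      # (timestamp, kind)
    redemptions: list = field(default_factory=list)  # (timestamp, amount)
    restricted: bool = False

def record_change(acct, kind, now):
    acct.changes.append((now, kind))
    if kind == "bank":
        acct.bank_linked_at = now  # restarts the new-bank hold

def change_email(acct, new_email, now):
    """Apply the change and return every address that must be notified."""
    old, acct.email = acct.email, new_email
    record_change(acct, "email", now)
    return [old, new_email]  # the OLD address is told as well

def check_redemption(acct, amount, now):
    """Return (allowed, reason) for a redemption request made at `now`."""
    recent = {kind for t, kind in acct.changes if now - t <= RED_FLAG_WINDOW}
    if RED_FLAG_SET <= recent:
        acct.restricted = True  # email, password and bank all changed recently
    if acct.restricted:
        return False, "restricted: red-flag change pattern"
    if now - acct.bank_linked_at < NEW_BANK_HOLD:
        return False, "hold: bank account linked too recently"
    spent = sum(amt for t, amt in acct.redemptions if t.date() == now.date())
    if spent + amount > DAILY_LIMIT:
        return False, "daily redemption limit exceeded"
    acct.redemptions.append((now, amount))
    return True, "ok"
```

The restriction is sticky: once the red-flag pattern trips, redemptions stay blocked until the flag is cleared out of band.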

On July 12th, 2006 Dan said:

Agree completely with Tommy above.

It seems the e-mail notification is already automatic for some account changes at Treasury Direct, and it doesn’t seem like it would be a huge obstacle for those maintaining the website to add similar notifications for other account changes as a safety net.

The blocking out of sensitive information is paramount! I know of no other financial site that shows long-ago entered customers’ account numbers on screen. The online banks all show a line of X’s with the last 2-4 digits visible. Again, this is a simple change that I don’t think would be a huge expense or hassle for T.D. but would add considerable safety. With this one simple improvement, all of a sudden obtaining someone’s T.D. password would not also automatically provide access to SS#’s and any linked bank accounts!

On July 12th, 2006 Barry said:

It is good to know that this is getting exposure from the major media, so we can expose these flaws in Treasury Direct, and get them motivated to fix them.

On July 12th, 2006 Charles said:

Personally, I feel like I have more security with my Yahoo account than TD Electronic.

I signed up for the electronic account some time ago and never used it for all of the above reasons.

To add to the discussion, they should:

- Allow a longer stronger user password.

- Not allow the use of dummy email addresses like Yahoo, Hotmail etc.

- Get rid of overly simplistic security questions anyone can know the answer to like “what’s your mother’s maiden name” etc.

- Provide users an “option” to permanently NOT ALLOW transfers to any bank except the original account without signed, bank notarized, ID proven written consent.

On July 12th, 2006 bj said:

One thing they did right is to ask a security question before allowing to view/change your info. Since you rarely need to change this, there is little chance that a keylogger will capture it. BTW, use another (different) password as the answer to the question.

On July 14th, 2006 Dan said:

Charles,

By “dummy” e-mail, I assume you mean free, web-based e-mail, right?

I’m not sure I agree with this suggestion. My free Hotmail account is the only one I’ve had uninterrupted for the last decade. I use it for any recipients outside of people I know personally, and try my best to only use my work e-mail for work purposes. I would bet that a very significant number (if not a majority) of Internet users use their free, web-based e-mail address almost exclusively.

On July 19th, 2006 Shorty said:

I don’t know about the idea to ban “dummy” email accounts. For many people, a free web-based account is the only email account they have.

Myself, I have one “real” email account that I only give to personal friends. All online merchants and banks are given unique email accounts that are used only for communication with that merchant or bank.

This way, if any single email account is compromised, there is no effect on any of my other business.

On July 22nd, 2006 Paul said:

If you select a beneficiary when you buy a bond at TD, there’s a field for that person’s social security number. Is that required? It’s bad enough to put myself at risk for identity theft. I don’t want to put my family also at risk.

There’s a follow-up to this article today at TreasuryDirect enhances security features

Comments Closed

June 1, 2010

After six years, over 400 posts, 3,680 real comments, and over 90,000 spam comments (thank you, Akismet, for making managing a blog with comments possible), I am closing public comments on Savings-Bond-Advisor.com. I will continue to update the main articles on this site, but not the comments.

Virtually every question about Savings Bonds has been asked and answered on this site multiple times. Use the search feature (see the box in the gray area near the top of this page) or the detailed menu on the lower part of the home page to find the information you're looking for.

Tom Adams
