Treasury Direct Security Policies
rookie05 11-10-2005, 9:47 PM | Post #159411 | 
I am considering opening an acct with the new Treasury Direct (paperless) system to buy I-bonds and T-bills online. I was evaluating their security policies and am concerned about some of them. I sent email to their support and some of the replies make me nervous. Here are some of the excerpts.

Q:If the linked bank account information or mailing address is changed using the new Treasury Direct online account, are there any restrictions placed on redeeming/selling securities for a certain period?

A:We normally don't send anything by regular mail concerning these accounts. Since this is a paperless system, our normal means of communication with our account owner will be by e-mail. Banking information cannot be modified on the web without both the account number and password. There are no restrictions for completing transactions after banking information has been changed. We cannot overemphasize the importance of the account owner keeping his or her account number and password secure.

Q:Is the new online account locked as a precaution, if multiple unsuccessful login attempts are made in a short interval of time?

A:After 3 unsuccessful attempts to access your account, it is locked and a telephone number is provided requesting the account owner call us. When you call, you must answer the three security questions that you answered when you opened the account, before we will unlock it.

Q:If the password was compromised (despite account holder taking all safeguards) due to a hacker doing a brute-force attack on the account, is there any way to dispute any unauthorized transactions performed on the account?

A:The regulations governing TreasuryDirect state that we are not liable for any interception of electronic data or communication. Appropriate safeguards are in place that meet or exceed industry standards. If you are not comfortable with our system's security, you can still continue to purchase paper savings bonds at any financial institution which participates in the Savings Bond program.

Here's some more info from the reply email from TD.

===
Regulations governing TreasuryDirect (31 CFR Part 363) state the following in regards to liability and unauthorized access:

Who is liable if someone else accesses my New TreasuryDirect account using my password?
You are solely responsible for the confidentiality and use of your password. We will treat any transactions conducted using your password as having been authorized by you. We are not liable for any loss, liability, cost or expense that you may incur as a result of transactions made using your password.

Is Public Debt liable if the electronic transmission of my data is intercepted?
We are not liable for any interception of electronic data or communication.
===

So everything rides on your account password. I will try my best to create a strong password and keep it secure (not write it down anywhere, not tell anyone etc.) However, if that is compromised, the attacker can change the email address and proceed to do whatever he wants to do with the account. Even if I file a police complaint and it gets proven that I was the victim, there is no way to get TD to return any lost money.

I know a lot of folks on this forum have invested in I-bonds using this system. Are you not concerned by this set of policies?

At the least, TD can do the following:

1. send printed letters to the mailing address for the following account actions: change in email ID, change in address, change/addition of linked bank account etc.

In addition, the following should be considered.

2. place restrictions in redeeming/selling securities for some time after an address change.
3. some dispute-resolution mechanism when complaints of fraud are reported.

Is there an effective way to let TD know of such suggestions? I think if I write to them, it will probably be ignored and boilerplate responses given (like they use 128-bit encryption, their servers are secure, the system is unbreakable, you should keep password secure etc. etc.)

What are your thoughts?

Regards,
rookie

Originally posted in thread: 45135
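As an added example (not code from the post or from TreasuryDirect), a small Python model of the three controls rookie asks for: lockout after three failed logins, a notice to the previous contact on any e-mail or bank change, and a redemption hold after such a change. The 7-day hold, the reference time T0 and the sample account values are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed parameters (not TreasuryDirect settings): the 3-attempt lockout is what the
# post reports; the 7-day hold and the reference time T0 are hypothetical.
MAX_FAILED_LOGINS = 3
HOLD_PERIOD = timedelta(days=7)
T0 = datetime(2005, 11, 10, 21, 47)


@dataclass
class Account:
    password: str
    email: str
    bank_account: str
    failed_logins: int = 0
    locked: bool = False
    hold_until: Optional[datetime] = None
    notices: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, message)

    def login(self, attempt: str) -> bool:
        # Lock after MAX_FAILED_LOGINS consecutive wrong passwords; stays locked until unlocked by phone.
        if self.locked:
            return False
        if attempt == self.password:
            self.failed_logins = 0
            return True
        self.failed_logins += 1
        self.locked = self.failed_logins >= MAX_FAILED_LOGINS
        return False

    def change_contact(self, field_name: str, new_value: str, now: datetime) -> None:
        # Notify the OLD contact so the real owner sees an unwanted change, then hold redemptions.
        old_value = getattr(self, field_name)
        setattr(self, field_name, new_value)
        self.notices.append((old_value, f"{field_name} changed at {now.isoformat()}"))
        self.hold_until = now + HOLD_PERIOD

    def can_redeem(self, now: datetime) -> bool:
        return not self.locked and (self.hold_until is None or now >= self.hold_until)


def run_scenario() -> dict:
    # The post's worry: e-mail and bank details are changed, then a redemption is attempted.
    acct = Account(password="pw", email="owner@example.com", bank_account="BANK-OWNER")
    acct.change_contact("email", "new@example.com", T0)
    acct.change_contact("bank_account", "BANK-NEW", T0 + timedelta(hours=1))
    return {"same_day": acct.can_redeem(T0 + timedelta(hours=2)),
            "after_hold": acct.can_redeem(T0 + timedelta(hours=1) + HOLD_PERIOD),
            "first_notice_to": acct.notices[0][0], "notice_count": len(acct.notices)}
```

The redemption attempted on the day of the change is refused, and the notice goes to the owner's original address rather than the newly entered one.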
    © Copyright 2010 Morningstar, Inc. All rights reserved. Please read our Terms of Use and Privacy Policy.