My (general) contacts with Treasury Direct re loss & liability

beardsworth
Posts: 1980
Joined: Fri Jun 15, 2007 4:02 pm

Post by beardsworth » Thu Aug 10, 2017 8:47 am

I’m posting this in order to share information which may be of interest to other forum participants who buy securities, in particular I Bonds (U.S. Savings Bonds, Series I) through Treasury Direct. And the story is rather long because it involved multiple rounds of communication with Treasury.

I would appreciate it if any posted replies did not speculate on the actual likelihood of theft at Treasury Direct; or whether I myself “worry too much” about losing money there; or whether I Bonds themselves are a worthwhile investment. That’s not the point of my post. I do buy securities through Treasury Direct. But it also somewhat creeps me out, because it seems uncomfortably “virtual,” i.e., it’s the only financial entity I’ve ever dealt with that never self–initiates any communication with me, for the record, about activity in the account, or even about the existence of my holdings.

I began this correspondence, which would eventually spread over many months, by sending an e-mail to Treasury Direct itself. I quoted a statement previously made on this forum by Mel Lindauer, a Bogleheads book author, forum moderator, and probably the forum’s main popularizer of, and educator about, I Bonds:
Mel Lindauer wrote: with paper Savings Bonds, if they're lost [or] stolen . . . Treasury will make you whole, but if someone cleans out your TD account, you're simply out of luck and have no recourse.
And I asked Treasury Direct: “Is this true?” I said I was referring specifically to a situation in which a loss occurred in a customer account due to some breach or hacking or other shortcoming in Treasury Direct’s own systems but which the customer did absolutely nothing to permit or enable through any compromise of his/her log-in credentials, i.e., there was no way in which the customer could be viewed as at-fault in the loss. I also noted that, because Treasury Direct itself does not issue any direct account communications to the customer (no purchase or redemption confirmations, no periodic statements, no year–end tax forms)(i.e., the burden is on the customer to print all of these from the website), a Treasury Direct customer wouldn’t even have a way, other than compulsive online account-checking, of knowing, in real time, when any strange activity on the account was even occurring.

I received a form reply stating that the customer was responsible for the use made of his log-in credentials and for safeguarding them.

I e-mailed again and said this was not responsive to the question asked; that I had never doubted the customer’s obligation to do everything possible to protect his credentials; that I'd already made clear that I was asking about a situation in which the customer bore no fault or responsibility; and that I was asking about Treasury Direct’s liability for losses caused, or not prevented, by Treasury Direct itself. I repeated the Lindauer quote above and again asked “Is this true?” I then rephrased it in the opposite way and asked if there were any circumstances under which Treasury Direct would make a customer whole for losses which were in no way the customer’s fault––and, if so, what were those circumstances?

I received another form e-mail assuring me that customer security was of the utmost importance to Treasury, and that the institution regularly looked for ways to make its site even more secure.

Well, that wasn’t responsive to the specific question, either.

I decided to “go to the top.” I sent a postal letter to the Secretary of the Treasury. I noted the previous e-mail correspondence, then repeated the Lindauer quote and my own would-Treasury-ever-make-a-customer-whole follow-up question, and I emphasized that “These are yes-or-no questions. Please answer ‘yes’ or ‘no.’”

Months passed, during which, following a change of administrations, I also sent that letter to more than one Treasury Secretary.

Finally I received a form postal letter from Treasury Securities Services in Minneapolis. It said: “The Government Loss in Shipment Act (GLSA) covers the loss/theft of United States Savings Bonds, whether in paper form or electronic form. If a Treasury Direct owner has his/her savings bonds stolen out of his/her account (and the claim is examined, validated, and approved for relief) the Treasury Department will compensate him/her for the loss. Please let us know if we can be of further service.”

I'd never heard of that law. As its name suggests, its language pertains to securities and other valuables lost or stolen while being shipped.

http://uscode.house.gov/view.xhtml?path ... ion=prelim

https://www.treasurydirect.gov/faq_glsf.htm

So, while Treasury Direct assures users that this law applies, which is good to know, it still seems a bizarre outcome, since statement-less electronic Savings Bonds are the very opposite of physical items being "shipped." And while it’s only reasonable to expect a government agency, or any business, to pay only those loss claims which are legitimate, the requirement that a claim concerning almost–virtual electronic Savings Bonds must be “examined, validated, and approved for relief,” by the Treasury, seems to provide a very large amount of wiggle room.

So, there you have it. Knowing that Treasury Direct procedures and security issues have been the subjects of other threads on this forum, I just offer the results of my own correspondence for anyone else interested.

lazyday
Posts: 3015
Joined: Wed Mar 14, 2007 10:27 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by lazyday » Thu Aug 10, 2017 9:11 am

Thanks for sharing this.
When valuables that have been shipped in accordance with regulations are lost, destroyed, or damaged a claim in writing for replacement shall be made on the Secretary of the Treasury.
(2) Shipment.—The term "shipment"—
(A) means the transportation, or the effecting of transportation, of valuables, without limitation as to the means or facilities used or by which the transportation is effected or the person to whom it is made; and
(B) includes shipments made to any executive department, independent establishment, agency, wholly owned or mixed-ownership Government corporation, officer, or employee of the Federal Government, or any person acting on behalf of, or at the direction of, the executive department, independent establishment, agency, wholly or partly owned Government corporation, officer, or employee.
hmmm

So if someone fraudulently clears the account, does that effect transportation of your valuables in accordance with regulations?

Mel, did you have a source on this issue? I couldn't find any with a quick google.

Grt2bOutdoors
Posts: 17256
Joined: Thu Apr 05, 2007 8:20 pm
Location: New York

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Grt2bOutdoors » Thu Aug 10, 2017 9:16 am

As of June 30, 2017 there is approximately $520,826,995 in various series of Savings Bonds outstanding. Of those outstanding, $384,367,775 were of the EE series and $106,859,564 were of the I series; the remaining amounts outstanding are of various series. I would find it hard to believe that the US Treasury would not make a legal, valid account holder of securities "whole" if things were found to be in proper order and theft/fraud was through no fault of their own. Not doing so would subject the US Treasury to difficulty in raising funds through public debt issuances that are by and large made via book-entry system. The Treasury Direct portal is one such "book-entry" system.
"One should invest based on their need, ability and willingness to take risk - Larry Swedroe" Asking Portfolio Questions

flamesabers
Posts: 1572
Joined: Fri Mar 03, 2017 12:05 pm
Location: Rochester, MN

Re: My (general) contacts with Treasury Direct re loss & liability

Post by flamesabers » Thu Aug 10, 2017 9:34 am

Could you not use FS Form 1048 to claim the loss of electronic savings bonds? The title of the form is Claim for Lost, Stolen, or Destroyed United States Savings Bonds. Granted, the form was intended for paper savings bonds, but I don't see anywhere on the form that precludes using the form to reclaim the loss of electronic savings bonds.

Nate79
Posts: 1453
Joined: Thu Aug 11, 2016 6:24 pm
Location: Portland, OR

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Nate79 » Thu Aug 10, 2017 9:57 am

Perhaps transportation includes electric form as well?

Osp62
Posts: 98
Joined: Sat Oct 04, 2014 9:25 am

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Osp62 » Sat Aug 12, 2017 9:40 pm

Beardsworth, until fall 2016, I used to have almost one third of my assets at Treasury Direct and started getting concerned about their willingness to make you whole in the event of some online hacking or fraud. I read the account agreement, then talked to several customer support representatives and then was also connected to a lawyer. They all essentially said that the account agreement clearly states that TD is not responsible for any online hacking or fraud. Had three or four discussions with these people and the more I talked to them, esp. the lawyer, the more uncomfortable I got. Around that time there were also media stories about hacking of private companies and I realized that the online hacking risk was too high for an entity like TD when much more sophisticated private companies were getting hacked. Given their complete refusal to even discuss the possibility of TD compensating a customer in the event of any type of online fraud, I did not see why I should keep any assets with them.

I decided to transfer all my Treasuries to another entity and now I definitely feel much more comfortable not having any assets with TD.

Dead Man Walking
Posts: 509
Joined: Wed Nov 07, 2007 6:51 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Dead Man Walking » Sun Aug 13, 2017 12:22 am

I read the terms of a Treasury Direct account when the Treasury stopped issuing paper bonds. I decided that a TD account was too risky for me. Mel's comments reinforced my decision. My younger friends and relatives think that I am paranoid.

DMW

lazyday
Posts: 3015
Joined: Wed Mar 14, 2007 10:27 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by lazyday » Sun Aug 13, 2017 5:56 am

Osp62 wrote:
Sat Aug 12, 2017 9:40 pm
I read the account agreement, then talked to several customer support representatives and then was also connected to a lawyer. They all essentially said that the account agreement clearly states that TD is not responsible for any online hacking or fraud.
https://www.treasurydirect.gov/terms.htm

My bold:
5. YOUR ACCOUNT

If you use this site, you are responsible for maintaining the confidentiality of your account, password and for restricting access to your computer. You also agree to assume responsibility for all activities that occur under any account or password that you maintain for electronic commerce with Treasury or Fiscal Service. TreasuryDirect.gov, fiscal.treasury.gov and all other websites operated by Fiscal Service do not sell products to minors. If you are under 18, you may use TreasuryDirect.gov only with involvement of a parent or guardian. TreasuryDirect.gov, fiscal.treasury.gov, and all other websites operated by Fiscal Service reserve the right to refuse service, terminate accounts, remove or edit content, or cancel purchases in their sole discretion.
Also see "3. DISCLAIMER OF LIABILITY AND WARRANTIES". I'm not a lawyer, can't say if it means that the site doesn't have to protect against hackers.

lazyday
Posts: 3015
Joined: Wed Mar 14, 2007 10:27 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by lazyday » Sun Aug 13, 2017 6:12 am

For PAPER savings bonds:

https://www.treasurydirect.gov/indiv/re ... q.htm#lost
We can replace your savings bonds if we can establish that a person entitled to cash the bonds hasn't done so.
There may be a better source, found that one quickly.

beardsworth
Posts: 1980
Joined: Fri Jun 15, 2007 4:02 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by beardsworth » Sun Aug 13, 2017 7:30 am

The language quoted by lazyday, two posts above, concerning the Treasury Direct customer's responsibility for the use of his/her log-in credentials, is plain in the site's terms of use. That's why, as noted in my original post which started this thread, my inquiries to Treasury specified a loss situation in which the customer bore no fault for compromising access to the account but a loss was nevertheless suffered by the customer as a result of hacking or other failure or shortcoming in Treasury's own systems which allowed, or at least failed to prevent, a loss.

As I've pondered the answer Treasury finally sent me, i.e., that an obscure law about the "shipping" of federal securities and valuables applies to electronic I Bonds which haven't actually been "shipped" anywhere at all, the following questions continue to bother me:

• Why aren't the existence of that law, and that recourse for losses, ever mentioned in Treasury Direct's online terms of use?

• Why did I have to "pull teeth," corresponding with Treasury four times, before that law was ever mentioned? The applicability of that law could, after all, have been revealed in the very first e-mail reply I got from Treasury, so let's say, charitably, that Treasury was not exactly eager to be forthcoming about it.

• Assuming that there are customers who have suffered losses from their Treasury Direct accounts (and this may or may not be the case), has this law ever been used successfully by a customer who suffered a Treasury Direct account loss which was in no way his/her fault but who nevertheless managed to find out about the law through no help from Treasury Direct? Since this law puts the burden on the customer to file a loss claim, and then gives Treasury the authority to determine whether a claim against Treasury itself is valid, has it ever done so? Of course, I have no answer.

In both psychological and financial terms, I'm still where I was in the opening paragraph of the thread, and also where I was before I ever wrote to Treasury: Other than the small exception for getting up to $5,000 of federal tax refund in the form of paper I Bonds, an electronic account is currently the only way to buy them. My wife and I both have Treasury Direct accounts, but it creeps us out, and we have an ongoing debate over whether we should get out, precisely because of such loss liability concerns and the obligation placed on the customer to create a paper trail (for the benefit of heirs or an executor, for example) documenting that the bond holdings even exist.

One thing is clear to me: The publicly stated reason for Treasury's switch from paper to electronic was to save tax money spent on printing, storing, and mailing paper bonds. And I'm sure it did so. But, to whatever extent Treasury does not make the customer whole for account losses of electronic bonds in the same way as for loss or theft of paper bonds, then a second effect of the paper-to-electronic switch was also to offload that degree of liability from the issuer to the buyer. And it seems quite bizarre that paper bonds, which are in the physical possession of the buyer, will be replaced by Treasury if lost or stolen, while electronic bonds, which are actually in the custody of Treasury itself, may or may not.

* * *
Edited to correct proofreading error.
Last edited by beardsworth on Thu Sep 28, 2017 1:31 am, edited 1 time in total.

FIREchief
Posts: 1417
Joined: Fri Aug 19, 2016 6:40 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by FIREchief » Sun Aug 13, 2017 4:15 pm

OP - thanks for starting this thread. I'm shocked by what I've read so far. Fortunately, I no longer hold any EE or I bonds, and my individual treasuries are held at my brokerage. Scary stuff.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.

Avo
Posts: 1097
Joined: Wed Jun 11, 2008 2:21 am
Location: California

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Avo » Sun Aug 13, 2017 5:11 pm

beardsworth wrote:
Thu Aug 10, 2017 8:47 am
Treasury Direct itself does not issue any direct account communications to the customer (no purchase or redemption confirmations, no periodic statements, no year–end tax forms)
I receive an email from them whenever one of my EE bonds matures.

weltschmerz
Posts: 271
Joined: Thu Jul 30, 2009 9:17 pm
Location: SoCal

Re: My (general) contacts with Treasury Direct re loss & liability

Post by weltschmerz » Sun Aug 13, 2017 7:06 pm

Osp62 wrote:
Sat Aug 12, 2017 9:40 pm
I decided to transfer all my Treasuries to another entity and now I definitely feel much more comfortable not having any assets with TD.
I did something similar earlier this year. Sold my meager TD holdings and transferred them out. It's not that I ever had any problems with TD, I just wanted to simplify my assets, and so that account went on the chopping block. I prefer to keep my assets with actual businesses that issue account statements and value me as a customer. TD is a government service, I'm sure they don't even miss me.

friar1610
Posts: 1033
Joined: Sat Nov 29, 2008 9:52 pm
Location: MA South Shore

Re: My (general) contacts with Treasury Direct re loss & liability

Post by friar1610 » Sun Aug 13, 2017 8:57 pm

Beardsworth,

Thank you for starting this thread. This week I plan to go through the thread in more detail, copy TD's rules, etc. and put together a letter to one of my senators asking why TD is able to exempt itself from any responsibility for our money if their site gets hacked. She is supposed to be a big-time consumer advocate and champion of financial reform so it will be interesting to see what she has to say. I don't really expect anything to come of it but it will make me, with a big chunk of electronic I-Bonds, feel better.
Friar1610

lazyday
Posts: 3015
Joined: Wed Mar 14, 2007 10:27 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by lazyday » Mon Aug 14, 2017 3:11 am

beardsworth wrote:
Sun Aug 13, 2017 7:30 am
My wife and I both have Treasury Direct accounts, but it creeps us out, and we have an ongoing debate over whether we should get out, precisely because of such loss liability concerns and the obligation placed on the customer to create a paper trail (for the benefit of heirs or an executor, for example) documenting that the bond holdings even exist.
The problem for heirs is another issue with TD, though I suppose it can be reduced with an In Case of Death folder that they know about. If you pay taxes on TD holdings, it would also appear in your returns. Of course, as you say, they will not get any statements by snail mail, including tax statements.

On your concern for loss: I view this as one of many risks in investing. It would be convenient to convert my paper savings bonds to electronic, but I don't because of this risk. Others might find the risk so insignificant that it's worth converting to make things simpler. I do purchase the max amount of I bonds each year, in spite of this risk.

If you log in to TD and try to link a new bank account, I think you'll find it a bit of a challenge. If either someone you know or an unknown hacker tries to steal your bonds, they will probably have difficulty getting the cash, unless they also have access to your linked bank. So I view the risk as quite small.

EDIT: Adding a new bank no longer requires a snail mail form with medallion guarantee. Just tried this and was only required to answer a security question. Also was sent an email warning that a change was made.
Last edited by lazyday on Mon Nov 06, 2017 4:20 pm, edited 1 time in total.

sophie1
Posts: 53
Joined: Thu Apr 18, 2013 1:58 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by sophie1 » Fri Nov 03, 2017 7:12 am

Taking beardsworth's advice to revive this thread rather than to derail a thread about the I Bond fixed rate...

I've assumed that the best protection you have with Treasury Direct is that a link to a bank account can only be made by submitting a form with a medallion signature guarantee. How easy is it to fake one of those, and will Treasury Direct reliably check each stamp? I do know that a notary signature is laughably easy to fake. A member of my mother's church provided notary services for around 40 years before it was discovered that after her original notary license expired sometime in the 1960s, she bought new stamps at Staples and carried on. She didn't know she had to renew it, and it took that long before anyone checked.

A medallion signature requires that the bank or brokerage providing it have a relationship with the person requesting it, although it would of course be easy to open an account online and then come in the next day with a driver's license to get the stamp. Not something you can easily do from, say, Romania. Also I assume TD would alert you by email to any change in the account (hopefully not by some method that ends up in a spam folder).

fipt2030
Posts: 49
Joined: Tue Oct 03, 2017 8:09 am

Re: My (general) contacts with Treasury Direct re loss & liability

Post by fipt2030 » Fri Nov 03, 2017 7:51 am

lazyday wrote:
Mon Aug 14, 2017 3:11 am
beardsworth wrote:
Sun Aug 13, 2017 7:30 am
My wife and I both have Treasury Direct accounts, but it creeps us out, and we have an ongoing debate over whether we should get out, precisely because of such loss liability concerns and the obligation placed on the customer to create a paper trail (for the benefit of heirs or an executor, for example) documenting that the bond holdings even exist.
The problem for heirs is another issue with TD, though I suppose it can be reduced with an In Case of Death folder that they know about. If you pay taxes on TD holdings, it would also appear in your returns. Of course, as you say, they will not get any statements by snail mail, including tax statements.

On your concern for loss: I view this as one of many risks in investing. It would be convenient to convert my paper savings bonds to electronic, but I don't because of this risk. Others might find the risk so insignificant that it's worth converting to make things simpler. I do purchase the max amount of I bonds each year, in spite of this risk.

If you log in to TD and try to link a new bank account, I think you'll find it a bit of a challenge. If either someone you know or an unknown hacker tries to steal your bonds, they will probably have difficulty getting the cash, unless they also have access to your linked bank. So I view the risk as quite small.
Thank you for that reasoning. I am about to start my hopefully 50-year relationship with TD (EE and I bond). The above concerns on this thread gave me pause.

Phineas J. Whoopee
Posts: 6698
Joined: Sun Dec 18, 2011 6:18 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Phineas J. Whoopee » Fri Nov 03, 2017 6:04 pm

sophie1 wrote:
Fri Nov 03, 2017 7:12 am
...
I've assumed that the best protection you have with Treasury Direct is that a link to a bank account can only be made by submitting a form with a medallion signature guarantee. ...
I'm afraid that's no longer the case. Today you can simply add a bank account, with identical registration of course, online.
PJW

Call_Me_Op
Posts: 6581
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Call_Me_Op » Sat Nov 04, 2017 7:12 am

This is a very relevant and timely thread for me, as I only recently became aware of TD's stated policy. Needless to say, I am very concerned, and I am considering transferring my assets out of there. It is a shame, because I really like IBonds.
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

samsoes
Posts: 437
Joined: Tue Mar 05, 2013 9:12 am

Re: My (general) contacts with Treasury Direct re loss & liability

Post by samsoes » Sat Nov 04, 2017 7:45 am

Call_Me_Op wrote:
Sat Nov 04, 2017 7:12 am
This is a very relevant and timely thread for me, as I only recently became aware of TD's stated policy. Needless to say, I am very concerned, and I am considering transferring my assets out of there. It is a shame, because I really like IBonds.
Agreed. The only thing holding me back is the 1.1% fixed rate on the pile of bonds I bought in the early 2000's, and regrettably converted them to electronic format at TD a short time later. That I-Bond fixed rate is looooong gone, not likely to be seen again anytime soon!
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. (Avatar is the statue of Gen. Warren at Little Round Top @ Gettysburg National Military Park.)

mpsz
Posts: 171
Joined: Sat Jan 09, 2016 7:11 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by mpsz » Sat Nov 04, 2017 8:56 am

Thanks for sharing. This is pretty scary, especially since the TD site uses that stupid click-keyboard to log in and it's difficult to use a long, random password.

I'll likely switch to paper I-bonds... seems to be no downside to doing this (except for overpaying taxes temporarily) since the bonds can always be converted to electronic at a later date if TD switches to a more modern/sane fraud policy.

beardsworth
Posts: 1980
Joined: Fri Jun 15, 2007 4:02 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by beardsworth » Sat Nov 04, 2017 10:02 am

mpsz wrote:
Sat Nov 04, 2017 8:56 am
Thanks for sharing. This is pretty scary, especially since the TD site uses that stupid click-keyboard to log in and it's difficult to use a long, random password.

I'll likely switch to paper I-bonds... seems to be no downside to doing this (except for overpaying taxes temporarily) since the bonds can always be converted to electronic at a later date if TD switches to a more modern/sane fraud policy.
It's not clear whether you're under the impression that you can buy the same amount of paper I Bonds each year as you can of online I Bonds, i.e., that it's simply a matter of choosing between the two "formats." You cannot. The only way that I Bonds can still be purchased in paper form is by filing Form 8888 with your federal tax return in order to allocate a maximum of $5,000 of federal tax refund to be received as paper I bonds. And that $5,000 is per tax return, not per person, i.e., the amount is not increased for married filers or dependents listed on the return. It's never been clear how long this option will last, i.e., whether it's going to be a permanent feature, or is just the government's way of using up leftover paper bonds until the supply is gone.

Some people intentionally overpay their federal estimated tax in order to get that $5,000 of paper I Bonds, because they consider $5,000 to be better than none, and the $5,000 does still increase the maximum (paper + online combined) which can be bought each year. But that tax refund mechanism is the sole exception to the requirement that I Bonds must otherwise be bought through an online account at Treasury Direct.
Last edited by beardsworth on Sat Nov 04, 2017 10:09 am, edited 1 time in total.

mpsz
Posts: 171
Joined: Sat Jan 09, 2016 7:11 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by mpsz » Sat Nov 04, 2017 10:07 am

beardsworth wrote:
Sat Nov 04, 2017 10:02 am
It's not clear whether you're under the impression that you can buy the same amount of paper I Bonds each year as you can of online I Bonds, i.e., that it's simply a matter of choosing between the two "formats." You cannot. The only way that I Bonds can still be purchased in paper form is by filing Form 8888 with your federal tax return in order to allocate a maximum of $5,000 (per tax return, not per person) of federal tax refund to be received as paper I bonds.

Some people intentionally overpay their federal estimated tax in order to get that $5,000 of paper I Bonds, because they consider $5,000 to be better than none, and the $5,000 does still increase the maximum (paper + online combined) which can be bought each year. But that tax refund mechanism is the sole exception to the requirement that I Bonds must otherwise be bought through an online account at Treasury Direct.
I'm aware of those caveats, but this is a good reminder. I'm intending to purchase well below $5k in I-bonds per year.

Thanks

Phineas J. Whoopee
Posts: 6698
Joined: Sun Dec 18, 2011 6:18 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Phineas J. Whoopee » Sat Nov 04, 2017 1:19 pm

mpsz wrote:
Sat Nov 04, 2017 8:56 am
Thanks for sharing. This is pretty scary, especially since the TD site uses that stupid click-keyboard to log in and it's difficult to use a long, random password.
...
That stupid click-keyboard prevents keyloggers, should you be infected with one, from learning your password.

Some years ago there was a physical card with codes on it, a second authentication factor, which people here derided as "the secret decoder ring." In response TD replaced it with less-secure email.

I do not understand the hostility people have toward security measures that keep them safer than if the measures weren't in place.

Especially in a thread about not feeling secure.

PJW

dual
Posts: 447
Joined: Mon Feb 26, 2007 7:02 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by dual » Sat Nov 04, 2017 1:41 pm

What are the alternatives for my electronic I-bonds to keeping them at TreasuryDirect?

Five minutes on the wiki and a search engine indicates that the only alternative is to sell them.

Correct?

llama
Posts: 67
Joined: Wed Dec 23, 2015 1:41 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by llama » Sat Nov 04, 2017 1:45 pm

mpsz wrote:
Sat Nov 04, 2017 8:56 am
Thanks for sharing. This is pretty scary, especially since the TD site uses that stupid click-keyboard to log in and it's difficult to use a long, random password.
I use a long, random password for TD and paste it in from my password manager software by using my browser to edit the page's HTML to remove the readonly="readonly" attribute from the input box.

Phineas J. Whoopee
Posts: 6698
Joined: Sun Dec 18, 2011 6:18 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Phineas J. Whoopee » Sat Nov 04, 2017 1:50 pm

dual wrote:
Sat Nov 04, 2017 1:41 pm
What are the alternatives for my electronic I-bonds to keeping them at TreasuryDirect?

Five minutes on the wiki and a search engine indicates that the only alternative is to sell them.

Correct?
Yes, that's correct. Savings bonds can only be held directly with the treasury, and can't be held via anybody else. It's true of paper as well as electronic, but some people are more comfortable with physically printed savings bonds.
PJW
Last edited by Phineas J. Whoopee on Sat Nov 04, 2017 2:14 pm, edited 1 time in total.

TheTimeLord
Posts: 4897
Joined: Fri Jul 26, 2013 2:05 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by TheTimeLord » Sat Nov 04, 2017 1:52 pm

Phineas J. Whoopee wrote:
Fri Nov 03, 2017 6:04 pm
sophie1 wrote:
Fri Nov 03, 2017 7:12 am
...
I've assumed that the best protection you have with Treasury Direct is that a link to a bank account can only be made by submitting a form with a medallion signature guarantee. ...
I'm afraid that's no longer the case. Today you can simply add a bank account, with identical registration of course, online.
PJW
I would assume you would be notified with an email confirmation if your bank account or email address was changed. Am I correct to assume that, providing you monitor your email, they would need to discern your password, hijack your email, change your email and change your bank account with you noticing to transfer money out?
Run, You Clever Boy! 8723

Phineas J. Whoopee
Posts: 6698
Joined: Sun Dec 18, 2011 6:18 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by Phineas J. Whoopee » Sat Nov 04, 2017 2:06 pm

TheTimeLord wrote:
Sat Nov 04, 2017 1:52 pm
Phineas J. Whoopee wrote:
Fri Nov 03, 2017 6:04 pm
sophie1 wrote:
Fri Nov 03, 2017 7:12 am
...
I've assumed that the best protection you have with Treasury Direct is that a link to a bank account can only be made by submitting a form with a medallion signature guarantee. ...
I'm afraid that's no longer the case. Today you can simply add a bank account, with identical registration of course, online.
PJW
I would assume you would be notified with an email confirmation if your bank account or email address was changed. Am I correct to assume that, providing you monitor your email, they would need to discern your password, hijack your email, change your email and change your bank account with you noticing to transfer money out?
They could also hack your linked bank account.

I don't know about Treasury Direct email notifications. My practice is to log in to every place where I have substantial assets to be sure we agree, and to verify security items like address (for possible paper checks) and linked bank accounts, weekly. I know some people won't want to do such a thing.

I personally think TD's security is pretty good, but I don't think anybody's is perfect, which is why I log in everywhere weekly. I look at my checking account balance, to see if we agree, daily because that's probably my most hackable, stealable, and least easy to recover from pocket that can be picked.

Some people don't want to lock their door, or carry a key, because they believe it shouldn't be their responsibility to manage their home's physical security. It should be somebody else's responsibility. Different strokes for different folks.

PJW

mpsz
Posts: 171
Joined: Sat Jan 09, 2016 7:11 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by mpsz » Sun Nov 05, 2017 3:29 pm

Phineas J. Whoopee wrote:
Sat Nov 04, 2017 1:19 pm
That stupid click-keyboard prevents keyloggers, should you be infected with one, from learning your password.
...
I do not understand the hostility people have toward security measures that keep them safer than if the measures weren't in place.
I stand by what I said.

The click keyboard does protect against keyloggers... sure. However, it does not protect against someone observing you logging in, whether this is somebody standing over your shoulder or screen monitoring software. If your computer is compromised to the point you have a keylogger installed, you could also have screen monitoring software installed.

A traditional password field is not vulnerable to being observed, because the attacker would see just dots or asterisks on the screen. With TD, they see which button you clicked.

As such, since the stupid click keyboard closes one attack door, opens a new attack door, and makes it more difficult to use a secure password in the first place, it's complete baloney. It reduces the overall security of the TD platform. There's a reason no other sites do this.

lazyday
Posts: 3015
Joined: Wed Mar 14, 2007 10:27 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by lazyday » Mon Nov 06, 2017 4:23 pm

Phineas J. Whoopee wrote:
Fri Nov 03, 2017 6:04 pm
Today you can simply add a bank account, with identical registration of course, online.
Thanks, wasn't aware of this change.

TD required my answer to a security question, and sent me an email warning that a change had been made. I haven't tried the new linked bank yet so don't know if there's anything else.

leehsm
Posts: 70
Joined: Sat Nov 28, 2009 5:42 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by leehsm » Mon Nov 06, 2017 7:25 pm

Is there a way I can sell, or move my TD I bonds to another financial institution without being hit with taxes on the interest earned over the past 8 years? Thanks

beardsworth
Posts: 1980
Joined: Fri Jun 15, 2007 4:02 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by beardsworth » Mon Nov 06, 2017 8:30 pm

leehsm wrote:
Mon Nov 06, 2017 7:25 pm
Is there a way I can sell, or move my TD I bonds to another financial institution without being hit with taxes on the interest earned over the past 8 years? Thanks
If your mention of "selling" your I Bonds refers to redeeming them, then you could deposit the cash proceeds in whatever financial institution you wish (bank, credit union, mutual fund), but you'd owe federal (although not state) income taxes on the accrued interest in the tax year of the redemption. (I won't deal here with separate tax rules about using I Bonds for children's education, or other special situations.)

With regard to your mention of "moving" them, the answer is no, because they can't be moved. I Bonds are not marketable securities and can't be held in any brokerage situation or third-party custodial institution. You can hold them personally in paper form (if you originally bought them that way), or you can hold them in electronic form on the "books" of Treasury Direct. That's it.

TravelGeek
Posts: 1245
Joined: Sat Oct 25, 2014 3:23 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by TravelGeek » Tue Nov 07, 2017 1:44 am

Phineas J. Whoopee wrote:
Sat Nov 04, 2017 2:06 pm

I personally think TD's security is pretty good, but I don't think anybody's is perfect, which is why I log in everywhere weekly. I look at my checking account balance, to see if we agree, daily because that's probably my most hackable, stealable, and least easy to recover from pocket that can be picked.
What I see when I log into a site like TD (or Vanguard or Fidelity or redneck bank or ...) is just the tip of the iceberg of their software. Not necessarily a good way to judge the overall system security based on the login screen and other security mechanisms. E.g., a site might have strict password rules, require 2FA, and store the passwords in clear text and I would never know. Sites might also not have the latest updates and security patches applied. Large well-known companies have had hacks that revealed surprisingly bad practices (I look at you, LinkedIn and Equifax).

That said, I think TD was one of the first financial sites that forced me to use 2FA with their physical code card.

I don’t mind the on-screen keyboard. Small inconvenience and some additional protection (since it isn’t common practice, screen recording tools are also less common than keystroke loggers).

What this thread is really about, though, is what happens when my account gets emptied out without the use of my credentials.

beardsworth
Posts: 1980
Joined: Fri Jun 15, 2007 4:02 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by beardsworth » Tue Nov 07, 2017 7:08 am

TravelGeek wrote:
Tue Nov 07, 2017 1:44 am

What this thread is really about, though, is what happens when my account gets emptied out without the use of my credentials.
OP here.

Thanks for making that point, TravelGeek.

That is indeed what I intended the thread to be about when I started it, and that's also why my own correspondence with Treasury, described in the opening post, focused on the issue of whether, or how much, Treasury accepts any liability or responsibility to make-whole in case of hacking and other potential situations in which the Treasury Direct customer did nothing to enable an account loss. And I also expressed the wish, in the original post, that responses not debate the likelihood of theft from a Treasury Direct account.

Of course, no OP can "control" the subsequent course of a thread, and give-and-take dialogue is natural. But I hope that further responses in the thread can be kept on-topic and not get diverted into personal opinions about Treasury Direct's log-in system, or general discussions about personal security practices in people's financial lives. There were already plenty of those elsewhere on this Bogleheads forum. This one was intended to be about Treasury Direct's own policy in the event of customer losses, i.e., what Treasury Direct does, not what Bogleheads do.

TravelGeek
Posts: 1245
Joined: Sat Oct 25, 2014 3:23 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by TravelGeek » Thu Nov 09, 2017 3:14 pm

One thing, in addition to the obscure law that allegedly covers stolen iBonds from my TD account, that has been bothering me is that I probably have no way of proving that my credentials were in fact not used to access my account.

As I was looking around the TD site, I came across this feature:
Customer Hold: As an added security feature, TreasuryDirect allows you to place a hold on your account. If you believe someone else has learned your account access information and you want to prevent unauthorized access to your account, you may edit your Account Info in your primary account to place a Customer Hold. This action will prohibit all transactions associated with your primary and linked accounts. After you place your Customer Hold, you will not have access to your account until the hold is removed. To remove the hold, you must contact the Bureau of the Fiscal Service (formerly Bureau of the Public Debt), Risk Management Group.
Since I am in the accumulation phase for iBonds, I don't generally need to access my account on a regular basis to perform transactions. I wonder how much hassle it would be to get the account unlocked as needed (once a year) and leave it locked the rest of the time.

beardsworth
Posts: 1980
Joined: Fri Jun 15, 2007 4:02 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by beardsworth » Thu Nov 09, 2017 5:13 pm

TravelGeek wrote:
I don't generally need to access my account on a regular basis to perform transactions. I wonder how much hassle it would be to get the account unlocked as needed (once a year) and leave it locked the rest of the time.
That's an interesting question.

If I understand what you're thinking, the situation would be analogous to a person who freezes his files at the national credit rating bureaus at all times except when he actually wants to apply for a new loan or card, then very temporarily unfreezes them long enough to get the application approved, then freezes them again. In Treasury Direct terms, there would be a Customer Hold in effect at all times except when the customer was actually buying or redeeming securities.

Since it was the report of my own repeated correspondence with Treasury Direct which began this thread, I've written to Treasury Direct again to ask if such a Customer Hold practice would be allowed, even if the customer did not (in the Treasury Direct web site language you quoted in your post above) have particular reason to "believe" the log-in credentials had been mis-used, but simply wanted to add an additional layer of self-protection, an additional barrier to "unauthorized account access," especially in view of Treasury Direct's own disclaimer of all liability for use of customer credentials.

I'll post here again if I get any useful reply. If the experience in the original post is a guide, it may take a while.

All of which is still slightly off-topic from the original issue of whether Treasury Direct will do anything to make a customer whole for account losses attributable to a failure of security at Treasury Direct itself, rather than to any action or negligence on the part of the customer.

TravelGeek
Posts: 1245
Joined: Sat Oct 25, 2014 3:23 pm

Re: My (general) contacts with Treasury Direct re loss & liability

Post by TravelGeek » Thu Nov 09, 2017 6:40 pm

beardsworth wrote:
Thu Nov 09, 2017 5:13 pm

I'll post here again if I get any useful reply. If the experience in the original post is a guide, it may take a while.

All of which is still slightly off-topic from the original issue of whether Treasury Direct will do anything to make a customer whole for account losses attributable to a failure of security at Treasury Direct itself, rather than to any action or negligence on the part of the customer.
Thanks for following up with them.

I don't think you are likely going to get an authoritative answer (or someone speaking from experience... I hope) to the narrow (and important!) question of what they will do if your bonds get redeemed and the money vanishes (without usage of your credentials).

My gut feel is that the Dept of the Treasury would have no choice but to make you whole because in that scenario you'd unlikely be the only victim, and political pressure would be forcing the Treasury to fix their problem. The possible account lock "workaround" I might have found is simply to short-circuit any discussion of whose fault it is if it happens.
