An update . . .
As promised following the exchange of posts above with TravelGeek, I sent another e-mail to Treasury Direct, although, as usual in my contacts with this agency, no useful information was received on one try alone.
I asked (closely paraphrasing my actual words here):
The Treasury Direct site [URL] contains the following language: "Customer Hold: As an added security feature, TreasuryDirect allows you to place a hold on your account. If you believe someone else has learned your account access information and you want to prevent unauthorized access to your account, you may edit your Account Info in your primary account to place a Customer Hold. This action will prohibit all transactions associated with your primary and linked accounts. After you place your Customer Hold, you will not have access to your account until the hold is removed. To remove the hold, you must contact the Bureau of the Fiscal Service (formerly Bureau of the Public Debt), Risk Management Group.”
Since the site’s own “Terms of Use” make clear that Treasury Direct renounces all liability for mis-use of log-in credentials, is it possible to place a routine “Customer Hold” on an account even if the customer does not have specific reason to believe that log-in credentials have been compromised? It seems to me that Treasury Direct would—or should—allow such a practice, if Treasury Direct truly wishes to maximize customer protection in view of Treasury Direct’s own rejection of liability for mis-use of log-in credentials. The situation described would be very much like a person who places a freeze at the national credit bureaus in order to prevent anyone from applying for credit in his name, but can temporarily un-freeze the credit file when actually applying for a new loan or credit card, and then re-freeze the file. Similarly, there would be a “Customer Hold” on the Treasury Direct account at all times except when the customer was actually buying or selling securities. . . .
And when a Customer Hold has been placed, what is the specific procedure to remove it? The web site language quoted above tells the customer how to place a hold, but says nothing about how to lift it, other than to “contact” Fiscal Service. That’s vague. What is involved to lift a hold? (Phone call? E-mail? Specific Treasury forms? Notarized signature? Medallion-guaranteed signature? Other?)
I received a boilerplate brushoff e-mail from Treasury Direct, giving the same kind of irrelevant response as when I first wrote, over a year ago, in an effort to clarify the issue of account losses caused by a situation in which Treasury Direct itself was hacked or otherwise failed to maintain account security, i.e., that customer security is very important and Treasury is always working to make the site better to meet or exceed the guidelines issued by the Federal Financial Institutions Examination Council; that the customer should do everything possible to protect log-in credentials; that the site uses Secure Sockets Layer technology; and (in language sufficient to make any reader wonder whether Treasury Direct’s behind-the-scenes systems are as antiquated as its boilerplate correspondence) “For your protection, TreasuryDirect requires the security that up-to-date Web browsers provide, specifically Microsoft Internet Explorer 5.01 or Netscape Navigator 6.2 or later.”
So I wrote again, via postal mail, to the Secretary of the Treasury, the third time I’d done so in somewhat over a year (twice to the current occupant, once to his predecessor), and observed that the reason for this new postal correspondence was the same as the others: Treasury Direct’s inability or unwillingness to give direct answers to simple direct questions. And I repeated the inquiry above. I did not, of course, expect a reply from anyone actually located in the Secretary’s office, but hoped that a new round of correspondence sent to “the top” might again produce a more relevant response out of Treasury Direct.
I recently received the following e-mail reply from Treasury Direct. For privacy reasons I’ve omitted here the salutation containing my own name, and the sign–off containing the Treasury Direct staff member’s name and title, but otherwise this is an exact copy-and-paste of the text, with spelling, punctuation, and syntax preserved just as in the chaotic original:
“The customer hold code you are referring to can only be lifted by contacting Customer Service and is only should be placed by the account owner as only if the account owner believes someone else has learned their account access information, which means someone would have your TreasuryDirect account number, your password, access to your email to obtain the pass code and know the answers to your security questions. The answer is no TreasuryDirect will not routinely permit a customer to place that hold on their account and have the customer request that hold be removed only when they wish to access their account.”
Recapping my understanding of the information I’ve been gathering and presenting since this thread began:
•If Savings Bonds are held in paper form, then Treasury promises to make the customer whole for loss or theft, even though paper bonds are in the physical custody of their individual owners in places and storage conditions over which Treasury Direct has absolutely no control. Although Treasury obviously continues to maintain an inventory of paper I Bonds in order to fulfill requests for tax refunds in the form of paper bonds, the replacement for lost or stolen paper I Bonds will nevertheless be in the form of new electronic I Bonds.
https://www.treasurydirect.gov/indiv/re ... eplace.htm
In contrast to paper Savings Bonds, which are in the custody of their owners under conditions beyond Treasury Direct's control, electronic bonds are in the actual custody of Treasury Direct itself. However, unlike losses in paper bonds, where Treasury’s commitment to make the customer whole appears to be completely unambiguous, losses in electronic bonds in the custody of Treasury may or may not be made whole, depending on the circumstances of the loss:
•If the loss is due to any use of the log-in credentials, then the Terms of Use make clear that Treasury Direct renounces all obligation to make the customer whole for loss, even if the use of the credentials was not authorized or enabled by the customer, and even if the customer didn't know in real time (because Treasury Direct does not issue account statements or detailed transaction confirmations) that unauthorized activity was occurring. . . . But (translating into standard English the bizarre e-mail text recently received), notwithstanding its blanket renunciation of liability for losses caused by use of the log-in credentials, and notwithstanding the availability of a "Customer Hold" procedure which its own site describes as “an added security feature,” Treasury Direct will not allow a customer to routinely place such a hold, in a manner similar to a credit freeze, unless the customer’s log-in credentials have already been compromised. This clearly seems a case of (choose your favorite folksy description) the horse is already out of the barn; the train has already left the station; the water has already gone over the dam; if your house has burned down, be sure to ask about our complimentary fire extinguisher gift package. “An added security feature” is something which should be a preventive, i.e., available before an account has been compromised or looted. So this seems to me the worst of both worlds: Treasury disclaims liability for every manner of loss attributable to use of log–in credentials, but Treasury will not allow its own freeze procedure to be used routinely as a means for the customer to further minimize the possibility of fraudulent activity before it happens. . . . No reason was given for this denial of routine account freezes. I imagine that (1) Treasury doesn’t want to be bothered, because such an option would require the hiring of additional customer service staff to un–freeze individual holds maintained on a widespread basis; and/or (2) a failure of Treasury’s own “customer hold” feature, if the feature were implemented as a preventive measure against losses, would imply Treasury liability, e.g., in the event of a site hacking, to make whole for any losses suffered on accounts which already had routine preventive customer holds in place.
•If an account holder suffers a loss through a failure of Treasury Direct’s own security systems, e.g., hacking or other malicious activity not involving a customer's log-in credentials, Treasury Direct has now stated that such loss is covered by an obscure law about the “shipping” of federal property, even though electronic bonds are not actual physical objects and are not being “shipped” anywhere. The existence and applicability of that shipping law were only mentioned after my multiple rounds of correspondence with Treasury. The law is not mentioned as an available loss remedy in Treasury Direct’s online terms of use. Any loss claim under that “shipping” law will be reimbursed only if “the claim is examined, validated, and approved for relief”—in other words, only if Treasury itself concludes that Treasury should be liable. It’s not clear whether any Treasury Direct customer has ever sustained a loss attributable to (or enabled by) flaws or failures of Treasury’s own systems; or, if so, whether Treasury informed the customer of the existence and applicability of the “shipping” law; or whether any customer has ever successfully used that law to be made whole for a loss.
I repeat an observation I made earlier here: While a reduction of Savings Bond program costs for printing, storage, and mailing of paper bonds may have been a major “official” reason given for the switch from paper to electronic, another effect of that change, coupled with Treasury’s stance on security and liability issues, was to shift the risk burden for loss and fraud toward Savings Bond customers. Losses or thefts of paper Savings Bonds are made whole. Period. Losses in electronic bonds, not so much. Whether that outcome was intentional is a question whose answer may depend heavily on a person’s level of cynicism (or, as the case may be, realism).
This thread was intended only as a report of my own exploration of loss prevention and loss recovery issues. I ask again, as I did in my original post, that the thread not be diverted toward conversation about whether Savings Bonds are a good investment, or whether I myself “worry too much” about Treasury Direct security policies. My wife and I do own electronic I Bonds. We are also reconsidering that part of our investments, because, although we hope that the actual risk of loss is small, we’re really turned off by Treasury Direct’s position on its liability-related obligations to its customers. And it’s the very opposite of reassuring to learn that Treasury Direct offers account freezes but will not allow them in advance as a preventive measure; nor is it reassuring to receive a near–illiterate explanation of that policy; nor is it reassuring to read Treasury Direct boilerplate reminders (in response to questions about site security!) to make sure we’re logging into our accounts with the latest version of Internet Explorer or Netscape Navigator.
Other readers will, of course, have to form their own conclusions about the balance of risks of doing online business with this entity, and the various ways in which its practices might or might not leave customers “holding the bag” in the event of loss. Meanwhile, paper Savings Bonds remain the only instrument for which Treasury unambiguously promises to make the customer whole in case of loss or theft, but the allowable purchase quantity of paper bonds is exactly what Treasury has severely limited, and I believe that the promise embodied in the former is one reason for the limitation imposed on the latter.
For a while now, there have been news reports about the hobbling of the IRS through budget cuts, and about the antique software being used there. That's beyond the scope of this post and thread. I do wonder, however, whether Treasury Direct, a unit of the same federal department, is getting everything it needs to maximize account security.