An update . . .
As promised following the exchange of posts above with TravelGeek, I sent another e-mail to Treasury Direct, although, as usual in my contacts with this agency, no useful information was received on one try alone.
I asked (closely paraphrasing my actual words here):
The Treasury Direct site [URL] contains the following language:
"Customer Hold: As an added security feature, TreasuryDirect allows you to place a hold on your account. If you believe someone else has learned your account access information and you want to prevent unauthorized access to your account, you may edit your Account Info in your primary account to place a Customer Hold. This action will prohibit all transactions associated with your primary and linked accounts. After you place your Customer Hold, you will not have access to your account until the hold is removed. To remove the hold, you must contact the Bureau of the Fiscal Service (formerly Bureau of the Public Debt), Risk Management Group.”
And when a Customer Hold has been placed, what is the specific procedure to remove it? The web site language quoted above tells the customer how to place a hold, but says nothing about how to lift it, other than to “contact” Fiscal Service. That’s vague. What is involved to lift a hold? (Phone call? E-mail? Specific Treasury forms? Notarized signature? Medallion-guaranteed signature? Other?)
I received a boilerplate brushoff e-mail from Treasury Direct, giving the same kind of irrelevant response as when I first wrote, over a year ago, in an effort to clarify the issue of account losses caused by a situation in which Treasury Direct itself was hacked or otherwise failed to maintain account security, i.e., that customer security is very important and Treasury is always working to make the site better to meet or exceed the guidelines issued by the Federal Financial Institutions Examination Council; that the customer should do everything possible to protect log-in credentials; that the site uses Secure Sockets Layer technology; and (in language sufficient to make any reader wonder whether Treasury Direct’s behind-the-scenes systems are as antiquated as its boilerplate correspondence) “For your protection, TreasuryDirect requires the security that up-to-date Web browsers provide, specifically Microsoft Internet Explorer 5.01 or Netscape Navigator 6.2 or later.”
So I wrote again, via postal mail, to the Secretary of the Treasury, the third time I’d done so in somewhat over a year (twice to the current occupant, once to his predecessor), and observed that the reason for this new postal correspondence was the same as the others: Treasury Direct’s inability or unwillingness to give direct answers to simple direct questions. And I repeated the inquiry above. I did not, of course, expect a reply from anyone actually located in the Secretary’s office, but hoped that a new round of correspondence sent to “the top” might again produce a more relevant response out of Treasury Direct.
I recently received the following e-mail reply from Treasury Direct. For privacy reasons I’ve omitted here the salutation containing my own name, and the sign–off containing the Treasury Direct staff member’s name and title, but otherwise this is an exact copy-and-paste of the text, with spelling, punctuation, and syntax preserved just as in the chaotic original: “The customer hold code you are referring to can only be lifted by contacting Customer Service and is only should be placed by the account owner as only if the account owner believes someone else has learned their account access information, which means someone would have your TreasuryDirect account number, your password, access to your email to obtain the pass code and know the answers to your security questions. The answer is no TreasuryDirect will not routinely permit a customer to place that hold on their account and have the customer request that hold be removed only when they wish to access their account.”
my understanding of the information I’ve been gathering and presenting since this thread began:
•If Savings Bonds are held in paper form, then Treasury promises to make the customer whole for loss or theft, even though paper bonds are in the physical custody of their individual owners in places and storage conditions over which Treasury Direct has absolutely no control. Although Treasury obviously continues to maintain an inventory of paper I Bonds in order to fulfill requests for tax refunds in the form of paper bonds, the replacement for lost or stolen paper I Bonds will nevertheless be in the form of new electronic I Bonds.
https://www.treasurydirect.gov/indiv/re ... eplace.htm
In contrast to paper Savings Bonds, which are in the custody of their owners under conditions beyond Treasury Direct's control, electronic bonds are in the actual custody of Treasury Direct itself
. However, unlike losses in paper bonds, where Treasury’s commitment to make the customer whole appears to be completely unambiguous, losses in electronic bonds in the custody of Treasury may or may not
be made whole, depending on the circumstances of the loss:
allow a customer to routinely place such a hold, in a manner similar to a credit freeze, unless the customer’s log-in credentials have alread
y been compromised. This clearly seems a case of (choose your favorite folksy description) the horse is already out of the barn; the train has already left the station; the water has already gone over the dam; if your house has burned down, be sure to ask about our complimentary fire extinguisher gift package. “An added security feature” is something which should be a preventive
, i.e., available before
an account has been compromised or looted. So this seems to me the worst of both worlds: Treasury disclaims liability for every manner of loss attributable to use of log–in credentials, but Treasury will not allow its own freeze procedure to be used routinely as a means for the customer to further minimize the possibility of fraudulent activity before it happens. . . . No reason was given for this denial of routine account freezes. I imagine that (1) Treasury doesn’t want to be bothered, because such an option would require the hiring of additional customer service staff to un–freeze individual holds maintained on a widespread basis; and/or (2) a failure of Treasury’s own “customer hold” feature, if the feature were implemented as a preventive
measure against losses, would imply Treasury liability, e.g., in the event of a site hacking, to make whole for any losses suffered on accounts which already had routine preventive customer holds in place.
I repeat an observation I made earlier here: While a reduction of Savings Bond program costs for printing, storage, and mailing of paper bonds may have been a major “official” reason given for the switch from paper to electronic, another effect of that change, coupled with Treasury’s stance on security and liability issues, was to shift the risk burden for loss and fraud toward Savings Bond customers.
Losses or thefts of paper Savings Bonds are made whole. Period. Losses in electronic bonds, not so much. Whether that outcome was intentional is a question whose answer may depend heavily on a person’s level of cynicism (or, as the case may be, realism).
This thread was intended only as a report of my own exploration of loss prevention and loss recovery issues. I ask again, as I did in my original post, that the thread not be diverted toward conversation about whether Savings Bonds are a good investment, or whether I myself “worry too much” about Treasury Direct security policies. My wife and I do own electronic I Bonds. We are also reconsidering that part of our investments, because, although we hope that the actual risk of loss is small, we’re really turned off by Treasury Direct’s position on its liability-related obligations to its customers. And it’s the very opposite of reassuring to learn that Treasury Direct offers account freezes but will not allow them in advance as a preventive measure; nor is it reassuring to receive a near–illiterate explanation of that policy; nor is it reassuring to read Treasury Direct boilerplate reminders (in response to questions about site security
!) to make sure we’re logging into our accounts with the latest version of Internet Explorer or Netscape Navigator.
Other readers will, of course, have to form their own conclusions about the balance of risks of doing online business with this entity, and the various ways in which its practices might or might not leave customers “holding the bag” in the event of loss. Meanwhile, paper Savings Bonds remain the only instrument for which Treasury unambiguously promises to make the customer whole in case of loss or theft, but the allowable purchase quantity of paper bonds is exactly what Treasury has severely limited, and I believe that the promise embodied in the former is one reason for the limitation imposed on the latter.
For a while now, there have been news reports about the hobbling of the IRS through budget cuts, and about the antique software being used there. That's beyond the scope of this post and thread. I do wonder, however, whether Treasury Direct, a unit of the same federal department, is getting everything it needs to maximize account security.