TreasuryDirect enhances security features
Friday, August 11th, 2006
Categorized as: Treasury Direct
TreasuryDirect enabled new security features this week, including a new, state-of-the-art method for entering passwords that is designed to foil keylogging programs.
The What's New section on TreasuryDirect reports:
To keep personal information protected and to make the TreasuryDirect site even more secure, we have implemented new security features. The requirements for choosing a password and security questions have been strengthened, some sensitive information has been masked, and a virtual keyboard is provided at logon for added password protection. Additionally, customers now have the option of placing holds on their accounts if they suspect that someone has obtained their access information.
We will continue to add new features that will maintain the protection and integrity of customers' accounts and security holdings. In addition, we will continue to make changes behind the scenes that will allow TreasuryDirect to run smoother and process transactions even more efficiently. Most of the upgrades won't be noticeable, but you can be sure that we're working to make TreasuryDirect better than ever for all your investment needs.
The new login process uses an on-screen keyboard. You "type" in your password by clicking the keyboard with your mouse. The keys are randomly mixed each time the page is displayed, so even if someone captures your mouse clicks, those same clicks won't work to log you on a second time.
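The following is an added illustration of how such a per-page randomized keyboard can work server-side; it is not TreasuryDirect's code, and the key set, token format and class names are assumptions. Each page load gets its own shuffled key order, the server decodes clicked positions through that order once, and a captured set of positions is useless under any other layout.

```python
import secrets
import string

# Key set shown on the on-screen keyboard (constructed; the real site's set is not given).
ALPHABET = string.ascii_lowercase + string.digits


def decode_clicks(clicks, layout):
    """Map clicked screen positions back to characters through one page's layout."""
    if any(not 0 <= i < len(layout) for i in clicks):
        return None
    return "".join(layout[i] for i in clicks)


def clicks_for(password, layout):
    """Client side: the screen positions a user clicks to enter the password."""
    return [layout.index(ch) for ch in password]


class VirtualKeyboardLogon:
    """Server side of a per-page-load randomized keyboard (hypothetical, not TreasuryDirect's)."""

    def __init__(self):
        self._pending = {}  # page token -> the key order issued for that one page load

    def issue_page(self):
        """Every logon page gets a fresh token and a freshly shuffled key order."""
        layout = list(ALPHABET)
        secrets.SystemRandom().shuffle(layout)
        token = secrets.token_hex(16)
        self._pending[token] = layout
        return token, layout

    def verify(self, token, clicks, expected_password):
        """Decode the clicks with the layout issued for this token, then discard it.

        Because the layout is consumed on first use, the same (token, clicks) pair
        cannot be replayed, and under any later layout the positions decode to a
        different string. expected_password stands in for a stored password verifier.
        """
        layout = self._pending.pop(token, None)
        if layout is None:
            return False
        typed = decode_clicks(clicks, layout)
        if typed is None:
            return False
        return secrets.compare_digest(typed, expected_password)
```

This defeats a logger that records only clicks or keystrokes; it does nothing against malware that also captures the screen or a phishing page that relays the issued layout, which is the author's point that it closes only one of many avenues.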
Our previous articles on TreasuryDirect security, TreasuryDirect refuses to confirm transactions and Wall Street Journal questions TreasuryDirect security, raised the following issues:
- TreasuryDirect has no paper trail.
  - This is still true. On the page on which you choose which Treasury application you want to log in to, there's a notice that cautions that TreasuryDirect does not provide paper securities or paper account statements. It recommends printing TreasuryDirect screens using your browser. Because you can always show how much money you've moved into and out of TreasuryDirect using your bank's records, I don't consider this a major problem.
- If someone gets your security information and accesses your account, the risk is all yours. The Treasury will not cover your losses. Banking's Regulation E, which protects consumers from credit card fraud, does not apply to TreasuryDirect.
  - This is the case not only with TreasuryDirect, but also with other online investment accounts at brokerage firms, banks, and mutual fund companies. If you want to invest online, it's a risk you have to take. The question is, given the security features the investment account offers, are you comfortable taking that risk?
- TreasuryDirect displays detailed banking and personal information.
  - This has been fixed. Sensitive information, such as account and Social Security numbers, is masked.
- An extra, offline step should be required to open a TreasuryDirect account.
  - If TreasuryDirect's "authentication process could not adequately verify" you, you will be required to submit a form with your signature certified by a bank.
- TreasuryDirect doesn't notify you if your account details change.
  - This had been fixed to some extent before this week's update. Several users reported receiving email notification after adding new bank accounts. However, to test this week's update, I changed my own email address in TreasuryDirect. I had to provide the answer to one of my security questions to be able to do this. Afterwards, an email notice about the change was sent to my new email address, but not to my old one. This means all a crook has to do is change the email address first, then the bank account. The notification about the new email address goes to the crook, not to you, as does the notification about the bank account change. TreasuryDirect still doesn't have this basic security feature right. [Note: Since this article was published, TreasuryDirect has contacted me to see if this is a bug with my account. They say emails are supposed to go to both addresses, which is great news!]
Although the people I correspond with at the Treasury seem to feel that I whine about TreasuryDirect because I want it to fail, the truth is I want it to succeed. I do all my banking and investing online. My own bank won't touch Savings Bonds.
It's because I want TreasuryDirect to succeed that I whine about its security. Security is particularly important to TreasuryDirect's customers, who invest in TreasuryDirect's products because they prefer the safety of government investments to the risk of corporate investments. TreasuryDirect's customers want to invest their money with the utmost safety.
But TreasuryDirect puts all the risk of password fraud on the customer. The new virtual keyboard for logon is terrific. It's a great defense against one of the ways that your password can be compromised. But only one of the ways, and there are many.
If I'm going to take all the risk of password fraud, what I really want is immediate notification that my account has been accessed by someone else. That is what will prevent a crook from even trying TreasuryDirect fraud. How can a no-cost, basic, simple security measure like sending notifications about a changed email address to both the old and new addresses not be fixed yet?
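As an added model (not TreasuryDirect's code) of the notification policy argued for here and in the list item above, the following runs the change-email-then-change-bank-account sequence under each policy and reports what reaches the owner's original address. The `copy_previous` option goes beyond what the article asks for: it keeps the previous address informed of later sensitive changes as well. Addresses, notice texts and the `NoticeLog` stand-in are all constructed.

```python
from dataclasses import dataclass, field


class NoticeLog:
    """Constructed stand-in for a mail system: records notices instead of sending them."""

    def __init__(self):
        self.sent = []  # (recipient address, notice text)

    def send(self, address, text):
        self.sent.append((address, text))

    def received_by(self, address):
        return [text for addr, text in self.sent if addr == address]


@dataclass
class Account:
    email: str
    previous_email: str = ""
    bank_accounts: list = field(default_factory=list)


def change_email(account, new_email, notices, notify_old=True):
    """Update the address on file. notify_old=False tells only the new address
    (the behaviour observed in the article); notify_old=True also tells the old
    address, so the real owner learns that the change happened."""
    old = account.email
    account.previous_email = old
    account.email = new_email
    notices.send(new_email, "email address changed")
    if notify_old:
        notices.send(old, "email address changed")


def add_bank_account(account, masked_number, notices, copy_previous=True):
    """Record a bank account and notify the address on file. copy_previous=True
    (an assumption beyond the article) also notifies the previous address."""
    account.bank_accounts.append(masked_number)
    notices.send(account.email, "bank account added")
    if copy_previous and account.previous_email:
        notices.send(account.previous_email, "bank account added")


def owner_notices(notify_old, copy_previous):
    """Run the sequence described in the article and return what the owner's
    original address receives under the chosen policy."""
    notices = NoticeLog()
    acct = Account(email="owner@example.com")
    change_email(acct, "other@example.net", notices, notify_old)
    add_bank_account(acct, "XXXX1234", notices, copy_previous)
    return notices.received_by("owner@example.com")
```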
I want TreasuryDirect to succeed. I expect TreasuryDirect to succeed. But I won't be comfortable with TreasuryDirect security until I'm sure that I'll know if someone has my password. Frankly, I'd like the option to receive an email every time a logon occurs.
Since I'm the one taking all the risk of password fraud, TreasuryDirect has to provide security features that make me comfortable with taking that risk.