Comments on: TreasuryDirect enhances security features

by: Tom Adams

Mon, 21 Aug 2006 17:32:11 +0000

The problem with email notifications mentioned in this article has been fixed. I tested it this morning and received notifications at both the old and new address. For more information, see TreasuryDirect email notifications fixed.

by: Charles

Fri, 18 Aug 2006 19:21:17 +0000

The fact that the new TD is paperless does add somewhat to the security. In a way, your account # is as good as your password since no statements are sent. When you get your 1099's at the end of the year or a statement, any crook with access to your mail can get your SS#, account# and everything else that is printed and they are good to go.

My local back sent out last years 1099 with my SS# showing under my name thru the plastic window of the envelope :'(

by: billy

Thu, 17 Aug 2006 22:40:38 +0000

A prenote is a zero dollar ACH to give the bank the opportunity to verify the account. TD does send your account info with it, but it's up to the bank to make sure the account is yours. They DONT normally do that since ACH rules only require them to check that the account exists, hence, the risk of fraud.

If the bank is liable….well…good luck in trying to collect.

The big risk is what could happen if a crook gets your password.

by: jon

Thu, 17 Aug 2006 22:11:26 +0000

I believe Reg E applies to any electronic transaction like ACH. If I'm a victim of fraud in a bank to bank ACH transfer, I'm covered (by the bank). TD uses ACH (no protection).

Investment accounts have SIPC (an FDIC equivalent).

by: Mario

Thu, 17 Aug 2006 02:36:16 +0000

I'm actually more worried about elaborate schemes, such as when someone gains access to your TD account, changes the registration such that they are co-owner, gives themselves transact rights, then transfers the security to their account and deposits in their bank account.

Therefore I think registration changes are probably the weakest link, and should require something like TD sending you an email that prompts you to verify by logging back into your account before the change becomes effective. And email changes should require the same such that the thief can't change the email to theirs.

Tom, please forward ideas to your TD contacts …

by: Mario

Thu, 17 Aug 2006 02:27:44 +0000

Billy, thanks for providing all the information. In the PIA you linked, it does say "financial institutions provide the initial defense against fraudulent or unauthorized transactions" which implies to me that the Treasury pushes the responsibility to the banks - which makes logistic sense, because anyone who knows your account number could otherwise attempt an ACH; generally speaking for an ACH debit, do we know if the liability lies with the bank that requests the ACH or the bank thar receives the request?

They also say in that document that the names you provided on the account are transmitted to the bank. I would assume the Treasury would at least flag the transaction if you don't provide your own name; and the bank would hopefully flag if the name doesn't match the name on file for the account. I think ideally they should also transmit SSN because two people could have the same name.

I don't see that as being very different from a prenotification, where it is also the bank which verifies account ownership.