TreasuryDirect Security: Should All Financial Websites Be Like This?

TreasuryDirect, which allows individuals to buy securities online directly from the US Treasury, has to be the least accessible financial website in the country. It takes me about 20 minutes to log in each time! Let’s look at all the hoops we get to jump through:

Account number – Of course it can’t be a username you can remember like “bob222”, but is more like Z-334-946-124. This makes me have to dig up my encrypted login/password file.

Password – Use your own keyboard? Nope, you must click it out on a randomized virtual keyboard. That defeats basic keyloggers, but not malware that also captures your screen. I’m actually okay with this one, but I’m glad my password isn’t very long and my vision is good.


Access Card – Finally, you need to read characters off an Access Card in order to access your account. (Like a secret decoder ring!) Of course, being a physical object, I can never find it. I ended up transcribing the entire card contents onto a spreadsheet file, and shredded the card.

Now, finally you can buy a savings bond. Can you imagine the hassle if every financial institution were like this? I understand the need for security, but I think having a physical type of verification token should be an option for the customer, not a requirement.
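To make the Access Card step concrete, here is a small Python model of how a grid-card second factor is checked on the server side; it is an added illustration, not code from TreasuryDirect or this post. The grid size, alphabet, challenge length and lockout threshold are assumptions, since the page does not describe the real card.

```python
import hmac
import secrets
import string

# Constructed model of an access-card second factor (assumption: the page does
# not describe the real card's layout, alphabet, challenge size or lockout rule).
COLS = "ABCDEFGHIJ"                       # column letters printed on the card
ROWS = range(1, 6)                        # row numbers printed on the card
ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_LEN = 3                         # cells the user must read off per login
MAX_FAILURES = 3                          # wrong answers before the card is locked


def issue_card():
    """Mint a fresh card: the server stores this dict, the user gets the printed grid."""
    return {f"{c}{r}": secrets.choice(ALPHABET) for c in COLS for r in ROWS}


def make_challenge():
    """Pick distinct random cells so an answer captured once (e.g. by a screen
    grabber, the gap the post notes for the virtual keyboard) is useless against
    the next login's challenge."""
    cells = [f"{c}{r}" for c in COLS for r in ROWS]
    return secrets.SystemRandom().sample(cells, CHALLENGE_LEN)


def verify(card, challenge, answer, state):
    """Check the user's answer for this challenge.

    state is a per-account dict tracking failures; the card locks after
    MAX_FAILURES wrong answers so the 36**3 answer space cannot be brute-forced.
    """
    if state.get("locked"):
        return False                      # locked: even the right answer is refused
    expected = "".join(card[cell] for cell in challenge)
    ok = hmac.compare_digest(expected.encode(), answer.strip().upper().encode())
    if ok:
        state["failures"] = 0
    else:
        state["failures"] = state.get("failures", 0) + 1
        if state["failures"] >= MAX_FAILURES:
            state["locked"] = True        # owner must request a replacement card
    return ok


if __name__ == "__main__":
    card, state = issue_card(), {}
    chal = make_challenge()
    print("Enter the characters in cells:", " ".join(chal))
    print("Correct answer accepted:", verify(card, chal, "".join(card[c] for c in chal), state))
```

Transcribing the card into a spreadsheet, as the post describes, keeps the login working but turns the "something you have" factor into another file an attacker on the same machine can read.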

Lost TreasuryDirect Access Card?
If you lost your card, you’ll have to call (304) 480-7711, verify your identity, and request a new one to be sent to your mailing address. Your old card will no longer work. In the meantime, no access. Call early and keep trying until you reach someone, because if they’re busy you have to leave a message (no hold system?), and they never called me back.

Comments

  1. Siggyboss says:

    I remember getting my Access Card in the mail years ago, and immediately thinking the US Government is no more efficient than the USSR. The best part is that the system still remains in place, with all of its flaws.

  2. That site is a nightmare. My wife screwed up setting up an account years ago and it has been easier just to use mine ever since. I think the point is that they really just don’t want the public to use it.

  3. Jonathan,

    I agree with you! I gave up after a while before they had this access card thing; then I got it, and decided it was a good idea to give up.

  4. I’ve been a computer programmer for 20+ years; our systems are being attacked by hackers foreign and domestic daily. A huge publicity target like Treasury Direct is probably attacked 10,000+ times a day. If you look at the effort that goes into defeating Yahoo’s / Microsoft’s and Google’s captchas (all of which have been overcome), the (e)street credit that goes with that is NOTHING compared to a US government penetration.

    The security is excessive, but semi necessary. In real life, if some kid/KAOS got into your account, a simple phone call to customer service would fix it, but imagine the news stories. US TREASURY HACKED. Old ladies crying on the local news. Since it’s the US Government, it could cause markets to panic.

    The longer I work in the IT industry the more I doubt the human race.

  5. The virtual keyboard is awful. Try entering a randomly created 30 character password that uses letters, numbers and special characters! It took me a good 2-3 minutes to enter my password.

  6. cmon guys (gals)!! I don’t mind this security at all the few times I go on a month to check my i-bonds / TIPS. It takes a total of 2 minutes to get on. I have the decoder card in my wallet but also keep a jpeg of it on my keydrive (secured) and hard drive encoded. I use keypass (drag and drop) for account #’s. I would much rather have this system and not be compromised. This is not a checking account that is accessed daily!!

  7. On the bright side, you just solved a mystery for me. A couple of weeks ago I discovered that decoder card in my wallet and since it has no identification on it whatsoever, I couldn’t remember what it was for. I was pretty annoyed at not being able to figure it out, so thanks for the reminder.

  8. What I hate the most about the site is when you print out the 1099 tax forms after the end of the year (you have to, they don’t mail it to you), you need to answer a security question. If you forgot the answer, oh, no, it took me weeks to get back on after being locked out having forgotten one of the 3 questions. I was furious and cashed out everything as soon as I got access back.

    @Bill: User level security is very different than server security, the way they are punishing the users for a non-existent problem is astonishing!

  9. yodlee handles it perfectly well

  10. AMEN!

    That site is an absolute nightmare for me! I shudder to think of ever having to log back in there… I’d rather take a trip to the dentist.

  11. SanDance says:

    The nice thing about the TreasuryDirect site is that it works so nicely with Yodlee Moneycenter! After entering all the laborious info into Yodlee, I have never had a problem with it connecting (unlike TradeKing, KeyBank, and some others)
    Whenever I need to log in, I just have Yodlee show me the password and all the other info I need to ‘remember’.

  12. You forgot the fun things they make you do if you want to add or modify a linked account (try it!). I suppose there is some logic in that because that’s the only way “hackers” could actually steal your money (rather than just annoy you by selling your bonds), but then why does it need so much security in the first place?

    I can see two good models for financial site security:
    1. Just a plain username/password to log in. Nothing can be done online which might allow theft of money.
    2. Very secure/complex login system. But you can do anything online.

    TD seems to combine the worst of both.

  13. funny, i just had to go through this and got a new access card as i lost my old one (that i never used). the person i spoke with was pretty helpful and funny (i couldn’t remember the ‘my favorite movie’ question and he provided funny hints to the late john candy). i have to say, i haven’t been able to login since purchasing an i bond last april, but how often do you need to access your account there? either a couple times a year, or all the time, i would guess. so you either dig out the card a couple times a year or you almost memorize your card if you visit often. as someone else said, i just put all the info in yodlee and set it and forget it.

  14. Actually, I don’t like that Yodlee can show me my entire passwords. I use BofA MyPortfolio so that is not possible. It can still log in and check balances, but won’t show anyone who knows my Yodlee password all my other passwords.

  15. If every site implements this kind of security (or worse yet, Yodlee does so for its own login), I swear I will kill myself.

  16. i hate the treasury direct website, it’s such a pain. Make sure you don’t accidentally hit the back button too, or you get kicked out and have to go through the convoluted login all over again.

  17. I’m glad they got strong security now. When they first started, anyone who got your password could steal all your money. TD is not a bank and is not covered by REG E, so you won’t get reimbursed.

  18. Virtual keyboard is largely stupid, but the access card is, generally speaking, a good idea. It does increase your security substantially. (Of course, making you suffer a great deal every time you lose the card is not good). On the point that “security should be at the option of the user” — would you like the “0 liability guarantee” to also be optional? I.e. — if you don’t use the card, it means that you lose all your money if your password is stolen?

    PS. Banks in Europe use two-factor auth much more widely than banks here.
    PPS. Gazillions of stupid personal questions asked in addition to the password do not constitute additional authentication factors, and do not add substantially to your security.

  19. Actually, I was hoping for something like the Etrade key fob described here.

    Even if someone were to log into my TreasuryDirect account, they can only transfer money to a linked bank account. To add an additional bank account starts another layer of security, of which just one is that the bank account must have the same name as me. There is no “Send me all of Jonathan’s money in the form of an anonymous cashier’s check.” button.

  20. You can get around the virtual keyboard if you disable javascript. I use complex passwords, so a virtual keyboard doesn’t work for me.

    Personally, I think B of A has the right idea when it comes to security. You log in with the standard userid/password, but B of A TXTs you a PIN and you can’t log in without entering the PIN. You still get the “something you know, something you have”, but I don’t have to carry around a secret decoder ring.

  21. I totally agree with SanDance, the integration with Yodlee MoneyCenter saves it. In fact, of all the hundreds of linked accounts I have in my profile, it seems like TreasuryDirect always is the one that updates without error. And the later complaint about how MoneyCenter is not secure — same paranoia.

    But this discussion does raise the overall point that’s long overdue, that these Web sites are increasingly built by lawyers who are in the CYA mode rather than customer service mode.

    For one example, TradeKing cannot be pulled into an account aggregator like Yodlee’s, and when I contacted them, naturally their response was, “Tough s&#@.” So basically, I can see my stock positions from every single other online broker but TradeKing — which inspired me to stop using their service. Great job, TradeKing…

  22. This website is easy, I don’t mind at all the extra step of using the access card. I go in at least once a week for various reasons.

    I spoke to a financial planner who thought it was an excellent idea to have the extra step, considering all the fraud out there.

    My experience calling them twice has been fine. Both times I called I was called back: once the same day, and the second time within 24 hours.

  23. Oh man, I actually don’t have a problem w/ the security here (although it takes a while), but I DO have a problem w/ the navigation…if you ever hit “back” you lose everything and have to start logging in from scratch!

    I’m working on my 3rd time logging in this week w/out messing up (the other 2 times I did in a row and just lost it…so we shall try again soon ;) )

  24. How many are having problems deciphering the new ACCESS CARD of Treasury. For those who know, please give a more specific way to handle it. I still can not figure it out. Amen.

  25. PO'd Customer says:

    Outside of banker’s hours and locked out? Tough luck! Their system is way too retarded!
