TreasuryDirect Changes Security Features – Easier Account Access?

Guess what? It just got easier to access your TreasuryDirect account. If you’re not familiar with TreasuryDirect, it’s a website run by the US Treasury which allows individual investors to make direct purchases of Treasury securities. And it used to be a huge pain in the butt to log in.

Not only did you need your account number and password (which was entered on a virtual keyboard), but there were multiple security questions, plus you needed a physical access card. This card was roughly equivalent to an old-school secret decoder ring in that they’d give you row/column coordinates and you had to look up values on your card and enter them in the appropriate fields.

Using the card itself wasn’t terribly hard, but you had to keep track of it and have it handy whenever you wanted to log in. I ended up taking a picture of mine and storing the image inside an encrypted password keeper because, without it, I couldn’t get into our account.

And if you lost your card? Too bad for you… You’d have to call the Treasury, verify your identity, and then wait for a replacement card to be snail-mailed to you before you could get back in.

I was thus intrigued when I got an e-mail last month saying the following:

Dear TreasuryDirect Account Holder:

We’re committed to providing a secure environment for your investments and personal information.

In a few weeks, we’ll be replacing the access card with personalized images, one time passcodes, and computer registration as new layers of security to your TreasuryDirect account. Continue to use your access card until you’re notified within your TreasuryDirect account.

Thank you for using TreasuryDirect.

Woohoo! No more physical access cards! And no more lists of security questions. In their place would be a much more standard login process involving personalized images, computer registration, and one-time passcodes. The changes apparently went live this past Friday (Nov 4th) and I was able to test them out over the weekend.

In short, the login process is now a whole lot easier. I started by entering my account number, after which I was greeted with the following message:

We are unable to recognize your computer. (You may not have registered your computer or some settings may have changed.)

To provide an additional form of authentication, we have sent you an e-mail containing a one time passcode. The passcode will be valid for 2 hours from the time it was sent. If you do not receive your e-mail within 30 minutes, please contact us at 304-480-7711. Please enter your passcode, indicate whether you want to register your computer, and click Submit.

The one-time code showed up a few minutes later. I clicked the “Remember This Computer” box, entered my code, and clicked submit. I was then asked to enter my password using the mouse to click buttons on a virtual keyboard. Interestingly, I noticed that the password is not case-sensitive — kind of odd for a website that seems so focused on security.

After that, I was asked to choose a personalized image and enter a caption, which will be presented to me in the future so I’ll know that I’m on the real TreasuryDirect site as opposed to a scammer’s site designed to steal my credentials. This is pretty much standard fare for financial institutions nowadays, and I’m glad to see the Treasury taking a step into the 21st century.

But guess what? While logging out and logging back in to test the process for this article, I somehow managed to lock myself out of my account!

For security reasons, your account has been locked and cannot be accessed. Please contact us at (304) 480-7711.

As I write this, I’m sitting on hold waiting to get my account unlocked. Even with the new security features, some things never change…

Update: I was on hold so long that it forced me over to a voicemail system where I had to leave account and contact details so they could call me back. I’m still waiting for that call.

27 Responses to “TreasuryDirect Changes Security Features – Easier Account Access?”

  1. Anonymous

    This system still isn’t secure – use of a silly virtual keyboard and prevention of copy-paste only serves to lead people to use short passwords which are easy to enter via the virtual keyboard.

    My password is more than 20 characters long, because I use secure ones and I use a password vault to auto-fill those fields. Can’t do that on TD — so I may change to a short, much less secure password.

  2. Anonymous

    I have been locked also, no calls back I tried numerous times also. I wanted to purchase savings bonds but this has become a nightmare. Besides collecting social security numbers of individuals I want to purchase bonds for and co-owners too I need their treasury direct account number too. I was willing to try but after being locked out and no return calls, keeping you on hold too long. The govt has won, they are discouraging its use, trying to get out of the business altogether.

  3. Anonymous

    I am on day 7 of being locked out and no one will answer or return my calls. My first act of business (should I ever get back in) is to take my $$ out and delete the account.

  4. Anonymous

    Someone did not think this thru! Haste makes waste. It is going to take more time and money to pay staff to straighten out this mess. Meantime where to save/shelter my tokens of earnings?

  5. Anonymous

    I’m back. I finally decided to do something about my locked account. I called my Congressman’s local office and told the people there what was going on, not just with me but thousands of others. They called the Treasury Dept. and within two hours I got a call from Treasury. They unlocked my account and stayed on the phone till I got a new one time code and got into my account. I found that the clue to keeping your account open is to check that little box “Remember this computer.” Gives you a cookie but is worth it. Good luck folks. Treasury is terribly undermanned for an undertaking like this security change.

  6. Anonymous

    I’ve had problems too!

    I accidentally locked my account (forgot my password) and received this msg:

    The following error(s) have occurred:

    For security reasons, your account has been locked and cannot be accessed. Please contact us at (304) 480-7711.

    So I call the number and end up leaving a message because no one answers the phone. It’s been over 3 days and no one has called me back. I’ve probably called and left a message 5 times now. Account is still locked.

    I emailed support and the answer they gave me is:

    Hi,

    We have had over 90,000 phone calls. So, it is taking longer than usual to get back with everyone.

    Shona
    CSS

    Which doesn’t really help me. Account is still locked so I can’t do anything. 🙁

  7. Anonymous

    Same experience as the rest – trying to get into my account to get 1099 info, since it’s been several months since my last login, I couldn’t remember my password nor all security questions.

    Account got locked, so far I’ve called 7 times today and have not gotten a live person. Their system lets you stay on hold roughly 7 minutes, then forces you to leave a message whether you like it or not.

  8. Anonymous

    My experience is a carbon copy of Nickel’s. My account is locked. I’ve called twice, left voice mail and have waited days for a return call which does not come. If the whole system is down, why don’t the numbskulls tell us? Give us a clue. I feel like I’ve lost my money.

  9. Anonymous

    Like some, I changed my email address since opening my Treasury account – thus I didn’t get my passcode. Over the past 3 weeks I have left messages at all times of the day, early morning to late afternoon. I have submitted emails to the help desk, to update Tdirect with my new email address in the vain hope of getting a passcode. I received one phone call back early on, but I was not at my phone. The customer service rep left a message that gave me the same long distance #, and did not provide a six digit extension or any method to expedite this awful process.

    This is a dreadful system – no customer service at all.

  10. Anonymous

    Like some, I changed my email since opening my Treasury account – thus I didn’t get my passcode. Over the past 3 weeks I have left messages at all times of the day, early morning to late afternoon. I have submitted emails to the help desk, to update Tdirect with my new email address in the vain hope of getting a passcode. I received one phone call back early on, but I was not at my phone. The customer service rep left a message that gave me the same long distance #, and did not provide a six digit extension or any method to expedite this awful process.

    This is a dreadful system – no customer service at all.

  11. Anonymous

    This website is ridiculous. Among my problems:

    1) My e-mail address changed since I created my TD account. Thus, I couldn’t receive the one-time passcode e-mail messages. Needed to call TD to get it updated, and no, I couldn’t remember my answer to the “who I would most like to meet” security question I answered when I created the account.

    2) Finally figured out how to create a minor linked account for my daughter, so her uncles could buy her bonds for Christmas. Unfortunately, I’m now locked out of my account again (not sure how I managed that), so I can’t login to purchase bonds for my nieces.

    3) Have called the long distance customer support # at all times of the day to get help unlocking my account. Haven’t reached a live person yet. Based on the other responses on this site, leaving a message to get a call back won’t help, so I’ll keep trying…

    What a pain…

  12. Anonymous

    I got locked out after trying to login. Having to remember which 3 security questions I had answered was my downfall. I had previously been led to believe that I had registered and that all was OK but I got routed back again through the validation process. Called customer service and got put in long hold and ultimately was told to leave a message. To date no one has called me back.

    What a mess!

  13. Anonymous

    Now they need to fix the “change of funding acct.” procedure. Because of low interest rates, I find myself moving my money around quite frequently. In order to update my info. in TD, I have to get a “medallion signature”, a major pain for us internet based banking customers. They really still live in the XXth century!!! I have not been able to purchase bonds on occasions, because my bank acct. changed, and there was no way to update the info. on TD without getting the silly “medallion signature”. Major pain.

  14. Anonymous

    I got through to TD at 8am after a short wait. After verifying my information I was told my account would be unlocked sometime today and I would receive an email to that effect. Then I would be able to try to register again. Hopefully it works this time!

  15. Anonymous

    I also have been locked out since Monday morning. I left TD messages every day and sent them a number of emails. But no response. I called the Legacy Treasury number and spoke to a representative who said she could not unlock my account but would pass along the message—still no response. Really outrageous that TD doesn’t respond or communicate with account holders regarding problems or options.

  16. Anonymous

    Wow! Who’s got the time to “sit around” on the phone with the gub’mint? I don’t look forward to changing the information for access to my TD account.

    Granted, this means missing out on bond purchases but I’d also be missing the headache that comes with getting things changed around.

    Think I’ll wait a bit.

  17. Anonymous

    Nickel – same thing happened to me yesterday. I logged in, and proceeded through the new setup. After completing this, I seem to have been auto-logged out. When I went to log in again, I was presented with that passcode business, and after trying to use the pass code, was locked out. Like you, called and had to leave a voicemail. Haven’t heard back yet. I’ll be calling every day for the next couple of weeks until this gets resolved. After that, it will be a conversation with my congressional representative. When I do get back in, the first thing I will do is get all my money out of TD, and close the account. Never again….

  18. Anonymous

    @TTFK the (usual) goal of the picture is not to identify you to the bank; it is to identify the bank to you. It is supposed to be a defense against phishing attacks.

    It might be possible to combine the two by showing a small set of pictures. You both verify that your picture is amongst the set, and have to click on your picture as a (very small) identity verification.

    With that and with security questions, it seems important that the subset of items shown does not change on every page load. In the picture case, a scammer could reload the page a couple times and know what your picture is. (Most sites only show one picture anyways; which is why I question the value of the practice.) I have one account where I only remember the answer to the “public” questions that anyone who knows me would know the answer to; I refresh the page until those show, totally defeating the purpose.

    @Nickel fair enough. Sometimes just hitting the low hanging fruit is 90% of the battle. Otherwise door locks wouldn’t prevent burglaries. Never mind fake “Protected by Pretend Security Inc.” signs. Still, just like in those cases, pic/caption won’t prevent even a slightly determined attacker.
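
The point in comment 18 about keeping the displayed set fixed across page loads, as an added example (not code from the post, its commenters or TreasuryDirect): decoys are picked by a keyed hash of the account, so every reload shows the same set, and the last function measures how far repeated loads narrow the choice. The catalog, key, account id and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import random

CATALOG = [f"img{n:02d}" for n in range(25)]  # constructed catalog of 25 images
SERVER_KEY = b"constructed-demo-key"           # placeholder; keep the real key in a secret store
SET_SIZE = 6                                   # images shown per challenge


def _ranked(account_id, label, items):
    """Order items by a keyed hash: fixed per account, unpredictable without the key."""
    def score(item):
        msg = label + b"|" + account_id.encode() + b"|" + item.encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return sorted(items, key=score)


def stable_challenge(account_id, real_image):
    """Same account -> same images in the same order on every page load."""
    others = [i for i in CATALOG if i != real_image]
    decoys = _ranked(account_id, b"decoy", others)[:SET_SIZE - 1]
    return _ranked(account_id, b"order", decoys + [real_image])


def random_challenge(real_image, rng):
    """The weak variant described in the comment: fresh decoys on every load."""
    others = [i for i in CATALOG if i != real_image]
    shown = rng.sample(others, SET_SIZE - 1) + [real_image]
    rng.shuffle(shown)
    return shown


def candidates_after_reloads(challenges):
    """Images present in every observed challenge, i.e. what reloading narrows the choice to."""
    common = set(challenges[0])
    for shown in challenges[1:]:
        common &= set(shown)
    return common


if __name__ == "__main__":
    rng = random.Random(7)  # seeded so the demo is repeatable
    weak = [random_challenge("img13", rng) for _ in range(20)]
    strong = [stable_challenge("acct-1001", "img13") for _ in range(20)]
    print("random decoys:", len(candidates_after_reloads(weak)), "candidate(s) left")
    print("stable decoys:", len(candidates_after_reloads(strong)), "candidate(s) left")
```

With stable decoys the picture is still only a one-in-`SET_SIZE` check, so it supplements the password rather than replacing it.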

  19. Steve: That would only work for a highly targeted attack, where the phisher figures out your username, goes to your financial institution and initiates the login process to see your picture, and then creates a custom website with your login pic and somehow gets you to visit that specific site (after connecting your username to your e-mail address so they can contact you) and divulge the rest of your login info.

    While you should never say never, that’s a HIGHLY unlikely scenario. What banks are trying to protect against with the pic/caption are the phishers that cast a wide net, sending out spam with a link to a bogus site in hopes of enticing random people to try and login.

  20. TTFK: That’s what I was trying to log back in and check, but I ended up getting before I got there. Do they present just your picture, or a set of pictures from which you must choose? Given that they also had me enter a caption, I’m assuming that it will work just like the standard approach at many banks — show that pic/caption just to give confidence that you’re at a legit site.

  21. Anonymous

    While the “pick a picture and a caption” bit is standard fare, it is still not the most secure option IMO. My credit union, for example, shows you ALL the pictures (about 25 of them) in random order; you click the button corresponding to your picture, then below it answer one of three random security questions.

  22. Anonymous

    The new system sounds like a complete opposite of the old system. Verification emails are useless if the hacker has access to the email account. And what is the deal with image+phrase? Can’t a phisher get that image and phrase from the bank web site easily enough, by attempting to log in as you? You don’t need to know a password or anything.

    That said – I lost my card long ago, so I’m glad I don’t need it any more 😛
