How secure do you think Treasury Direct is? (2024)

gavinsiu wrote: ↑Sun Aug 07, 2022 1:28 pmHow secure do you think Treasury Direct is? Have there been instances of hacks? I am not talking about hacks that occur because someone has crappy password. I am thinking of a mass hack where they hacked into the server and stole PII or actual bonds.

You need to mail in a form with a signature guarantee to transfer marketable treasuries. You need to mail in a form with a signature guarantee to add a new bank account to recieve the proceeds of redeemed or matured treasuries.

So what is a hacker going to do?

I am not worried about someone stealing my stuff from my TD account, getting locked out is more likely.

anon_investor wrote: ↑Sun Aug 07, 2022 1:36 pm... I am not worried about someone stealing my stuff from my TD account, getting locked out is more likely.

That's been my experience unfortunately, and has seriously impacted my thoughts about TD as an "emergency fund" and being confident I can get my money out (if needed) without a prolonged hassle. If the rates on Series I Savings Bonds wasn't currently so good, I'd already be gone. With interest rates in marketable securities are going up, and TIPS already having positive yields (higher than I-bonds 0% real) I think I'll be moving away from it.

JoMoney wrote: ↑Sun Aug 07, 2022 1:42 pm

anon_investor wrote: ↑Sun Aug 07, 2022 1:36 pm... I am not worried about someone stealing my stuff from my TD account, getting locked out is more likely.

That's been my experience unfortunately, and has seriously impacted my thoughts about TD as an "emergency fund" and being confident I can get my money out (if needed) without a prolonged hassle. If the rates on Series I Savings Bonds wasn't currently so good, I'd already be gone. With interest rates in marketable securities are going up, and TIPS already having positive yields (higher than I-bonds 0% real) I think I'll be moving away from it.

Yeah, I only have I Bonds at TD. I hold my T-Bills at Fidelity on autoroll.

gavinsiu wrote: ↑Sun Aug 07, 2022 1:28 pmHow secure do you think Treasury Direct is? Have there been instances of hacks? I am not talking about hacks that occur because someone has crappy password. I am thinking of a mass hack where they hacked into the server and stole PII or actual bonds.

heh none. It takes a month to link a bank account, assuming hackers can fake the signature medallion etc. I would give props to those hackers for their patience. It’s not a big prize for them. 10k limit per person per year. Compare to crypto wallet that can worth tens of millions of dollars, allegedly.

H-Town wrote: ↑Sun Aug 07, 2022 2:48 pm

gavinsiu wrote: ↑Sun Aug 07, 2022 1:28 pmHow secure do you think Treasury Direct is? Have there been instances of hacks? I am not talking about hacks that occur because someone has crappy password. I am thinking of a mass hack where they hacked into the server and stole PII or actual bonds.

heh none. It takes a month to link a bank account, assuming hackers can fake the signature medallion etc. I would give props to those hackers for their patience. It’s not a big prize for them. 10k limit per person per year. Compare to crypto wallet that can worth tens of millions of dollars, allegedly.

Even a fraudulent ACATS transfer would seem more lucrative.

AnnetteLouisan wrote: ↑Sun Aug 07, 2022 2:39 pmI’m not worried about it, but if something were to happen, doesn’t the government backing mean they would make us whole? As long as we properly notified them and were not ourselves at fault?

viewtopic.php?t=87934

JoMoney wrote: ↑Sun Aug 07, 2022 2:53 pm

AnnetteLouisan wrote: ↑Sun Aug 07, 2022 2:39 pmI’m not worried about it, but if something were to happen, doesn’t the government backing mean they would make us whole? As long as we properly notified them and were not ourselves at fault?

viewtopic.php?t=87934

That is why TD probably now requires a mailed in form with signature guarantee to add a new bank.
Possible loss of $ via hacking is greatly reduced now. Bad guys would need access to your TD account and an already linked bank account in order to steal funds. Even if TD would not reimburse you, your bank probably would have to.

anon_investor wrote: ↑Sun Aug 07, 2022 3:03 pm

JoMoney wrote: ↑Sun Aug 07, 2022 2:53 pm

AnnetteLouisan wrote: ↑Sun Aug 07, 2022 2:39 pmI’m not worried about it, but if something were to happen, doesn’t the government backing mean they would make us whole? As long as we properly notified them and were not ourselves at fault?

viewtopic.php?t=87934

That is why TD probably now requires a mailed in form with signature guarantee to add a new bank.
Possible loss of $ via hacking is greatly reduced now. Bad guys would need access to your TD account and an already linked bank account in order to steal funds. Even if TD would not reimburse you, your bank probably would have to.

Regulation E does provide some protections for fraudulent ACH transfers. How that applies might vary depending on the situation though, and who is at fault... I don't know if "the government" holds themselves to the same standards they apply to other financial institutions.
But there might be other ways you could get defrauded... say if someone "hacked" your account, sold your Savings Bonds and bought some marketable long maturity treasuries that fell in value, you might have an issue. Or if they just sold your Savings Bonds and let the cash sit in the 0%-CI , yeah you have the cash ... but you can't re-purchase your past years savings bonds.

An interesting side note about how banks skirt the Reg E fraudulent ACH transfers when it comes to things like "Zelle" ... if you agreed to use "Zelle" they don't regard any transfers as fraudulent, you agreed to Zelle's transfer terms and you have to take the issue up with Zelle ... which happens to be the entity created/owned by the banks to do all sorts of financial things the banks might otherwise be prohibited from doing directly on their own.

JoMoney wrote: ↑Sun Aug 07, 2022 3:13 pm

anon_investor wrote: ↑Sun Aug 07, 2022 3:03 pm

JoMoney wrote: ↑Sun Aug 07, 2022 2:53 pm

AnnetteLouisan wrote: ↑Sun Aug 07, 2022 2:39 pmI’m not worried about it, but if something were to happen, doesn’t the government backing mean they would make us whole? As long as we properly notified them and were not ourselves at fault?

viewtopic.php?t=87934

That is why TD probably now requires a mailed in form with signature guarantee to add a new bank.
Possible loss of $ via hacking is greatly reduced now. Bad guys would need access to your TD account and an already linked bank account in order to steal funds. Even if TD would not reimburse you, your bank probably would have to.

Regulation E does provide some protections for fraudulent ACH transfers. How that applies might vary depending on the situation though, and who is at fault... I don't know if "the government" holds themselves to the same standards they apply to other financial institutions.
But there might be other ways you could get defrauded... say if someone "hacked" your account, sold your Savings Bonds and bought some marketable long maturity treasuries that fell in value, you might have an issue. Or if they just sold your Savings Bonds and let the cash sit in the 0%-CI , yeah you have the cash ... but you can't re-purchase your past years savings bonds.

That would need to be a really malicious hacker to do that for no benefit to themselves (financial or otherwise).

gavinsiu wrote: ↑Sun Aug 07, 2022 3:29 pmI don't remember having to do a signature guarantee when I sign up for Treasury Direct. Does the signature guarantee apply only if I add another account after sign up?

New requirement (since last year?) to add additional bank accounts.

Doom&Gloom wrote: ↑Sun Aug 07, 2022 3:23 pmI have left my heirs a detailed roadmap and I have little confidence that they will be able to retrieve what will be rightfully theirs without jumping through a thousand hoops.
LOL @ hackers having any chance at all for my limited assets at TD!

Isn't it like with all POD accounts, they have to call? no hacker will want to sit on hold for 2 hours...

gavinsiu wrote: ↑Sun Aug 07, 2022 3:37 pmIf there is a linked account, how quickly can you get the funds if it's linked to an account? I am trying to sign my mom up to Treasury Direct but she raised her usual concern about not being able to get the money when she needs it. Note that in reality, she hasn't touch the money in the last 30 years or so.

I think they say 2-3 business days. When I've transferred funds from TD to my Fidelity CMA account, it only took a day. Different banks may have different policies on availability of funds.
The bigger issue is if she forgets a password or security question and gets the account locked. It may require a signature verification form that might take a month or more to process... In some situations, customer service phone number MAY be able to "unlock" account if you later remember the correct info AND can get through the (currently lengthy) customer service queue times.

Note that some securities you can hold at TD, like Savings Bonds, have a minimum 12month holding period before they're eligible to be redeemed (*some rare exceptions in certain disaster emergency situations)

JoMoney wrote: ↑Sun Aug 07, 2022 3:49 pm

gavinsiu wrote: ↑Sun Aug 07, 2022 3:37 pmIf there is a linked account, how quickly can you get the funds if it's linked to an account? I am trying to sign my mom up to Treasury Direct but she raised her usual concern about not being able to get the money when she needs it. Note that in reality, she hasn't touch the money in the last 30 years or so.

I think they say 2-3 business days. When I've transferred funds from TD to my Fidelity CMA account, it only took a day. Different banks may have different policies on availability of funds.
The bigger issue is if she forgets a password or security question and gets the account locked. It may require a signature verification form that might take a month or more to process... In some situations, customer service phone number MAY be able to "unlock" account if you later remember the correct info AND can get through the (currently lengthy) customer service queue times.

If only TD allowed Fidelity to sell I Bonds...

gavinsiu wrote: ↑Sun Aug 07, 2022 3:37 pmIf there is a linked account, how quickly can you get the funds if it's linked to an account? I am trying to sign my mom up to Treasury Direct but she raised her usual concern about not being able to get the money when she needs it. Note that in reality, she hasn't touch the money in the last 30 years or so.

Next business day.

anon_investor wrote: ↑Sun Aug 07, 2022 3:54 pm...
If only TD allowed Fidelity to sell I Bonds...

You can get TIPS, and at current rates they have positive real yields higher than I bonds.
Fidelity even offers a broad-duration TIPS index fund (FIPDX) at a very low ER. One does need to be willing to match an appropriate time horizon and be willing to accept the fluctuating value.

JoMoney wrote: ↑Sun Aug 07, 2022 4:00 pm

anon_investor wrote: ↑Sun Aug 07, 2022 3:54 pm...
If only TD allowed Fidelity to sell I Bonds...

You can get TIPS, and at current rates they have positive real yields higher than I bonds.
Fidelity even offers a broad-duration TIPS index fund (FIPDX) at a very low ER. One does need to be willing to match an appropriate time horizon and be willing to accept the fluctuating value.

I Bonds are special, a bit different from TIPS, especially in a taxable account.

I am much more worried about people with legitimate reasons to get money out of my Treasury Direct account--e.g. my family after I pass--being denied access than I'm worried about hackers gaining access.

I don't believe there's any way for an ordinary layperson to accurately evaluate the security practices of a financial institution.

gavinsiu wrote: ↑Sun Aug 07, 2022 1:28 pmHow secure do you think Treasury Direct is? Have there been instances of hacks? I am not talking about hacks that occur because someone has crappy password. I am thinking of a mass hack where they hacked into the server and stole PII or actual bonds.

As secure as Vanguard, Fidelity, et al. Given that it's a government site, it's less likely to be targeted by non-state actor since that then puts your botnet / group on the US Government's radar.

I was wondering if anyone knew if Treasury Direct was hacked at any point. I cannot find any incident online. I recall having my PII breached by OPM back in 2015, so I am a bit weary of Government security.

One of the other reason I was worry is that some of the site's authentication seemed kind of old. When you login, they send a 2FA code to your email, and then they use a virtual keyboard to enter yoru password, which encourage the user to use a really simple password since they can't easily use their password manager. At least use TOTP that doesn't use email or SMS and get rid of the virtual keyboard.

Chances are that TD security is of a similar level than Schwab, Vanguard, Fidelity. It's impossible to say anything specific about any institution, but security best practices are well known, although in practice operational issues are often more important.

I would imagine that the median balance of any TD account is relatively low compared to a brokerage account, this making it a less attractive target, not to mention a hacker would very likely incur in the full wrath of the Federal govt.

As always by far the biggest danger is the human factor, how we are at following best practices, do we use a password manager protected with 2FA, do we avoid clicking suspect links, do we have an up to date virus scanner on the desktop/laptop, do we check the trustworthiness of the web site we download data (or worse, applications) from?
Also ACATS fraud is probably a far bigger danger. The point is that hacking financial accounts is usually fairly difficult, and the best way for any entity that is not a nation-state is to go for the weakest link, the end user.

That said it's important to periodically monitor accounts and keep recent statements because anything is possible. Foolproof security simply does not exist.

gavinsiu wrote: ↑Sun Aug 07, 2022 9:11 pmI was wondering if anyone knew if Treasury Direct was hacked at any point. I cannot find any incident online. I recall having my PII breached by OPM back in 2015, so I am a bit weary of Government security.

One of the other reason I was worry is that some of the site's authentication seemed kind of old. When you login, they send a 2FA code to your email, and then they use a virtual keyboard to enter yoru password, which encourage the user to use a really simple password since they can't easily use their password manager. At least use TOTP that doesn't use email or SMS and get rid of the virtual keyboard.

Very few people use password managers.

I have no concerns about their security.

It's a low-value target. And, it's a US Government site connected with the US Treasury. It's not the kind of site that attracts anyone with actual means. You don't paint a target on your back by attacking this type of site.

JoMoney wrote: ↑Sun Aug 07, 2022 3:49 pm

gavinsiu wrote: ↑Sun Aug 07, 2022 3:37 pmIf there is a linked account, how quickly can you get the funds if it's linked to an account? I am trying to sign my mom up to Treasury Direct but she raised her usual concern about not being able to get the money when she needs it. Note that in reality, she hasn't touch the money in the last 30 years or so.

I think they say 2-3 business days. When I've transferred funds from TD to my Fidelity CMA account, it only took a day. Different banks may have different policies on availability of funds.
The bigger issue is if she forgets a password or security question and gets the account locked. It may require a signature verification form that might take a month or more to process... In some situations, customer service phone number MAY be able to "unlock" account if you later remember the correct info AND can get through the (currently lengthy) customer service queue times.

Note that some securities you can hold at TD, like Savings Bonds, have a minimum 12month holding period before they're eligible to be redeemed (*some rare exceptions in certain disaster emergency situations)

How is it that TD can be so complicated and inefficient? Are complicated, inefficient, and not customer friendly in their mission statement?

Jeepergeo wrote: ↑Sun Aug 07, 2022 10:43 pmHow is it that TD can be so complicated and inefficient? Are complicated, inefficient, and not customer friendly in their mission statement?

Why is the IRS site so complicated and unfriendly.
Why is the Social Security site so complicated and ufriendly.
Why is the DMV site so complicated and unfriendly.

This is my opinion, but government sites tend to be less innovative. There is less competition unlike their corporate counterparts.

Based on the comments here, I am convinced that Treasury Direct is secure enough.

exodusNH wrote: ↑Sun Aug 07, 2022 10:22 pm

gavinsiu wrote: ↑Sun Aug 07, 2022 9:11 pmOne of the other reason I was worry is that some of the site's authentication seemed kind of old. When you login, they send a 2FA code to your email, and then they use a virtual keyboard to enter yoru password, which encourage the user to use a really simple password since they can't easily use their password manager. At least use TOTP that doesn't use email or SMS and get rid of the virtual keyboard.

Very few people use password managers.

The use of email for 2FA is kind of ancient but not hugely different from sending an SMS, but as long as you use 2FA for the email account and have a reputable ISP, it's actually safer than getting SMS for 2FA, as they can be hi-jacked unless you disable number porting.

The comments of "use a really simple password" and "Very few people use password managers." prove the point I made in my comment, it's somewhat irrelevant to worry about TD or Brokerage account security unless you always use randomly generated passwords all different from each site AND use a password manager. You also need to make sure the backup communication (email, SMS, ....) is locked down as much possible because otherwise it's another weakness. You should also never use the same answer for security questions, and make them non-sensical. For instance If the question is "favorite color", "blue" is an unsecure answer because it's too easy to guess, "wet ice" is much better because it makes no sense. Of course you would store these non-sensical questions/answer in the password manager because you wouldn't be able to remember them -- the whole point is to make them very difficult to guess.

anon_investor wrote: ↑Sun Aug 07, 2022 1:36 pmYou need to mail in a form with a signature guarantee to transfer marketable treasuries.

How do you get money out? Does redeeming your I Bonds to the same account used to fund it require a signature guarantee?

DarkHelmetII wrote: ↑Mon Aug 08, 2022 3:22 am

anon_investor wrote: ↑Sun Aug 07, 2022 1:36 pmYou need to mail in a form with a signature guarantee to transfer marketable treasuries.

How do you get money out? Does redeeming your I Bonds to the same account used to fund it require a signature guarantee?

Nope. If you have a bank account already connected, your money will be in it the next business day after you request it. No additional signature guarantees are required.

squirrel1963 wrote: ↑Mon Aug 08, 2022 12:37 am

exodusNH wrote: ↑Sun Aug 07, 2022 10:22 pm

gavinsiu wrote: ↑Sun Aug 07, 2022 9:11 pmOne of the other reason I was worry is that some of the site's authentication seemed kind of old. When you login, they send a 2FA code to your email, and then they use a virtual keyboard to enter yoru password, which encourage the user to use a really simple password since they can't easily use their password manager. At least use TOTP that doesn't use email or SMS and get rid of the virtual keyboard.

Very few people use password managers.

The use of email for 2FA is kind of ancient but not hugely different from sending an SMS, but as long as you use 2FA for the email account and have a reputable ISP, it's actually safer than getting SMS for 2FA, as they can be hi-jacked unless you disable number porting.

The comments of "use a really simple password" and "Very few people use password managers." prove the point I made in my comment, it's somewhat irrelevant to worry about TD or Brokerage account security unless you always use randomly generated passwords all different from each site AND use a password manager. You also need to make sure the backup communication (email, SMS, ....) is locked down as much possible because otherwise it's another weakness. You should also never use the same answer for security questions, and make them non-sensical. For instance If the question is "favorite color", "blue" is an unsecure answer because it's too easy to guess, "wet ice" is much better because it makes no sense. Of course you would store these non-sensical questions/answer in the password manager because you wouldn't be able to remember them -- the whole point is to make them very difficult to guess.

I disagree about random passwords. Unique per site, of course, but unless you spend a lot of time on questionable sites, no site is storing your passwords in plain text. They're salted and hashed. If their password database is leaked, having your password being one character different on another is indistinguishable from having used two randomly-generated passwords.

If your passwords have a pattern, that's still very secure as, unless you are being specifically targeted and they somehow manage to capture the plain text, all of this work is done by automated tools. No human is looking at your password of "Vanguard Horse Battery Staple Correct" and saying "aha! I know their Fidelity password is going to be 'Fidelity Horse Battery Staple Correct'".

I'd go further and say that you should use different user names and emails per site. Gmail lets you add + addresses, although many sites have developers who don't know what they're doing and treat that as invalid. You can also add one or more periods anywhere in your email name and Gmail will still deliver it to your account. E.g., someuser@gmail and s.o.meuser@gmail go to the same account.

Your email password is your most important one as that's the gateway to everything else.

exodusNH wrote: ↑Mon Aug 08, 2022 7:56 am

squirrel1963 wrote: ↑Mon Aug 08, 2022 12:37 am

exodusNH wrote: ↑Sun Aug 07, 2022 10:22 pm

gavinsiu wrote: ↑Sun Aug 07, 2022 9:11 pmOne of the other reason I was worry is that some of the site's authentication seemed kind of old. When you login, they send a 2FA code to your email, and then they use a virtual keyboard to enter yoru password, which encourage the user to use a really simple password since they can't easily use their password manager. At least use TOTP that doesn't use email or SMS and get rid of the virtual keyboard.

Very few people use password managers.

The use of email for 2FA is kind of ancient but not hugely different from sending an SMS, but as long as you use 2FA for the email account and have a reputable ISP, it's actually safer than getting SMS for 2FA, as they can be hi-jacked unless you disable number porting.

The comments of "use a really simple password" and "Very few people use password managers." prove the point I made in my comment, it's somewhat irrelevant to worry about TD or Brokerage account security unless you always use randomly generated passwords all different from each site AND use a password manager. You also need to make sure the backup communication (email, SMS, ....) is locked down as much possible because otherwise it's another weakness. You should also never use the same answer for security questions, and make them non-sensical. For instance If the question is "favorite color", "blue" is an unsecure answer because it's too easy to guess, "wet ice" is much better because it makes no sense. Of course you would store these non-sensical questions/answer in the password manager because you wouldn't be able to remember them -- the whole point is to make them very difficult to guess.

I disagree about random passwords. Unique per site, of course, but unless you spend a lot of time on questionable sites, no site is storing your passwords in plain text. They're salted and hashed. If their password database is leaked, having your password being one character different on another is indistinguishable from having used two randomly-generated passwords.

If your passwords have a pattern, that's still very secure as, unless you are being specifically targeted and they somehow manage to capture the plain text, all of this work is done by automated tools. No human is looking at your password of "Vanguard Horse Battery Staple Correct" and saying "aha! I know their Fidelity password is going to be 'Fidelity Horse Battery Staple Correct'".

I'd go further and say that you should use different user names and emails per site. Gmail lets you add + addresses, although many sites have developers who don't know what they're doing and treat that as invalid. You can also add one or more periods anywhere in your email name and Gmail will still deliver it to your account. E.g., someuser@gmail and s.o.meuser@gmail go to the same account.

Your email password is your most important one as that's the gateway to everything else.

I have no concerns about using the same passwords on places of non-financial nature AND not otherwise security sensitive. Your master password for password manager must of course be unique, and your email and cell phone provider passwords are also very security sensitive because 2FA typically goes thru them and because you don't want email to be hacked, as you mention. In theory you are right that the password is salted with a per-host random salt and is one-way hashed, but why take the risk? It's of no cost to you if you use a password manager as it does the navigation to the web site, and autofill of credentials.
I also use different user names, but I gave up the idea of using bills+wellsfargo@squirrel after realizing that + functionality is poorly supported and a couple times when I called customer service they said "oh how can you have wellsfargo in the email address" I didn't realize periods in email user names is a special case, is it an RFC or a Google thing, I'll look it up.

The most important thing as you are obviously aware of is the end-to-end concept of multiple layers of security, 2FA, and overall best practices. You can follow even better practices by using for instance a hard token instead of a soft token on the phone, but given they both require the physical object I am not concerned that soft token on the phone is in theory less secure. Some hard tokens had known security flaws anyway.

Most hacking is done via social engineering anyway like phishing as well making you click on dubious links. If you get a email allegedly from Vanguard, and you click the link and don't verify the digital certificates of the web site, all hope is lost. This also another really good reason to use password managers and auto-navigation to web site, especially for users who are not familiar with SSL certs and how to verify them in a browser (the majority of users). I'll be honest, I can probably fall for it too if I'm distracted, it can happen to anyone.

Also using a desktop or laptop with good antivirus is paramount as well as avoiding downloading stuff from untrusted web sites. Ideally I should be using Linux TBH on a separate laptop, but it's annoying to use different laptops. I could set up a VM for windows but all in all I feel safe enough with password managers, up-to-date antivirus, 2FA and best practices.

At the end it's a lot more important to consistently follow good security practices, having better security practices will backfire if you end up in not being consistent with them. So for instance I'm okay with Windows for now, and I'm okay with soft tokens for now.

exodusNH wrote: ↑Mon Aug 08, 2022 7:56 am

squirrel1963 wrote: ↑Mon Aug 08, 2022 12:37 am

exodusNH wrote: ↑Sun Aug 07, 2022 10:22 pm

gavinsiu wrote: ↑Sun Aug 07, 2022 9:11 pmOne of the other reason I was worry is that some of the site's authentication seemed kind of old. When you login, they send a 2FA code to your email, and then they use a virtual keyboard to enter yoru password, which encourage the user to use a really simple password since they can't easily use their password manager. At least use TOTP that doesn't use email or SMS and get rid of the virtual keyboard.

Very few people use password managers.

The use of email for 2FA is kind of ancient but not hugely different from sending an SMS, but as long as you use 2FA for the email account and have a reputable ISP, it's actually safer than getting SMS for 2FA, as they can be hi-jacked unless you disable number porting.

The comments of "use a really simple password" and "Very few people use password managers." prove the point I made in my comment, it's somewhat irrelevant to worry about TD or Brokerage account security unless you always use randomly generated passwords all different from each site AND use a password manager. You also need to make sure the backup communication (email, SMS, ....) is locked down as much possible because otherwise it's another weakness. You should also never use the same answer for security questions, and make them non-sensical. For instance If the question is "favorite color", "blue" is an unsecure answer because it's too easy to guess, "wet ice" is much better because it makes no sense. Of course you would store these non-sensical questions/answer in the password manager because you wouldn't be able to remember them -- the whole point is to make them very difficult to guess.

I disagree about random passwords. Unique per site, of course, but unless you spend a lot of time on questionable sites, no site is storing your passwords in plain text. They're salted and hashed. If their password database is leaked, having your password being one character different on another is indistinguishable from having used two randomly-generated passwords.

If your passwords have a pattern, that's still very secure as, unless you are being specifically targeted and they somehow manage to capture the plain text, all of this work is done by automated tools. No human is looking at your password of "Vanguard Horse Battery Staple Correct" and saying "aha! I know their Fidelity password is going to be 'Fidelity Horse Battery Staple Correct'".

I'd go further and say that you should use different user names and emails per site. Gmail lets you add + addresses, although many sites have developers who don't know what they're doing and treat that as invalid. You can also add one or more periods anywhere in your email name and Gmail will still deliver it to your account. E.g., someuser@gmail and s.o.meuser@gmail go to the same account.

Your email password is your most important one as that's the gateway to everything else.

I love Apple’s “hide my email” feature. It generates random emails that get relayed to your Apple iCloud email. So the site that you’re interacting with is never aware of any of your “real” email addresses

The Dept. of Treasury Office of Inspector General is responsible for auditing and ensuring treasury systems are secure. Some OIGs have their own specialized IT audit teams that do in depth audits of agency systems. Some would also hire outside consultants to help with the jobs. The OIGs usually publish their reports and also submit a semiannual report to Congress.

You can find Treasury OIG’s reports here:
https://oig.treasury.gov/reports/audit-and-evaluation

and the semiannual reports sent to Congress here:
https://oig.treasury.gov/semiannual-reports-congress

The closest report covering treasury systems I could find is this (a report of Bureau of Fiscal Services - BFS), but not sure whether this covers the TD system
https://oig.treasury.gov/sites/oig/file ... 22-001.pdf

This is not an in-depth IT audit but some kind of an “applications control audit”. If there is inadequate policies or procedures, lack of general controls etc., then these auditors will find out and report. But if there is something wrong in the coding or the systems are not hardened they may not even notice it. This audit was done by KPMG using AICPA standards. Real IT auditors don’t use AICPA standards.

In addition to these audits, the OIGs may do their own penetration testing, vulnerability assessment testing etc., to make sure their systems are secure.

The bottom line? I would think there is enough monitoring and oversight.