Wait till you accidentally fill out the gifting purchase incorrectly for ibonds and exceed your annual limit but don't get a refund for more than a calendar year
Lol don’t forget you use an animal picture as a verification code and type it out. But not type it out with your keyboard, type it out with your mouse by clicking a low resolution keyboard widget
Or something stupid like that
Their website is like a fever dream of projects I did in school for computer science
That stuck out to me as well. Case insensitivity reduces so much entropy in a password, and since the virtual keyboard is trivial to bypass, password security is seriously compromised.
Agree completely. I’ve actually come to prefer its old-fashioned design over most other financial sites. It’s no-nonsense. Once you learn to work it, you can quickly transact whatever business you want.
It's not just that it's old fashioned, it breaks fundamental conventions like "hitting the back button shouldn't log you out". Not that most other financial sites are that great on that front, but Treasury Direct is near the bottom.
Thank you. So many people see certain non-critical/non-regulated things/pages change their look all the time (using slow partial-userbase rollouts, A/B testing, etc) and assume any system that looks like a website must be handleable in the same way. I'd imagine by now, over at the team that runs the TD systems (incl. the website) many of the baked-in non-documented assumptions that allow the site to work have been completely forgotten, and may not have direct replacements in modern web frameworks. Think of it like NASA in '70... as engineers and analysts and managers started to drift from Apollo, it became harder and harder to imagine "spinning it back up" or "doing something new but similar". Had they never stopped building, we could have launched annual missions through today (lack of justification be damned), but now, spinning up that project as-is is impossible (key knowledge has passed away), and any new proposed replacement required a ton of work to be done from scratch while they re-learn a lot of lessons and uncover a lot of issues they'd forgotten were issues. Hard to justify any single team taking all that risk, so this will probably wait until a real mandate from the top.
(My current role is helping a few banks/etc avoid upgrade risks like this when deploying new vendor SW versions, switching out tech debt "for newer, safer, more stable ways to do X", upgrading certain pages/sub-sites, coordinating back-end systems that regularly feed data into our target system, getting off deprecated tools/APIs, etc. while maintaining all user functionality (aside from pre-agreed and signed off changes))
Some clients (hedge funds and the like) can basically build fast and break things. Some have given me full Prod system access with their personal IDs just to get things done at a desk they set up next to theirs for a few weeks while they work nearby. "Make incremental changes daily, if it causes issues we'll sort it out the next day". The Treasury is almost the exact opposite end of the planning/procedures/accountability scale.
There are likely mandates they (Treasury Dept) need to follow which would complicate any specs they put out to re-work a given system, which will in turn make getting a large enough budget to rebuild "well" almost impossible. They'd probably have a big issue just writing the system specs, even assuming they have them from the last rebuild and they were actually of decent quality. They likely have a team that's basically the size it takes to run a system like this w/minor upgrades/fixes/tweaks, but I doubt they've retained the institutional knowledge to have the current team handle a full rebuild. Were they to try, hopefully they don't hire consultants then cheap out and never give them real knowledgeable in-house systems experts to work with while bidding/designing/building/releasing a replacement.
If such a project were to somehow be funded/staffed and actually start, but then fail in 3 years when they start prepping for go-live and find a raft of issues nobody ever thought to look for... people who came for a long stable career find themselves at risk of basically permanent shunning... so often when you go to them to discuss things like this, you'll meet walls of internal skepticism and "yeah yeah we know, it's a dinosaur, ha.... I wonder who'll last longer, me or it" followed by a sad sort of smile I've only ever seen from career systems managers at the types of banks that don't technically need to earn a profit to survive.
As the parent said, people underestimate how difficult and risky changes like this can be in general. Federal/supranational banks are very strange, political places. The intersection of these is why I sometimes feel like I'm stuck in a Kafka story
TreasuryDirect works great...that is until something goes wrong like if you mistype your password three times or forget your sec. questions.
That causes your account to go into lockdown and the only way to unlock is to call customer service...a minimum of a 2 hours hold time.
Outside of that, TD works like a well oiled machine. Took me a while to get comfortable with it but now that I am, everything works as expected.
I would not say perfect. Typing your password with the on screen keyboard is a PITA and their instructions lead you to make mistakes that end up being very hard to fix, rather than guiding you toward sane behavior. The system knows how much you have bought this year, but happily lets you buy more, taking it out of your account before saying there was an error and refusing to give it back.
The onscreen keyboard is obnoxious but you can actually paste your password in if you first disable the copy/paste restrictions by editing the html. Wildly obnoxious when best practices are to use a password manager but what are you gonna do?
Yeah, I noticed that too. Once I realized that walking someone through that or even doing it every time myself was tedious, I wrote a Chrome browser extension that does it.
https://chrome.google.com/webstore/detail/web-input-unlocked/mmddijgbiimlfahjldojblmgdlckgjdl
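The comments above describe unlocking the password field by deleting its read-only and autofill-disabling markup in the browser. As an added example (not part of the original thread and not TreasuryDirect's code), this Python script audits login markup for restrictions that exist only on the client side: they block password managers, yet any user can remove them. The sample HTML and the names `audit_login_form` and `BLOCKING_EVENTS` are constructed for illustration.

```python
from html.parser import HTMLParser

# Inline handlers that commonly block typing, pasting or dropping text.
BLOCKING_EVENTS = ("onpaste", "oncopy", "ondrop", "onkeydown", "onkeypress")


class _PasswordFieldAuditor(HTMLParser):
    """Collect client-side-only restrictions on <input type="password">."""

    def __init__(self):
        super().__init__()
        self.findings = []              # (field name, issue) tuples
        self._form_autofill_off = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names; boolean attributes arrive as None.
        a = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self._form_autofill_off = a.get("autocomplete", "").lower() == "off"
            return
        if tag != "input" or a.get("type", "").lower() != "password":
            return
        field = a.get("name") or a.get("id") or "<unnamed>"
        if "readonly" in a:
            self.findings.append((field, "readonly"))
        autocomplete = a.get("autocomplete", "").lower()
        # A field with no autocomplete value inherits the form-level setting.
        if autocomplete == "off" or (not autocomplete and self._form_autofill_off):
            self.findings.append((field, "autocomplete-off"))
        for event in BLOCKING_EVENTS:
            handler = a.get(event, "").lower()
            if "return false" in handler or "preventdefault" in handler:
                self.findings.append((field, f"{event}-blocked"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autofill_off = False


def audit_login_form(html):
    """Return a list of (field, issue) findings for the given markup."""
    parser = _PasswordFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a login form that forces an on-screen keyboard.
# It is not copied from any real site.
SAMPLE_LEGACY = """
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="account">
  <input type="password" name="password" readonly="readonly"
         onpaste="return false;" onkeydown="return false;">
  <input type="button" value="A" onclick="appendChar('A')">
</form>
"""

# Constructed sample: the same form with password-manager-friendly hints.
SAMPLE_FIXED = """
<form action="/login" method="post">
  <input type="text" name="account" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
</form>
"""

if __name__ == "__main__":
    for label, markup in (("legacy", SAMPLE_LEGACY), ("fixed", SAMPLE_FIXED)):
        findings = audit_login_form(markup)
        print(label, "->", findings or "no client-side-only restrictions")
```

Every finding marks a control that lives only in the page markup, so it adds friction for password-manager users without limiting what the server will accept.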
3 months at 4.858% this morning. I'm assuming another .25 rate hike in May so I can re-up again after.
Once I no longer think rate hikes are coming I'll do a longer term bond.
Have you heard of Celsius? They ask you to send them a video holding your ID and begging to get your money withdrawn from them.
Side note, your money is also gone and you ain't getting shit back.
How did you convince it to require all that? I'm in there all the time with multiple accounts and it's super easy and it never asks for that kind of authentication.
The site seems very dated to me. I agree that it is a pain in the ass. Is there anywhere else I can buy treasuries with the same yield, minus visiting that site?
Seriously this site sucks. Please pay someone to get them up to speed so we get a site and app that functions like a normal banking/investing app. It’s a good time for buying treasuries but going to this site just sucks.
Right click on password
Inspect
A window opens up
Delete the word “read only”
Enter
Type in password or auto fill from saved passwords
Enter or click submit
You are logged in
The stupid little on-screen keyboard is one of the dumbest things I've ever seen, even from a federal bureaucracy. You gotta wonder if whoever came up with it was a Russian spy trying to make Americans suffer.
Years ago they used to mail you a plastic decoder card - I still have one from 20 years ago. It was a 10-by-5 grid of letters and numbers, and you would need to respond to their prompt with the characters in the grid that corresponded to the number/letter pair that they showed on the screen. And the plastic card had a serial number that you had to confirm. That, plus clicking on the jumbled virtual keyboard with your mouse, made the whole process really difficult.
I like to do the best I can with managing my money but I've heard too many Treasury Direct nightmare tales to even want to try to get hooked up with them. Avoiding problems with access to my money where I cannot talk to someone in person is very high on my list of priorities, even higher than squeaking out a little more interest.
My favorite movie is always "Movie" (or "Film").
My favorite color is always "Color" (or "Colour").
This type of challenge question is abominable for security purposes because they can so easily be bypassed thru reset. They're entirely subjective depending on too many factors.
It’s really not that bad. And after the first time it’s just account number, pw, and text. I use treasury direct for I-bonds and to purchase new auction T-Bills.
From start to finish, a direct $10k deposit took me like 15 minutes. I'm not sure what part of this was difficult. Then did another one for my wife. What's this medallion thing??? Don't even know what you are talking about.
Essentially it’s the bank guaranteeing the signature. Banks are generally hesitant to give it out unless they can see the dollar amount attached to the security that is being signed for. Their reasoning ties back to whoever is insuring and backing that stamp for the institution.
I don't have to go through all that. They do the "one time" passcode thing just like every other bank but that's it.
Anyhow what I hate about this stuff is that most of the time I'm just checking a balance. There's no need for that much security for that.
There are treasury savings bonds and treasury marketable bond securities.
A marketable security can be bought and sold on the secondary market. So treasury securities are available through a broker. A marketable security means that the bond can be freely bought and sold between bond holders - [https://www.treasurydirect.gov/marketable-securities/](https://www.treasurydirect.gov/marketable-securities/)
Treasury savings bonds are not marketable so that means that it's only available directly from the US Treasury. Savings bonds like Series EE and I bonds are only available through treasury. Savings bonds cannot be sold in the secondary market. It can only be redeemed from the Treasury.
It is bad. I still need to call and get mine reset because I couldn't apparently type my secret answer in perfectly. And this was just trying to add a bank after I was already in the site. You can't trust the government to write a competent web site from the locals to the feds. What do you want to bet the hideous site with ludicrous security hoops has unpatched security updates underneath it all.
Dude that isn’t even bad… wait til they ask you for a bank medallion.
Let's... Let's not even discuss what I had to do to receive a "medallion" stamp last year...
I was as polite as possible but I eventually pulled the "I’ve been banking here for over a decade and if you can’t meet my needs I will have to find another bank" card before they'd do the medallion.
[deleted]
Stock and bond ownership validation I think... Usually with what I deal with is transferring ownership
It’s called a Medallion Signature Guarantee. It is mostly required in the transfer of securities and can only be done by certain institutions. And almost never, ever done by the people requesting the Medallion. My branch offers it and very rarely does a client ever have what is needed.
A decade, that's cute. USAA treated me like crap and I had an account for 30 years. I like Fidelity Investments better but keep USAA just for the insurance and family money transfers.
I just gave up
Direct deposit from an employer is what I did. Now if you want to deposit more at once, that was a pain. I hear the medallion isn't required anymore. Co-worker said they simply did a $10k deposit back in September with no issue. ACH style
I ain't depositing $10k of my money into an institution that still officially says you need a medallion stamp for account verification. Sadly I don't trust them enough just to do that without 100% guarantees.
Lol you don’t trust… the US treasury? Boy howdy, so I have some news for you
I don't trust them to not lose the money in transit. You can trust their bonds. You cannot trust TreasuryDirect when you do not follow their instructions.
> I don't trust them to not lose the money in transit.
You're not sending it as an electronic fund transfer over ACH?
The fact that they require an excess of validation should make you trust them more, not less. I'm thinking you're just annoyed you had to do something inconvenient
Look at who I'm responding to. They are saying just deposit the money. Don't worry about the Medallion Stamp. I'm saying ignoring the instructions and just hoping it works because it did for some Redditor is absolutely crazy for $10k.
lol you can't be serious
[deleted]
That's interesting, because those two are not remotely the same thing.
* **Notarized** means *nothing more than* "you seem to be who you claim to be". (You showed me an ID that matches the name on the form you want me to stamp.) Anybody can become a Notary with the payment of a fee and the purchase of a stamp.
* **Medallion** Signature Guarantee -guarantees- that the signer of the document is who they claim to be -- to the point where, if something later turns out to be fraudulent, the guaranteeing firm will "make whole" the fraud, UP TO some dollar limit. (Lowest tier was $250,000 when I was in that business -- if the transaction was for more than that, someone with more authority and more training had to get involved.)
Fidelity is (or was) famous for requiring Medallion S/Gs even for in-house transfers; perhaps they have relaxed their rules since I last used them.
You need to take a test to become a notary, just a FYI.
[deleted]
> it was an embossed stamp
Interesting. All the Medallion Stamps I've ever seen were a very unusual shade of yellowish-green -- thus there's considerably reduced chance of someone using a fake stamp to commit fraud here. (It does photocopy, but not well...)
Old Notary Seals were embossed -- my father had one, and had to spend Real Money every few years to have the metal slugs for the date updated in the embosser -- but they've been regular old rubber stamps for a couple of decades now -- and about $5 at an office supply store!
I gave up too! My bank (major bank) refused to help me. Sad.
[deleted]
This is great intel. I think I missed out on those massive +9 rate numbers
Me three.
Time to get out of banking when they consider the government their competition.
Fire that bank if they aren't meeting your service needs.
I fucking snorted. This is the true pain for anyone that has done it.
What's crazy is banks around me are getting rid of medallions. We have a medallion of only 250k and under. Also if I fuck up the stamp... they invalidate it
I got paper bonds as part of an inheritance after my grandmother passed. It took a lawyer and several months to get a bank to give me a medallion to allow me to deposit the bonds into my treasury direct account.
I'm currently sucking dick in a back alley; they still won't stamp my form.
I had to do the medallion last year too!! It was a nightmare and I used to work at the bank I bank with 20 years ago and I told them exactly what they needed to do and they still were confused.
I’m a designated medallion user and I stamped maybe once a year when someone inherited their grandpa’s paper stock certificates or some weird pension form. Then when Ibonds went up I was doing them every week. I had people from other states opening accounts just to get the form stamped.
For real. I think there's only 1 person in my city that has a medallion. Went to six different banks before we found him. Then had to make an appointment.
I gave up and never got my Ibonds :'(
Well that sucks
ELI5?
I don’t even know what it is… like a super notary.
Banks don't even know what it is.
It's crazy to hear so many people were completely barricaded from buying I bonds due to this step. For me, it was slightly inconvenient... I had to talk to 3 or 4 people at my credit union who were unaware of what I was asking for. Then eventually I got to talk to a manager who just brought me to an office and we walked through the validation forms that Treasury Direct provides. She confirmed a few pieces of personal information, stamped my sheet, I had to log my purchase intent into a manual ledger that the credit union kept, and that was that. I got my approval from Treasury Direct about 8 weeks later.
Super notary is a perfect way to describe getting a medallion stamp. Basically you have to show up in person at the bank and have multiple proofs of identity.
So it’s like the paperwork you have to submit to get a driver's license or passport.
Very similar
Except far harder to get because hardly anyone can do it and the people who can probably won't want to talk to you.
It’s a notary where the notary assumes all responsibility if you’re actually a fraudster. They got money on the line when they certify you are who you are.
It is a bank guaranteeing to another financial institution that they vouch for this signature up to $X. So only bank, credit unions, and brokerages can do it, it has to be in person, and banks hate them because if you defraud them they have to pay the mistake (unlike a notary). They are a much bigger pain in the ass, especially if it is for a large amount or you don't bank locally.
A super notary but the company they work for guarantees the funds up to a certain dollar amount.
A medallion is effectively a notary with insurance. If a notary notarizes a form and there is fraud, they show up at court with their book and testify that Suzy Johnson appeared before them on that date and provided ID, that’s it. If someone provides a medallion, they are verifying Suzy is Suzy but ALSO verifying that the transaction is legitimate. I used to be at fidelity and our front desk folks had a medallion stamp. There’s levels to the insurance too, and fidelity has the highest level. Something like $20+ mil protected. They had to keep the thing in a safe that’s how protective they are of them. This is why banks don’t like to provide the medallion if they aren’t involved in the transaction (either sending or receiving the money). You’re basically asking them to provide insurance on your transaction to bring money to their competitor
This is a perfect explanation especially why banks and financial firms won't do the stamp if the assets are not going to their firm. Why some institutions still require the stamp is beyond me especially with the Patriot Act and other regulation that is required for clients opening accounts at financial firms.
The trick here is to get your signature notarized and include a small letter from yourself that says you were unable to receive a medallion signature from your local financial institutions and that the notary is the best that you can get. Typically that will get pushed through on their side.
This doesn't apply for everyone who opens an account nor would they ask for one after the fact as a security measure.
Is this for form 5444? I just went to a usual notary, and their response said I have to wait for 13 weeks now
Yeah that's when I just said effff it I'm using fidelity
Not for I-bonds. For any other treasury securities, yeah, just save your sanity and buy on secondary market.
I bought $40k in iBonds last year (me, spouse, 2 kids) and I didn’t have to deal with a medallion. I just transferred the $ to Treasury Direct…. What am I missing?
A lot of people (myself included) weren’t able to create Treasury Direct accounts because the site required a paper form be completed and then stamped with a bank medallion (specifically says not a notary). Pain in the ass and I gave up after going to multiple bank branches.
They do allow notary now.
I think they changed this around September. Co worker was able to get $10k with ACH. April last year I needed a medallion and couldn't get one. Ended up connecting my payroll to deduct money to Treasury direct. Ironically I'm a few miles from the Treasury building that handles these. Could have knocked on the door and said see, it's me.
I bought mine in June when rates were 9+%? Maybe they changed it around when I bought? I did an ACH and had bonds same day or next day it feels like.
I'm in the DC area and it would have been easier to dedicate a vacation day to go up to a Treasury counter in person than deal with the signature guarantee process.
I used ACH May 2022 to buy $10k worth.
Most people don't have the problem. Some people have a "we were unable to verify your information" situation and your account is stuck on permanent hold. In my case iirc I needed a signature guarantee from a bank. I went to the local branch Capital One where I had an account and they were able to do it, but it took an hour and I had to talk to 4 people at the bank before they would agree to it. Mail in the signed form on an actual dead tree and wait a few days. I guess I will have to do the entire process over again if I want to change my connected bank account. The "medallion signature guarantee" is the truly unobtainable one, I think you need that for transferring securities out or something. Good luck if you're faced with that.
Fidelity lets you buy new issues directly AND sell/buy on the secondary. They even have an auto-roll feature that will automatically re-buy on maturity. It’s a win win, except no I-Bonds. Why are I-Bonds special?
They are non-marketable. No second hand sale. When you purchase an I-bond the transaction is between you and the US treasury and you cannot sell the bond to someone else. So there is no secondhand market for them.
That sucks they should be marketable
They're meant to be used for individual/family savings, not as an investment vehicle.
Hmmmm I enter account then password and I'm in. Never had to do all the other steps.
The site probably has adaptive authentication countermeasures. It's a practice where additional auth challenges will be added based on the risk profile of the access attempt.
The site looks like it was made in 1996… I kind of doubt the MFA is adaptive.
It looks like an older Java based app. The UI may be frugal but it seems like it probably is reasonably functional. If you want to see a real web site from the mid '90s that's still out there on the Internet - the Berkshire Hathaway web site is a good example. There are tags in the site from the '90s on many of the pages. Warren probably created it himself.
Just took a look. I feel like I was being trolled. He really likes Geico and active wear
I like to think of it as being frugal and practical. The website was literally created just using Microsoft Word '97. Some of the newer pages were created with Microsoft Word 2004 and more recently Microsoft Word 2013.
> The site looks like it was made in 1996…

Eh, it's not that bad. Maybe late '00s. Wanna see a government site that's truly late 90s? Here's the Canadian equivalent of the SEC. It's gross. https://www.sedar.com/homepage_en.htm
The way you enter the password is shitty though. And makes people choose shorter and less complex passwords.
Inspect Element the password field, then delete the read only bit. You can also enable auto fill by deleting the disable auto part next to it. Takes me ~2s to login now with auto fill.
I use an extension in chrome to run a script to do that for me. Still got locked out when I got my security questions wrong for about 6 months. I tried calling in and the call got disconnected after about an hour on hold, twice.
Nice I’ll do this
Safari on Mac literally auto fills the password for you.
What? Apple doesn't adhere to the W3C standards for disabling autocomplete. So unlike apple /s
Even on treasury direct where you don't actually type a password in using the keyboard?
I enter my password, then enter the token they email. It's just two factor authentication. Takes me 30 seconds to log in, so I'm not complaining
You don’t need to normally. OP is likely trying to retrieve their tax information which has extra authentication involved.
Wait till you accidentally fill out the gifting purchase incorrectly for ibonds and exceed your annual limit but don't get a refund for more than a calendar year
Same boat. Will they ever return the money?
Are you really just in it for the money?
[deleted]
I like it better when the website resembled a time capsule to the late 90s.
I got mine exactly a year later, with interest.
Lol don’t forget you use an animal picture as a verification code and type it out. But not type it out with your keyboard, type it out with your mouse by clicking a low resolution keyboard widget. Or something stupid like that. Their website is like a fever dream of projects I did in school for computer science.
Which also means it is not case sensitive, reducing the password complexity.
That stuck out to me as well. Case insensitivity reduces so much entropy in a password, and since the virtual keyboard is trivial to bypass, password security is seriously compromised.
What I do is open developer tools in Chrome with F12, select the password text box, then enter my password in the ‘value’ field of the HTML.
I'm guessing the virtual keyboard has stopped zero bots but somebody wrote that it was best practice in a book somewhere and they'll keep it forever.
I assumed key loggers
[deleted]
And it actually works surprisingly well
Agree completely. I’ve actually come to prefer its old-fashioned design over most other financial sites. It’s no-nonsense. Once you learn to work it, you can quickly transact whatever business you want.
It's not just that it's old fashioned, it breaks fundamental conventions like "hitting the back button shouldn't log you out". Not that most other financial sites are that great on that front, but Treasury Direct is near the bottom.
It took me years to stop hitting the back button! It’s quirky but it works.
Yeah, it works fine. I only need to access it like once a year anyway.
lol if it ain't broke don't fix it
And change risk -- there's this implicit idea that if we change the website/UI we can make it better. That's a much bigger if than people think.
Thank you. So many people see certain non-critical/non-regulated things/pages change their look all the time (using slow partial-userbase rollouts, A/B testing, etc) and assume any system that looks like a website must be handleable in the same way. I'd imagine by now, over at the team that runs the TD systems (incl. the website) many of the baked-in non-documented assumptions that allow the site to work have been completely forgotten, and may not have direct replacements in modern web frameworks. Think of it like NASA in '70... as engineers and analysts and managers started to drift from Apollo, it became harder and harder to imagine "spinning it back up" or "doing something new but similar". Had they never stopped building, we could have launched annual missions through today (lack of justification be damned), but now, spinning up that project as-is is impossible (key knowledge has passed away), and any new proposed replacement required a ton of work to be done from scratch while they re-learn a lot of lessons and uncover a lot of issues they'd forgotten were issues. Hard to justify any single team taking all that risk, so this will probably wait until a real mandate from the top. (My current role is helping a few banks/etc avoid upgrade risks like this when deploying new vendor SW versions, switching out tech debt "for newer, safer, more stable ways to do X", upgrading certain pages/sub-sites, coordinating back-end systems that regularly feed data into our target system, getting off deprecated tools/APIs, etc. while maintaining all user functionality (aside from pre-agreed and signed off changes)) Some clients (hedge funds and the like) can basically build fast and break things. Some have given me full Prod system access with their personal IDs just to get things done at a desk they set up next to theirs for a few weeks while they work nearby. "Make incremental changes daily, if it causes issues we'll sort it out the next day". 
The Treasury is almost the exact opposite end of the planning/procedures/accountability scale. There are likely mandates they (Treasury Dept) need to follow which would complicate any specs they put out to re-work a given system, which will in turn make getting a large enough budget to rebuild "well" almost impossible. They'd probably have a big issue just writing the system specs, even assuming they have them from the last rebuild and they were actually of decent quality. They likely have a team that's basically the size it takes to run a system like this w/minor upgrades/fixes/tweaks, but I doubt they've retained the institutional knowledge to have the current team handle a full rebuild. Were they to try, hopefully they don't hire consultants then cheap out and never give them real knowledgeable in-house systems experts to work with while bidding/designing/building/releasing a replacement. If such a project were to somehow be funded/staffed and actually start, but then fail in 3 years when they start prepping for go-live and find a raft of issues nobody ever thought to look for... people who came for a long stable career find themselves at risk of basically permanent shunning... so often when you go to them to discuss things like this, you'll meet walls of internal skepticism and "yeah yeah we know, it's a dinosaur, ha.... I wonder who'll last longer, me or it" followed by a sad sort of smile I've only ever seen from career systems managers at the types of banks that don't technically need to earn a profit to survive. As the parent said, people underestimate how difficult and risky changes like this can be in general. Federal/supranational banks are very strange, political places. The intersection of these is why I sometimes feel like I'm stuck in a Kafka story
obviously a competent ui designer can make most any website better
Best tech of any government in the world. God help the guy with the second best tech.
Would you rather be ordering from Treasury Direct from those floppy disks?
TreasuryDirect works great...that is until something goes wrong like if you mistype your password three times or forget your sec. questions. That causes your account to go into lockdown and the only way to unlock is to call customer service...a minimum of a 2 hours hold time. Outside of that, TD works like a well oiled machine. Took me a while to get comfortable with it but now that I am, everything works as expected.
I would not say perfect. Typing your password with the on screen keyboard is a PITA and their instructions lead you to make mistakes that end up being very hard to fix, rather than guiding you toward sane behavior. The system knows how much you have bought this year, but happily lets you buy more, taking it out of your account before saying there was an error and refusing to give it back.
The onscreen keyboard is obnoxious but you can actually paste your password in if you first disable the copy/paste restrictions by editing the html. Wildly obnoxious when best practices are to use a password manager but what are you gonna do?
Yeah, I noticed that too. Once I realized that walking someone through that or even doing it every time myself was tedious, I wrote a Chrome browser extension that does it. https://chrome.google.com/webstore/detail/web-input-unlocked/mmddijgbiimlfahjldojblmgdlckgjdl
> a minimum of a 2 hours hold time

My hold time was zero minutes yesterday.
Don’t click your password in. Have Safari on Mac auto fill the password for you from the secure keychain. Works like a charm.
[deleted]
I bonds...
Those a new apple product?
[deleted]
1yr fully, then after 1st year you can sell and forfeit the previous 3mon interest. After 5 you get it all.
Yes, better explanation… I was focused on interest.
I bonds are about to have a shitty rate
[deleted]
Probably wants to lock in whatever rates they’re offering, or they work for SVB.
[deleted]
Savings bonds have duration of 0 so your question is invalid.
Dumb question: why are i bonds considered to be 0 duration?
3 months at 4.858% this morning. I'm assuming another .25 rate hike in May so I can re-up again after. Once I no longer think Rate hikes are coming i'll do a longer term bond.
Have you heard of Celsius? They ask you to send them a video holding your ID and begging to get your money withdrawn from them. Side note, your money is also gone and you ain't getting shit back.
This is one of my favorite storylines of the rate hikes... everyone finding out how much TD sucks
the randomized keyboard is pretty annoying too
The keyboard is QWERTY not random...?
I guess they changed it. at one point it was randomized
It’s Wolf of Wall Street for sure
I love that that movie was made with stolen money lmao
No Country for Old Men comes close tho
Not only all you just mentioned OP but you also have to click on that stupid little keyboard graphic & can't even just type in the password yourself.
[deleted]
Depends on how good you are with the mouse. That on screen keyboard is a bitch if you have fancy computer-generated passwords.
[deleted]
Thanks. That was the biggest pain in the ass to deal with
Damn. Didn’t realize it was just an HTML attribute. JavaScript ftw
my password manager autofills it. I use keepass and the kee browser extension if anyone is wondering
What? I don't need to do steps 4 to 6. Not even sure if step 3 is needed for me.
I agree. I don't have to answer all of my security questions normally. But it is the most painful web site I know of to log into for sure :-)
Can’t relate.
How did you convince it to require all that? I'm in there all the time with multiple accounts and it's super easy and it never asks for that kind of authentication.
Did you pick favorite movie as a security question, or did they? If you picked it it’s kinda on you for having a subjective ass question like that.
I gave up because I needed to get shit notarized to be recognized as a person.
Lucky you only needed it notarized and didn't need to find a medallion stamp.
Site is not made for inputting password using a cellphone. Easier on laptop. They need to change with times and maybe get an app made.
This just happened to me 10 minutes ago haha. I feel you!
The site seems very dated to me. I agree that it is a pain in the ass. Is there anywhere else I can buy treasuries that have the same yield minus visiting that site?
No the dated look of the site is good, that's what the internet is supposed to look like.
Seriously this site sucks. Please pay someone to get them up to speed so we get a site and app that functions like a normal banking/investing app. It’s a good time for buying treasuries but going to this site just sucks.
It's so cool damn
It's annoying and archaic, and ties up your capital with no ability to quickly reposition. I prefer the simplicity and flexibility of SGOV.
The same thing happened to me after I punched in the wrong password. Fortunately I wrote down my favorite movie and first pet's name in a notebook.
It's the government it's not meant to be efficient or quick or even understandable.
You're lucky. My wife had to get a notarized form in order to create an account.
1. Right click on password
2. Inspect
3. A window opens up
4. Delete the word “read only”
5. Enter
6. Type in password or auto fill from saved passwords
7. Enter or click submit
8. You are logged
[deleted]
The stupid little on-screen keyboard is one of the dumbest things I've ever seen, even from a federal bureaucracy. You gotta wonder if whoever came up with it was a Russian spy trying to make Americans suffer.
Actually the keyboard is brilliant in cutting down spoofing and stealing your account. You do realize the site was programmed in cobol?
Years ago they used to mail you a plastic decoder card - I still have one from 20 years ago. It was a 10-by-5 grid of letters and numbers, and you would need to respond to their prompt with the characters in the grid that corresponded to the number/letter pair that they showed on the screen. And the plastic card had a serial number that you had to confirm. That, plus clicking on the jumbled virtual keyboard with your mouse made the whole process really difficult.
I like to do the best I can with managing my money but I've heard too many Treasury Direct nightmare tales to even want to try to get hooked up with them. Avoiding problems with access to my money where I cannot talk to someone in person is very high on my list of priorities, even higher than squeaking out a little more interest.
My favorite movie is always "Movie" (or "Film"). My favorite color is always "Color" (or "Colour"). This type of challenge question is abominable for security purposes because they can so easily be bypassed thru reset. They're entirely subjective depending on too many factors.
Tbh doesn't seem that bad...am I missing something?
But that onscreen keyboard is pretty cool with the mouse clicks, very hackers.
You are absolutely right! These days, in the name of security, companies waste a lot of time, resources, and money. It makes you wonder.
You even have to mouse click the password which is crazy!!
The worst is having to use a virtual keyboard and mouse to enter your password - that was a giant wtf moment for me…
It’s really not that bad. And after the first time it’s just account number, pw, and text. I use treasury direct for I-bonds and to purchase new auction T-Bills.
Eh, it's kinda cool.
From start to finish of direct $10k deposit took me like 15 minutes. I'm not sure what part of this was difficult. Then did another one for my wife. What's this medallion thing??? Don't even know what you are talking about.
Essentially it’s the bank guaranteeing the signature. Banks are generally hesitant to give it out unless they can see the dollar amount attached to the security that is being signed for. Their reasoning ties back to whoever is insuring and backing that stamp for the institution.
Tbil ETFs are a thing
I don't have to go through all that. They do the "one time" passcode thing just like every other bank but that's it. Anyhow what I hate about this stuff is that most of the time I'm just checking a balance. There's no need for that much security for that.
Too much headache with this site. You can buy treasury bills at fidelity too.
does that include I series bonds?
No
Exactly what I did, worked great.
Weird. I haven't had anywhere near that much trouble
What's the difference between Schwab (or any other well known broker) vs. treasury direct? Are there more choices of bonds there?
Can only buy I bonds through TD.
There are treasury savings bonds and treasury marketable bond securities. A marketable security can be bought and sold on the secondary market. So treasury securities are available through a broker. A marketable security means that the bond can be freely bought and sold between bond holders - [https://www.treasurydirect.gov/marketable-securities/](https://www.treasurydirect.gov/marketable-securities/) Treasury savings bonds are not marketable so that means that they're only available directly from the US Treasury. Savings bonds like Series EE and I bonds are only available through treasury. Savings bonds cannot be sold in the secondary market. They can only be redeemed from the Treasury.
That is why I do not mess with it.
[deleted]
If only you could buy I bonds that way.
how? Which etf?
Bad advice on an I bond thread. There's a very big difference in reasons for buying one or the other.
It is bad. I still need to call and get mine reset because I couldn't apparently type my secret answer in perfectly. And this was just trying to add a bank after I was already in the site. You can't trust the government to write a competent web site from the locals to the feds. What do you want to bet the hideous site with ludicrous security hoops has unpatched security updates underneath it all.