by dpifke 1352 days ago
TreasuryDirect doesn't have an API, so there's no way to implement this without storing your users' TreasuryDirect passwords. How do you protect those passwords?

With reference to https://www.law.cornell.edu/cfr/text/31/363.17, what recourse would I have if I use your service and my TreasuryDirect account is compromised as a result?

Your other products include FDIC insurance via Evolve Bank & Trust. I can't imagine the FDIC would cover losses related to this product—i.e. funds are only FDIC-insured up until they're used to purchase an I-Bond. The FDIC recently sent a cease-and-desist to FTX in relation to a similar scheme (in FTX's case, funds are only FDIC-insured at Evolve up until they are used for cryptocurrency purchases); see https://news.ycombinator.com/item?id=32524527. In light of that action, what have you done to clarify the limits of the FDIC insurance to your customers and potential customers?

3 comments

> If anyone wants to control their Treasury Direct directly without Yotta, they can request it, and we will transfer over their account to no longer be managed by Yotta.

This implies the bonds are stored on their account, not the end users'.

Can you buy I-Bonds on behalf of others? My understanding was they cap the amount per SSN to $10k/yr. How could one account have more than that?
My guess is that they have 2 passwords. One password for access to Yotta which is provided by the user and stored securely/irrecoverably (i.e. hashed, salted, and peppered - yum), and another password for actually accessing TreasuryDirect is generated and stored by Yotta.
You wouldn’t necessarily need to store passwords in plaintext. You could keep a password encrypted and then when a user logs in their password is sent along on a request that does the automation and then discarded at the end. Of course that would mean you could only do a read operation on the website once, or else keep the session with the site open internally.
Why are we guessing when the person who could clear it all up is lurking in these very threads?
That person went really quiet once people started truly poking at the security and legality of this idea. I'm sketched out by their communication patterns, and won't touch this with a 10-foot pole.