I’ve some friends that work there, so I’m hesitant to say this, because I’m sorry for them, but Plaid is a terrible company. Their main product scrapes financial data from unsuspecting users that simply think they’re making a bank transfer and not signing away the privacy and security of their banking, 401k and trading information.
They are getting sued by TD Bank for this very reason:
> The bank said in the court filings that the interface "dupes" consumers into believing they are entering personal information into TD Bank's trusted platform.
> "In reality, however, consumers are unwittingly giving their login credentials to the defendant, who takes the information, stores it on its servers, and uses it to mine consumers' bank records for valuable data (e.g., transaction histories, loans, etc.), which the defendant monetizes by selling to third parties," TD claimed in the court records.
Also, giving your credentials to any third party, including Plaid, voids the warranty at many financial institutions. If your account gets hacked and your money stolen, you may find out that the zero liability policy no longer applies to you.
I am sure I will be called naive, but this is shocking to me. I assumed that Plaid was integrating with the banks and not doing this sort of thing because of the people associated with Plaid. Their seed round included Spark Capital and Google Ventures. Their most recent round included Mary Meeker and Andreessen Horowitz. [1]
These investors have reputations to protect. This type of thing would certainly come out in diligence:
"How do you gain access to the customer's account data with their bank?"
"We impersonate their bank."
"Do you tell them you do this?"
"No."
"Ok, that's probably fine."
How in the hell does this conversation pass muster?
I'm surprised, because Plaid is far from the first mover in the "scraped banking data API" space. Mint (now Intuit) and Yodlee come to mind, and they use essentially the same sign-in flow and come with the same limitations.
There are organizations and companies that are trying to do this legitimately, through open standards and real incentives to both FIs and customers to share information in exchanges:
You're right, they aren't the first. That said, when I use accounting software, it's pretty obvious to me that I am going to be sharing my transaction history with the accounting software. When I connect my bank account to Venmo, it is absolutely not obvious to me that I'm sharing my entire transaction history with Plaid. Replicating the appearance of my bank's login screens is critical to the illusion.
Even if I did understand that they are storing and using my credentials, I should be able to expect from a reputable business that they are not scraping irrelevant transaction data and then using it for purposes that don't explicitly support the app I am using. Selling my transaction history definitely isn't supporting the use case I'm authorizing.
Alternative title to this thread is "Plaid fails to sell customer data to Visa" (along with code, and the rest of the company). Consumers, as well as Plaid, have no idea where this data is going to end up ultimately, depending on who winds up getting control of Plaid. What are the odds of Private Equity acquiring Plaid and "leveraging synergies" with the pay-day loan company in their portfolio? I think the odds are greater than zero.
“We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law.”
If you authenticate with <mortgage broker> via Plaid, then the broker pays plaid money and the broker gets your bank information. So I suppose in a sense that's "selling your data," but I don't think that's what people are concerned about: You explicitly sign into the mortgage broker to give them data!
What Plaid has said on record they DON'T do is take that data they provided to the broker, bundle it up, and then sell it to marketing firms or hedge funds or other random third parties for which the user didn't explicitly ask their data to be shared.
“Plaid does not sell and has never sold consumers’ personal information or data. Consumer data is obtained and used with consumer consent. Plaid believes strongly that consumers should have permission-based access to and control over their financial data, and embodies these principles in its practices."
From the press release: "Plaid is a financial services company that operates the leading financial data aggregation platform in the United States"
I love the way they are literally defined as "the leading financial data aggregation platform in the United States", rather than "the leading financial integrations platform".
Seems like Justice does know their real business. And they don't seem to care.
> There are organizations and companies that are trying to do this legitimately, through open standards and real incentives to both FIs and customers to share information in exchanges:
That is never going to work. The reason the world works the way it works is because banks don't want to give easy access, so market opportunity for companies like Plaid exists.
Open Banking is the result of the EU PSD2, so unfortunately is no longer guaranteed in the UK. UK firms have already lost passporting rights, and it's yet unclear whether the UK will align with EU regulation going forward.
I guess the question is what you mean by "open banking". Initially, in the UK, that phrase referred to the FCA's implementation of the PSD2 requirement for banks to allow a secure mechanism of access to third parties. I think that this definition of open banking has already regressed post-Brexit, from the absence of passporting. UK firms and banks are no longer able to interoperate with EU firms and banks, and PSD2 no longer applies to them.
Another definition may be domestic API access to bank accounts, which I agree will continue to be policy in the UK. It won't be PSD2 open banking, though.
PSD2 still applies. That was integrated into U.K. law long before Brexit. It would take an act of parliament to unwind.
Additionally the U.K. has generally been on the leading edge of open banking, which is why our standards weren’t identical to the EU's for a while. It’s going nowhere, and passporting will make no difference.
The only real impact of Brexit is the open banking entities will need to register separately in the U.K. and the EU, and be subject to two different regulators. But that’s just paperwork for the most part.
> PSD2 still applies. That was integrated into U.K. law long before Brexit. It would take an act of parliament to unwind.
It's not that simple. The FCA is no longer an EEA National Competent Authority and UK Third Party Providers must register with an EEA NCA to continue to operate in the EEA. Domestic legislation which put PSD2 in force is of course still UK law, and domestic TPPs and Account Servicing Payment Service Providers can continue to operate together (even using the same eIDAS certs), but they cannot engage in open banking with the rest of the EU/EEA.
PSD2 and its supporting institutions (EBA, EPC, ECJ) no longer apply to the UK.
> Additionally the U.K. has generally been on the leading edge of open banking, which is why our standards weren’t identical to the EUs for a while. It’s going nowhere, and pass-porting will make no difference.
Internally, maybe, but UK TPPs and ASPSPs can no longer interoperate with EU/EEA TPPs and ASPSPs unless they register with an EU/EEA NCA, and thus become subject to EU Directives. Again it comes back to your definition of "open banking". If you mean only UK banks and firms being able to operate an open banking scheme, then you are correct that this will continue. If you mean open banking as defined by PSD2, it has already come to an end in the UK.
> The only real impact of Brexit is the open banking entities will need to register separately in the U.K. and the EU, and be subject to two different regulators. But that’s just paperwork for the most part.
So either UK TPPs and ASPSPs have to abide by EU Directives (if possible - the UK legislature may diverge from the EU in irreconcilable ways), or the UK has to maintain alignment with the EU indefinitely. Doesn't seem like just paperwork to me.
"Open banking" and "cross-border banking" are two different things. The UK will definitely continue to have open banking. The UK-EU banking relationship is still up for negotiation. (I'm not hopeful though.)
> The UK will definitely continue to have open banking.
As discussed elsewhere in this thread, this requires a definition of "open banking" which is separate from PSD2 and not what the phrase commonly meant until now. The distinction isn't between "open banking" and "cross-border banking" - the distinction is between:
* PSD2 compliant "open banking" between TPPs and ASPSPs,
* Some banks in the UK must have APIs "open banking".
Up until January 1st, the phrase "open banking" referred to the former. The latter may become accepted as the definition in the UK, but it is materially different to the original meaning.
It doesn't really work. Open Banking doesn't seem to enforce a consistent API which means you either need to implement a client for each bank (and their data model) individually or use something like Plaid (in the UK our equivalent is TrueLayer) to aggregate all the different banks into a single API.
This is just not true, for Open Banking in the UK. API standards are published and banks must implement them.
There was a get-out, but it was a bad one for the banks - if any bank did not provide a compliant API by a specific date (IIRC sometime last year) then they would have to keep their web sites entirely unaltered in order to support scraping.
A lot of these banks never had any APIs. Plaid made its name basically scraping the HTML of account pages. Companies used it because there were no alternatives (no APIs).
I understand the situation. Another of Plaid's investors is Goldman Sachs. I naively assumed that Plaid's ability to build their product was likely based on access to private APIs available to them based on their relationships and backing.
If someone came to me and asked me to build what Plaid has built, I would decline the work. I would assume that impersonating a bank would be illegal. I would assume that the banks I am impersonating would treat me as a malicious actor. I would assume that I would go to jail for building a system like this.
Plaid does have real integrations with some institutions, using OAuth and the works. The list is relatively minuscule compared to the vast majority of institutions that still consider customer data their asset and not their customers'.
On the other hand, Plaid’s behaviour means that your data is not yours either, but is up for grabs by a 3rd party for which you may not have given consent to. Plaid is no Robin Hood (the story not the app) here.
Plaid is equivalent to a carrier, right? They merely provide the data to their client (whatever service/app you're signing into) and it's up to that client to decide how to use it.
Back when I used to run a web scraping shop, we had this exact request. I didn't know it was illegal at the time but we ultimately didn't do it because a lot of people just want to pay as little as possible for scraping without considering the amount of work that goes behind it.
You are misremembering. CFAA defines criminal acts not civil, so Craigslist could not sue someone under the CFAA. The DA would have to bring charges first and then the civil suit by Craigslist would reference the criminal suit.
Fraudulently obtaining people's banking information can be described many ways. The prosecutors won't call it web scraping and the judge hasn't seen that, although he has heard of people who steal users' information to hack their banks.
Let’s not forget the companies that enabled Plaid to do this. One of the worst offenders was Carta. They made you use Plaid to exercise your stock options. So you had to let Plaid scrape your account info to get the stock you worked so hard for. Most people had no idea they were allowing this.
They do integrate natively with some banks, like JPMC:
> When this is implemented, Plaid will access customer information through the bank’s secure API (application programming interface) connection. That will allow customers to share their information more safely and quickly with Plaid and the financial apps it supports while protecting their bank username and password.
and also Wells Fargo:
> The API used in the agreement will utilize a more secure, tokenized “handshake” between the companies’ servers through which customers’ financial data will be shared. Once integrated, the API will allow customers to share their financial data, while also maintaining the privacy of their user credentials. The enrollment process will be easy and designed to work seamlessly within Plaid-supported apps’ user experiences.
I think it would be good to do some quick Google searches before getting (all of) the torches out.
From their website [1]: "When you choose to connect your financial accounts to an app using Plaid, you will be prompted to enter the username and password associated with those accounts. Plaid then links your accounts to the app you want to use so you can share your data."
Disagree, they are hiding the fact by assuming ignorance of most users. A true “link” would use something like OAuth to have the bank handle authentication and provide an explicitly scoped subset of consumer data to Plaid. Instead they are taking the plaintext password and getting total access. Just taking that password itself is a security vulnerability. Google doesn’t even know your Gmail password, just the hash, but since Plaid can’t use a password hash to login, it must store your plaintext password to your financial accounts, some of THE most sensitive data. Furthermore they have access to way more data than they should rather than clearly defined scoped subsets of it.
The whole company is a privacy and security disaster. Of course it’s annoying that banks don’t provide reasonable OAuth APIs, but Plaid “disrupts” that by deceiving consumers into dangerous security vulnerabilities with their most sensitive personal data.
You speak idealistically, but the reality is that many of these banks did not have open banking standards nor APIs before. The scraping led to this movement and FSAs all over the world are starting to push for no scraping while financial institutions create APIs and contracts with these platforms.
The fact is pretty much hidden. I tried to link my Toshl (a budget app) account to my bank, to automatically import my movements. I saw that they were using Plaid, and I found that weird. I went to search the page you linked, and I still didn't know how it was connecting to my bank. I used an "application password" with limited permissions from my bank to use with Plaid, and funnily enough it didn't work. In fact, my bank locked my account because Plaid tried to login through the regular user interface with a wrong password several times. It was only then that I saw in forums and such that what Plaid does is to scrape HTML.
When you use Plaid, you don't get the impression that's what they're doing. We're used to dialogs to "give permissions to an app" that don't share our user/password with anybody. Plaid purposefully emulates those dialogs and gives you the impression that you're just logging in with your bank, instead of explicitly telling you "we will store your user and password and use that to log in with your bank".
"link" to me implies something along the lines of a FB/Google/GitHub OAuth login, not that they steal my credentials.
I guess technically they just say, "you will be prompted to enter the username and password associated with those accounts" and don't specify that they (Plaid) will be using your credentials, but I don't think it's clear enough that you are giving your credentials away!
In the “startup” world, this is simply the only way to do it when your goals are to be everyone’s service. Banks rarely create open APIs, and even when they do they are fragile and subject to whims as the banks are optimizing for security first (plus: they need strong incentives to maintain APIs since it’s not even in their core business).
And since you can’t rely on an API, “there’s no other option” which compounds with the fact that coding up a web scraper for a specific bank takes maybe a dozen programmer-hours. Then throw on a disclaimer to cover legal, and start counting your billions of unhatched eggs.
> Also, giving your credentials to any third party, including Plaid, voids the warranty at many financial institutions. If your account gets hacked and your money stolen, you may find out that the zero liability policy no longer applies to you.
The trouble is, giving someone your account number also makes it not the bank's problem what they do with that number, even if it was clearly unauthorized by you. There's no good way to do ACH transfers without a high degree of trust in the recipient.
That's what OFX was supposed to provide, but realistic support never arrived. Even banks which allow you to download OFX format searches fail at complying with basics of the standard. (https://www.ofx.net/)
Not really, considering it doesn't enforce a single, consistent API, so most companies will still use something like TrueLayer (our local equivalent of Plaid) to aggregate all these separate APIs into a single consistent one.
Furthermore, "open" banking is very misleading because it's only open to corporations with deep pockets to obtain an AISP license/certification*, but doesn't even allow the account holder to gain API access to their own account. Unless you're lucky enough to be with a modern bank that provides that as a feature (which is legally separate from Open Banking, though often it's the same API), your only workaround is to sign up for TrueLayer yourself just to access your own account through them.
* given the "deep pockets" requirement, it almost forces all the account aggregator apps/services (Emma, Yolt, etc) to have a somewhat scummy business model and monetize the captured data. Wouldn't it have been nicer that you didn't need deep pockets to gain read-only access, so that an indie developer could make such an account aggregator and not have to resort to a scummy business model to fund the certification/compliance expenses?
> Not really, considering it doesn't enforce a single, consistent API, so most companies will still use something like TrueLayer (our local equivalent of Plaid) to aggregate all these separate APIs into a single consistent one.
That's not quite true. The CMA9 have to follow the Open Banking spec, and some other non-CMA9 banks have decided to follow the same spec. In practice, there's some deviation from the spec between the banks (in part, due to ambiguity in the spec), but it's not like they're all pulling their own spec out of the air.
> Furthermore, "open" banking is very misleading because it's only open to corporations with deep pockets to obtain an AISP license/certification*, but doesn't even allow the account holder to gain API access to their own account. Unless you're lucky enough to be with a modern bank that provides that as a feature (which is legally separate from Open Banking, though often it's the same API), your only workaround is to sign up for TrueLayer yourself just to access your own account through them.
The 'deep pockets' don't need to be as deep as implied. I think it's <~£3k. It's not something that only big companies can afford, but I agree, it's not something that an individual would use to test out an idea, which would push them towards something like TrueLayer.
Do you have any more details? If this is indeed the price and it's a one-time cost without costly maintenance overheads (such as ongoing audits) I might just pay that to be able to release simple money management or just better UIs than the existing banks (even modern bank's apps have gotten worse lately as they try to push their "premium" offerings - looking at Monzo specifically here).
Yes, it's only 'open' to FCA registered entities, which is an entirely reasonable requirement given how easy it is for scammers to get people to give away the keys to the kingdom.
So no, it wouldn't have been nicer, it would have been a scammer's delight.
And yes, it does require a consistent API, though it's perhaps open to a bit too much interpretation.
> given how easy it is for scammers to get people to give away the keys to the kingdom
Restricting API access doesn't help. There are plenty of idiots out there who willingly install remote access software on their computers/phones, fall for "authorized push payment" fraud when scammers tell them to move their money to a "safe account" or to pay overdue "taxes" (gullibility taxes?) over the phone and even use the two-factor card readers despite the "do not use over the phone" text being printed right on them.
I'm not sure how read-only API access would benefit scammers (if people can be tricked into granting API access, they will usually just as well install remote access software or just do the payments manually) but it would open up a nice field of self-contained, on-device money management apps that don't need significant corporate (most likely VC) backing with all the (usually) nasty ramifications that entails.
> I'm not sure how read-only API access would benefit scammers
Information leaks are always useful to scammers, extortionists, blackmailers etc. It's one reason we protect financial info.
Like the other poster said, VC money isn't really needed, though the process of getting accredited with the FCA is more than just paying for a license. The Open Banking Implementation Entity (or just Open Banking Ltd, whatever they're calling themselves at the moment) may be able to help you go through the accreditation process if you approach them, they were certainly talking about doing that for people a couple of years back.
And before that you can sign up to their public sandbox service as a "Technical Service Provider" to start developing against the ecosystem, for nothing (I've done this though I've not really used the capability for anything). (You may need a Ltd company for this, can't remember off the top of my head.)
I don't buy this. If I give someone a check (which has an account number on it) that doesn't mean they get to withdraw whatever they want from my bank account. What bank in the U.S. won't reverse fraudulent ACH debits?
It says on page 35 of my Bank of America Deposit Agreement and Disclosures:
> If you voluntarily disclose your account number to another person orally, electronically, in writing or by other means, you are deemed to authorize each item, including electronic debits, which result from your disclosure. We may pay these items and charge your account.
It may be that there is some rule that says just giving someone a check doesn't count as "voluntarily disclosing" your account number.
Handing out your login credentials is like giving a blank check with your signature on it already.
> What bank in the U.S. won't reverse fraudulent ACH debits?
If you admit to handing out signed blank checks, I would hope that most if not all banks would at least have a discussion with you about how you may be not the customer they are looking for.
They are selling the data to marketing companies to build a dossier on you, and this could be used for any number of purposes once it is in the hands of data brokers.
They're tricking people into handing over the information, and then they're using it for purposes that may harm the victim, so like I said, it's hard to draw a line.
They do not make such an explicit claim in their privacy policy. There is a carve-out for "affiliates", although what constitutes an affiliate is not defined. They also say:
"We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research."
This is a cop-out used by a lot of services these days. De-identified data can be and is routinely re-identified. For financial transaction data this is fairly easy. For example, if you buy location data, it's trivial to determine where someone's home is, and therefore their likely identity.
Once you have a set of locations a person visited, you can correlate them with financial transactions. Even just a couple of retail transactions are often unique. You were probably the only person who was at your neighborhood Starbucks on Monday at 6:37am and also at Starbucks on Friday at 7:32am. Your credit card transactions provide a time and a location for every retail transaction.
Plaid can very well not use the data in this way, but any company using Plaid's APIs and gaining access to the end-user bank account can do whatever they want with the data.
There are no restrictions on potential bad actors who will do this, and no consumer protections.
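The re-identification argument above (a couple of timestamped retail transactions are often unique) can be checked on a dataset before anyone calls it "de-identified". The following is an added example written for this thread, not code from Plaid or any aggregator; the transaction rows, tokens and merchant names are constructed sample data, and the two Starbucks visits mirror the Monday/Friday illustration in the comment. It counts how many pseudonymous tokens are consistent with a handful of (merchant, time) observations, which is the anonymity set a data recipient would face; the same function with a coarser time window shows how generalisation widens that set.

```python
"""Uniqueness audit over a constructed, 'de-identified' transaction table.

Added example, not code from the thread or from any aggregator.  Each row
is (pseudonymous token, merchant, timestamp); the token replaces the real
account but every row of one account keeps the same token.  We ask: given a
few places and times a known person was seen, how many tokens fit?
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export.  2021-01-04 is a Monday, 2021-01-08 a Friday.
TRANSACTIONS = [
    ("tok_a1", "Starbucks #4471", "2021-01-04 06:37"),
    ("tok_a1", "Starbucks #4471", "2021-01-08 07:32"),
    ("tok_a1", "Trader Joe's",    "2021-01-06 18:10"),
    ("tok_b2", "Starbucks #4471", "2021-01-04 06:41"),
    ("tok_b2", "Shell Station",   "2021-01-05 17:55"),
    ("tok_c3", "Starbucks #4471", "2021-01-08 07:30"),
    ("tok_c3", "Whole Foods",     "2021-01-09 11:02"),
    ("tok_d4", "Starbucks #4471", "2021-01-04 06:35"),
    ("tok_d4", "Starbucks #4471", "2021-01-08 07:40"),
    ("tok_d4", "Home Depot",      "2021-01-10 09:00"),
]

# Constructed side information: two sightings of one person (merchant, time).
OBSERVATIONS = [
    ("Starbucks #4471", "2021-01-04 06:37"),   # Monday 6:37am
    ("Starbucks #4471", "2021-01-08 07:32"),   # Friday 7:32am
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def candidates(transactions, observations, window_minutes=5):
    """Return the set of tokens consistent with *every* observation.

    A token matches an observation if it has a transaction at the same
    merchant within +/- window_minutes of the observed time.  A wider
    window models a coarser (more generalised) timestamp in the export.
    """
    window = timedelta(minutes=window_minutes)
    by_token = defaultdict(list)
    for token, merchant, ts in transactions:
        by_token[token].append((merchant, _parse(ts)))

    matches = set()
    for token, rows in by_token.items():
        if all(
            any(m == merchant and abs(t - _parse(ts)) <= window for m, t in rows)
            for merchant, ts in observations
        ):
            matches.add(token)
    return matches


def anonymity_set_size(transactions, observations, window_minutes=5):
    """Size of the candidate set; 1 means the observations single out one account."""
    return len(candidates(transactions, observations, window_minutes))


if __name__ == "__main__":
    for k in (1, 2):
        print(k, "observation(s):", candidates(TRANSACTIONS, OBSERVATIONS[:k]))
    print("hour-granular timestamps:",
          candidates(TRANSACTIONS, OBSERVATIONS, window_minutes=60))
```

With the constructed data a single Monday visit leaves three candidate tokens, the Monday plus Friday pair leaves exactly one, and rounding timestamps to the hour only raises that to two. The practical use is on the releasing side: run the check over your own export with plausible side information and refuse to call the result anonymised while typical observation sets give a candidate count of one.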
Sure, and that would be true however a partner collected this data. It’s true whenever you apply for a credit card or a mortgage.
I believe that Plaid doesn’t work with just anyone, and they do attempt to put some limited controls in place to block bad actors - just like any other platform in the world.
All that said, the parent was suggesting that Plaid itself bundled and resold data for marketing purposes, which it does not do (though I believe some of its competitors might).
You should hold their feet to the fire for real issues (potential for misuse by companies that use Plaid to gather info, security concerns), not imaginary ones.
Doing it on purpose vs via black/grey market trickery is often treated as separate matters. Even if the legal mode is still full of moral issues that society has yet to fully confront.
Phishing people's bank credentials has been fully established as a computer crime (not even just bad within civil law).
I adore the idea of the Plaid founders, and everyone else deemed complicit in a court of law (I think this should likely include investors), going to fuck-you-in-the-ass prison instead of becoming billionaires.
Alas, I've lived in Silicon Valley too long to believe that anything moral will ever occur when there's money to be made.
It makes me sad that people actually admire this place for anything other than the geography.
That's true, and perhaps the real reason this really is a very valid anti-trust action is that Visa would be removing their only real competitor for providing this type of data.
> takes the information, stores it on its servers, and uses it
So does, for example, Yodlee, when you use them to have an API for bank statements. I cannot say if they too monetize the data that opens up to them for grabs.
It took legislation and years of preparation to enforce APIs and interoperability onto European banks (yes, I can now use bank A's app to view my account balance in bank B, while maintaining control over what kind of access I'm giving). Can't see it happening in the US, though, although the demand for such APIs is clearly there, given that companies like Plaid and Yodlee prosper.
I would wager that 90% of the business for Plaid, Yodlee, and Intuit is account verification; the thing that you used to do by having small ACH transfers of random amounts that you verify. The fact is that 90% of running a fintech business is identifying and bounding fraud risk, and these "banking API" companies are able to move the needle down a couple of basis points.
Edit: It's shit like this that just screams for the Fed to force FIs to implement a standard API for verifying accounts and making transfers. I bet half of fintech would collapse overnight, but the collective cost savings would be in the billions.
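The micro-deposit flow mentioned above (two small credits of random amounts that the customer reads back) is the credential-free way to prove account ownership. Here is an added example, not code from Plaid or any bank, of the verifying side of that flow; the ACH rail and the database are stand-ins (the "send" just returns the amounts, storage is an in-memory dict), and the attempt limit is an assumption of this example. The point it shows is that the secret space is small (two amounts of 1 to 99 cents), so the verifier must rate-limit guesses and invalidate the pair after a few failures.

```python
"""Micro-deposit account verification (added example, not Plaid's or any
bank's code).  The originator credits two random amounts to the account
the customer claims to own; only the real owner can see the statement and
report them back.  No login credentials ever leave the customer's bank.
"""
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # assumption for this example; ~4,900 possible pairs
                          # make unlimited guessing a real risk


@dataclass
class PendingVerification:
    amounts_cents: tuple   # the two credited amounts, e.g. (12, 47)
    attempts: int = 0
    verified: bool = False
    locked: bool = False


_pending = {}             # account_id -> PendingVerification (in-memory stand-in)


def start_verification(account_id, rng=secrets):
    """Pick two random credits between $0.01 and $0.99 and 'send' them.

    Returns the pair for the ACH originator; in a real system this value
    goes to the payment rail, never to the person being verified.
    """
    a = rng.randbelow(99) + 1
    b = rng.randbelow(99) + 1
    _pending[account_id] = PendingVerification((a, b))
    return (a, b)


def _same_amounts(expected, claimed):
    """Order-independent, constant-time comparison of two amount pairs."""
    want = ",".join(str(x) for x in sorted(expected)).encode()
    got = ",".join(str(x) for x in sorted(claimed)).encode()
    return hmac.compare_digest(want, got)


def confirm(account_id, claimed_cents):
    """Check the amounts the customer reports.

    Returns "verified", "retry", "locked" (too many wrong guesses; a fresh
    pair of deposits is required) or "rejected" (nothing pending / already
    decided).
    """
    pv = _pending.get(account_id)
    if pv is None or pv.locked or pv.verified:
        return "rejected"
    pv.attempts += 1
    if len(claimed_cents) == 2 and _same_amounts(pv.amounts_cents, tuple(claimed_cents)):
        pv.verified = True
        return "verified"
    if pv.attempts >= MAX_ATTEMPTS:
        pv.locked = True
        return "locked"
    return "retry"


def is_verified(account_id):
    pv = _pending.get(account_id)
    return bool(pv and pv.verified)


if __name__ == "__main__":
    deposits = start_verification("acct-demo")
    print("credited (originator side only):", deposits)
    print(confirm("acct-demo", [deposits[1], deposits[0]]))   # owner reads statement
```

A successful confirmation is terminal: a second submission, even a correct one, is rejected, so a stolen pair cannot be replayed to re-verify later. The lock state forces a brand-new pair rather than resetting the counter, which is what keeps the small secret space from being enumerated over several sessions.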
No, that's not the problem at all. The problem is that Plaid falsely used TD Bank without having a relationship with the bank. The company literally has a bank partnerships team so that "void warranty" argument doesn't even make sense.
> Also, giving your credentials to any third party, including Plaid, voids the warranty at many financial institutions.
Funny enough, I've seen that be the case at some banks that simultaneously integrate Plaid into their online account application flow for the initial/funding deposit. Pretty ironic that users are implicitly coerced into voiding their liability protection at their existing bank during the course of opening an account at a new one. Who wouldn't hesitate to turn around and also invalidate your liability protections themselves if you used your new bank's credentials with Plaid elsewhere.
That's interesting, and it is an important "stick". On the other side, I know some banks are giving a "carrot" to these types of companies by providing a "portal access" that allows these companies to connect their customers with their bank accounts so that the customer can select what to share with these sites.
Of course, once those portals are enabled we enter the Facebook game: Where a lot of customers will blindly give all access to Plaid like companies, and then consumer group advocates will criticize for the amount of information that they are (still) mining from ignoring customers.
I think BofA does this, which I like. When I linked my account to Robinhood through Plaid, it asked for 2FA (text or phone call, BofA doesn't support TOTP codes) and verified in, then asked me to select which accounts to grant access to. Since it doesn't need the 2FA subsequently, it must be doing some kind of OAuth style authentication when it passes that token to the bank and then gets a long-term access token for that specific account.
From an HTTPS perspective this is still pretty concerning though. AFAIK browsers would block the Plaid widget if someone tried to load it insecurely and the page was HTTPS (what users have been trained to look for). But without going into devtools there is no easy way to verify that the widget is actually a real Plaid widget, thus POSTing your password directly to their server and not the merchant's, and no way at all to verify that they have such a partnership with your bank sanctioning them to collect your password.
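The concern above, that a page can look like HTTPS while an embedded widget posts your password to a different origin, can at least be inspected mechanically for the part that is visible in the page source. The following is an added example (not Plaid's code, and the merchant and aggregator hostnames are constructed placeholders) that parses a page, finds every form containing a password field, and reports the origin that form submits to, plus every third-party frame and script origin the page pulls in. It audits only the document it is given: a form living inside an iframe belongs to the frame's own document, so the frame URL has to be fetched and audited separately with its own page URL.

```python
"""Credential-sink audit for an HTML page (added example, constructed data).

Reports where password forms submit to and which third-party origins the
page embeds.  The caveat from the comment applies: the parent document
cannot see inside an <iframe>; audit the frame document separately.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample checkout page; hostnames are placeholders.
PAGE_URL = "https://shop.example/checkout"
TRUSTED = {"https://shop.example"}            # origins allowed to receive passwords
SAMPLE_PAGE = """
<html><body>
<script src="https://cdn.aggregator.example/link.js"></script>
<form action="/account/login" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<iframe src="https://cdn.aggregator.example/link.html"></iframe>
<form action="https://api.aggregator.example/login" method="post">
  <input name="bank_user"><input type="password" name="bank_pw">
</form>
</body></html>
"""


def origin(url):
    """scheme://host[:port] in lower case, or '' if the URL has no host."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else ""


class _Auditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # dicts: {"action": absolute URL, "has_password": bool}
        self.embeds = []       # absolute URLs of iframe/script sources
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no action submits to the page's own URL.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag in ("iframe", "script") and a.get("src"):
            self.embeds.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(html, page_url, trusted_origins):
    """Return credential sinks outside the trusted set, non-HTTPS sinks, and
    every third-party origin the page embeds as a frame or script."""
    parser = _Auditor(page_url)
    parser.feed(html)
    page = origin(page_url)
    findings = {"credential_sinks": [], "insecure_sinks": [], "third_party_origins": set()}
    for form in parser.forms:
        if not form["has_password"]:
            continue
        sink = origin(form["action"])
        if not form["action"].lower().startswith("https://"):
            findings["insecure_sinks"].append(sink)
        if sink not in trusted_origins:
            findings["credential_sinks"].append(sink)
    for url in parser.embeds:
        o = origin(url)
        if o and o != page:
            findings["third_party_origins"].add(o)
    return findings


def audit_sample():
    return audit(SAMPLE_PAGE, PAGE_URL, TRUSTED)


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {sorted(value)}")
```

On the constructed page the merchant's own login form (relative action, same origin) is not flagged, while the second password form is reported as sending credentials to the aggregator's API origin, and the frame and script show up as a third-party origin to investigate. Whether that origin is legitimately contracted by your bank is exactly the question the comment says the page cannot answer for you; the audit only tells you where the password goes.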
Oh man I can't believe they actually pulled this on a Canadian Bank.
I tell my founders to always always fly straight or don't fly at all because if you cut corners or deceive, it will come back to you.
Had they been honest and played by the rules they could be sitting on a massive windfall.
Unfortunately, some VCs and founders think like gangsters and get surprised when things don't pan out. Just because it worked for someone in your circle doesn't mean it's gonna work for you. It is a horrible behavior to emulate.
Yeah. TD is so tired of them they have a page warning customers about them, without naming names:
> When using a fintech app, you may be providing your confidential TD username and password directly to third parties over whom TD has no control. Please be aware that the sharing of your TD credentials is contrary to the terms of our agreements, and TD will not be responsible for any harm that results from the sharing of your credentials.
As someone who's worked in fintech for 10 years, I think this is a bad take. Out of all aggregators (what this is called), Plaid is by far the most open and privacy-forward.
First, they're transparent about being a 3rd party that's part of the flow (see https://plaid.com/blog/the-all-new-plaid-link/). It's clear it's Plaid, they use neutral colors and not the bank's, etc. They have a portal where you can manage your data (https://my.plaid.com/).
Second, they are very open about not selling data (unlike most of their competitors). It's in their terms and their website (see https://plaid.com/how-we-handle-data/). I guess that could change, but from working with them I know it's part of their positioning so I'd be surprised if that changed.
Third, they've announced bank integrations and afaik they're moving to OAuth where the banks support it (I've seen this in the wild, but can't replicate right now). The key here is where banks support it. I think you have to look at the historical context: the banks do not want you to own your data as a consumer. They don't want fintech apps to exist. Having talked to banks about integrating directly with them, it's onerous and only the big players can do it. Plaid's fighting the good fight for fintech startups.
But yeah it's a less-than-ideal solution and it sucks that it doesn't work without creds flowing through and it's not clear regulators or banks will work to make it better. That sucks. I just think bashing on Plaid here is one-sided.
> It's clear it's Plaid, they use neutral colors and not the bank's, etc.
Every time I've been confronted with a Plaid-backed bank login prompt, they use the bank's colors and logo, the word "Plaid" or their logo is either nowhere to be found or is in tiny fine print, and I run away screaming from that service.
> But yeah it's a less-than-ideal solution and it sucks that it doesn't work without creds flowing through
I can appreciate that Plaid is trying to push stuff forwards, but (presumably) storing your bank credentials in plain text is far worse than a "less-than-ideal solution".
I once went to use Plaid to apply for a mortgage on one of the new fancy broker platforms. It asked me to type my login credentials.. sketchy, but alright, banks and mortgage companies seem to trust them? Then they asked me to disable 2FA on my account and at that point it was indistinguishable from a phishing attack to me. I noped out and changed my bank password immediately.
This is why a standard API is needed, like Open Banking in the UK. When I use a third party app, the access request is redirected to my bank app and authorisation is granted there. At this point it is explicit what data the third party will require. Once authorised, I’m redirected back to the third party’s app. At no point have I given my credentials. This must be renewed every 90 days. Furthermore I can view what apps have access to my account and can revoke this access at any time.
PS Yes I know people like Ben Thompson [1] and even the US Treasury (mentioned in the same link) advocated for a private solution like Plaid (and nearly by extension Visa), but seriously this seems like something that needs to be government regulated to prevent incentives for selling user data.
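The redirect-based consent flow described in the comment above, as an added worked example that is not part of the original thread and not code from Plaid, TD, or any Open Banking implementation: a single-process simulation of an OAuth 2.0 authorization-code exchange with PKCE (RFC 7636), where the customer authenticates only at the bank, the app receives a scoped token bound to its registered redirect URI, the consent lapses after 90 days, and the customer can list and revoke access. The bank name, client id (`budget-app`), redirect URI, scopes, credentials and account data are all constructed for illustration.

```python
"""Added example: Open Banking-style consent (OAuth 2.0 authorization code + PKCE),
simulated in one process. Bank and app are toy classes; all names and data are
constructed for illustration and are not any real institution's API."""
import base64
import hashlib
import secrets
from dataclasses import dataclass

CONSENT_LIFETIME = 90 * 24 * 3600  # re-consent every 90 days, as in UK Open Banking


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair():
    """RFC 7636: the app keeps the verifier and sends only its SHA-256 hash up front."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())


@dataclass
class Grant:
    client_id: str
    user: str
    scopes: frozenset
    expires_at: int
    revoked: bool = False


class Bank:
    """Authorization server and data API in one. Only the bank ever sees the password."""

    def __init__(self):
        self.now = 1_700_000_000  # fake clock (seconds) so expiry can be simulated
        self._users = {"alice": "correct horse battery staple"}        # constructed
        self._clients = {"budget-app": "https://budget.example/callback"}  # constructed
        self._pending = {}  # one-time code -> (client_id, user, scopes, challenge, redirect_uri)
        self._grants = {}   # access token -> Grant

    def authorize(self, client_id, redirect_uri, scopes, code_challenge, user, password):
        """User logs in at the bank and approves the listed scopes; the bank returns a
        single-use code it would normally deliver via redirect_uri?code=..."""
        if self._clients.get(client_id) != redirect_uri:
            raise ValueError("unregistered client or redirect_uri mismatch")
        if not secrets.compare_digest(self._users.get(user, ""), password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, user, frozenset(scopes), code_challenge, redirect_uri)
        return code

    def token(self, client_id, code, code_verifier, redirect_uri):
        """The code is single use and bound to the client, redirect URI and PKCE challenge."""
        entry = self._pending.pop(code, None)
        if entry is None:
            raise PermissionError("invalid or already-used code")
        cid, user, scopes, challenge, ruri = entry
        expected = _b64url(hashlib.sha256(code_verifier.encode()).digest())
        if cid != client_id or ruri != redirect_uri or not secrets.compare_digest(expected, challenge):
            raise PermissionError("client/redirect/PKCE check failed")
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(client_id, user, scopes, self.now + CONSENT_LIFETIME)
        return token

    def _require(self, token, scope):
        g = self._grants.get(token)
        if g is None or g.revoked or self.now >= g.expires_at or scope not in g.scopes:
            raise PermissionError(f"token not valid for scope {scope!r}")

    def balances(self, token):
        self._require(token, "balances")
        return {"checking": 1234.56}  # constructed data

    def transactions(self, token):
        self._require(token, "transactions")
        return [{"amount": -42.00, "payee": "Grocer"}]  # constructed data

    def consents(self, user):
        """What the customer sees in the bank app: who has access, to what, until when."""
        return [(g.client_id, sorted(g.scopes), g.expires_at)
                for g in self._grants.values() if g.user == user and not g.revoked]

    def revoke(self, user, client_id):
        hits = [g for g in self._grants.values()
                if g.user == user and g.client_id == client_id and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)


def _denied(call):
    try:
        call()
        return False
    except PermissionError:
        return True


def run_flow():
    """Drives the exchange end to end; returns the outcome of each check."""
    bank, cb = Bank(), "https://budget.example/callback"
    verifier, challenge = make_pkce_pair()
    # 1. App sends the user to the bank asking only for 'balances'; user authenticates there.
    code = bank.authorize("budget-app", cb, ["balances"], challenge, "alice", "correct horse battery staple")
    # 2. Bank redirects back with the code; the app redeems it by proving it holds the verifier.
    token = bank.token("budget-app", code, verifier, cb)
    out = {"balances": bank.balances(token)}
    out["txn_denied"] = _denied(lambda: bank.transactions(token))        # scope never consented to
    out["replay_denied"] = _denied(lambda: bank.token("budget-app", code, verifier, cb))  # code is single use
    out["consents_before"] = len(bank.consents("alice"))
    out["revoked"] = bank.revoke("alice", "budget-app")                   # customer revokes in bank UI
    out["after_revoke_denied"] = _denied(lambda: bank.balances(token))
    # 3. A fresh grant lapses after 90 days (a real app would mint a new PKCE pair here).
    code2 = bank.authorize("budget-app", cb, ["balances"], challenge, "alice", "correct horse battery staple")
    token2 = bank.token("budget-app", code2, verifier, cb)
    bank.now += CONSENT_LIFETIME
    out["expired_denied"] = _denied(lambda: bank.balances(token2))
    return out


if __name__ == "__main__":
    print(run_flow())
```

The point the simulation makes concrete is the contrast with a credential-forwarding aggregator: the app here never holds anything that can log in as the customer, the token it does hold only works for the scopes shown on the consent screen, and both revocation and the 90-day lapse are enforced by the bank rather than by trusting the third party to delete what it stored.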
I tried to use their API for a personal project and found starting one month a bunch of transactions were missing from my bank account. It turned out Chase included a promotion on the pdf statement that month which threw off their scraping algo. Really woke me up to their "tech", I changed passwords and avoid them now.
I can confirm this as I currently use Plaid in a few projects. People have no idea what they are signing up for when they authorize this. It's possible to get near real time transaction data from someone's bank account as well as monitor their account balances for any linked account essentially in perpetuity. With this data it's possible to back into a lot of behaviors about someone's life. All of that is handed to any firm you authorize to link your bank account.
Now I know why I can never think of good ideas for a business, I'm thinking about what I can build to help my customers, but in today's SV I need to be thinking how can I more easily steal user data at a lower cost than my competitors.
FWIW their competitor Teller uses the bank's own native APIs.
The idea is the bank can't shut off Teller clients without shutting off their own customers. This involves a lot of iOS reverse engineering.
So things like Plaid's Capital One integration breaking for months have never happened with Teller - who've been running for something like 5 years now.
They really do need an OAuth rather than save-and-forward-credentials approach to account access. Hopefully the new FedInstant platform will have improvements in this area.
That said, I personally wasn't surprised to see they have this access. It makes sense that if you give them your bank password, they will have full access to your account unless they clearly convince me otherwise.
Yes, a while back my bank account was decoupled from Venmo for reasons unknown. I unwittingly used Plaid to sign into my bank account instead of the usual wait-a-couple-days procedure. No indication whatsoever - only found out because I saw an article, probably on here, about this company and their basically fraudulent practices.
Nice to see somebody respecting the law. Atlassian is still claiming that if they give my account to somebody else then they can ignore my CCPA claims.
IIRC, they have basically an instance of a scraper for every different bank web site, which to me doesn't seem very scalable. I'm not sure if this is still the case, but when I interviewed a few years ago, it definitely seemed that way.
I am sorry to say this but your friends should really give a thought to why they are still working there. I understand that people have families to feed and mortgage, but they should at least consider changing jobs if they are software engineers.
Pretty much how 99% of this data robbery happens by all surveillance companies.
This is why Facebook is so pissed off at Apple that it dares to ASK users first.
"Most users aren't aware what data is gathered about them" is about 10x more accurate than "users don't care about privacy", even though it's the latter that gets repeated all the time (with some help from the surveillance companies themselves spreading this propaganda).
Even if the government bans XMR from exchanges, BTC to XMR atomic swaps are coming.
You can then
1. Use XMR as an anonymizing bridge to pseudonymous ETH or ADA wallets
2. Grow wealth with ETH or ADA smart contracts/decentralized finance
3. When you want to spend, transfer funds from your ETH/ADA wallets over the XMR bridge to newly generated spend wallets. (There's potential for a chain-analysis correlation attack at this point if you aren't careful with how you are withdrawing.)
---
Really, it's all a nightmare and very difficult to do it now, but I'll be damned if someone doesn't develop an app or program that does this all seamlessly in a few years.
https://twitter.com/seanieb/status/1298871471645761537?s=20