
I would add that folks should have a bank account connected to PayPal (etc) that is separate from your day to day accounts.

Not only will it localize any problems[0] but it will limit snooping[1].

[0] If PayPal wrongly deducts money from an account that has basically no funds in it you’ll be able to deal with the problem without having your actual funds locked up.

[1] Seems like basically every non-bank is switching from ACH deposit verification to a service called Plaid that requires your bank username & password, which then screen scrapes your financial details. There’s no reason to hand over your real life financial data when you can just use a dummy account.
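The comment above contrasts credential-based screen scraping with ACH micro-deposit verification. As an added illustration that is not part of the thread (and not Plaid's or any bank's code), here is a minimal server-side implementation of the micro-deposit approach, which never sees a bank login: the service credits two small random amounts to the routing/account number the user typed, and the user proves control of the account by reading them off a statement. The routing-number checksum, attempt limit, replay guard and the sample routing number are all assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # lock the challenge after this many wrong guesses (assumed policy)


def routing_number_is_valid(routing: str) -> bool:
    """ABA routing-number checksum: digits weighted 3,7,1 repeating, total 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


@dataclass
class MicroDepositChallenge:
    """One pending account link. Only the numbers the user typed are stored;
    no bank username or password ever reaches this service."""
    routing_number: str
    account_number: str
    amounts_cents: tuple  # the two random amounts sent to the account by ACH credit
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def new_challenge(routing_number: str, account_number: str) -> MicroDepositChallenge:
    """Create a challenge; the caller then submits two ACH credits for these amounts."""
    if not routing_number_is_valid(routing_number):
        raise ValueError("routing number fails ABA checksum")
    # Two independent amounts from $0.01 to $0.99, drawn from a CSPRNG.
    # Unordered pairs give ~4,900 possibilities, so 3 guesses succeed ~0.06% of the time.
    amounts = (secrets.randbelow(99) + 1, secrets.randbelow(99) + 1)
    return MicroDepositChallenge(routing_number, account_number, amounts)


def verify(challenge: MicroDepositChallenge, guess_a: int, guess_b: int) -> bool:
    """User enters the two amounts from their statement, in either order.
    Returns True once; a verified or locked challenge rejects everything after that."""
    if challenge.verified or challenge.locked:
        return False
    challenge.attempts += 1
    expected = ":".join(f"{a:02d}" for a in sorted(challenge.amounts_cents)).encode()
    got = ":".join(f"{g:02d}" for g in sorted((guess_a, guess_b))).encode()
    if hmac.compare_digest(expected, got):  # constant-time compare
        challenge.verified = True
        return True
    if challenge.attempts >= MAX_ATTEMPTS:
        challenge.locked = True
    return False


if __name__ == "__main__":
    # Constructed sample: routing number chosen to pass the checksum, account number made up.
    ch = new_challenge("011000015", "000123456789")
    a, b = ch.amounts_cents
    print(f"deposits sent: ${a/100:.2f} and ${b/100:.2f}")
    print("wrong guess accepted:", verify(ch, 1, 2))
    print("correct guess accepted:", verify(ch, b, a))
    print("replay accepted:", verify(ch, a, b))
```

The point of the example is what is absent: the service holds no credential that could log in to the bank, so a breach of the verifier, or a lookalike login page, yields nothing reusable. The attempt limit and the one-shot `verified` flag are the two checks that keep the small amount space from being brute-forced or replayed.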



> Seems like basically every non-bank is switching from ACH deposit verification to a service called Plaid that requires your bank username & password,

Why would anyone EVER do this? That has to be the most insecure and possibly catastrophic possible way to verify information.


Handing over your bank username and password to anyone would be a breach of the bank's terms. So no, never do this.


I've been wondering about this as more and more services are asking me to do it via this same "Plaid" service. (I don't do it. I can't use some services. Cashapp mobile didn't want to let me withdraw cash without it; I figured out a way to on cashapp desktop).

Plaid is a company/service literally built around asking people to supply their bank username and password to a third party. (who then stores them (in cleartext, right?) for continued use!) I find it pretty astonishing.

(It's also literally training users to be phished, no?)

I'd be curious to see an article about it, with some details and context.


Here's a StackExchange discussion on it, and what a nightmare it is https://security.stackexchange.com/questions/198005/is-plaid...

I see a link to a lawsuit against Plaid in that discussion, but it's from 2020.

Interestingly, this page has someone claiming it's possible to register on Plaid using ACH info https://teslamotorsclub.com/tmc/threads/for-those-hesitant-t...


This method is sometimes allowed, sometimes not. I'm not certain if it's an option the client who is using Plaid sets or if it's sometimes available based on the financial institution.


>service called Plaid that requires your bank username & password, which then screen scrapes your financial details

That is a hefty accusation. Wouldn't doing that be illegal?

Edit: Looks like they have an entire controversies section on their wiki page and banks are suing them over said sketchy practices. Classy stuff.


Not if it’s not otherwise illegal and disclosed in the terms you agree to. As part of a settlement they now have a “privacy-centric” portal so you can manage what they know about you, ostensibly. But it’s difficult to find, and I would wager that most people who use the service don’t understand what they’re getting into.

Everyone seems to use it now, and it’s increasingly difficult to link accounts using ACH micro deposits because Plaid can be configured to disallow manual linking if the routing number corresponds to a bank they support logging into.

I simply don’t do business with companies that use Plaid in that manner, it’s a hard stop for me. My bank’s customer agreement specifically prohibits disclosing user credentials to any other party, and when support is confronted by that, they typically have no idea what to do with that other than say “Plaid is secure”.


I've never heard of this before, who's everyone? Which country are you talking about?


I’m not sure if they’re in other countries, but I’m referring to the US. As for who uses them: off the top of my head, for well known services: PayPal, Coinbase, YNAB, Truebill, Acorns, Venmo, Stripe has an integration, I think Mint?, the list goes on.

More often than not I encounter them when trying to link bank accounts to anything now, except with other banks.

They have a history of imitating bank login screens and not disclosing that they’re not your bank. They settled a few lawsuits about that in the past few years and are a little more upfront, but I wouldn’t expect the average user to reasonably understand the situation.

Visa tried to acquire them back in 2020 but dropped the plan.


Visa probably got a look at their infrastructure, and saw liabilities that could expand to consume all of Visa.



