tzs a day ago
Storage in cleartext would indeed be a huge red flag, but Plaid says they store it encrypted and I've seen no evidence that they are wrong about that. That still might be a red flag but not as big a red flag. Cleartext means a database leak would leak passwords. Encrypted, if done right, would mean a database leak would not leak passwords.
tharkun__ a day ago | parent
Can you share a link that describes what exactly they do? What I would expect to be table stakes is that they only ever have an encrypted version of the data on their end (like a password manager) and that the encryption key is stored on my machine, or if on their side, that it by itself is protected by a passphrase that I have to enter each time Plaid needs to do something. If we are talking about storing the clear text password somehow because they use screen scraping to implement their features for some banks. All I find on their site (casually looking) is marketing fluff. Also, really, I would expect that they never even need my password at all and that instead they have a proper API between them and the bank(s) where I authorize specific scopes only (preferably with read-only scoping being available) and my password stays with me, and if something bad were ever to be done with a write-scoped token from Plaid it would be traceable to their token authorizing it and they would be liable. When I give them my password they basically get full monetary power of attorney and the bank would always fault me ("we can see you logged in with your user and password. We tell you to keep your password/PIN secure and to never share it. Sorry, money gone").
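The scoped-token design described in the comment above, as an added example that is not code from Plaid, any bank, or either commenter: a toy bank-side API that issues a token bound to a client, a user and an explicit scope list, enforces that scope on every call, rejects tampered or expired tokens, and writes an audit entry naming the token that authorised the action. The signing key, the client and user identifiers, and the scope names `accounts:read` / `payments:write` are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional, Tuple

# Assumption: a bank-side signing secret that never leaves the bank.
# Constructed value for the example only.
BANK_SIGNING_KEY = b"constructed-demo-key-not-for-real-use"

# Every authorisation decision is recorded with the token id and client
# that asked for it, so a write can be traced back to the token that did it.
AUDIT_LOG = []


def _sign(payload: bytes) -> str:
    return hmac.new(BANK_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(client_id: str, user_id: str, scopes: List[str],
                issued_at: int, ttl: int = 3600) -> str:
    """Bank side: mint a token carrying an explicit, minimal scope list.

    The aggregator receives only this token; the user's password stays with
    the user and the bank.
    """
    claims = {
        "jti": secrets.token_hex(8),   # unique token id used for attribution
        "client": client_id,
        "user": user_id,
        "scopes": sorted(scopes),
        "iat": issued_at,
        "exp": issued_at + ttl,
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def _decode(token: str) -> Optional[dict]:
    """Verify the MAC before trusting any claim; return None on any failure."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    padded = body + "=" * (-len(body) % 4)
    try:
        payload = base64.urlsafe_b64decode(padded)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if not hmac.compare_digest(_sign(payload), tag):
        return None
    return json.loads(payload)


def authorize(token: str, action: str, required_scope: str,
              now: int) -> Tuple[bool, str]:
    """Bank side: check signature, expiry and scope, then record who did what."""
    claims = _decode(token)
    if claims is None:
        return False, "invalid signature or malformed token"
    if now >= claims["exp"]:
        return False, "token expired"
    allowed = required_scope in claims["scopes"]
    AUDIT_LOG.append({"jti": claims["jti"], "client": claims["client"],
                      "user": claims["user"], "action": action,
                      "allowed": allowed})
    if not allowed:
        return False, f"scope {required_scope!r} not granted to token {claims['jti']}"
    return True, f"allowed; attributed to client {claims['client']} via token {claims['jti']}"


if __name__ == "__main__":
    # Read-only token: listing transactions works, moving money does not.
    ro = issue_token("aggregator-A", "user-42", ["accounts:read"], issued_at=1000)
    print(authorize(ro, "list_transactions", "accounts:read", now=1500))
    print(authorize(ro, "transfer", "payments:write", now=1500))
    # Pasting a wider scope list onto the read-only token's tag fails the MAC.
    rw = issue_token("aggregator-A", "user-42", ["accounts:read", "payments:write"], issued_at=1000)
    forged = rw.split(".")[0] + "." + ro.split(".")[1]
    print(authorize(forged, "transfer", "payments:write", now=1500))
    print(AUDIT_LOG)
```

The point the comment makes is visible in the audit log: a denied or allowed write is tied to a specific `jti` and client, not to the user's own login, so liability follows the token rather than the account holder.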