Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tharkun__ a day ago

Can you share a link that describes what exactly they do?

What I would expect to be table stakes is that they only ever have an encrypted version of the data on their end (like a password manager) and that the encryption key is stored on my machine or if on their side that it by itself is protected by a passphrase that I have to enter each time plaid needs to do something. If we are talking storing the clear text password somehow coz they use screen scraping to implement their features for some banks.

All I find on their site (casually looking) is marketing fluff.

Also really I would expect that they never even need my password at all and that instead they have a proper API between them and the bank(s) where I authorize specific scopes only (preferably read only scoping being available) and my password stays with me and if something bad were to ever be done with a write scoped token from Plaid it would be traceable to their token authorizing it and they would be liable. When I give them my password they basically get full monetary power of attorney and the bank would always fault me ("we can see you logged in with your user and password. We tell you to keep your password/PIN secure and to never share it. Sorry, money gone".

tzs a day ago | parent [-]

Here's what they say they do [1].

[1] https://support-my.plaid.com/hc/en-us/articles/4410324401047...

tharkun__ a day ago | parent [-]

Relevant section for the "we do store your password" case:

    In other cases, when you link a financial institution to an app via Plaid, you provide your login credentials to us. We store those credentials and use them to collect the data to power the services you’ve chosen and, when requested, securely share it with the app you’re using and establish a secure connection that you control. We then help keep your data safe and private with best-in-class encryption protocols.
Meaning exactly nothing. "encryption protocols" may simply mean that when they log in to screen scrape your bank's online banking they do so over HTTPS.

Sorry but this has zero meaning and I maintain: Red bloody flag. If there's any actual proof out there of them doing all this in a secure way, I'm happy to have my mind changed but this is just part of said marketing fluff.

namaria 7 hours ago | parent [-]

Like Synapse, this sounds like the "put all your eggs in our digital basket" style of fintech "disruption" is bound to blow up in the faces of everyone involved.