cantrevealname 2 days ago
To everyone who doesn’t know how Plaid works: You give your banking username and password directly to Plaid, and it keeps it (so it can continue to log in). I don’t understand how anyone is OK with this. It goes against every security principle and it’s against the terms and conditions of every bank. I realize that almost no bank provides a secure and proper API to get info and/or to transfer funds, but Plaid’s solution is a disaster waiting to happen.

mbm 2 days ago
Hear you 100%. It felt very uncomfortable for me the first time I used it, as well. The problem is that there sort of isn't a better way right now in the US, and for now, Plaid or a Plaid-like competitor is the safest way. Eventually, it would be awesome if there were clean, open APIs and standards around this, but for now, it's the best we have. The alternative, of course, for the DIY-er is some sort of browser automation, which, honestly, is what I tried first. I really wanted it to work, but it didn't - which led us to Plaid.

angoragoats 2 days ago
> The problem is that there sort of isn't a better way right now in the US, and for now, Plaid or a Plaid-like competitor is the safest way

So then the correct thing to do is to not automate this, until there is a better way. Why would you willingly give your bank credentials to a third party just so you can get some summary emails?? It doesn’t make any sense.

ryandrake 2 days ago
It's total insanity. Can't banks detect and ban Plaid? They should suspend/cancel customers' online access as "compromised" if they detect someone other than the user using the user's credentials to log in. All the security theatrics banks put users through and they don't check for obvious credential leaks?

mbm 2 days ago
Just to share -- most of the largest banks/FIs actually work directly with Plaid. Here's a quick list of some of the major ones: JPMorgan Chase, Bank of America, Wells Fargo, Citibank, U.S. Bank, PNC, Capital One, Truist, TD Bank, Charles Schwab, Vanguard, Marcus by Goldman Sachs, Goldman Sachs Private Wealth, Morgan Stanley, E*TRADE, USAA, M&T, RBC, American Express, Fifth Third, Citizens, KeyBank, Huntington, Ally, Discover, BMO

wrs 2 days ago
Yes, Plaid clearly has different levels of integration with different banks. When I connect something to Chase with Plaid it is clearly a cooperative system with an OAuth-like permission dialog, and the Chase side even mentions they're tokenizing the account numbers so Plaid can't see them. When I connect to the little bank down the street I just get a username/password dialog. Their web banking system is so primitive I'm pretty sure Plaid is just scraping it. When they introduced 2FA, Plaid became quite flaky.

mbm 4 hours ago
Correct. They’re incentivized to try to make it as seamless and secure as possible for the 95%, but it’s challenging to build custom integrations for thousands of institutions. Wouldn’t open standards be nice?

cantrevealname 2 days ago
> TD Bank

Quite the opposite in the case of TD Bank. They sued Plaid in 2020. “The bank said in the court filings that the Plaid interface dupes consumers into believing they are entering personal information into TD Bank’s trusted platform.” (They settled in 2021 without explaining the terms of settlement.) https://financialpost.com/news/fp-street/td-bank-files-lawsu...

mbm 2 days ago
Hear you 100%. It's certainly not for everyone, and I respect your position.

angoragoats 2 days ago
I appreciate it, but by giving horrible companies like Plaid your business you are encouraging and normalizing poor security practices. My parents are almost 80 and use a local bank that I’m pretty sure would just be scraped by Plaid. Do you think they’re going to understand the difference between OAuth and storing their credentials? Plaid and any company like it should be shut down.

kylecazar 2 days ago
I don't think this is still the case? When we built our Plaid integration it used OAuth and a redirect. Plaid just got an access token; you enter your user/pass at the bank side.

Edit: Seems like smaller/local banks are probably the ones that won't support OAuth. We didn't support those.

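The redirect-based flow kylecazar describes (the user authenticates at the bank, the third party only ever receives a code and then a token) is the OAuth 2.0 authorization-code grant. The following is an added example, not code from this thread, from Plaid or from any bank: the client side of that grant with PKCE and a state check, plus a constructed in-memory stand-in for the bank's authorization server so the whole exchange runs offline. Every endpoint, client id, redirect URI and scope name is a hypothetical placeholder. The point it makes concrete is that no function on the client side ever handles a username or password; the bank verifies the user and hands back a single-use code bound to the client's PKCE challenge and registered redirect URI.

```python
# Added example: OAuth 2.0 authorization-code flow with PKCE (RFC 7636), client side,
# run against a constructed mock of a bank's authorization server. All names are
# hypothetical placeholders, not any real bank's or aggregator's API.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://bank.example/oauth/authorize"   # hypothetical
CLIENT_ID = "aggregator-app"                                  # hypothetical
REDIRECT_URI = "https://aggregator.example/oauth/callback"    # hypothetical
SCOPE = "accounts:read"                                       # hypothetical read-only scope


def s256(verifier):
    """PKCE S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client generates a random verifier and derives the challenge it will publish."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256(verifier)


def verify_pkce(verifier, challenge):
    """Server-side check at token exchange; constant-time compare."""
    return hmac.compare_digest(s256(verifier), challenge)


def build_authorization_url(state, challenge):
    """URL the client redirects the user to. Note: no credentials appear here."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,                      # CSRF binding to this client session
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from the bank and extract the authorization code."""
    q = parse_qs(urlparse(callback_url).query)
    if not hmac.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


class MockBankAuthServer:
    """Constructed stand-in for the bank. The user logs in *here*; the client never sees it."""

    def __init__(self):
        self._registered = {CLIENT_ID: REDIRECT_URI}   # pre-registered redirect URIs
        self._codes = {}                               # code -> (client_id, challenge, scope)
        self._tokens = {}                              # access_token -> scope

    def authorize(self, url, user_consents=True):
        q = parse_qs(urlparse(url).query)
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        # Only redirect codes to the URI registered for this client.
        if self._registered.get(client_id) != redirect_uri:
            raise PermissionError("redirect_uri does not match registration")
        if q.get("code_challenge_method", [""])[0] != "S256":
            raise PermissionError("PKCE S256 required")
        if not user_consents:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': q['state'][0]})}"
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, q["code_challenge"][0], q["scope"][0])
        return f"{redirect_uri}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, request):
        entry = self._codes.pop(request.get("code"), None)   # single use, even on failure
        if entry is None:
            raise PermissionError("invalid or already-used authorization code")
        client_id, challenge, scope = entry
        if client_id != request.get("client_id") or request.get("redirect_uri") != self._registered[client_id]:
            raise PermissionError("client/redirect mismatch")
        if not verify_pkce(request.get("code_verifier", ""), challenge):
            raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = scope
        return {"access_token": token, "token_type": "Bearer", "scope": scope}

    def scope_for(self, access_token):
        return self._tokens.get(access_token)


def run_flow(bank, user_consents=True):
    """Full client-side flow; returns the token response from the bank."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    callback = bank.authorize(build_authorization_url(state, challenge), user_consents)
    code = parse_callback(callback, state)
    return bank.token({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    })


def raises(exc, fn, *args, **kwargs):
    """True if fn(*args, **kwargs) raises exc; used to check the failure paths."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


if __name__ == "__main__":
    bank = MockBankAuthServer()
    print(run_flow(bank))
```

The contrast with the credential-storage model is the data at rest: after this flow the client holds a scoped bearer token that the bank can revoke or expire, not a password that grants everything the account holder can do.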
mbm 4 hours ago
Correct. That’s interesting — so you explicitly opted out of any non-OAuth institutions?

thebruce87m 2 days ago
I thought that’s what Open Banking was supposed to solve: https://en.wikipedia.org/wiki/Open_banking

jimmcslim 2 days ago
And indeed it does, in some markets. I'll speak to Australia... here we have the legislated Consumer Data Right [1]. This currently puts obligations on banks and energy retailers to make consumer data accessible via an API, via Authorised Data Holders (ADH - the banks and retailers) and Authorised Data Recipients (ADR).

However! The major criticism I have of this scheme is that as an individual power user I do not have direct access to these APIs myself. I believe there was originally an intent to support this under the scheme; however, due to somewhat legitimate security and access concerns, but also, I expect, pushback from anyone falling into the ADH category, this is not possible. Setting up an ADR has a not insignificant compliance burden.

However, I have recently come across Redbark [2], which is a simple service that has taken on the mantle and provides a simple sync mechanism for any Consumers that believe they have a Right to their Data. Not affiliated, just a happy customer, and I hope that they can make the economics work over the long term.

[1] https://www.cdr.gov.au/
[2] https://redbark.co/

mbm 2 days ago
Yup, it would be really awesome if this concept was deployed in the US. Unfortunately, open standards don't seem to gain as much traction here outside of the tech industry.