mbm 2 days ago

Actually, it's deterministic -- our product doesn't move money, so when the user gives us access through Plaid, we're only getting read-level permissions. We actually don't even get full account numbers.

A company working with Plaid has to request separate product "scopes" through Plaid in order to be able to move money.

ForHackernews 2 days ago

I'm not that familiar with Plaid, but if it works like Yodlee, users have to hand over their credentials, so there's no real security; it's just that their scraper is designed to be "look, not touch."

mbm 2 days ago

Plaid has OAuth-based access for most of the big institutions now, but yes, for smaller institutions, they do scraping. Thankfully, Plaid's been around for a while now and has a good track record. It would be a non-starter to give your credentials to a small startup directly.

fsckboy 2 days ago

The question isn't whether the user is trusting Plaid with too much access; the question is whether Plaid is trusting these apps with too much.