lxgr, 6 hours ago:

It's worse than keys, it's a persistent read-only view of all account data. At least there is a process for unauthorized ACH debits. For this blatant breach of privacy, there is nothing.

robhlt, 5 hours ago (reply):

Plaid requires your bank username and password, so they have full read-write access to your account. They can do anything you can do when logged in to the bank's website, and so can anyone else who gains access to Plaid's database.

lxgr, 5 hours ago (reply):

> They can do anything you can do when logged in to the bank's website

Which is hopefully nothing beyond looking at transaction data without 2FA.

robhlt, 4 hours ago (reply):

Plaid's login flow also requires a 2FA code if your bank requires it. The same 2FA code that banks say to never provide to anyone else. They're literally proxying the bank's login page just like a phishing site would, and I assume they're also selecting the "trust this computer" option so their access is more persistent. My bank does require re-2FA for larger transfers, but there's still a lot of damage I can do on a "trusted" computer without triggering another 2FA prompt.

lxgr, 4 hours ago (reply):

To be honest, that's on the bank then. Doing re-2FA for every outbound transfer, and mentioning the consequences of entering the 2FA code out of band (e.g. "enter code 123456 to confirm transfer of x$ to y" or "press OK to confirm transfer..." in a mobile app) should be the bare minimum these days.
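The bank-side control the last comment describes, as an added illustration that is not code from the thread or from any bank or from Plaid: a confirmation code is derived from the action it approves (purpose, amount, recipient, time window), so a code handed over at login time cannot approve a transfer, a transfer code cannot be redirected to another payee, and the "trusted device" flag is never a bypass for money movement. The key, account identifiers and function names are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed per-user secret for illustration only; a bank would provision
# one key per customer in an HSM-backed store, never a hard-coded literal.
DEMO_USER_KEY = b"constructed-demo-key-not-for-production"

def current_window(step_seconds: int = 30) -> int:
    """Time step so a code expires on its own, like TOTP."""
    return int(time.time() // step_seconds)

def confirmation_code(key: bytes, purpose: str, window: int,
                      amount_cents: int = 0, recipient: str = "") -> str:
    """Derive a 6-digit code whose value depends on *what* is being approved.
    purpose is 'login' or 'transfer'; for a transfer the amount and recipient
    are mixed into the MAC, so a code obtained during login (by whoever is
    proxying the login page) cannot approve a transfer, and a transfer code
    cannot be reused for a different amount or payee."""
    message = f"{purpose}|{window}|{amount_cents}|{recipient}".encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def transfer_prompt(amount_cents: int, recipient: str, code: str) -> str:
    """Out-of-band message shown to the customer; it names the consequence
    of entering the code, as the thread suggests."""
    dollars = amount_cents / 100
    return (f"Enter code {code} ONLY to confirm a transfer of ${dollars:,.2f} "
            f"to {recipient}. Do not share this code with anyone.")

def approve_transfer(key: bytes, amount_cents: int, recipient: str,
                     submitted_code: str, window: int,
                     trusted_device: bool = False) -> bool:
    """Server-side check for an outbound transfer. The trusted_device flag
    (the 'trust this computer' state) is accepted only to show that it is
    deliberately ignored: every outbound transfer re-prompts regardless."""
    del trusted_device  # never a bypass for money movement
    expected = confirmation_code(key, "transfer", window, amount_cents, recipient)
    return hmac.compare_digest(expected, submitted_code)

if __name__ == "__main__":
    w = current_window()
    code = confirmation_code(DEMO_USER_KEY, "transfer", w, 250000, "ACCT-9999")
    print(transfer_prompt(250000, "ACCT-9999", code))
    print("approved:", approve_transfer(DEMO_USER_KEY, 250000, "ACCT-9999", code, w))
```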