lxgr 5 hours ago
> They can do anything you can do when logged in to the bank's website

Which is hopefully nothing beyond looking at transaction data without 2FA.
robhlt 4 hours ago
Plaid's login flow also requires a 2FA code if your bank requires it. The same 2FA code that banks say to never provide to anyone else. They're literally proxying the bank's login page just like a phishing site would, and I assume they're also selecting the "trust this computer" option so their access is more persistent. My bank does require re-2FA for larger transfers, but there's still a lot of damage I can do on a "trusted" computer without triggering another 2FA prompt.