Note that there are two major security flaws in Plaid when it comes to authentication:
Since banks don't provide secure mechanisms for third-party authentication and authorization, e.g. OAuth, Plaid receives your credentials in plain text and will then use them to communicate with the bank. So you really have to trust Plaid.
The second weakness is even more dangerous: Apps implementing the Plaid authentication flow will show the Plaid "login page" with bank selection in an overlay on their own sites. Since this is not a redirect again, you don't even see whether your credentials are transferred to Plaid or the third-party app. That is, you have to trust your bank (sure!), Plaid (okay!) and the app using the auth flow (dangerous!).
The lack of secure auth mechanisms is exactly why companies like Plaid (and Yodlee, and Dwolla, and Intuit) exist. Take away that constraint, and this is easy enough to package as a library and not a product.
Many "disruptive" industries like this "API on top of legacy systems" segment are merely arbitrage schemes; they profit from entrenched players' greed and apathy. Luckily, banks are starting to wake up.
As such, it's not really Plaid's responsibility to "fix" this problem, it's the banks'.
Just because this is the reason for Plaid's existence doesn't mean you should make a product where security cannot be guaranteed for the user. Some things just shouldn't be done, because they're not possible yet. Not possible because support from the banks is lacking.
This is really good news. Plaid has an amazing API, it makes it very easy to get your own financial data. I'm trying to analyze my own spending habits / make a budget-allocator using my own patterns, so it's been insanely helpful. My big fear with all small SaaS's is if they just suddenly shutter, so a new round of fundraising is always good news :)
Also good news because they are currently being sued by Yodlee for patent infringement. Shameful anti-competitive bullshit on the part of Yodlee, who let their product get so bad it opened up the door for Plaid. Now Yodlee are trying to litigate instead of compete.
I'm going to be really rude here (forgive me) but I feel like every time a security question comes up you dodge the question really hard.
I want to know one thing: If I log into your service with my bank credentials. Do you store these as plaintext files (or "encrypted" files of which you have the encryption key)? Yes/No.
Furthermore, congratulations! I've been trying to start something up like this in Europe but I feel like there are way more restrictions in Europe on banking data and this kind of third-party aggregation. Sorry for being so rude.
For those interested in a European perspective, the Revised Payment Services Directive (aka PSD2) will in a similar fashion to Plaid's API, force banks to offer APIs for not only client information but payment. If implemented it will probably create radical change and opportunity in FinTech across the EU.
Was just looking at Plaid this weekend, seems really slick. The only thing that gave me brief pause was no public pricing (or indication of order of magnitude).
From my experience so far, sending an email to Charley is essentially the same as finding the info online since he answers so quickly!
Great onboarding, I was really impressed!
What do they do? The article doesn't make it clear. It just discusses them finding alternatives to screen-scraping customers' bank accounts after being given the credentials.
You should fix this!
- http://www.americanbanker.com/bankthink/a-neobanks-prognosis... - http://www.americanbanker.com/news/bank-technology/wells-far...
For free?
Seems like a startup-y Mint.
[1] - https://plaid.com/
Cool discovery: if you search for a financial institution, they return logos as Base64.
Super rad.