The article describes how Plaid is designed to replace the micro-deposit / verify flow used by many sites to validate that you own a checking account before they deposit to or withdraw from that account.
I’m sure this is a reasonably common flow, but it’s only a slice of what Plaid does. They additionally do transaction parsing/normalization across a wide variety of accounts. I’ve been using Plaid for years as part of my ledger-cli workflow, to automate importing of account transactions.
The security flow is horrible, but the security flow for banks was already horrible: the reason I trust banks with my money is because of strong ability to reverse malicious activity, and regulatory oversight, not because I trust their infosec practices.
Pre-Plaid, I had some local scraping tools to pull transactions, and ran into several instances where the “MFA” step for banks allowed my “browser” to pick its own unique identifier. If I set it to “hahalol”, that was fine, and as long as I kept sending that ID, I never had to MFA again.
If we somehow had a world where there was an actual standard way to fetch data from my banks, I’d love that. I’d switch immediately. But in the current world, Plaid is pretty far down my list of financial-service-related risks.
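The "remembered device" weakness described in the comment above, as an added illustration (not code from the commenter or from any bank): the weak variant trusts whatever device identifier the client presents after one successful MFA, so any string the client chooses is enough to skip MFA forever; the hardened variant issues a random server-minted token, stores only a keyed hash of it, binds it to the user, and expires it. Class names, the 30-day TTL and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class WeakDeviceTrust:
    """Models the flaw described above: the client picks the identifier and
    the server only checks that it has seen that identifier once before."""

    def __init__(self):
        self.trusted = set()  # (user, client-chosen id)

    def after_mfa(self, user, client_device_id):
        # Flaw: the value is chosen by the client, so "hahalol" works as well
        # as anything else, and it never expires.
        self.trusted.add((user, client_device_id))

    def needs_mfa(self, user, client_device_id):
        return (user, client_device_id) not in self.trusted


class ServerIssuedDeviceTrust:
    """Hardened form: the server mints an unguessable token; the client can
    only replay what it was given, and only for the same user, until expiry."""

    TOKEN_TTL = 30 * 24 * 3600  # re-prompt MFA after 30 days (assumed policy)

    def __init__(self, server_key: bytes):
        self.key = server_key
        self.trusted = {}  # (user, keyed hash of token) -> expiry timestamp

    def _digest(self, user, token):
        # Bind the token to the user and store only a keyed hash, so a leaked
        # store does not yield usable tokens.
        msg = f"{user}:{token}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def after_mfa(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.trusted[(user, self._digest(user, token))] = now + self.TOKEN_TTL
        return token  # deliver as an HttpOnly, Secure cookie

    def needs_mfa(self, user, token, now=None):
        now = time.time() if now is None else now
        if not token:
            return True
        key = (user, self._digest(user, token))
        expiry = self.trusted.get(key)
        if expiry is None or now > expiry:
            self.trusted.pop(key, None)  # drop expired entries on sight
            return True
        return False

    def revoke_all(self, user):
        """Forget every trusted device for a user, e.g. after a password reset."""
        for key in [k for k in self.trusted if k[0] == user]:
            del self.trusted[key]
```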
> the reason I trust banks with my money is because of strong ability to reverse malicious activity
Note that most banks will not reverse transactions made using your username & password. Plaid's security flow gets rid of the ability to reverse malicious activity.
Plaid does not sell any user data to third parties. It's entirely funded by developers that pay to use the data, and who are also prevented from selling or otherwise sharing data.
Your credentials also don't touch Plaid servers for the majority of traffic now; there are still legacy screen scraping extractors but Plaid can't exactly put a gun to a financial institution's head and force them to provide an API.
It's only been recently that Plaid got to a size that players like Capital One or Wells Fargo are forced to play nice and sign a data access agreement or tell their users why they can't use Venmo.
I’m sure they’d claim they sell metadata or aggregates or something. But even if they’re selling more than they claim, I’ve accepted that as OK for my personal financial threat model.
To say the obvious, other people’s risk/reward tradeoffs will be different, and I know plenty of people who’d never consider using Plaid. But I don’t think that makes them an “evil nightmare product from security hell”.
All of this sounds really familiar. Isn't this exactly what Facebook used to do ~15 years ago with their "friends collector"?
I remember that at one time, Facebook had a big screen where you could enter your credentials for a variety of email providers. Facebook would then login with your credentials via IMAP, scrape all email addresses in your mailbox and match them with Facebook contacts. (Note that this was an official feature back then).
Apparently people were perfectly fine with giving Facebook all their contacts and also the full credentials to their mailbox.
Who wasn't fine with it though were the mail providers - which in the end led to the creation of OAuth, I believe.
> Facebook had a big screen where you could enter your credentials for a variety of email providers
Are people just making up wild conspiracy theories about Facebook now? They read your contacts but I’m virtually certain they never released any kind of email scanner like you described. I searched for this and came up with nothing.
EDIT: if I’m wrong please show me a source and I’ll happily retract this statement.
EDIT 2: I was wrong. See e1g’s comment below that displays this functionality.
Back when I worked at a FinTech company there was a push to use Plaid to dramatically simplify parts of our process. I couldn't get over how terrifying this service was though. Honestly, it was a part of what made me quit that job.
There were alternative ideas like the EU's Open Banking initiative (IIRC) we could have tried to look at, but nothing was anywhere near implemented. Nothing is forcing the banks in the US (where I worked) to implement anything like this. I'm not even sure it's working in the EU yet?
Anyway, this brings back nightmares. Glad I haven't been plagued with plaid since then... yet. knocks on wood
It's called PSD2 and it applies EU-wide since September 2019. Banks have to make _some_ form of API available to third parties. However, these third parties must meet certain criteria and get a license in one of the member states. This makes sense since they can access financial data, and they only have to do it once. So a fintech licensed in e.g. Belgium can access the APIs of a bank in France and vice versa. Since banks already have most of the necessary rules and paperwork in place, I've seen many banks themselves become PSD2 clients as well, offering customers the ability to manage "foreign" bank accounts through their app as well.
First, today a majority of all bank connections are on APIs or OAuth. This is mostly for the biggest banks in the U.S., but we also support some of the biggest platforms on top of which smaller banks & credit unions operate. We don’t want to be in the business of handling credentials in the long-term, for many of the reasons the author of the post pointed out. However, it will take years for this transition to happen with more than 11k banks in the United States. This is something we’ve been pushing for and we’ve worked closely with a lot of financial institutions to support OAuth and even App2App (which is a win not just for security, but also for convenience).
Second, the author focuses on what we call payment authentication (verifying account and routing information), but Plaid is used to power a lot of other use cases across fintech: lending, financial management, identity verification, brokerage, neo banking, etc. So although micro-deposits support verifying payment authentication, they do not support any of these other use cases.
Every day there are tens of millions of people who were not served by the traditional financial system who get access to better financial services because of Plaid. And that would not be possible without what we do.
Third, there are a few insinuations in this thread that we sell user data. We do not: the data goes from you to the app you authorize, through Plaid. We do provide some enhancements to the data for that app – e.g., fraud protection, transaction categorization, normalization of data (which is different for each financial institution).
(I can’t speak much to the lawsuit settlement for obvious legal reasons.)
Fourth, I do appreciate keeping companies honest about security practices. We invest a lot in security and privacy, and look forward to the day a post like this cannot be written because every bank is on OAuth. In the meantime, though, we’re actually the ones pushing for this – OAuth would not be happening at any banks if it weren’t for Plaid (there were companies that did what Plaid did for nearly a decade before we started and made zero progress in improving the technological foundation on top of which financial services are built). You may not believe in the current experience, but we view it as a key and necessary part to transitioning to better financial services and infrastructure for everyone.
CTO or not, that which is described here is nothing but predatory, and if you think there is anything ethical about it, or that the ends justified the means, you're not looking far enough down the road.
You have violated so many long-standing regulations that I am struck dead at my own ability to put myself in shoes that would be able to converge on justifying and managing that business unit knowing what I was doing.
You do not embrace deceptive practices.
You do not usurp and defraud users by accessing their data in excess of what you immediately need to do just what you told them you'd be doing.
You do not commit crimes and hide them long enough, counting on getting "too big to be held to account for it".
You traded your integrity the moment you signed on and okayed that without resistance. You betrayed an implicit mandate to do fair and non-deceptive business in every jurisdiction in the United States. Maybe you're surrounded by people who aren't grounded enough to call a spade a spade, but consider yourself notified by someone who is.
Ya done goofed. Willfully or not I don't have the evidence to support, but ya did. It is my personal hope that Plaid's settlement is rejected, because people deserve to have the character of this group brought into the light of day. Whether Plaid comes out squeaky clean, or the rest of the industry gets indicted for their refusal to integrate, necessitating the measure, I don't care. People need to know though.
What is detailed in the impending settlement is not at all acceptable.
> Plaid wants to throw out all of those years of hard work and ask users to enter their freaking bank credentials into a third-party form.
I interviewed with them and was told the opposite of this. They want to use OAuth or something akin. They don’t want to be in the business of handling actual passwords. I think for Chase they actually do use a form of OAuth.
Of course, they could’ve been lying to my face but my impression was that they were being straightforward.
The banks need to provide a secure way to offer third-party access. I don’t see this as Plaid’s fault.
It isn't Plaid's fault. The majority of their traffic is OAuth. Chase for example is OAuth, as are most of the largest financial institutions now. That wasn't the case when Plaid launched, and the other issue with screen scraping nobody has brought up (and the article conveniently leaves out) is that it's easy to block scraping traffic. Without direct connections, Plaid and all aggregators are completely at the mercy of bank systems that don't distinguish their legitimate business use case from spam.
> Fixing it would require banks to develop, deploy, and standardize on better technology, and, well, good luck with that.
There's OFX (https://en.wikipedia.org/wiki/Open_Financial_Exchange) and "OFX Direct Connect". It's literally made for the same reason Plaid exists. Most banks even allow you to export a (likely broken) version of those files manually. Plaid may be terrible, but banks basically invited this situation and help it exist.
So I disagree with the required level of effort. They had decades to do this. They care so little that one of my banks provides exported files with repeated "unique" IDs and another with the minutes instead of the day of the month (mm/MM mistake). They need to do the very minimum of actually implementing an existing standard and doing basic testing on it.
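A sanity check for the two export defects the comment above describes (reused "unique" IDs and a minutes value written into the day-of-month field), as an added example that is not from the commenter or from any bank's software. OFX 1.x files are SGML-style, so the parser here just scans `<STMTTRN>` blocks with regular expressions; the sample statement is constructed, and a minutes value that happens to fall in 01..31 cannot be told apart from a real day, so only 00 and 32..59 are caught.

```python
import datetime
import re
from collections import Counter

# Constructed sample: FITID 1001 is reused, and 20210847 has "47" in the
# day slot (what a minutes value in that position looks like).
SAMPLE_OFX = """OFXHEADER:100
DATA:OFXSGML
<OFX><BANKMSGSRSV1><STMTTRNRS><STMTRS><BANKTRANLIST>
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20210803120000<TRNAMT>-12.50<FITID>1001<NAME>COFFEE</STMTTRN>
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20210804120000<TRNAMT>-40.00<FITID>1001<NAME>GROCERY</STMTTRN>
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20210847090000<TRNAMT>1500.00<FITID>1002<NAME>PAYROLL</STMTTRN>
</BANKTRANLIST></STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>
"""

STMTTRN_RE = re.compile(r"<STMTTRN>(.*?)</STMTTRN>", re.S)
FIELD_RE = re.compile(r"<([A-Z0-9]+)>([^<\r\n]*)")  # OFX 1.x has no closing tags
DATE_RE = re.compile(r"(\d{4})(\d{2})(\d{2})")  # YYYYMMDD prefix of DTPOSTED


def parse_transactions(text):
    """Return one dict of tag -> value per <STMTTRN> block."""
    return [dict(FIELD_RE.findall(block)) for block in STMTTRN_RE.findall(text)]


def check_ofx(text):
    """Flag FITIDs that appear more than once and DTPOSTED values whose
    calendar part is not a real date (e.g. day 00 or day > 31)."""
    txns = parse_transactions(text)
    counts = Counter(t.get("FITID") for t in txns)
    duplicate_fitids = sorted(f for f, n in counts.items() if f and n > 1)
    bad_dates = []
    for t in txns:
        dt = t.get("DTPOSTED", "")
        m = DATE_RE.match(dt)
        if not m:
            bad_dates.append((t.get("FITID"), dt))
            continue
        try:
            datetime.date(*(int(g) for g in m.groups()))
        except ValueError:  # month or day out of range for a real date
            bad_dates.append((t.get("FITID"), dt))
    return {"duplicate_fitids": duplicate_fitids, "bad_dates": bad_dates}
```

An importer that dedupes on FITID would silently drop the second 1001 transaction, which is why the check runs before import.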
Banks tend to have terrible UX. A lot of that is because they are so security-conscious that they can't move quickly or nimbly. I have known several developers that worked for banks, and their stories of their work environments have made banks a "No-How, No-Way" for me.
They did get paid well, though.
A lot of the Jurassic-scale security debacles that we read about these days seem to be of the "Why the HELL didn't anyone think this through?" variety.
Looks to me like impulsive "Ooh! Shiny!" programming.
The article correctly points out that Plaid helps avoid the whole challenge deposit problem, which is a real source of issues in US banking.
What this misses, and what everyone forgets, is that Plaid didn't invent this concept of using bank logins to verify account ownership. As far as I know, this was Yodlee's innovation. But anyone who has used Yodlee will tell you their API was designed by people who hate software developers, so an opportunity existed for someone to help businesses do bank account validation using sensible APIs - e.g. Plaid.
Banks have known about Yodlee (and now Plaid) for years. Some approve of them, even making it easier for them to recognize account numbers for validation. Others do not approve of them, and in some cases the tools have to do crazy things like downloading bank statements and parsing account numbers out of PDFs. But the banks have no real choice but to tolerate the existence of these tools because there's no better system in the US.
Getting banks to work together on interoperability is a harder problem than tolerating a set of centralized and well known tools that use account logins for a well understood validation purpose. These tools have a job to do, everyone in the ecosystem understands what that is, and everyone puts up with it for lack of a better option.
I'm curious why you would say that.
What flaws have you seen in current banking systems?
But no.
https://considertheconsumer.com/wp-content/uploads/2021/08/I...
- Why?
- Otherwise I've got to do dirty and potentially dangerous things.
- Why?
- Because of my business model.