HACKER Q&A
📣 YeBanKo

Are you terrified of Plaid’s account verification approach?


As a consumer, aren't you terrified of Plaid's account verification approach?

Some time ago I wanted to connect my bank account to my old Coinbase account. Once I chose my bank, I was prompted to enter my online banking username and password. They use a service called Plaid, which requires your bank credentials (and a one-time code if 2FA is enabled) to verify your checking account. I was able to go with the ACH deposit verification route as an alternative, but it is not the default approach anymore.

This seems like a security and privacy nightmare. First, sharing your username and password is against the most basic principle we tell users: don't share your password! Even a text message with a verification code says not to share it! I'd be surprised if this does not also violate the terms of service for online banking. Second, according to Plaid's help pages, they store credentials if the bank does not provide an API. Ideally, banks themselves should not store unhashed passwords, let alone third-party apps. Third, it is a privacy nightmare. With such unlimited scope, they scrape everything; your entire financial history is available. And all this for what? To instantly verify a bank account? Their help pages and some comments from the founders state that they don't share/sell your info without explicit permission. They aren't now, but will they later? What if their monetization strategy changes? What if their new owner has a different view on privacy? Or what if I move to a state that has no CCPA analogue? Is it another service where I need to make sure to opt out of sharing, keep an eye on upcoming ToS changes, and wonder how long they are going to keep my data?

I dug a little and discovered that Plaid is used by many in fintech: Coinbase, Robinhood, Venmo, Betterment, you name it. Maybe I was living under a rock for too long, but this password-sharing practice did not use to be mainstream. I have or had accounts with some of them, and I think deposit verification used to be the way a few short years back.

I know US banks don't have any shared scoped authorization mechanism similar to OAuth2/OpenID Connect, and there is no easy way to instantly verify an account. An ACH deposit can take a week. But do you really need to fund your Coinbase, Robinhood or Betterment account immediately; is a week later too late? Isn't the whole spiel of Betterment and the like that "time in market" > "time the market", so a week later would not matter for your retirement? Sure, this approach can be sensible in some narrow use case, when you indeed want them to have that unfettered access. But for the majority of consumers, I don't see how it is worth forming such a dangerous habit. However, I am almost certain that for fintech services there is a significant drop in conversion and an uptick in abandonment rate when they need a customer to come back in a few days to finish funding their account. Again, that seems to be not enough for the industry to be complacent about it.

Note: this is not a critique of Plaid or other services; their security practices may be excellent, their code reviewed, tested, audited by third parties, etc., and there is a limited scope where it is sensible. I am shocked that this has become mainstream.

UPDATE: I am well aware of Mint and that it has been around for a while. The goal of Mint is to aggregate and manage your finances from one place. It may be that narrow use case where it can be justified given the current state of things: you want to give it full ongoing access because of the value it brings you. My beef is with it being normalized for the sake of a few-point conversion increase in a use case where it does not benefit the customer and another alternative exists.


  👤 g_p Accepted Answer ✓
It seems that increasingly, companies are asking users to break the golden rules of security they once preached (or are breaking them for users).

Once they were told to never, under any circumstances, share their password with anyone else. Now they're expected to tell whether it's OK to share their password with a third-party website or not. To the non-technical user, they were doing something else, then were asked for their banking login. They weren't trying to log into the bank, so their vulnerability to phishing is slowly increased by this pattern.

Similarly with "don't click links in emails you don't trust" - now we have security notification and email verification links to approve logins arriving, requiring users to click within 5 minutes to approve logins. Breaking the "don't fall for time pressure" rule too that users used to be trained with.

Even their email client is most likely hiding the email address of the sender and focusing on the (self-declared) sender name, and some are now masking the destination of URLs when hovered over (Outlook protection), to make it near impossible for a user to tell what they're clicking.

Back to banks, it definitely is a poor workflow, and I share the same concern even where OAuth-style workflows are concerned: users likely can't tell if it's the real bank website or not, so they're being trained to divulge their credentials on demand. This will help attackers over time, as users become even more willing to share this kind of information upon request!


👤 smt88
This method of banking data access (storing credentials and then screen-scraping the website) has been used at least since 2009. That's when Mint.com was founded.

It's very common in the US, 100% legal, and allowed by the banks.

In fact, I once worked on a project where a major bank paid us to write a Plaid-like scraper for their own website because their internal systems were such a disaster.

It's definitely not great, but it's currently the only way to exfiltrate US banking data. If it bothers you, consider switching to a bank with an API that Plaid can use instead.

More info: https://plaid.com/open-banking/


👤 qwerty456127
I can't even say this is questionable; this is unacceptable. I can hardly believe this exists and wonder why it is allowed to. If I were a bank, I would block any attempts to access an account (or even put the whole account in quarantine) if I had any suspicion that it's someone other than its owner who is entering the password.

And the security itself is not my main concern, privacy is. A third party should not know what I do with my money.


👤 mschuster91
> With such unlimited scope, they scrape everything, your entire financial history is available.

This is exactly why the fintech industry pushed so hard for the PSD2 directive in the EU. The Schufa, the German version of Equifax (and just as bad...), even tried to advertise a "let us look at your financial history in your bank account and maybe we'll let you pass then". Fortunately, public outrage was immense and they had to retract their plans for now (https://www.tagesschau.de/investigativ/ndr-wdr/schufa-checkn...).


👤 lmm
Much like the Keynes quote about sound bankers, a safe bank customer is not one who doesn't get hacked, but one who gets hacked in the same way at the same time as everyone else. So no, I don't worry about doing something "unsafe" with my bank details as long as it's something mainstream that everyone else is doing. If it goes wrong, the government will bail me out. It can't be less safe than paper cheques, which apparently the US still uses.

👤 tialaramex
If your user authentication flow is WebAuthn, your users can't mistakenly give their credentials for your service to anybody, short of literally FedExing their physical security key to the bad guys.

In fact, even you can't give your users' credentials away; they're the only ones who have them.

This is of course intended to cure phishing, but it also ensures this Plaid scraping flow can't make sense.
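
The origin binding described in the comment above, as an added example that is not code from the original post, from Plaid or from any bank: a toy relying-party check in Go against a simulated security key. The RP ID `bank.example`, the two origins and the challenge strings are assumed values; the byte layout follows the WebAuthn assertion format (authenticatorData = rpIdHash || flags || signCount, ES256 signature over authenticatorData || SHA-256(clientDataJSON)). The point it shows is that the browser, not the page, stamps the calling origin into clientDataJSON, so an assertion made on an aggregator's page fails the bank's check and the private key itself never exists outside the authenticator.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying party (the bank): its RP ID and the only origin allowed to assert for it.
const (
	rpID           = "bank.example"
	expectedOrigin = "https://bank.example"
)

// clientData is the part of WebAuthn's clientDataJSON that the check below uses.
// The browser fills in Origin from the page that called navigator.credentials.get().
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for the user's security key. The private key is created
// inside it and never exported, so there is no credential the user could hand over.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is what the bank stored at registration time.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assert models what the browser hands back to the page: clientDataJSON,
// authenticatorData (rpIdHash || flags || signCount) and an ECDSA/SHA-256 signature
// over authenticatorData || SHA-256(clientDataJSON).
func (a *Authenticator) Assert(origin, challenge string, signCount uint32) (clientDataJSON, authData, sig []byte, err error) {
	clientDataJSON, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	var counter [4]byte
	binary.BigEndian.PutUint32(counter[:], signCount)
	authData = append(authData, rpHash[:]...)
	authData = append(authData, 0x01) // flags: user present (UP)
	authData = append(authData, counter[:]...)

	cdHash := sha256.Sum256(clientDataJSON)
	toSign := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, toSign[:])
	return clientDataJSON, authData, sig, err
}

// Verify is the bank's server-side check. An assertion made on any other origin, or
// carrying a challenge the bank did not issue, is rejected before the signature is checked.
func Verify(pub *ecdsa.PublicKey, issuedChallenge string, clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != issuedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced for another site", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	signed := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, signed[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	key, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	// Genuine login on the bank's own site (assumed origin).
	cdj, ad, sig, _ := key.Assert(expectedOrigin, "challenge-1", 1)
	fmt.Println("bank origin:", Verify(key.PublicKey(), "challenge-1", cdj, ad, sig))
	// The same key used on an aggregator's page: the browser stamps that origin in.
	cdj, ad, sig, _ = key.Assert("https://aggregator.example", "challenge-2", 2)
	fmt.Println("aggregator origin:", Verify(key.PublicKey(), "challenge-2", cdj, ad, sig))
}
```

A real browser would refuse the aggregator's `navigator.credentials.get()` call for RP ID `bank.example` even earlier, because the RP ID must be a registrable suffix of the calling origin; the origin check in `Verify` is the server-side backstop for the same property. A production verifier would additionally check the signature counter against the stored value and the user-verification flag where required.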


👤 SAI_Peregrinus
Yes. I assume Plaid will result in all my money getting stolen, with me having no recourse (the terms of service deny any recourse if you share your username/password and someone initiates a transfer using that) and/or my bank accounts being forcibly closed due to violating the ToS (via sharing username/password). So I don't use Plaid, or services which require it.

👤 daydream
US banks are starting to implement OAuth (or OAuth-like) solutions. Bank of America and possibly Chase have solutions that have come online recently and are used by YNAB. (No relation to any of these three companies other than as a customer.)

👤 BoHerfIIIJrEsq
From the moment some company put that Plaid process in front of me, I was horrified. I could hardly believe it existed. If somebody had wanted me to work on such a thing as a programmer, I would have refused. The existence and success of Plaid helped persuade me that in the technical solutions world, having good taste and morality is often a hindrance to business success. Plaid shouldn't exist. If somebody had the bad taste to bring it into existence, it should fail from non-use. But here we are.

👤 logicalmonster
My issue with Plaid (and I'm not sure if I was doing something wrong) was not being able to connect to TDBANK unless I turned off 2FA temporarily on my bank account which is obviously a bad thing to do. They had some lawsuit drama back and forth before, so I'm not sure if the connection problems were related to that.

Regardless, I've quit using services that rely on Plaid. It's too much of a hassle and potential risk to deal with for me at the moment.


👤 sys_64738
If you give your username/password to a third party, then it will be leaked and exploited. No amount of pretense that their so-called security will protect you will ever be foolproof. That they say they won't ever have it unencrypted is pure BS. All companies that promise this are liars. You will be hacked eventually. Don't give away your personal login details if you value any of your security or financial life.

👤 sillycross
Please correct me if I'm wrong, but I vaguely recall Plaid actually directing me to my bank's webpage and asking me to input my username and password. So it seemed to me that it's similar to those "log in via your Google/Facebook/etc. account" third-party authentication services.

Are you certain that the password/text auth code are sent to Plaid instead of the bank?


👤 nadagast
Yeah, when I first saw the flow, I was shocked...

👤 vmception
Correct, it is a nightmare.

Stick with domestic wire transfers to and from crypto exchanges, if in the US.

Stay out of the market if domestic wire transfers are too expensive for you.


👤 igammarays
Yes, screen-scraping is a security nightmare that should not exist, but that's what you get in the US. It's an example of where libertarian capitalism and free-market forces don't work. In Europe, open banking is government-regulated, and that's the only reason why banks dedicate resources to building an API.