[jerry80]

Yes. Plaid can be used to verify banking details (many stock brokers use it for this, for example).

Plaid works by asking the user to give their banking username and password to Plaid, and then their two factor authentication token too. Plaid logs into their account behind the scenes to verify ownership.

Plaid claims to not store this info, and I assume that they don't, but it still seems like one of the biggest security anti-patterns ever. If nothing else, it's training users to ignore the "don't share your password" warnings. Do we really want users trained to be more susceptible to phishing?

[rizpanjwani]

Yeah in the last decade, I have many times considered building a service that would have a better interface and access to information by fetching it from all my financial institutions, but what's held me back is the lack of APIs and I never even considered collecting user credentials as a viable option because of the potential security nightmare and possible libabilities. I guess it pays to be ignorant of all that and just plow ahead. Once you get billions in VC funding, you can fend off any consequences.

[dexterous]

> Plaid claims to not store this info, and I assume that they don't

Think of it as Plaid storing OAuth2 access tokens, sort of; and the tokens do expire (over pretty long periods), though, some bank integrations do allow them to generate their equivalent of refresh tokens.

Plaid didn't go into this blind; they know the tightrope they're walking. As someone who's worked with Plaid to build an integration into our product, I'd say they're definitely in a very gray area, but that's pretty much all of the Fintech space right now.

Although, I'd also say they're not malicious; even if it is just motivated by the fear of the bad press resulting in a customer exodus.