by tehwebguy 1870 days ago
On the consumer side I can’t imagine ever giving my bank credentials to Plaid or any other company. Super unnerving that this is even a thing, it’s like the number one rule of passwords.
5 comments

I agree.

I really wanted to use mint, but couldn't bring myself to give away my bank password.

I resorted to writing my own tooling using puppeteer running on my machine to automatically login to my bank accounts and download the CSV exports of my transaction data for each bank. I then normalize that transaction data, and import the data into Lunch Money.

It was a pretty big hassle to write and get working reliably(ish), but I'm super happy now that it's done. Every 2-3 weeks I run the script, and 5 minutes later all of my transactions are available in Lunch Money. I have the peace of mind of knowing that I'm not exposing my banking credentials to random third parties.

I've been doing this for a couple years, just with Selenium rather than Puppeteer. Banks are generally okay, and they don't change their websites that often which is nice. A couple banks force phone 2FA and deliberately hide the "email confirmation" option which makes full automation difficult. Also nag screens, Selenium unreliability, etc.

Some companies like Azure use a different account name every time they bill me. I ended up having to regex the credit card transactions for that. Others have something completely nonsensical like "BS 03-6743-2266" (<- this was iTunes), or use a 3rd party processor that puts their own name in the transaction.

The real issue for me is getting itemized purchases to do categorization on. Stuff like restaurants are okay since everything is food, so I can just categorize the whole transaction. Amazon banned me and forced me to change my password while trying to grab my purchase history (and only my purchase history!). I was trying to grab it from email receipts but then I realized they don't send receipts for Subscribe & Save purchases (!).

I'd kill for something better, but for now it's this or manually enter every transaction or give up on financial responsibility.
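The two comments above describe the same pipeline: log in, pull each bank's CSV export, normalize the differing layouts into one schema, then categorize by merchant with regexes because descriptors like "MICROSOFT*AZURE 1234AB" change every bill and "BS 03-6743-2266" does not name the merchant. The block below is an added example of that normalize-and-categorize step, written for this page and not taken from either commenter's code. The two CSV layouts, the column names, the account labels and the merchant patterns are constructed for illustration; real exports differ per bank.

```python
"""Normalize two bank CSV exports into one transaction schema and categorize by merchant.

Added example, not code from the thread. Column names, sample rows and merchant
patterns are assumptions for illustration.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, datetime
from decimal import Decimal

# Constructed sample exports in two different bank layouts (not real data).
# Bank A: signed single Amount column, ISO dates.
BANK_A_CSV = """Date,Description,Amount
2020-03-01,MICROSOFT*AZURE 1234AB,-12.40
2020-03-02,BS 03-6743-2266,-9.99
2020-03-03,PAYROLL DEPOSIT,2500.00
"""
# Bank B: separate Debit/Credit columns, US dates.
BANK_B_CSV = """Posted Date,Payee,Debit,Credit
03/04/2020,MSFT * AZURE 98ZZ,31.00,
03/05/2020,SQ *CORNER CAFE,8.50,
03/06/2020,Refund SQ *CORNER CAFE,,8.50
"""


@dataclass(frozen=True)
class Txn:
    posted: date
    account: str
    description: str
    amount: Decimal  # negative = money out, positive = money in


# One small adapter per bank; this is the part that rots when a bank changes its export.
def parse_bank_a(text: str) -> list[Txn]:
    rows = csv.DictReader(io.StringIO(text))
    return [Txn(datetime.strptime(r["Date"], "%Y-%m-%d").date(), "bank_a",
                r["Description"].strip(), Decimal(r["Amount"])) for r in rows]


def parse_bank_b(text: str) -> list[Txn]:
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        debit = Decimal(r["Debit"] or "0")
        credit = Decimal(r["Credit"] or "0")
        out.append(Txn(datetime.strptime(r["Posted Date"], "%m/%d/%Y").date(),
                       "bank_b", r["Payee"].strip(), credit - debit))
    return out


# Merchant rules: compiled regex -> category; first match wins, so put the
# specific patterns before the generic ones. Patterns are assumptions that
# match the descriptor shapes mentioned in the thread.
MERCHANT_RULES = [
    (re.compile(r"\b(MICROSOFT|MSFT)\s*\*?\s*AZURE\b", re.I), "Cloud hosting"),
    (re.compile(r"^BS 03-6743-2266$"), "iTunes"),
    # Third-party processor prefix: the real merchant is hidden behind "SQ *".
    (re.compile(r"\bSQ\s*\*", re.I), "Square merchant (needs manual review)"),
    (re.compile(r"\bPAYROLL\b", re.I), "Income"),
]


def categorize(description: str) -> str:
    for pattern, category in MERCHANT_RULES:
        if pattern.search(description):
            return category
    return "Uncategorized"


def normalize_all() -> list[tuple[Txn, str]]:
    """Merge both exports, order by posting date, attach a category to each row."""
    txns = parse_bank_a(BANK_A_CSV) + parse_bank_b(BANK_B_CSV)
    txns.sort(key=lambda t: t.posted)
    return [(t, categorize(t.description)) for t in txns]


if __name__ == "__main__":
    for t, cat in normalize_all():
        print(f"{t.posted} {t.account:6} {str(t.amount):>9} {cat:38} {t.description}")
```

The credential-handling point is implicit in the structure: the adapters only ever see files already on disk, so the login automation (Puppeteer or Selenium) can be kept in a separate process with the bank password, while this part of the pipeline never touches it.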

Yep, I haven't been able to get to full automation either.

I integrate with 1pw, so I don't have to enter my credentials which is nice.

I handle all the 2FA through CLI prompts, so as a user you basically need to stick around as it's running because you might get a 2FA prompt as it logs in to banks.

The worst for me has been irregular marketing or other reminder popups from some banks. The kind of thing where they put some interstitial page up once per month or so after you sign in and want you to respond in some way.

You're doing this for personal or business expenses?

I'm curious to check this out, do you have a GitHub repo/account?

Personal, and no repo at the moment. The code is a huge mess, from scattered multiple generations of wrappers around Selenium's "click this element" functionality to custom accounting code to bit rotted parsers for old receipt email formats, etc. My thinking was largely "as long as I have the data I can make the code better later" and that later has yet to come. I don't have any passwords in the code at least but I think I do have email address whitelists/blacklists for email management stuff and lists of merchants for credit card transaction categorization...

I'll see if I can maybe make a repo by the next time there's a thread about how customer hostile banks are.

Did you release the sources for this by any chance?

I have been playing with the idea of doing something like this for a long time. But it seems like a huge job and I haven't been able to motivate myself towards it yet.

My bank even supports showing a lot of those spending stats as in Lunch Money, but it is entirely on their end and I'm not in control of it at all. I can look at the graphs and numbers in the app but I can't export or store it in any way.

I haven't released it. I've considered it, and it's written in a way that others could use it, but I know if it gained significant popularity it would be a really high value target to compromise. I don't have the time to dedicate to the vigilance necessary to defend that kind of a target.

If you're interested, I'd be happy to share the source with you as a starting point

Sure, if you don't mind that would be great! My email is my hn username @noodfive.com

Thanks!

I need to jump through a few hoops to send it, since GitHub won't let me add a user with read access to a private repository, but I'll send that over tonight
Some banks now offer proper APIs, allowing Mint to redirect you to their OAuth flow-equivalent. So it's slowly improving.
I actually think the opposite is happening. Yes, a few are adding OAuth flow-equivalent, but even more are adding 2-factor and other security measures that prevent a third party.

Maybe Plaid has enough clout to prevent it, but other services have dropped functionality for more and more accounts over the past 2-3 years in my experience.

IIRC, OpenBanking in the UK requires a re-auth every 90 days with the 2FA. I think that's a very reasonable balance, and means services don't have perpetual access.
Oh, I'd be ecstatic if that's how it worked. Instead, I have to go through 2FA every time I want to update with some providers. Others say "Apologies, we're working with the provider to restore support" and have stopped working for years. Others I can transfer money but can no longer see the balance.

On rare occasion I see banks that have a revocable token. I can't remember the exact linking process, but presumably they don't get my credentials, I can specify read-only access and specify specific accounts, it needs periodic renewal, and from the bank end I can see who I gave permission to and revoke access from there. This doesn't seem common and I'm not sure if all the clients support those banks (or if it's a limited "in-group").

None of this is especially novel. It's just the incentives and efforts aren't there.

It's frankly annoying. I wish they enforced a notification by some means instead (X still has access unless you do Y), at least for services that only need read-only access.
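The two comments above sketch what bank-side delegated access looks like when it is done properly: the third party never sees the password, the grant is read-only and limited to named accounts, it lapses after a fixed period (90 days in the UK Open Banking comment) unless the customer re-authenticates, and the customer can see and revoke it from the bank's side. The block below is an added model of exactly those checks, written for this page; it is not any bank's or aggregator's API. The class and method names, the scope strings and the 90-day lifetime are assumptions.

```python
"""Model of bank-side delegated access: read-only, per-account, expiring, revocable.

Added example illustrating the consent model described in the thread. Names
(Grant, ConsentStore), scope strings and the 90-day lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REAUTH_LIFETIME = timedelta(days=90)  # the re-auth period mentioned upthread (assumption)


@dataclass
class Grant:
    client: str          # who the customer authorised, e.g. "budget-app"
    accounts: frozenset  # account ids the grant covers
    scopes: frozenset    # e.g. {"balance:read", "transactions:read"}
    expires: datetime
    revoked: bool = False


class ConsentStore:
    """Issues opaque bearer tokens and enforces scope, account, expiry and revocation.

    Only an HMAC of each token is stored, so a leaked table does not yield usable tokens.
    `now` is injectable so expiry can be exercised deterministically."""

    def __init__(self, now: datetime):
        self._grants: dict[str, Grant] = {}  # token digest -> grant
        self._hmac_key = secrets.token_bytes(32)
        self.now = now

    def _digest(self, token: str) -> str:
        return hmac.new(self._hmac_key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, client: str, accounts, scopes) -> str:
        # Only read scopes are delegable in this model; moving money stays with the user.
        bad = [s for s in scopes if not s.endswith(":read")]
        if bad:
            raise ValueError(f"non-read scopes are not delegable: {bad}")
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = Grant(
            client, frozenset(accounts), frozenset(scopes), self.now + REAUTH_LIFETIME)
        return token

    def authorize(self, token: str, account: str, scope: str) -> bool:
        """Every check a request must pass: known token, not revoked, not expired,
        account inside the grant, scope inside the grant."""
        g = self._grants.get(self._digest(token))
        if g is None or g.revoked or self.now >= g.expires:
            return False
        return account in g.accounts and scope in g.scopes

    def list_grants(self) -> list[tuple[str, datetime, bool]]:
        """What the customer sees in the bank UI: who has access, until when, revoked?"""
        return [(g.client, g.expires, g.revoked) for g in self._grants.values()]

    def revoke(self, client: str) -> int:
        """Customer-initiated revocation from the bank side; returns grants revoked."""
        n = 0
        for g in self._grants.values():
            if g.client == client and not g.revoked:
                g.revoked = True
                n += 1
        return n


def demo() -> dict:
    """Walk one grant through its lifecycle and return each decision."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    store = ConsentStore(now=t0)
    tok = store.issue("budget-app", ["chk-001"], ["balance:read", "transactions:read"])
    results = {
        "read_allowed": store.authorize(tok, "chk-001", "transactions:read"),
        "other_account": store.authorize(tok, "sav-002", "transactions:read"),
        "write_scope": store.authorize(tok, "chk-001", "payments:write"),
        "garbage_token": store.authorize("not-a-token", "chk-001", "balance:read"),
    }
    try:
        store.issue("payments-app", ["chk-001"], ["payments:write"])
        results["write_issue_rejected"] = False
    except ValueError:
        results["write_issue_rejected"] = True
    store.now = t0 + REAUTH_LIFETIME + timedelta(seconds=1)  # past the 90-day window
    results["after_90_days"] = store.authorize(tok, "chk-001", "transactions:read")
    store.now = t0
    results["revoked_count"] = store.revoke("budget-app")
    results["after_revoke"] = store.authorize(tok, "chk-001", "transactions:read")
    results["visible_grants"] = len(store.list_grants())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

Contrast this with the screen-scraping model the thread complains about: there the aggregator holds a credential that is valid for every account, every action, indefinitely, and the only way to "revoke" it is to change the password.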
Yep, but unfortunately it's only a small handful of the banks. And it tends to be the larger national banks that offer proper APIs, and I tend to avoid banking with those.

I'd really like to see Open Banking API laws passed in the US to require banks to offer this kind of API.

When your company uses Carta you'll be forced to use Plaid under time pressure to exercise your stock options. Companies need to stop enabling Plaid because they are too lazy to implement their own payment systems.
Ugh, this is how POLi Payments works in Australia, used by some businesses here and there and mostly by airlines. To do payments there, you literally give them your internet banking username and password, and they impersonate you to transfer money out of your account into the seller’s account. There are multiple bald-faced lies in their marketing (such as calling it a proxy like Opera Mini, and stating that they do not capture usernames or passwords, which… uh, hello, maybe you don’t store them, but you absolutely capture them).

I learned that this actually was what they were doing three years ago, and promptly complained to them, and was politely ignored (“Security is very important at POLi”… “Although it does not look like your traditional internet banking screen, the POLi interface is just as secure (if not more so)”…).

I’m baffled that the banks haven’t shut POLi down since it’s fundamentally predicated on ToS breaches, this man-in-the-middle attack and training users to do catastrophically stupid things, even including undermining 2FA (“give us your username and password; oh, looks like you have 2FA enabled, give us that token too?”). I complained to my bank (NAB) at the same time, and they said of using POLi Payments that “NAB does not suggest this course of action as this will be a breach of security” and that I should talk to POLi instead, as they “are unable to put a full block on this service as customers can still authorise transactions themselves at their own risk however NAB has advised in the terms and conditions of a breach this may cause”. In other words, they’re just covering their ears and ignoring it. Yet I’m sure they could block POLi without much difficulty if they actually wanted to, since all requests will be coming from POLi servers and are sure to be easily detectable (even their usage pattern would be trivial to detect). So why don’t they want to kill off this security menace?

Perhaps the worst part of it all is that Australia Post purchased POLi Payments some years back, thereby legitimising this abomination that should be terminated with prejudice.

Seriously, how do you end up with such a major player in the payments space being predicated around lies and evasion, terms-of-service violations and security malpractice? (And they even got exempted by ASIC from holding a financial services license.)

Another silly thing about it these days is that half the reason for the MitM attack (rapid confirmation that the transaction has taken place) is no longer needed, because almost all banks in Australia now support rapid transfers and linking email addresses to bank accounts, so they could just say “transfer the money to sales@example.com.au with description 12345” and reconcile it within a minute at least as an alternative to the MitM attack.
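The comment above argues that a credential-relaying intermediary is easy for a bank to spot because all of its logins come from the intermediary's own servers and follow one usage pattern. The block below is an added example of the simplest such detection, written for this page and not from any bank or from the commenter: it scans authentication logs for a single source network that successfully logs in as many distinct customers within a short window, which no household or office does. The log format, the addresses, the usernames, the /24 grouping and the threshold are all constructed assumptions; a real deployment would baseline the threshold against its own traffic.

```python
"""Detect a credential-relaying intermediary from web-banking authentication logs.

Added example, not from the thread or any bank. Log format (ISO time, source IP,
username, event), addresses, usernames, /24 grouping and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range addresses, invented customers).
SAMPLE_LOG = """\
2020-05-01T10:00:01Z 203.0.113.10 alice LOGIN_OK
2020-05-01T10:00:04Z 203.0.113.11 bob LOGIN_OK
2020-05-01T10:00:09Z 203.0.113.10 carol LOGIN_OK
2020-05-01T10:00:15Z 203.0.113.12 dave LOGIN_OK
2020-05-01T10:00:20Z 203.0.113.10 erin LOGIN_OK
2020-05-01T10:00:22Z 198.51.100.7 frank LOGIN_OK
2020-05-01T10:00:30Z 203.0.113.13 heidi LOGIN_FAIL
2020-05-01T10:05:00Z 198.51.100.7 frank LOGIN_OK
2020-05-01T10:30:00Z 203.0.113.10 grace LOGIN_OK
"""

WINDOW = timedelta(minutes=5)
DISTINCT_USER_THRESHOLD = 4  # assumption: tune against the bank's own baseline


def parse(line: str):
    ts, ip, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, event


def source_key(ip: str) -> str:
    """Group by /24 so an intermediary rotating through a small address pool still trips."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def detect(log_text: str) -> dict:
    """Return {source_network: set(users)} for every network that logged in as at
    least DISTINCT_USER_THRESHOLD distinct customers inside one WINDOW-long span.
    Failed logins are ignored; the relay only matters once it is in."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    windows = defaultdict(deque)  # network -> deque of (ts, user) within WINDOW
    flagged = {}
    for ts, ip, user, event in events:
        if event != "LOGIN_OK":
            continue
        net = source_key(ip)
        q = windows[net]
        q.append((ts, user))
        while q and ts - q[0][0] > WINDOW:  # slide the window forward
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= DISTINCT_USER_THRESHOLD:
            flagged.setdefault(net, set()).update(users)
    return flagged


if __name__ == "__main__":
    for net, users in detect(SAMPLE_LOG).items():
        print(f"{net}: {len(users)} distinct customers in {WINDOW} -> {sorted(users)}")
```

In the sample, 203.0.113.0/24 authenticates as five different customers in twenty seconds and is flagged; frank logging in twice from 198.51.100.7 is not, and grace's login from the same /24 half an hour later falls outside the window. The same fan-out logic works on a fixed User-Agent or TLS fingerprint instead of an address block when the intermediary sits behind a shared cloud range.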

That's terrible. I've never used it though, as an Australian. The name does sound vaguely familiar though. Are there any businesses that actually require you to use it? I've never seen one.

I usually pay for airlines with my credit card, now they aren't allowed to charge as large fees as they used to. Before that, I'd used BPay instead (which I still use for a lot of bills).

I don’t think I’ve ever seen POLi presented as the only option, but it’s commonly the only fee-free option (BPay isn’t always offered). For myself, as soon as I learned what POLi was (because it asked for my bank username and password) I decided I hate it enough to pay a few extra dollars of credit card fees.
Agreed. The name sounds vaguely familiar but I haven't come across it either. They actually have an interactive demo [0]. It feels super sketchy and wrong being asked for the bank login.

[0] https://www.polipayments.com/Demo

> On the consumer side I can’t imagine ever giving my bank credentials to Plaid or any other company. Super unnerving that this is even a thing, it’s like the number one rule of passwords.

Yeah, and it's also the number two and three rules with bank passwords.

I sold Bitcoin for the first time a few months ago on Coinbase. Their only bank integration is via Plaid, and I did a double-take and noped the fuck out of that right away. It boggles my mind that's even a thing. Luckily I was able to get my money out via Paypal instead without too much hassle.

> I can’t imagine ever giving my bank credentials to Plaid or any other company

It's another tax on the poor, same as advertising. No service targeting sophisticated, wealthy people would use this. But if you have someone desperate for liquidity, of course they'll hand you the keys to their kingdom.

Plaid is used a lot of places, including services mostly for the wealthy. For example, a previous startup I worked at used Carta to manage employee stock options.

The default mechanism to transfer cash into Carta to exercise your options was with Plaid.

Now to be fair, you also had the option to use check routing numbers to perform the transfer. But I have to imagine that most people use Plaid without a second thought.