[admn2]

is Plaid inherently bad? Is having an automated way of pulling in real time data worth the security risk of authing into all your bank accounts? Genuinely asking as this seems great in theory, but I'm a bit confused what it looks like to manually keep it updated.

[aketchum]

My company is an online lender - we use plaid so that users may instantly link their bank account. They have an alternative of verifying with micro-deposits, but that does take 2 days and the company gets less information on the user, so there are more manual verifications the user must do (provide paystub and id etc).

Plaid Cons:

- The end user must type their bank account credentials into a third party platform that uses their banks logo. It is terrible for general population cyber security because this is the exact type of you thing you should never do in general. However I do not know of any data leaks or info sec issues from Plaid specifically. As far as I know Plaid is totally safe with this information. Im sure they will be hacked eventually though - everyone is.

- Plaid shows the permission you are granting but the user can not make it more restrictive. For example the company with the plaid integration can choose from 1 to all off these functionalities (they all increase api cost though): KYC Verification, PII from the account, one time current balance, ongoing current balance check, all transactions for previous 2-24 months. The vendor chooses what they want to get and the end user can take it or leave it, they cant pick and choose.

Plaid Pros:

- instantly verify bank account instead of waiting 1-2 days for Micro Deposits to hit account then come back to the app to verify. This is just better flow for the user, who often wants the loan asap. It is better for company too, because there is more conversion.

- balance checks, transaction history - these are useful for us to not overdraw accounts when pulling a payment, and verify income. Budgeting apps use these to auto import values of course.

- many banks have been forced to move to OAuth because of plaid. Having worked at a Top 10 US bank, I do not believe that any other than maybe Capital One would have OAuth today if it were not for Plaid pushing them

- There is really no other feasible option to get this data (other than competitors with same exact strategy so no difference). This is the customer's data that is valuable to them! They should be able to share it with trusted partners if it gives them value.

[jjice]

I was pleasantly surprised to see a few of the large banks having added OAuth in my recent use of a product that uses Plaid. That said, my local bank is far from it and even a large bank like Discover doesn't offer OAuth yet. I've just decided that I have to enter that data manually for those accounts because I can't give out a password to my bank accounts - it's just absurd to me.

Here's to a continued migration to OAuth by banks, but I'm not holding my breath for it.

[xyst]

> The end user must type their bank account credentials into a third party platform

Huh? I have seen plaid redirect to my banks login and then authentication and subsequent authorization (read access to accounts) in other flow. Then plaid uses provided token to retrieve data.

I don’t recall having to pass login credentials to plaid. Maybe that’s a limitation of _your_ bank?

[smsm42]

Yes, for banks that have this workflow enabled. In know WF does something like that. But many banks don't, and for these there's not much alternative except getting username/password and scraping. Terrible security, but dragging the banks into 21th century will take a lot of time. Some providers are annoying enough to ban external aggregation completely, seemingly just out of spite. Normally I wouldn't even work with such bank but unfortunately sometimes (like HSA account from work) you don't have a choice.

[andrewmcwatters]

Yes, but the fault lies with the banks who do not allow their own customers access to their data. Plaid, Intuit, and other private companies scrape financial institutions unless they provide more secure methods to obtain customer data, and most of them do not do this.

So the state of the art to connect to banks... is Selenium with stealth modifications.

I own a business which does the same work as Plaid, Intuit, et al.

[langcss]

An open source repo of selenium scripts for different banks would be a decent thing.

[andrewmcwatters]

I’m going to risk speaking for other people in the space and say that’s not actually a good idea since at the time of writing there are detection strategies that can shut all of us out of every financial institution if they so chose to do so due to recent changes with specific browsers.

It’s unsolved at the moment, and may not be for some time. So it’s a matter of time before the current scraping approaches break. We basically have to recompile the browsers from scratch to stop leaking information that distinguishes automation.

[zburatorul]

https://github.com/jbms/finance-dl

[breadwinner]

If you call Fidelity with a security issue the first question they ask you is, did you share your password with anyone (and if you did, you're to blame).

[fsckboy]

that's line of reasoning applies to all banks etc., though they might not ask it as first question