[tharkun__]

Not parent but, what about this does not scream red bloody flag to you?

    hand over their account passwords to them

Give my banking password to some other company? That's a red bloody flag right there. Stop the presses. Nobody should ever do that. Not outside of very specific use cases like a password manager and in that case there better be seventeen million levels of encryption and such in place.

    for storage in cleartext.

Did we mention the color red? On a flag? I think we did. Cleartext, eh? Who thought this was a good idea?

[tzs]

Storage in cleartext would indeed be a huge red flag, but Plaid says they store it encrypted and I've seen no evidence that they are wrong about that.

That still might be a red flag but not as big a red flag. Cleartext means a database leak would leaks passwords. Encrypted, if done right, would mean a database leak would not leak passwords.

[tharkun__]

Can you share a link that describes what exactly they do?

What I would expect to be table stakes is that they only ever have an encrypted version of the data on their end (like a password manager) and that the encryption key is stored on my machine or if on their side that it by itself is protected by a passphrase that I have to enter each time plaid needs to do something. If we are talking storing the clear text password somehow coz they use screen scraping to implement their features for some banks.

All I find on their site (casually looking) is marketing fluff.

Also really I would expect that they never even need my password at all and that instead they have a proper API between them and the bank(s) where I authorize specific scopes only (preferably read only scoping being available) and my password stays with me and if something bad were to ever be done with a write scoped token from Plaid it would be traceable to their token authorizing it and they would be liable. When I give them my password they basically get full monetary power of attorney and the bank would always fault me ("we can see you logged in with your user and password. We tell you to keep your password/PIN secure and to never share it. Sorry, money gone".

[tzs]

Here's what they say they do [1].

[1] https://support-my.plaid.com/hc/en-us/articles/4410324401047...

[tharkun__]

Relevant section for the "we do store your password" case:

    In other cases, when you link a financial institution to an app via Plaid, you provide your login credentials to us. We store those credentials and use them to collect the data to power the services you’ve chosen and, when requested, securely share it with the app you’re using and establish a secure connection that you control. We then help keep your data safe and private with best-in-class encryption protocols.

Meaning exactly nothing. "encryption protocols" may simply mean that when they log in to screen scrape your bank's online banking they do so over HTTPS.

Sorry but this has zero meaning and I maintain: Red bloody flag. If there's any actual proof out there of them doing all this in a secure way, I'm happy to have my mind changed but this is just part of said marketing fluff.

[namaria]

Like Synapse, this sounds like the "put all your eggs in our digital basket" style of fintech "disruption" is bound to blow up in the faces of everyone involved.

[BenjiWiebe]

Yep, that's what I was meaning.