by cantrevealname 56 days ago
To everyone who doesn’t know how Plaid works: You give your banking username and password directly to Plaid, and it keeps it (so it can continue to login).

I don’t understand how anyone is OK with this. It goes against every security principle and it’s against the terms and conditions of every bank.

I realize that almost no bank provides a secure and proper API to get info and/or to transfer funds, but Plaid’s solution is a disaster waiting to happen.


Hear you 100%. It felt very uncomfortable for me the first time I used it, as well.

The problem is that there sort of isn't a better way right now in the US, and for now, Plaid or a Plaid-like competitor is the safest way. Eventually, it would be awesome if there were clean, open APIs, and standards around this, but for now, it's the best we have.

The alternative of course for the DIY-er is some sort of browser automation, which honestly, is what I tried first. I really wanted it to work, but it didn't - which led us to Plaid.

> The problem is that there sort of isn't a better way right now in the US, and for now, Plaid or a Plaid-like competitor is the safest way

So then the correct thing to do is to not automate this, until there is a better way. Why would you willingly give your bank credentials to a third party just so you can get some summary emails?? It doesn’t make any sense.

It's total insanity. Can't banks detect and ban Plaid? They should suspend/cancel customers' online access as "compromised" if they detect someone other than the user using the user's credentials to log in. All the security theatrics banks put users through and they don't check for obvious credential leaks?
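The comment above asks whether a bank could notice when something other than the customer is using the customer's credentials. One observable a defender actually has is login telemetry: a single source that successfully signs in to many unrelated accounts inside a short window does not look like one customer. The following is an added example, not code from the thread or from any bank, that runs that check over a few constructed log lines; the log format, threshold and window are assumptions for illustration.

```python
# Added example (constructed log format and values): flag sources that
# successfully log in to many distinct accounts within a sliding window.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a bank's authentication log; the RFC 5737 test
# addresses and user names are made up for this example.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z login ok user=alice src=198.51.100.5 ua="Mozilla/5.0 (iPhone)"
2024-05-01T08:00:14Z login ok user=alice src=203.0.113.7 ua="python-requests/2.31"
2024-05-01T08:00:15Z login ok user=bob src=203.0.113.7 ua="python-requests/2.31"
2024-05-01T08:00:17Z login fail user=erin src=203.0.113.7 ua="python-requests/2.31"
2024-05-01T08:00:19Z login ok user=carol src=203.0.113.7 ua="python-requests/2.31"
2024-05-01T08:03:40Z login ok user=dave src=203.0.113.7 ua="python-requests/2.31"
2024-05-01T09:15:00Z login ok user=frank src=192.0.2.9 ua="Mozilla/5.0 (Windows)"
2024-05-01T12:30:00Z login ok user=grace src=192.0.2.9 ua="Mozilla/5.0 (Windows)"
2024-05-01T16:45:00Z login ok user=heidi src=192.0.2.9 ua="Mozilla/5.0 (Windows)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)'
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def shared_source_logins(lines, window=timedelta(hours=1), min_users=3):
    """Return {src: sorted users} for sources that successfully signed in to
    at least `min_users` distinct accounts within any `window`-long span.
    Only successful logins count: failed guesses are a different signal."""
    events = [e for e in map(parse_line, lines) if e and e["result"] == "ok"]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        lo = 0
        # Sliding window over this source's time-ordered successful logins.
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            users = {e["user"] for e in evs[lo:hi + 1]}
            if len(users) >= min_users:
                findings.setdefault(src, set()).update(users)
    return {src: sorted(users) for src, users in findings.items()}


def accounts_to_review(lines, **kwargs):
    """Flatten the findings into the set of accounts an analyst should look at."""
    return sorted({u for users in shared_source_logins(lines, **kwargs).values() for u in users})


if __name__ == "__main__":
    for src, users in shared_source_logins(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(users)} accounts in one window -> {users}")
```

In the sample, 203.0.113.7 reaches four accounts in under four minutes and is flagged, while 192.0.2.9 also touches three accounts but hours apart and is not. A shared household or office address can produce the same pattern, so the output is a review queue for an analyst (or an input to a step-up authentication rule), not an automatic suspension; the window and threshold would be tuned against a bank's real traffic.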

Just to share -- Most of the largest banks/FIs actually work directly with Plaid.

Here's a quick list of some of the major ones:

JPMorgan Chase, Bank of America, Wells Fargo, Citibank, U.S. Bank, PNC, Capital One, Truist, TD Bank, Charles Schwab, Vanguard, Marcus by Goldman Sachs, Goldman Sachs Private Wealth, Morgan Stanley, E*TRADE, USAA, M&T, RBC, American Express, Fifth Third, Citizens, KeyBank, Huntington, Ally, Discover, BMO

Yes, Plaid clearly has different levels of integration with different banks.

When I connect something to Chase with Plaid it is clearly a cooperative system with an OAuth-like permission dialog, and the Chase side even mentions they're tokenizing the account numbers so Plaid can't see them.

When I connect to the little bank down the street I just get a username/password dialog. Their web banking system is so primitive I'm pretty sure Plaid is just scraping it. When they introduced 2FA, Plaid became quite flaky.

Correct. They’re incentivized to try to make it as seamless and secure as possible for the 95%, but it’s challenging to build custom integrations for thousands of institutions. Wouldn’t open standards be nice?

> TD Bank

Quite the opposite in the case of TD Bank. They sued Plaid in 2020. “The bank said in the court filings that the Plaid interface dupes consumers into believing they are entering personal information into TD Bank’s trusted platform.” (They settled in 2021 without explaining the terms of settlement.)

https://financialpost.com/news/fp-street/td-bank-files-lawsu...

And as of 2023 TD now has API integration with Plaid, so you don't need to give credentials to connect your account anymore.

https://www.prnewswire.com/news-releases/td-bank-group-and-p...

Hear you 100%. It's certainly not for everyone, and I respect your position.

I appreciate it, but by giving horrible companies like Plaid your business you are encouraging and normalizing poor security practices. My parents are almost 80 and use a local bank that I’m pretty sure would just be scraped by Plaid. Do you think they’re going to understand the difference between OAuth and storing their credentials? Plaid and any company like it should be shut down.

I don't think this is still the case?

When we built our Plaid integration it used OAuth and a redirect. Plaid just got an access token, you enter your user/pass at bank side.

Edit: Seems like smaller/local banks are probably the ones that won't support OAuth. We didn't support those.
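The comment above (and the earlier description of the Chase connection, with its permission dialog and tokenized account numbers) describes the redirect-and-token model: the user types the password on the bank's page, and the third party only ever holds a scoped access token. The following added example, which is not Plaid's, Chase's, or the commenter's code, models that exchange as a miniature OAuth 2.0 authorization-code flow with PKCE, with both the bank and the aggregator side in one process. All names, URLs, keys and account numbers are constructed; the point is what each party ends up holding.

```python
# Added example (constructed, not any real bank or aggregator API): an OAuth 2.0
# authorization-code flow with PKCE. The aggregator never sees the password and
# holds only a revocable, scoped token; account numbers are returned tokenized.
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Bank:
    """Stand-in for the bank's authorization and resource server (constructed)."""
    salt: bytes
    users: dict              # username -> password hash
    accounts: dict           # username -> real account numbers (never leave the bank)
    clients: dict            # registered client_id -> allowed redirect_uri
    tokenization_key: bytes
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorize(self, username, password, client_id, redirect_uri, scope, code_challenge):
        """Login happens on the bank's own page; the client never handles the password."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unregistered client or redirect_uri")
        if not hmac.compare_digest(self.users.get(username, b""), password_hash(password, self.salt)):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(32)  # short-lived, single-use grant
        self.codes[code] = dict(user=username, client_id=client_id, redirect_uri=redirect_uri,
                                scope=scope, code_challenge=code_challenge)
        return code

    def exchange(self, code, client_id, redirect_uri, code_verifier):
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if grant is None or (grant["client_id"], grant["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("invalid grant")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, grant["code_challenge"]):
            raise PermissionError("PKCE verifier does not match challenge")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = dict(user=grant["user"], scope=grant["scope"])
        return token

    def list_accounts(self, token):
        meta = self.tokens.get(token)
        if meta is None or "accounts:read" not in meta["scope"]:
            raise PermissionError("token missing, revoked, or out of scope")
        # Tokenized identifiers: stable per account, but the real number stays inside the bank.
        return [b64url(hmac.new(self.tokenization_key, acct.encode(), "sha256").digest())[:16]
                for acct in self.accounts[meta["user"]]]

    def revoke(self, token):
        """The user or the bank can cut the client off without a password change."""
        self.tokens.pop(token, None)


@dataclass
class Aggregator:
    """Stand-in for the third-party client (constructed). Note: no credential store."""
    client_id: str
    redirect_uri: str
    pending: dict = field(default_factory=dict)  # state -> PKCE verifier

    def start(self):
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(48)
        self.pending[state] = verifier
        return state, b64url(hashlib.sha256(verifier.encode()).digest())

    def finish(self, bank, state, code):
        verifier = self.pending.pop(state, None)
        if verifier is None:
            raise PermissionError("state mismatch: callback for a flow we did not start")
        return bank.exchange(code, self.client_id, self.redirect_uri, verifier)


def demo_bank():
    salt = b"constructed-salt"
    return Bank(salt=salt, users={"alice": password_hash("correct horse", salt)},
                accounts={"alice": ["12345678", "87654321"]},
                clients={"agg-client": "https://aggregator.example/callback"},
                tokenization_key=b"constructed-tokenization-key")


def link_account(bank, agg, username, password, scope="accounts:read"):
    """Whole exchange: client starts, user authenticates at the bank, client redeems the code."""
    state, challenge = agg.start()
    code = bank.authorize(username, password, agg.client_id, agg.redirect_uri, scope, challenge)
    token = agg.finish(bank, state, code)  # the bank "redirects" back carrying state + code
    return token, bank.list_accounts(token)


if __name__ == "__main__":
    bank, agg = demo_bank(), Aggregator("agg-client", "https://aggregator.example/callback")
    token, handles = link_account(bank, agg, "alice", "correct horse")
    print("opaque account handles:", handles)
    bank.revoke(token)
```

Contrast this with the scraping model from earlier in the thread: there the aggregator must persist the username and password, any leak of that store is a leak of full login capability, and the only remedy is a password change. Here the aggregator's store contains tokens bound to one client and one scope, the bank can revoke them individually, the single-use code and PKCE verifier stop an intercepted callback from being replayed, and the `state` check ties the callback to a flow the client actually started.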

Correct. That’s interesting — so you explicitly opted out for any non-OAuth institutions?

This was B2B SaaS for large networks of ambulatory centers to manage/pay their vendors. The banks that were in scope were only the ones they used -- each one of the big names (and around half of them Bank of America).

Can see it being more of an issue if it were a B2C finance app.

I thought that’s what Open Banking was supposed to solve: https://en.wikipedia.org/wiki/Open_banking

And indeed it does, in some markets.

I'll speak to Australia... here we have the legislated Consumer Data Right [1]. This currently puts obligations on banks and energy retailers to make consumer data accessible via an API, via Authorised Data Holders (ADH - the banks and retailers) and Authorised Data Recipients (ADR). However! The major criticism I have of this scheme is that as an individual power user I do not have direct access to these APIs myself. I believe there was originally an intent to support this under the scheme, however due to somewhat legitimate security and access concerns, but also I expect pushback from anyone falling into the ADH category, this is not possible. Setting up an ADR has a not insignificant compliance burden.

However I have recently come across Redbark [2] which is a simple service that has taken on the mantle, and provides a simple sync mechanism for any Consumers that believe they have a Right to their Data. Not affiliated, just a happy customer and I hope that they can make the economics work over the long term.

[1] https://www.cdr.gov.au/

[2] https://redbark.co/

Yup, it would be really awesome if this concept was deployed in the US. Unfortunately, open standards don't seem to gain as much traction here outside of the tech industry.