by eastbayjake 31 days ago
When using a government website, you were intimidated by the security posture of... Plaid? (Genuine question, maybe this was some other provider but Plaid's aggregator tool is the most common place I see this pop up in real life for ACH)
3 comments

I personally have _no idea_ what the security posture of Plaid is. I know they're a startup and made a bit of noise a few years ago, but if I was trying to buy something and a third party app popped up saying, "hey, give me total access to withdraw directly from your bank account for a sec", why on earth would I say yes to that?

It also seems to go against common security advice. "Never log into your bank account if redirected by a website you sort of, but don't really, trust, except sometimes it's alright and it's up to you to tell the difference" is a terrible way to secure banking.

In fairness they redirect you to your bank to log in, you authorize the application (which can be revoked at any time), and then they redirect you back with tokenized information. (In fact it's kind of a pain point that when I use Plaid to link my bank for e.g. reimbursement deposits from my FSA/HSA, it has tokenized the account numbers so I can't actually tell which account is which.) I guess I get for less savvy users why that might look scary, but the alternative is... keying your account number directly into a merchant's system for ACH, which is actually scary (and the default on many government websites, which I actually trust less!)
Nowadays Plaid uses OAuth for many banks, but the real problem is and always has been that they get full access to your transaction data and pass it on to their users.
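The two comments above describe the redirect-based flow (log in at the bank, consent, get sent back with a token) and the scope concern (the aggregator ending up with full transaction access). The following is an added illustration, not code from any commenter and not Plaid's or Trustly's implementation: a toy OAuth-style authorization-code exchange in which the bank holds the password, issues a one-time code bound to the requesting client, enforces the granted scope on every API call, and honours revocation. All names, scopes, account data and the bank/aggregator classes are hypothetical and constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample bank data; one account holder, hypothetical values.
BANK_USERS = {
    "alice": {
        "password": "correct horse",
        "balance_cents": 123_456,
        "transactions": [
            {"date": "2024-01-03", "amount_cents": -1250, "memo": "coffee (constructed)"},
        ],
    }
}


@dataclass
class Bank:
    """Toy authorization server standing in for the bank's OAuth endpoint."""
    codes: dict = field(default_factory=dict)   # one-time code -> (user, client_id, scope)
    tokens: dict = field(default_factory=dict)  # access token -> {user, scope, revoked}

    def login_and_consent(self, username, password, client_id, scope):
        # Step 1: the user authenticates at the bank; the aggregator never sees the password.
        user = BANK_USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, frozenset(scope))
        return code

    def exchange_code(self, code, client_id):
        # Step 2: the aggregator swaps the one-time code for a scoped access token.
        username, issued_to, scope = self.codes.pop(code)  # KeyError on reuse
        if issued_to != client_id:
            raise PermissionError("code issued to a different client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": username, "scope": scope, "revoked": False}
        return token

    def api(self, token, resource):
        # Step 3: every call is checked against the token's scope and revocation state.
        t = self.tokens.get(token)
        if t is None or t["revoked"]:
            raise PermissionError("token invalid or revoked")
        if resource not in t["scope"]:
            raise PermissionError(f"token not scoped for {resource}")
        user = BANK_USERS[t["user"]]
        return user["balance_cents"] if resource == "balance" else user["transactions"]

    def revoke(self, token):
        # The account holder can cut off the aggregator at any time.
        if token in self.tokens:
            self.tokens[token]["revoked"] = True


@dataclass
class Aggregator:
    """Toy third-party client; it only ever handles codes and tokens, never the password."""
    client_id: str
    bank: Bank
    pending: dict = field(default_factory=dict)  # state -> requested scope

    def start_link(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending[state] = tuple(scope)
        return {"redirect_to": "https://bank.example/authorize", "state": state, "scope": scope}

    def callback(self, code, state):
        # Reject any callback carrying a state value this client did not issue.
        if state not in self.pending:
            raise PermissionError("unknown state")
        self.pending.pop(state)
        return self.bank.exchange_code(code, self.client_id)


def run_flow(requested_scope=("balance",)):
    """Run the whole exchange once and report what the aggregator could and could not do."""
    bank = Bank()
    agg = Aggregator(client_id="aggregator-demo", bank=bank)
    link = agg.start_link(requested_scope)
    # The user is now at the bank's site; only the bank sees the password.
    code = bank.login_and_consent("alice", "correct horse", agg.client_id, link["scope"])
    token = agg.callback(code, link["state"])
    results = {"balance": bank.api(token, "balance")}
    try:
        results["transactions"] = bank.api(token, "transactions")
    except PermissionError as err:
        results["transactions"] = str(err)
    try:
        bank.exchange_code(code, agg.client_id)
        results["code_reuse"] = "accepted"
    except KeyError:
        results["code_reuse"] = "rejected"
    bank.revoke(token)
    try:
        bank.api(token, "balance")
        results["after_revoke"] = "still works"
    except PermissionError:
        results["after_revoke"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(("balance", "transactions")))
```

Running it with the default scope shows the aggregator reading the balance but being refused transaction history, being refused a second token for the same code, and losing access after revocation; only when the user grants the wider scope does the transaction list come back, which is the point the second comment makes about what a user is actually consenting to.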
If any site asks me for my bank login credentials, I run far away and start checking if I've made any security mistakes. So far PayPal's are the only credentials I'll enter after a redirect.
I went back and checked. It was not Plaid but Trustly. I've never heard of either before but Trustly's name makes me want to trust it even less than Plaid. And I'm more concerned about all of my personal information such as my transaction history for the past 90 days being siphoned up by yet another commercial entity that can probably profit more from it than the transaction fee they would have collected.