[clickety_clack]

I personally have _no idea_ what the security posture of plaid is. I know they're a startup and made a bit of noise a few years ago, but if I was trying to buy something and a third party app popped up saying, "hey give me total access to withdraw directly from your bank account for a sec", why on earth would I say yes to that?

It also seems to go against common security advice. "Never log into your back account if redirected by a website you sort of, but don't really trust, except sometimes its alright and it's up to you to tell the difference" is a terrible way to secure banking.

[eastbayjake]

In fairness they redirect you to your bank to login, you authorize the application (which can be revoked at any time), and then they redirect you back with tokenized information. (In fact it's kind of a pain point that when I use Plaid to link my bank for eg reimbursement deposits from my FSA/HSA, it has tokenized the account numbers so I can't actually tell which account is which.) I guess I get for less savvy users why that might look scary but the alternative is... keying your account number directly into a merchant's system for ACH, which is actually scary (and the default on many government websites which I actually trust less!)

[lxgr]

Nowadays Plaid uses OAuth for many banks, but the real problem is and always has been that they get full access to your transaction data and pass it on to their users.