Ask HN: Are you terrified of Plaid’s account verification approach? (2024)

56 points by YeBanKo on Sept 2, 2021 | 24 comments

As a consumer, aren't you terrified of Plaid's account verification approach?

Some time ago I wanted to connect my bank account to my old Coinbase account. Once I chose my bank, I was prompted to enter my online banking username and password. They use a service called Plaid, which requires your bank credentials (and a one-time code if 2FA is enabled) to verify your checking account. I was able to go with the ACH deposit verification route as an alternative, but it is not the default approach anymore.

This seems like a security and privacy nightmare. First, sharing your username and password is against the most basic principle we tell users: don't share your password! Even a text message with a verification code says not to share it! I'd be surprised if this also does not violate the terms of service for online banking.

Second, according to Plaid's help pages, they store credentials if the bank does not provide an API. Ideally, banks themselves should not store unhashed passwords, let alone third-party apps.

Third, it is a privacy nightmare. With such unlimited scope, they scrape everything; your entire financial history is available. And all this for what? To instantly verify a bank account? Their help pages and some comments from the founders state that they don't share/sell your info without explicit permission. They aren't now, but will they later? What if their monetization strategy changes? What if their new owner has a different view on privacy? Or I move to a state that has no CCPA analogue? Is it another service where I need to make sure to opt out of sharing, keep an eye on upcoming ToS changes, and wonder for how long they are going to keep my data?

I dug a little and discovered that Plaid is used by many in fintech: Coinbase, Robinhood, Venmo, Betterment, you name it. Maybe I was living under a rock for too long, but this password-sharing practice did not use to be mainstream. I have or had accounts with some of them, and I think deposit verification used to be the way a few short years back.

I know the US banks don't have any shared scoped authorization mechanism similar to OAuth2/OpenID Connect, and there is no easy way to instantly verify the account. ACH deposits can take a week. But do you really need to fund your Coinbase, Robinhood or Betterment account immediately? Is a week later too late? Isn't the whole spiel of Betterment and the like that "time in market" > "time the market", so a week later would not matter for your retirement? Sure, this approach can be sensible in some narrow use cases, when you indeed want them to have that unfettered access. But for the majority of consumers, I don't see how it is worth forming such a dangerous habit. However, I am almost certain that for fintech services there is a significant drop in conversion and an uptick in abandonment rate when they need a customer to come back in a few days to finish funding their account. Again, that seems not enough for the industry to be complacent about it.

Note: this is not a critique of Plaid or other services. Their security practices may be excellent, their code reviewed, tested and audited by third parties, etc., and there is a limited scope where it is sensible. I am shocked that this has become mainstream.

UPDATE: I am well aware of Mint and that it has been around for a while. The goal of Mint is to aggregate and manage your finances from one place. It may be that narrow use case where it can be justified given the current state of things. You want to give it full ongoing access because of the value it brings you. My beef is with it being normalized for the sake of a few-point conversion increase in a use case where it does not benefit the customer and another alternative exists.

g_p on Sept 2, 2021

It seems that increasingly, companies are asking users to break the golden rules of security they once preached (or are breaking them for users).

Once they were told to never under any circumstances share their password with anyone else. Now they're expected to tell whether it's OK to share their password with a third-party website or not. To the non-technical user, they were doing something else, then were asked for their banking login. They weren't trying to log into the bank, so their vulnerability to phishing is slowly increased by this pattern.

Similarly with "don't click links in emails you don't trust": now we have security notifications and email verification links arriving to approve logins, requiring users to click within 5 minutes to approve them. This breaks the "don't fall for time pressure" rule that users used to be trained with, too.

Even their email client is most likely hiding the email address of the sender and focusing on the (self-declared) sender name, and some are now masking the destination of URLs when hovered over (Outlook protection), making it near impossible for a user to tell what they're clicking.

Back to banks: it definitely is a poor workflow, and I share the same concern even where OAuth-style workflows are concerned. Users likely can't tell if it's the real bank website or not, so they're being trained to divulge their credentials on demand. This will help attackers over time, as users become even more willing to share this kind of information upon request!

ithinkso on Sept 2, 2021 | parent

> Once they were told to never under any circumstances share their password with anyone else.

That ship sailed a long time ago. I vividly remember, around 2010/2011, my friend opening a Facebook account in front of me, and it asked for his e-mail and his e-mail password, which he gave without blinking.

I was stunned; I couldn't believe my eyes.

YeBanKo on Sept 2, 2021 | root | parent

Oh yeah, I remember this. I think LinkedIn did the same. They desperately wanted to find your connections. Those were the times when Facebook used plain HTTP and everyone in the coffee shop next to you could read your messages.

smt88 on Sept 2, 2021

This method of banking data access (storing credentials and then screen-scraping the website) has been used at least since 2009. That's when Mint.com was founded.

It's very common in the US, 100% legal, and allowed by the banks.

In fact, I once worked on a project where a major bank paid us to write a Plaid-like scraper for their own website because their internal systems were such a disaster.

It's definitely not great, but it's currently the only way to exfiltrate US banking data. If it bothers you, consider switching to a bank with an API that Plaid can use instead.

More info: https://plaid.com/open-banking/

szszrk on Sept 2, 2021 | parent

And it should be banned by law. It's a security nightmare for users and a major pain in the ass from a bank's perspective as well (I worked in one that was scraped kind of that way).

I'm happy my region is mostly free of those practices, and attempts are publicly shamed. PSD2 in the EU did a lot of good to push companies to create actual APIs for their services as a mandatory requirement.

Edit: TLDR: I have simplified a few things, but basically it's the European "eIDAS" and it seems to work!

Currently in Poland there is a "my id" kind of service run by the government. You can create an account there and manage some of your own data, like sending a formal message to any office, checking your public health procedure history, the status of vehicles owned, etc. It's not perfect, but it's growing.

Such an account can be verified by our "IRS", for instance.

You can also skip verifying the account by logging into that "my id" service using a bank account you already have. At least 10 major banks and 20 other services allow that. The idea is that they already checked your documents (or verified you in some other way) when creating your account.

The biggest surprise here is that it actually works. More or less a gift from the previous administration. We have a working ID infrastructure that basically anyone can use: owning some kind of account is basically required, and the most basic bank accounts are free by law.

So anyone using any of those 30+ services (major telecoms, banks, insurance) can authorize with any service that uses "my id". Now you have to be really stubborn to NOT be able to log into government sites, even without leaving your house at all.

qwerty456127 on Sept 2, 2021

I can't even say this is questionable; this is unacceptable. I can hardly believe this exists and wonder why it is allowed to. If I were a bank, I would block any attempts to access an account (or even put the whole account in quarantine) if I had any suspicion that it's someone other than its owner entering the password.

And the security itself is not my main concern; privacy is. A third party should not know what I do with my money.

mschuster91 on Sept 2, 2021

> With such unlimited scope, they scrape everything, your entire financial history is available.

This is exactly why the fintech industry pushed so hard for the PSD2 directive in the EU. The Schufa, the German version of Equifax (and just as bad...), even tried to advertise a "let us look at your financial history in your bank account and maybe we'll let you pass then". Fortunately, public outrage was immense and they had to retract their plans for now (https://www.tagesschau.de/investigativ/ndr-wdr/schufa-checkn...).

lmm on Sept 2, 2021

Much like the Keynes quote about sound bankers, a safe bank customer is not one who doesn't get hacked, but one who gets hacked in the same way at the same time as everyone else. So no, I don't worry about doing something "unsafe" with my bank details as long as it's something mainstream that everyone else is doing. If it goes wrong, the government will bail me out. It can't be less safe than paper cheques, which apparently the US still uses.

tialaramex on Sept 2, 2021

If your user authentication flow is WebAuthn, your users can't mistakenly give their credentials for your service to anybody, short of literally FedExing their physical security key to the bad guys.

In fact, even you can't give your users' credentials away; they're the only ones who have them.

This is of course intended to cure phishing, but it also ensures this Plaid scraping flow can't make sense.

YeBanKo on Sept 2, 2021 | parent

Banks still use text messages for two-factor, not even an authentication app. And it's been proven multiple times that stealing numbers is way easier than it should be. I don't expect banks to migrate to WebAuthn any time soon.

SAI_Peregrinus on Sept 2, 2021 | parent

I do wish banks used WebAuthn. But I don't expect them to start, they largely seem to rely on the ability to reverse transactions instead of avoiding illegitimate transactions in the first place.

SAI_Peregrinus on Sept 2, 2021

Yes. I assume Plaid will result in all my money getting stolen, with me having no recourse (the terms of service deny any recourse if you share your username/password and someone initiates a transfer using that) and/or my bank accounts being forcibly closed due to violating the ToS (via sharing username/password). So I don't use Plaid, or services which require it.

daydream on Sept 5, 2021

US banks are starting to implement OAuth (or OAuth-like) solutions. Bank of America and possibly Chase have solutions that have come online recently and are used by YNAB. (No relation to any of these three companies other than as a customer.)

BoHerfIIIJrEsq on Sept 2, 2021

From the moment some company put that Plaid process in front of me, I was horrified. I could hardly believe it existed. If somebody had wanted me to work on such a thing as a programmer, I would have refused. The existence and success of Plaid helped persuade me that in the technical solutions world, having good taste and morality is often a hindrance to business success. Plaid shouldn't exist. If somebody had the bad taste to bring it into existence, it should fail from non-use. But here we are.

logicalmonster on Sept 2, 2021

My issue with Plaid (and I'm not sure if I was doing something wrong) was not being able to connect to TDBANK unless I turned off 2FA temporarily on my bank account which is obviously a bad thing to do. They had some lawsuit drama back and forth before, so I'm not sure if the connection problems were related to that.

Regardless, I've quit using services that rely on Plaid. It's too much of a hassle and potential risk to deal with for me at the moment.

sys_64738 on Sept 2, 2021

If you give your username/password to a third party then it will be leaked and exploited. No amount of pretense that their so-called security will protect you will ever be foolproof. That they say they won't ever have it unencrypted is pure BS. All companies that promise this are liars. You will be hacked eventually. Don't give away your personal login details if you value any of your security or financial life.

sillycross on Sept 2, 2021

Please correct me if I'm wrong, but I vaguely recall Plaid actually directing me to my bank's webpage and asking me to input my username and password. So it seemed to me that it's similar to those "log in via your Google/Facebook/etc account" third-party authentication services.

Are you certain that the password/text auth code are sent to Plaid instead of the bank?

YeBanKo on Sept 2, 2021 | parent

It does that for banks that support it. Many don't. I want to say that the majority in the US don't.

sillycross on Sept 2, 2021 | root | parent

If what you said is true, honestly this is beyond imagination. Can't imagine what's gonna happen if they had a data leak.

nadagast on Sept 2, 2021

Yeah, when I first saw the flow, I was shocked...

vmception on Sept 2, 2021

Correct, it is a nightmare.

Stick with domestic wire transfers to and from crypto exchanges, if in the US.

Stay out of the market if domestic wire transfers are too expensive for you.

Ask HN: Are you terrified of Plaid’s account verification approach? (22)

Yes, screen-scraping is a security nightmare that should not exist, but that's what you get in the US. It's an example of where libertarian capitalism and free-market forces don't work. In Europe, open banking is government-regulated, and that's the only reason why banks dedicate resources to building an API.

wcoenen on Sept 2, 2021 | parent

It is also done in Europe by Sofort / Pay Now / Klarna. (It's all the same thing, there is some brand confusion because of takeovers and translation).

YeBanKo on Sept 2, 2021 | root | parent

Didn’t Klarna have problems with fraud, because their security assumptions did not scale well outside of Sweden?

FAQs

How to bypass Plaid verification? ›

How to bypass Plaid verification?
  1. From the Home screen, tap your account icon in the top left corner.
  2. Tap on Personalization & Data below Privacy & Legal.
  3. Tap Opt-out of transaction data sharing at the bottom of the screen.

Is Plaid bank account verification safe? ›

Plaid authenticates your financial information, permitting companies to transfer sensitive information securely. But is Plaid safe? Yes, it's considered safe to use. That's because it employs advanced security and encryption protocols to protect your data during transmission.

What is Plaid account verification? ›

What Is Plaid Bank Verification? Financial institutions use Plaid to view your financial data through your bank accounts. In a bank verification, these institutions will be able to see only information related to: Account balances and retrieve up to 24 months of transactions.

Should I give my credentials to Plaid? ›

Never give credentials to a third party.

The standard is to redirect the user to a login page on the website of the service providing the login. Plaid doesn't do this, instead providing the login form on their own website. Even worse, Plaid allows services to embed the form in their websites (as an iframe).

Should I allow Plaid to access my bank account? ›

Yes, Plaid is safe to use. Plaid uses some of the most advanced security and encryption methods available to safely connect your bank account to outside organizations.

How do I unlink my bank account from Plaid? ›

How do I disconnect my financial accounts from an app?
  1. Log in to your Plaid Portal account.
  2. From the Overview tab click the name of the app or service.
  3. Scroll down to Manage connections.
  4. Select Disconnect app.
  5. Review the information about what happens when you disconnect a financial institution from an app.

Why is Plaid asking for my bank password? ›

Why does Plaid ask to connect to my bank account? Plaid connects to your bank account so that it can create a secure connection between your financial institution and the applications that need financial information.

Can Plaid get hacked? ›

Plaid uses a highly secure cloud infrastructure with industry best practices for complete assurance. You will never have to worry about someone hacking your bank account!

Does Plaid monitor my bank account? ›

Unless you provide your consent for Plaid to establish these connections, Plaid does not access your financial data.

Is Plaid income verification safe? ›

With Plaid Income, consumers can now safely and securely verify their income through three different methods: Payroll Income – a consumer connects to their payroll or employer provider and Plaid retrieves their income straight from the source and provides it to the lender.

Why is venmo asking me to use Plaid? ›

Venmo uses Plaid to verify your bank account information and, periodically, your bank account balance to check if you have enough funds to cover certain transactions.

What apps use Plaid to connect to your bank? ›

Here's a run through of some popular saving and investment apps which are powered by Plaid:
  • Robinhood.
  • Acorns.
  • Digit.
  • Ellevest.
  • Qapital.
  • Atom.
  • Betterment.
  • Stash.
Dec 22, 2022

Why do I have to give Plaid my username and password? ›

We store those credentials and use them to access and obtain information from your financial institution in order to provide that information, at your direction, to the apps and services you want to use.

Can I remove Plaid? ›

In the upper-left of your Plaid Portal account, click the three horizontal lines to expand the menu. At the bottom of the menu, click Settings. Select Delete Plaid Portal account. Review the information provided and click Continue with account deletion.

Can I delete my Plaid account? ›

To delete your Plaid Dashboard account, contact Support. Note that deleting your account is irreversible. To remove a Plaid product or change pricing plans without deleting your entire account, submit a billing ticket to Support.

What is Plaid being sued for? ›

The lawsuit alleged Plaid took improper actions when securing the connection between users' bank accounts and the online app or service. A $58 million settlement was reached. Plaid allows consumers to link their bank accounts to financial services apps.

How does Plaid verify income? ›

You can verify a user's income via three products: Payroll Income: Retrieve income information from a user-connected payroll account. Document Income: Retrieve income information via a user-uploaded documents such as a pay stub or W-2 form. Bank Income: Retrieve income information from a user-connected bank account.

What does Plaid do with my financial data? ›

Once ownership of your accounts is verified, we securely retrieve your permissioned account information from your financial institution. We collect the data to power the services you've chosen and, when requested, securely share it with the app you're using and establish a secure connection that you control.

Which banks use Plaid? ›

  • Ally Bank.
  • Discover.
  • Fifth Third Bank.
  • Huntington Bank.
  • KeyBank.
  • M1 Finance.
  • Mos.
  • Navy Federal Credit Union.

What happens if my bank isn't on Plaid? ›

If you are unable to find your bank institution on Plaid, you will need to manually enter your bank account and routing numbers. This will allow Plaid to verify your account using micro-deposits in order to set up direct deposit. Plaid will match your information with what is on file at the financial institution.

Is it safe to verify my identity on Venmo? ›

Have you recently received a message asking you to verify your identity on Venmo? Has the payment app asked you to verify information like your Social Security number (SSN), address and other personal information? If so, it's not a scam.

Do you have to use Plaid for Venmo now? ›

Venmo: The mobile app for peer-to-peer payments and money transfers requires you to verify a bank account through Plaid by entering a username and password for an online bank account.

How do you know if you're getting scammed on Venmo? ›

When You're Selling Something To A Stranger
  1. A scammer may ask you to provide the item or service without actually paying you legitimate funds.
  2. A scammer may send screenshots of fake emails that make it seem like they've paid you on Venmo when they haven't actually made a payment.
Nov 30, 2022

What accounts are linked to Plaid? ›

What is Plaid?
  • Venmo (peer-to-peer payments)
  • Betterment (automated investing)
  • Chime (online banking)
  • Dave (earned wage access)
  • And thousands more...

What banking apps don't use Plaid? ›

Cash Advance Apps That Don't Use Plaid
  • B9 Advance. B9 Advance is a membership-based cash advance app that allows you to access up to 100% of your paycheck instantly once your account is set up. ...
  • CashMaster. ...
  • Line. ...
  • DailyPay. ...
  • Dave.
Nov 8, 2022

Which websites use Plaid? ›

In addition to the aforementioned apps, some other popular apps that Plaid powers include Chime, Mint, Betterment, and NerdWallet. You might've already received an email alerting you about the class action lawsuit, and if you have, make sure to submit your claim by April 28th, 2022.

Can Cash App be verified through Plaid? ›

Yes. You can use Cash App with Plaid. When you use Plaid to add your bank details to Cash App or any other app, your information is securely transmitted and verified. To do this, Plaid uses advanced encryption technology and multi-factor authentication.

Can I cash out without Plaid? ›

Do I have to use Plaid to use Cash App? Yes, you can use Cash App without Plaid. The application has ways to bypass Plaid if you prefer to use it directly from your bank account. To add your bank details manually, you must link your debit card to Cash App, which is connected to your bank account.

How do you manually enter a bank on Plaid? ›

Linking a bank account manually using micro-deposits
  1. When you reach the Plaid connection section of the Invoice2go Money onboarding application, select the Manual option.
  2. Enter your routing number.
  3. Enter your account number.
  4. Select whether the account is a personal or business account.

How long does it take Plaid to verify your bank account? ›

Plaid will make a single micro-deposit and then automatically verify it within one to two business days. You can try out the Automated Micro-deposits flow in Link Demo.

Why is Cash App asking me to use Plaid? ›

Connecting your bank account through Plaid ensures that your bank information is correct and that you will receive your payments without unnecessary delays due to incorrect bank account information.

Does Zelle use Plaid? ›

Plaid takes your account information, encrypts it, and then gives it to apps like Zelle and Cashapp so you can easily make transactions or view account information.

How do I bypass Plaid verification on Cash App? ›

Cash App uses Plaid, but you can bypass the Plaid requirement by linking your account manually or using your debit card to connect to Cash App. You don't have to link a bank account at all: you can use your Cash App card to withdraw funds through an ATM.


Author: Dong Thiel
