Ask HN: Aren't you terrified of Plaid account verification approach?
31 by YeBanKo | 10 comments on Hacker News.
As a consumer, aren't you terrified of Plaid account verification approach? Some time ago I wanted to connect my bank account to my old Coinbase account, once I chose my bank I was prompted to enter my online banking username and password. They use the service called Plaid, that requires your bank credentials (and one time code if 2F is enabled) to verify your checking account. I was able to go with ACH deposit verification route as an alternative, but it is not default approach anymore. This seems like a security and privacy nightmare. First, sharing your username and password is against the most basic principle we tell the users. Don't share your password! Even a text message with the verification code says not to share it! I'd be surprised if this also does not violate terms of services for online banking. Second, according to Plaid help pages they store credentials if bank does not provide an API. Ideally, banks themselves should not store unhashed passwords, let alone third party apps. Third, it is a privacy nightmare. With such unlimited scope, they scrape everything, your entire financial history is available. And this all for what? To instantly verify a bank account? Their help pages and some comments from the founders state that they don't share/sell your info without explicit permission. They aren't now, but will they later? What if their monetization strategy changes? What if their new owner has a different view on privacy? Or I move to the state that has no CCPA analogue? Is it another service where I need to make sure to opt out of sharing and keep an eye on upcoming TS changes and wonder for how long they are going to keep my data? I dug a little bit and discovered that Plaid is used by many in fintech: Coinbase, Robinhood, Venmo, Betterment, you name it. Maybe I was living under a rock for too long, but this password sharing practice did not use to be mainstream. I have or had accounts with some of them and I think deposit verification used to be the way few short years back. I know the US banks don't have any shared scoped authorization mechanism similar to OAuth2/OpenID Connect and there is no easy way to instantly verify the account. ACH deposit can take a week. Though do you really need to fund your Coinbase, Robinhood or Betterment account immediately, is a week later too late? Isn't the whole spiel of Betterment and the likes that "time in market" > "time the market", so a week later would not matter for your retirement? Sure, this approach can be sensible in some narrow use case, when you indeed want them to have that unfettered access. But for the majority of consumers, I don't see how it is worthy of forming such a dangerous habit. However, I almost am certain, for fintech services there is a significant drop in conversion and uptick in abandonment rate, when they need a customer to come back in few days to finish their account funding. Again, seems to be not enough for the industry to be complacent about it. Note: this is not a critique of Plaid or other services, their security practices maybe excellent, their code reviewed, tested, audited by 3rd parties, etc and there is a limited scope when it is sensible, I am shocked that this becomes mainstream. UPDATE: I am well aware of Mint and that it has been around for a while. The goal of Mint is to aggregate and manage your finances from one place. It may be that narrow use case, where it can be justified given the current state of things. You want to give it full ongoing access, because of the value it brings you. My beef is with it being normalized for the sake of few point conversion increase in the use case, when it does not benefit the customer and another alternative exists.
0 Comments