Hacker News new | past | comments | ask | show | jobs | submit login

Plaid's product is absolutely absurd. Yes, please train your users to type their username and passwords into third party sites because they're given a legitimate looking sign-in box. US Banking infrastructure is so hopelessly bad that this is hack of a business is considered legitimate fin-tech.

My wallet was stolen and before I realized it was gone and could cancel my CCs some dude made like six obviously fraudulent purchases. No Chip and Pin - zero verification. US banking needs to be legislatively hard-reset.




I have a wallet attached to the back of my phone and it's the only thing I carry. Makes it tough to forget / not realize it missing since I need it so frequently.


So a single point of failure then?

It also means you are holding your cards on your time all the time you use your phone on the street, which is prime time for somebody to come and snag it out of your hand


it looks like a normal case, you can't see the cards.

not a single point at all, it's just a couple cards in the slot.


It's still a single point of failure.


So now if you lose your phone you also lose your wallet and are really screwed. It’s better to hedge your risk and keep important stufd in different places. It might increase the chance of losing something but mitigates the risk of losing everything. I think most people would prefer to mitigate the big risk instead of the small ones.


Also would make cancelling your cards harder if they were lost along with your phone?


I don't call banks, it's a terrible experience. I always use online chat or Twitter for that sort of thing.


I don't hear this type of criticism for Personal Capital or Mint, both of which collect credentials to catalog transactions.


HNers have been launching this criticism at Mint at least since I signed up for this website.

https://hn.algolia.com/?q=mint+password


This is just a bunch of questions asking how Mint stores the credentials; in the majority of these posts, nobody seems to be passing judgment.


Every time Plaid is mentioned on HN, people want to hate. My take is: don't use it if you're scared ?

A few of my friends were talking about Plaid the other day, and I told them I like the company/product, but "many people on HN hate it." They were perplexed and when I explained it was because you guys were nervous about entering your bank password into a third-party (yet reputable) company's interface (that's encrypted), they wrote it off as "being paranoid." Can't say I disagree...


Saying the company interface is encrypted so it's safe shows how effective this attack can be. One of the attacks would present you with a login box. You thin this is plaid and it is encrypted so it's safe so you enter your username/password. It turns out to be a different third party. Not to worry the hacker interface is encrypted as well. Another attack surface opened up involves data breaches at plaid where company employee dumps access to everyone.

It is probably the one thing you can do today that will at some point cause you lose money from your bank account.

It is not even paranoid. It's a bad idea to leave your bank access codes with someone else.

The less people understand how things work the more likely they are to trust it. This just opens up a new avenue for exploitation.


The point is not, I think, that Plaid is sketchy but that the banking infrastructure is so poor that you can build a billion dollar business based on screen scraping. There is a clear and obvious need for better API integration to banks but the banks themselves have been incredibly slow to provide this.


I've never used plaid, but in Germany there's a (I guess) similar service, Sofortüberweisung.

My problem with these services is not that I don't trust them - I know how bad banking IT is, they can't be much worse. What bothers me, is that they teach users that it's okay to enter your credentials into third party sites, a recipe for disaster.


“Encrypted” is not the same as “secure” and in practice knowing that data is encrypted gives you virtually zero useful information toward knowing if your data is secure.

I previously worked at a “reputable” company whose main product stores usernames and passwords for third-party sites. It’s a conceptually-similar product to what Plaid offers, but in a different problem space. These passwords were encrypted.

And yet:

* any developer or ops member could trivially have dumped the entire plaintext dataset

* there were multiple bugs discovered that would have allowed dummy accounts to quickly, trivially, and remotely dump the entire plaintext dataset

* if these bugs had been exploited, we would have had no way to know past a few weeks due to log rotation policies

* administrator passwords to systems were often just single English words

If anyone with ill intent had looked at this product for more than an hour, they likely would have discovered some of the bugs mentioned; one was pretty much just a

    GET /accounts/$i/passwords.csv
I have no particular information regarding Plaid that would lead me to expect they’re anywhere near this bad. I also have no particular reason to believe they aren’t this bad, but in my experience as a infosec engineer, the overwhelming majority of companies—even “reputable” ones—are far closer to the shitshow end of the spectrum than they are to the competent end when it comes to security. Even if they are competent it’s not that big a reassurance, because competent companies still get popped with depressing regularity. It still often just takes one mistake from a well-meaning engineer to introduce a severe security vulnerability, even in a company that generally takes security seriously.

Combine this with the consequences of a breach: if your credentials are stolen from Plaid and used to steal money from you, your bank, brokerage, or other financial institution can point to your use of this product as cause to deny your claim to have your funds returned. Essentially, they can point to Plaid as a violation of their terms of service, and hold you on the hook for any losses as you voluntarily gave your credentials to a third party.

Hell, even if Plaid isn’t breached and your account is compromised through other means, they can use the logs from Plaid regularly logging into your account to make the same case.


It shouldn't need your password. Better systems are possible that grant various forms of access without effectively giving them 'root', and such systems preserve your own protections.

See PSD2 in the EU, for example.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: