undefined | Better HN

0 pointscommoner4y ago0 comments

> Are you making claims without evidence?

No. Plaid did agree to pay the $58 million, and the lawsuit was for alleged data sharing with third parties without user consent. I don't care if they admit guilt or not. They agreed to pay $58 million to end the lawsuit, and that does not engender trust. Shifting the blame to banks doesn't make Plaid any more reputable.

Providing usernames and passwords of sensitive accounts to a third party is a privacy and security risk, and Plaid has not earned enough trust from me to justify the risk I would need to assume to use their services.

0 comments

westurner4y ago

How did their policies change before and after said settlement?

From https://my.plaid.com/help/360043065354-does-plaid-have-acces... :

> Does Plaid have access to my credentials?

> The type of connection Plaid has to your financial institution determines whether or not we have access to the login credentials for your financial account: your username and password.

> In many cases, when you link a financial institution to an app via Plaid, you provide your login credentials to us and we securely store them. We use those credentials to access and obtain information from your financial institution in order to provide that information, at your direction, to the apps and services you want to use. For more information on how we use your data, please refer to our End User Privacy Policy.

> In other cases, after you request that we link your financial institution to an app or service you want to use, you will be prompted to provide your login credentials directly to your financial institution––not to Plaid––and, upon successful authentication, your financial institution will then return your data to Plaid. In these cases, Plaid does not access or store your account credentials. Instead, your financial institution provides Plaid with a type of security identifier, which permits Plaid to securely reconnect to your financial institution at regularly scheduled intervals to keep your apps and services up-to-date.

> Regardless of which type of connection is made, we do not share your credentials with the apps or services you’ve linked to your financial institution via Plaid. You can read more about how Plaid handles data here.

What do you think this should say instead?

Do you think they use the same key to securely store all accounts, like ACH? Or no key, like the bank ledger that you're downloading a window of as CSV through hopefully a read-only SQL account, hopefully with data encrypted at rest and in motion.

When you download a CSV or a OFX to a local file, is the data then still encrypted at rest?

Again, US Banks can eliminate the need for {Plaid, Mint, } as the account data access middlemen by providing a read-only OAuth API. Because banks do not have a way to allow users to grant read-only access to their account ledgers, the only solution is to securely store the u/p/sqa. If you write a script to fetch your data and call it from cron, how can you decrypt the account credentials after an unattended reboot? When must a human enter key material to decrypt the stored u/p/sqa?

Here, we realize that banks should really have people that do infosec - that comprehend symmetric and assymetric cryptography - audits to point out these sorts of vulnerabilities and risks. And if they had kept current with the times, we would have a very different banking and finance information system architecture with fewer single points of failure.

commonerOP4y ago

I'm not interested in what Plaid puts in a help page, since Plaid's $58 million settlement is for alleged data sharing with third parties without consent, meaning that Plaid is accused of not properly communicating the alleged data sharing to its users or obtaining permission.

And Plaid's terms of service (https://plaid.com/legal/#how-we-use-your-information) contains vague catch-alls such as:

> We share your End User Information for a number of business purposes:

> With our data processors and other service providers, partners, or contractors in connection with the services they perform for us or developers

Sure, it would be great if banks offered different authentication systems, but that has nothing to do with my lack of trust for Plaid. A different authentication system wouldn't eliminate the data sharing concerns I have with Plaid.

westurner4y ago

Wow! Great work on an alternative.

j / k navigate · click thread line to collapse

0 comments

westurner4y ago

How did their policies change before and after said settlement?

From https://my.plaid.com/help/360043065354-does-plaid-have-acces... :

> Does Plaid have access to my credentials?

> The type of connection Plaid has to your financial institution determines whether or not we have access to the login credentials for your financial account: your username and password.

What do you think this should say instead?

When you download a CSV or a OFX to a local file, is the data then still encrypted at rest?

commonerOP4y ago

And Plaid's terms of service (https://plaid.com/legal/#how-we-use-your-information) contains vague catch-alls such as:

> We share your End User Information for a number of business purposes:

> With our data processors and other service providers, partners, or contractors in connection with the services they perform for us or developers

westurner4y ago

Wow! Great work on an alternative.

j / k navigate · click thread line to collapse