
Plaid.com API flaw and major security concern - chirau
https://github.com/plaid/link/issues/68
======
aiisahik
I understand the concerns expressed here, but how about someone actually
suggesting a solution to this issue?

The oauth thing is not going to work. No bank will implement it or even if a
few do, it will not provide the coverage Plaid offers.

The banks are not onboard - Plaid is basically providing API access without
their consent.

Right now, the only real answer to this issue is that you ultimately need to
trust the 4th party who is asking for your banking credentials - Whether it be
Venmo or some other party.

I develop systems for a finance product where we need 24/7 access to all
banking activity in our clients' business bank accounts. Our entire business
model depends on this. Our clients use a wide variety of banks. Plaid offers
the only solution and we offer the only solution out there for our clients. As
a result, our clients just have to trust us.

Any suggestions on a practical solution?

------
clon
This is a horrific idea.

I thought I was immune to this kind of exploit thanks to my technical
knowledge. Not so, nearly. I once found a good price on skyscanner.com that
directed me to a site called BookingHouse, which in turn used a "man-in-the-middle
as a service" company called mistertango.com that proceeded to ask me for ...
my e-banking credentials. I had to slam the mental brakes hard to avoid typing
out my credentials on this page, and realised how vulnerable you are when you
are conditioned to follow instructions as fast as you can (don't want to
lose those sweet-priced tickets!).

This mistertango.com service even goes as far as "interactively" asking for
your 2nd factor code! I thought it was surreal.

Notified BookingHouse, SkyScanner. No reaction.

------
atonse
While I've admired what Plaid is trying to do, this has been exactly my
concern from day one. Why would I enter my credentials in just any third party
website? I'd rather do the 2 cent test deposit dance than enter my business
banking details into a third party (exceptions being aggregators like Mint,
Personal Capital, E*TRADE, etc).

The solution would have to be something like OAuth that directs me to the
bank.

Update: I trust Plaid as the third party, but in this case it would be a
"fourth party" website that uses Plaid.

------
sschueller
Maybe someone should inform the banks, because they will not be happy when
their customers' credentials get stolen.

------
jo6gwb
The post is from 3 years ago and, as per GitHub, the issue has been resolved.
Not sure why it's been posted.

~~~
chirau
It is marked as closed but the issue was not resolved. Did you actually read
the thread? Last post was 2 weeks ago.

