
Plaid Deletes GitHub Issue Exposing Imitation of Bank Login UIs - sammnaser
Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid. This issue was addressed in this GitHub issue (archived from the Wayback Machine): http://web.archive.org/web/20190415103059/https://github.com/plaid/link/issues/68

The GitHub issue has since been deleted, as shown here: https://github.com/plaid/link/issues/68. I'm hoping this isn't a repost, but this behavior seems ridiculous to me, and I'm hoping to bring it to wider attention (if it isn't already).

Edit: post flagged for some reason. Oh well.
======
whockey
Hi all - co-founder of Plaid here. We're in the process of migrating this
repository and replacing it with a dedicated iOS SDK repo, JS SDK, and (soon
to be) Android SDK. However, I messed up the order of operations with this
migration and can empathize with the reaction. I personally chatted with a lot
of the commenters on the original issue before we did this and more than happy
to engage/get feedback from anyone else over email/phone/in-person. Feel free
to shoot me an email at william [at] plaid [dot] com if you want to chat/have
any feedback.

~~~
temp129038
No offense, but I think we’d all be better off with open bank API standards in
the US.

~~~
wexxx
Obviously. But why would banks ever do that? They see Robinhood, Lending Club,
Venmo, etc. as competitors. No way they're going to open up APIs to them unless
the government forces the banks to do it.

------
ryanackley
Here's my main beef with Plaid: a lot of times when you use it as an end user
you have no idea that you're giving one of Plaid's customers full history on
all of your transactions, accounts, credit cards, loans, etc. Plaid presents
you with a ToS that you will probably never read.

Compare that to something like "Sign-in with Google" or "Sign in with GitHub".
They put it in plain English exactly what the website you are signing into is
asking permission for, and you explicitly say I'm ok with that.

~~~
amluto
I wonder if an enterprising attorney general could try to go after Plaid for
CFAA violations. They are arguably making unauthorized, fraudulent access to
banks’ computer systems.

------
diggan
Seems to have happened not because they deleted that specific issue but
because they have disabled issues in general for that specific repository.
Take a look at [https://github.com/plaid/link](https://github.com/plaid/link)
and see there is no "Issues" tab. When doing that, it removes all existing
issues.

~~~
RyJones
as an owner of multiple orgs, I dislike that I can't disable new issues while
retaining history.

------
greenyoda
> Plaid imitates major bank account UIs in their login forms to make users
> more comfortable submitting their bank credentials to Plaid.

But it's even worse than that. They're training their users to ignore the
security advice that their banks and other web providers have been trying to
teach them for years, which makes them more vulnerable to phishing attacks. As
one of the commenters on Github said[1]:

> _This is horrible, horrible, horrible, horrible, horrible practice. Any
> malicious actor can copy your design and present a perfectly genuine-looking
> Plaid input form and gather bank credentials from victims. There's
> absolutely no way to tell whether a Plaid input form is genuine without
> examining the HTML source of the page, which is far beyond the ability of
> almost all users. What good is your $1000 EV cert and your brand's hard-won
> trust if the user just sees Wacky Joe's Discount Dolphin Assholes, secured
> by letsencrypt.org in the area of the address bar where we've been telling
> them to look for a trusted name for about the last decade?_

The commenter's next paragraph also bears repeating:

> _You guys need to get your act together and realize that you're not in the
> business of hosting Wordpress blogs or building marketing pages for the
> latest Barbie Rides Horses Again game somehow still coming out for the
> Nintendo DS. You collect bank credentials. Re-read the previous sentence. Do
> it again. Essentially my entire net worth is kept in my Schwab brokerage
> account which shares the same login as my Schwab checking account. If
> someone gets my Schwab credentials and I don't notice before they empty me
> out, my life is over. You simply cannot half-ass security best practices for
> the sake of UX convenience._

[1]
[https://web.archive.org/web/20190415103059/https://github.co...](https://web.archive.org/web/20190415103059/https://github.com/plaid/link/issues/68#issuecomment-440894224)

~~~
buckminster
I completely agree, but having your life savings under the same login as your
checking account is insanity. Maybe I'm overly paranoid but I wouldn't even
log in to my broker from my phone.

~~~
greenyoda
You also might not want to keep your entire life savings in a single account.
It's convenient, but also a single point of failure.

And if your life savings gets big enough, it might exceed the account balances
that are protected by FDIC ($250K) or SIPC ($500K, I think).

------
rhizome
_michaelckelly commented on Dec 7, 2018

@skierpage and @briangordon we appreciate your concerns, which is why our
compliance team vets anybody who uses Link. As to malicious knock-offs, this
is a matter that most successful companies look out for and deal with -- as we
and our security team do._

This person should not be allowed to provide services that use bank APIs. Who
should do the preventing? Banks.

------
temp129038
Plaid needs to be exposed as one of the most unethical companies in SV. If
people are worried about online privacy then they should really be worried
about a company that is so deceiving and makes it basically impossible to
revoke permissions on something as sensitive as access to your bank account
and transaction history once granted.

~~~
robot
can you revoke by changing your password?

~~~
temp129038
I’m not sure, but does it matter?

I take issue with a product that markets to consumers as an easy way to
_authenticate_ for the purpose of pulling or pushing funds, but is actually
_authorizing_ developers to scrape years of transaction history in 20 minutes,
my real time balance, my phone/email/address etc. without another level of
permission. It’s disgusting.

I just wanted an alternative to microdeposits to prove to an app that I own a
bank account, not give the app free range to steal all my bank data in the
process of doing so.

~~~
Nursie
In Europe we have PSD2 and similar things which are working towards much more
of an OAuth type of situation.

~~~
pbreit
In Europe there are industry consortiums working specifically on the account
access topic:
[https://www.openbankingeurope.eu/](https://www.openbankingeurope.eu/)

------
csswizardry
Hah. This is the only company that has ever f—ked me over. I’m a self-employed
consultant who flew out to SF to work with them and was told the gig was off
the working-day before we were set to begin. My lawyer said I absolutely had a
case but I’d need to be prepared to open an international lawsuit against them
(I’m UK-based) and I just couldn’t muster the effort. They got away with it.

They also quite cheerfully asked me ‘Hey! Next time you’re in the area we’d
love to look at working together?’ Classy.

------
wexxx
Not to downplay the security implications here, but Plaid has pretty much
changed finance. It’s a straightforward case of trading security / privacy for
functionality. Apps like Venmo, Robinhood, Wealthfront, and most every other
financial startup would not exist without Plaid.

------
TheSpiciestDev
This is the first time I'm hearing of Plaid, and is it actually something banks
have signed off on and are ok with? This whole thing looks to set a bad
precedent.

~~~
Aspos
Absence of open banking standards and regulation produces such monsters.

------
tzs
Since HN doesn’t turn URLs in text submissions into clickable links like it
does in comments, here are the URLs given for your clicking convenience.

[http://web.archive.org/web/20190415103059/https://github.com...](http://web.archive.org/web/20190415103059/https://github.com/plaid/link/issues/68)

[https://github.com/plaid/link/issues/68](https://github.com/plaid/link/issues/68)

------
BillinghamJ
I feel it's worth bearing in mind that this is normal to the point that the
financial regulator in the UK standardised the activity as part of the EU-wide
PSD2. It is being phased out in favour of open banking in the next couple of
years, now that there's a requirement for more OAuth-like approaches. (In
fact, Plaid just launched in the UK on the open banking APIs)

Banks are well aware that this is a thing and they're not that bothered.

If you want to see this improve, maybe push on US regulators to formalise it?

~~~
AnssiH
Here the Finnish Financial Supervisory Authority stated in Jan 2018 that this
practice is not allowed:

[https://www.finanssivalvonta.fi/en/regulation/interpretation...](https://www.finanssivalvonta.fi/en/regulation/interpretations/01_2018/)

------
homero
The scariest thing is whether they keep downloading transactions or just
verify I own the account, like they make you think they're doing.

~~~
carlineng
In today’s economy, data is the most valuable asset a company can own, and
financial/transaction data is the holy grail. I would be very surprised if
their current valuation could be justified purely on their subscription sales
alone.

------
rishirishi
Hard delete of an issue over closing it or closing comments... for such a
security sensitive issue... under the rug sweeping.

~~~
sschueller
Well, thanks to the fact that you can't delete anything off the internet it
will still be presented as evidence in court some day.

This confirms to me that staying as far away as possible from Plaid is the
right move.

~~~
rishirishi
What would you recommend for ACH bank account verification?

~~~
jamiek88
Micro deposits, while cumbersome and slow, work fine.

I don't believe access to all of my most personal data should be
‘frictionless’.

~~~
pbreit
Micro deposits definitely do not work fine. If banks offered an authenticated
way to confirm bank account & routing number instantly and without access to
txn history, would be much better.

------
Nursie
Plaid really do seem a little dodgy to me. In the UK they are effectively
offering a PSD2-API forwarding service, which seems very much against the
spirit of PSD2 and the open banking initiatives.

~~~
origamitang
It's very convenient. But also very expensive (maybe). The raw costs of getting
an AISP licence are about £1000 in the UK... but that's ignoring all of the
time and effort to understand PSD2, legals etc. But $500+/month for Plaid to do
it for you? I'm not sure. Sounds avoidable, like vendor lock-in to me.

------
reustle
I really hate that transferwise essentially requires me to use Plaid, yet they
don't support RSA keys!

------
samcday
This is depressing. It feels to me like the number of tech unicorns that have
been caught red handed doing something immoral/unethical/illegal is starting
to outweigh the ones that haven't.

