Plaid.com API flaw and major security concern (github.com/plaid)
9 points by chirau on Dec 23, 2018 | hide | past | favorite | 6 comments



I understand the concerns expressed here, but how about someone actually suggesting a solution to this issue?

The OAuth thing is not going to work. No bank will implement it, or even if a few do, it will not provide the coverage Plaid offers.

The banks are not on board - Plaid is basically providing API access without their consent.

Right now, the only real answer to this issue is that you ultimately need to trust the 4th party who is asking for your banking credentials - whether it be Venmo or some other party.

I develop systems for a finance product where we need 24/7 access to all banking activity in our clients' business bank accounts. Our entire business model depends on this. Our clients use a wide variety of banks. Plaid offers the only solution, and we offer the only solution out there for our clients. As a result, our clients just have to trust us.

Any suggestions on a practical solution?


This is a horrific idea.

I thought I was immune to this kind of exploit thanks to my technical knowledge. Not so, nearly. I once found a good price on skyscanner.com that directed me to a site called BookingHouse, which in turn used a "man-in-the-middle as a service" company called mistertango.com that proceeded to ask me for ... my e-banking credentials. I had to slam the mental brakes hard to avoid typing out my credentials on this page, and realised how vulnerable you are when you are conditioned to follow instructions as fast as you can (don't want to lose those sweet-priced tickets!).

This mistertango.com service even goes as far as "interactively" asking for your 2nd factor code! I thought it was surreal.

Notified BookingHouse, SkyScanner. No reaction.


While I’ve admired what Plaid is trying to do, this has been exactly my concern from day one. Why would I enter my credentials in just any third-party website? I’d rather do the 2 cent test deposit dance than enter my business banking details into a third party (exceptions being aggregators like Mint, Personal Capital, ETRADE, etc.).

The solution would have to be something like OAuth that directs me to the bank.

Update: I trust Plaid as the third party, but in this case it would be a “fourth party” website that uses Plaid.


Maybe someone should inform the banks, because they will not be happy when their customers' credentials get stolen.


The post is from 3 years ago, and as per GitHub the issue has been resolved. Not sure why it's been posted.


It is marked as closed but the issue was not resolved. Did you actually read the thread? Last post was 2 weeks ago.