Hacker News new | past | comments | ask | show | jobs | submit login

If you aren't comfortable with that you better not use any fintech apps like Cash App, Venmo, Wealthfront, Robinhood, any Intuit products, etc. These services use Plaid (like this app does) or similar APIs like Quovo, Yodlee, etc. Even financial institutions themselves like Citi Bank, American Express, Chime, PayPal, etc use these APIs to link your accounts.

And to be clear, the app itself never has access to your credentials. This all happens in an iframe that tokenizes your credentials.

Well of course I won't use anything like that! I find it mind-boggling that people even consider giving a third party their bank account login+password. It's like saying "yes, I want to be robbed of all my money, please take these credentials and spread them forth to whichever leaked data pile they might end up in".

My bank considers transactions done using login credentials to be final. There is no recourse if someone steals your money.

Last year an iOS mail application called "Spark" (otherwise a great app) decided to quietly upload my login and password to their cloud servers so that their servers can access my mail for me. I dropped the app immediately (https://jan.rychter.com/enblog/spark-email-app-why-i-dont-us...).

This should not be considered acceptable. If you want to let users authorize external access to account data, use Oauth2.

Plaid doesn’t let you transfer any money through their API, just read data. If Plaid gets compromised and your username and pass get leaked and used then most (all?) will detect the location change and confirm via SMS.

Which bank implements OAuth?

Every bank in the EU will have to have it or near equivalent very soon under the EU’s Payment Services Directive 2 which mandates API based access to accounts.

Sandboxes are already available under reasonable terms for many banks in for example Ireland.

*edit, first word

Most of the nordic countries in Euruope do through an entity called Nordic API Gateway.


Monzo bank in the UK uses OAuth 2.0 for its API: https://docs.monzo.com/#authentication

(disclaimer: I work here)

You likely are just going through the token system, not putting your details directly into the application. Next to nothing works like that.

You can transfer money in your bank without a second factor check? (an SMS with a code for instance?)

An my accounts do that by default (France), except for pre-approved recipients.

Interesting... I use Spark but when I authorized my gmail account I went through a Google Oauth flow, never entered my password into Spark itself.

If you used any IMAP accounts (not from Google), you would need to enter the password. And Spark will quietly send it to "the cloud" and keep it there, with servers accessing your mail whenever they please. This is kind-of mentioned in the Privacy Policy, but in a way that wasn't clear to me at all.

I found this unacceptable, so I can't use Spark, which I regret. I also lost trust for Readdle, so now, even though they make great apps, I am extra careful with handing them any sensitive information.

Storing the IMAP password is basically the same as storing the Gmail OAuth token in terms of access control, not sure why you think storing one is more evil or scarier than the other.

AFAIK Spark’s push notification service relies on checking for mail server-side (so that they don’t drain your battery with constant background refreshes, I suppose?), so I wouldn’t consider it sneaky.

Not sure, but I guess you can revoke an OAuth token and nothing changes for other apps (and you) on the Gmail/Google account side. On the other hand, if you have to change password...

1) Robinhood only has my routing number and account number.

2) The Cash app only has my routing number and account number.

3) PayPal only has my routing number and account number.

4) My credit card only has my bank’s routing and account number.

Despite these restrictions, the world keeps on spinning round and round.

I don't understand why TransferWise requires me to enter my bank username and password to verify my account. I believe it also uses Plaid behind the scenes, but I used to be able to select "other" bank and enter my routing and account number manually. But as soon as I do that it recognizes my bank and switches to the login screen and I have to abort because I don't want to give it to them. I contacted support and they were not helpful at all.

The project uses plaid. The pass is entered into plaid widget and never sent to me. I only get a key for reading user data through plaid. Payments are done by adding Dwolla to plaid. Also pretty secure and what i believe venmo uses

I in fact don't use any of those apps, partially because of that.

I don't, either. Bank bill pay handles most outgoing payments, and that comes with good guarantees. Everything else is on a credit card. I can get data out of the bank in spreadsheet format if it needs to go into some analysis program. Everything is online, but doesn't involve flaky third parties.

yes, financial apps need to be locally-installed and under your control (preferably open-sourced), for both security and privacy.

Correct move. Only you know your bankpass, even the machine generating it `forgets` after the printout

You list an amazing number of apps and services, but that doesn't seem to reassure me of the idea of giving up your credentials.

That's way too much enthusiasm for the new and shiny app, way too little awareness that in this world people are out to get what's yours, way too little concern for questionable security at every single layer of computing, way too much trust in the banking system, way too careless about the information about you that you give to strangers.

Not something that people I know who are good with money would do.

Wealthfront at least lets you select "my bank isn't in this list" (even if it is) and then you get the UI to enter your routing and account numbers. So no, it doesn't require your bank's user/pass.

I don't know why it isn't well-advertised, I wouldn't use it otherwise.

Out of the app you mentioned only Intuit products, TurboTax specifically asks for bank account password. The rest just use account number is ACH for verification.

Yep this behavior has been normalized by our industry, much to the embarrassment of everyone involved. Move fast and break (other people's) things?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact