Plaid Deletes GitHub Issue Exposing Imitation of Bank Login UIs
169 points by sammnaser on June 8, 2019 | hide | past | favorite | 46 comments
Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid. This issue was addressed in this GitHub issue (archived via the Wayback Machine): http://web.archive.org/web/20190415103059/https://github.com/plaid/link/issues/68

The GitHub issue has since been deleted, as shown here: https://github.com/plaid/link/issues/68. I'm hoping this isn't a repost, but this behavior seems ridiculous to me, and I'm hoping to bring it to wider attention (if it isn't already).

Edit: post flagged for some reason. Oh well.




Hi all - co-founder of Plaid here. We're in the process of migrating this repository and replacing it with a dedicated iOS SDK repo, JS SDK, and (soon to be) Android SDK. However, I messed up the order of operations with this migration and can empathize with the reaction. I personally chatted with a lot of the commenters on the original issue before we did this and more than happy to engage/get feedback from anyone else over email/phone/in-person. Feel free to shoot me an email at william [at] plaid [dot] com if you want to chat/have any feedback.


I don't think people are upset about the repo being "archived" and having lost access to the issue, per se. I think people are (justifiably) furious because you offer a product which is fundamentally insecure in its current state and seem to refuse to fix it. And it's not that websites which are using your product are susceptible to attacks, but that a malicious website can impersonate your product and it will be indistinguishable from a legitimate site. Let that sink in. A malicious website can be indistinguishable from a legitimate customer of yours, and users WILL enter their banking information. That is the heart of people's completely justified outrage here, and it's baffling that anybody on your security team could have possibly signed off on this. If people on your security team don't see the problem here they should be immediately fired and never work in the security field again. You guys better have some really expensive lawyers, because it feels like you are being criminally negligent here and should absolutely be held liable when some users inevitably have their lives destroyed as a result.


Can we get a way where we can centrally manage linked accounts? I have at least 5 apps that use plaid and I should be able to go to your website and see what authorizations I have enabled and disable them.


Yes! We're actually working on something in this space that I'm really excited about. If you shoot me an email I can get you on the beta and would love your feedback!


There’s no glory in being excited to launch a basic permissions/access panel for end users of an auth product that should’ve shipped on Day 1. Shameful.


Neat. I'll shoot you an email in a bit!


No offense, but I think we’d all be better off with open bank API standards in the US.


Obviously. But why would banks ever do that? They see Robinhood, Lending Club, Venmo, etc. as competitors. No way they're going to open up APIs to them unless the government forces the banks to do it.


So maybe Plaid will be what Venmo was to Zelle. I have been following this space for a while now. When Plaid came into the picture, it made Yodlee be more open. So maybe in 10 more years we will have open bank APIs.

They have been trying to get banks to have APIs for years with no luck -- OFX/OFC. Mint went their own way for scraping and Watsi died because they did NOT want to do scraping. I was actually surprised when 2 years ago Xero got a "direct integration" with Wells Fargo. Synapse got some funding a couple of days ago; one can certainly hope.


Here's my main beef with Plaid: a lot of times when you use it as an end user you have no idea that you're giving one of Plaid's customers full history on all of your transactions, accounts, credit cards, loans, etc. Plaid presents you with a ToS that you will probably never read.

Compare that to something like "Sign in with Google" or "Sign in with GitHub". They put it in plain English exactly what the website you are signing into is asking permission for, and you explicitly say I'm OK with that.


I wonder if an enterprising attorney general could try to go after Plaid for CFAA violations. They are arguably making unauthorized, fraudulent access to banks’ computer systems.


Seems to have happened not because they deleted that specific issue but because they have disabled issues in general for that specific repository. Take a look at https://github.com/plaid/link and see there is no "Issues" tab. When doing that, it removes all existing issues.


As an owner of multiple orgs, I dislike that I can't disable new issues while retaining history.


Indeed, I didn't notice that. In any case, the issue doesn't exist anymore, and the public discussion on this problem was wiped.


> Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid.

But it's even worse than that. They're training their users to ignore the security advice that their banks and other web providers have been trying to teach them for years, which makes them more vulnerable to phishing attacks. As one of the commenters on GitHub said[1]:

> This is horrible, horrible, horrible, horrible, horrible practice. Any malicious actor can copy your design and present a perfectly genuine-looking Plaid input form and gather bank credentials from victims. There's absolutely no way to tell whether a Plaid input form is genuine without examining the HTML source of the page, which is far beyond the ability of almost all users. What good is your $1000 EV cert and your brand's hard-won trust if the user just sees Wacky Joe's Discount Dolphin Assholes, secured by letsencrypt.org in the area of the address bar where we've been telling them to look for a trusted name for about the last decade?

The commenter's next paragraph also bears repeating:

> You guys need to get your act together and realize that you're not in the business of hosting Wordpress blogs or building marketing pages for the latest Barbie Rides Horses Again game somehow still coming out for the Nintendo DS. You collect bank credentials. Re-read the previous sentence. Do it again. Essentially my entire net worth is kept in my Schwab brokerage account which shares the same login as my Schwab checking account. If someone gets my Schwab credentials and I don't notice before they empty me out, my life is over. You simply cannot half-ass security best practices for the sake of UX convenience.

[1] https://web.archive.org/web/20190415103059/https://github.co...


You mentioned EV certificates, but are those actually still meaningful? Troy Hunt wrote a series of articles [0][1][2] about the perceived value of Extended Validation certificates, and concluded that they were essentially useless.

Does anyone else have additional data for/against EV certs nowadays?

[0] https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas...

[1] https://www.troyhunt.com/extended-validation-certificates-ar...

[2] https://www.troyhunt.com/paypals-beautiful-demonstration-of-...


I completely agree, but having your life savings under the same login as your checking account is insanity. Maybe I'm overly paranoid but I wouldn't even log in to my broker from my phone.


You also might not want to keep your entire life savings in a single account. It's convenient, but also a single point of failure.

And if your life savings gets big enough, it might exceed the account balances that are protected by FDIC ($250K) or SIPC ($500K, I think).


michaelckelly commented on Dec 7, 2018

@skierpage and @briangordon we appreciate your concerns, which is why our compliance team vets anybody who uses Link. As to malicious knock-offs, this is a matter that most successful companies look out for and deal with -- as we and our security team do.

This person should not be allowed to provide services that use bank APIs. Who should do the preventing? Banks.


Plaid needs to be exposed as one of the most unethical companies in SV. If people are worried about online privacy then they should really be worried about a company that is so deceiving and makes it basically impossible to revoke permissions on something as sensitive as access to your bank account and transaction history once granted.


Looks like Betterment & Wealthfront use plaid, which could affect many on HN [1][2].

[1] https://www.quora.com/Why-doesnt-Betterment-or-Wealthfront-u...

[2] https://www.investmentnews.com/article/20190108/FREE/1901099...


Probably so, but if you look at all the large recent successes in SV, all of them have had serious moral and legal lapses. As they are well funded and have powerful friends, they have thus far avoided jail time.

So my cynical view is that Plaid is just playing a game of doing what works and has proven to work. I am not excusing their bad behavior, just trying to point out what's motivating it. Robbers will always rob, and cheaters will always cheat, but we as a society need to make it less profitable to rob and cheat--and not just for the lower classes, for the elites as well.

Rahm Emanuel wrote on this recently in The Atlantic, and then shortly thereafter took a well-paid job in financial services. So I guess, more "do as I say, not as I do."

https://www.theatlantic.com/ideas/archive/2019/05/middle-cla...


To revoke access, change your bank password. My biggest concern with any of the bank API providers is who they use to scrape the banks. Most are offshore, outside the reach of US law enforcement or the court system.


Can you revoke by changing your password?


I’m not sure, but does it matter?

I take issue with a product that markets to consumers as an easy way to authenticate for the purpose of pulling or pushing funds, but is actually authorizing developers to scrape years of transaction history in 20 minutes, my real time balance, my phone/email/address etc. without another level of permission. It’s disgusting.

I just wanted an alternative to microdeposits to prove to an app that I own a bank account, not give the app free rein to steal all my bank data in the process of doing so.


In Europe we have PSD2 and similar things which are working towards much more of an OAuth type of situation.


In Europe there are industry consortiums working specifically on the account access topic: https://www.openbankingeurope.eu/


Hah. This is the only company that has ever f—ked me over. I’m a self-employed consultant who flew out to SF to work with them and was told the gig was off the working-day before we were set to begin. My lawyer said I absolutely had a case but I’d need to be prepared to open an international lawsuit against them (I’m UK-based) and I just couldn’t muster the effort. They got away with it.

They also quite cheerfully asked me ‘Hey! Next time you’re in the area we’d love to look at working together?’ Classy.


Not to downplay the security implications here, but Plaid has pretty much changed finance. It’s a straightforward case of trading security / privacy for functionality. Apps like Venmo, Robinhood, Wealthfront, and most every other financial startup would not exist without Plaid.


This is the first time I'm hearing of Plaid. Is it actually something banks have signed off on and are OK with? This whole thing looks to set a bad precedent.


Absence of open banking standards and regulation produces such monsters.


Since HN doesn’t turn URLs in text submissions into clickable links like it does in comments, here are the URLs given for your clicking convenience.

http://web.archive.org/web/20190415103059/https://github.com...

https://github.com/plaid/link/issues/68


I feel it's worth bearing in mind that this is normal to the point that the financial regulator in the UK standardised the activity as part of the EU-wide PSD2. It is being phased out in favour of open banking in the next couple of years, now that there's a requirement for more OAuth-like approaches. (In fact, Plaid just launched in the UK on the open banking APIs)

Banks are well aware that this is a thing and they're not that bothered.

If you want to see this improve, maybe push on US regulators to formalise it?


Here, the Finnish Financial Supervisory Authority stated in Jan 2018 that this practice is not allowed:

https://www.finanssivalvonta.fi/en/regulation/interpretation...


The scariest thing is whether they keep downloading transactions or just verify I own the account, like they make you think they're doing.


In today’s economy, data is the most valuable asset a company can own, and financial/transaction data is the holy grail. I would be very surprised if their current valuation could be justified purely on their subscription sales alone.


Hard delete of an issue over closing it or closing comments... for such a security sensitive issue... under the rug sweeping.


Well, thanks to the fact that you can't delete anything off the internet it will still be presented as evidence in court some day.

This confirms to me that staying as far away as possible from plaid is the right move.


What would you recommend for ACH bank account verification?


Micro deposits, while cumbersome and slow, work fine.

I don't believe access to all of my most personal data should be ‘frictionless’.


Micro deposits definitely do not work fine. If banks offered an authenticated way to confirm bank account & routing number instantly and without access to txn history, it would be much better.
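The OAuth-style, open-banking linking that several comments in this thread contrast with Plaid's credential form (plain-English consent as in the "Sign in with Google" comment, a scope limited to account verification as the microdeposit reply asks for, and a user-facing revocation page as the first reply to the co-founder asks for) is shown here as an added, self-contained simulation of both sides. This is example code written for this page, not Plaid's, any bank's, or any open-banking standard's actual API; the endpoints, scope names, client id, redirect URI, and account values are all constructed assumptions. The point it demonstrates: the bank renders the login on its own origin, the app only ever holds a token whose scope it cannot widen, and the user can cut that app off without changing their password.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Plain-English consent text per scope, "Sign in with Google" style. Scope names
# are constructed for this example, not any bank's or Plaid's real API.
SCOPE_TEXT = {
    "account:verify": "Confirm that you own a checking account at this bank",
    "transactions:read": "Read your full transaction history",
}

class BankAuthServer:
    """Toy authorization server run by the bank: it owns the login page, so the
    third-party app never sees a password, only a scoped token it cannot widen."""

    def __init__(self):
        self.clients = {}  # client_id -> registered redirect_uri
        self.codes = {}    # one-time authorization codes
        self.tokens = {}   # access token -> grant record

    def authorize(self, client_id, redirect_uri, scopes, user, code_challenge, state):
        # Rendered on the bank's own origin after the bank has authenticated `user`;
        # the code is sent only to the registered redirect_uri and echoes `state`.
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(scopes), code_challenge)
        return [SCOPE_TEXT[s] for s in scopes], f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id, code, code_verifier):
        entry = self.codes.pop(code, None)  # pop: each code is usable exactly once
        if entry is None:
            raise PermissionError("unknown or already used code")
        cid, user, scopes, challenge = entry
        expected = hashlib.sha256(code_verifier.encode()).hexdigest()
        if cid != client_id or not hmac.compare_digest(expected, challenge):
            raise PermissionError("PKCE verification failed")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"client_id": client_id, "user": user,
                            "scopes": scopes, "revoked": False}
        return tok

    def list_grants(self, user):
        # What the user's own "linked apps" management page would show.
        return [g for g in self.tokens.values() if g["user"] == user and not g["revoked"]]

    def revoke(self, user, client_id):
        # Cut off one app without changing the bank password.
        for g in self.tokens.values():
            if g["user"] == user and g["client_id"] == client_id:
                g["revoked"] = True

class BankResourceServer:
    """Toy account API; every endpoint checks the token's scope, not just validity."""

    def __init__(self, auth):
        self.auth = auth

    def _require(self, tok, scope):
        g = self.auth.tokens.get(tok)
        if g is None or g["revoked"] or scope not in g["scopes"]:
            raise PermissionError(f"token lacks scope {scope}")

    def verify_account(self, tok):
        self._require(tok, "account:verify")
        return {"routing": "021000021", "account_last4": "6789"}  # constructed values

    def transactions(self, tok):
        self._require(tok, "transactions:read")
        return [{"date": "2019-06-01", "amount": -42.10, "memo": "constructed"}]

def blocked(fn, *args):
    # True if the call is refused with PermissionError.
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def link_account_demo():
    """The exchange from the app's side: ask for account:verify only, then show
    what that token can and cannot do, and that the user can revoke it."""
    bank = BankAuthServer()
    api = BankResourceServer(bank)
    bank.clients["budget-app"] = "https://budget.example/callback"  # constructed registration
    verifier = secrets.token_urlsafe(32)  # PKCE secret, never leaves the app
    challenge = hashlib.sha256(verifier.encode()).hexdigest()
    state = secrets.token_urlsafe(8)
    screen, redirect = bank.authorize("budget-app", "https://budget.example/callback",
                                      ["account:verify"], "alice", challenge, state)
    qs = parse_qs(urlparse(redirect).query)
    if qs["state"][0] != state:
        raise PermissionError("state mismatch: response not bound to our request")
    tok = bank.token("budget-app", qs["code"][0], verifier)
    results = {"consent": screen, "verify": api.verify_account(tok)}
    results["txn_blocked"] = blocked(api.transactions, tok)  # scope too narrow
    results["grants_before"] = len(bank.list_grants("alice"))
    bank.revoke("alice", "budget-app")
    results["grants_after"] = len(bank.list_grants("alice"))
    results["revoked_blocked"] = blocked(api.verify_account, tok)
    return results
```

Running `link_account_demo()` returns the consent text the user saw, the account details the narrow token could fetch, and flags showing that the same token is refused for transaction history and for everything once the user revokes the app. Because only a registered redirect URI ever receives the code and PKCE binds the code to the app that started the flow, a look-alike site cannot complete the exchange, and because the bank never hands its login form to the app, there is no third-party credential form for a look-alike to copy in the first place.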


Plaid really do seem a little dodgy to me. In the UK they are effectively offering a PSD2-API forwarding service, which seems very much against the spirit of PSD2 and the open banking initiatives.


It's very convenient. But also very expensive (maybe). The raw costs of getting an AISP licence are about £1000 in the UK... but that's ignoring all of the time and effort to understand PSD2, legals etc. But $500+/month for Plaid to do it for you? I'm not sure. Sounds like avoidable vendor lock-in to me.


Plaid is mainly US, where PSD2 does not apply. Banks sometimes get together to work on these topics but it rarely goes well (see OFX/OFC). What more frequently happens is a company like Plaid forces it and then works with banks to standardize.


I really hate that TransferWise essentially requires me to use Plaid, yet they don't support RSA keys!


This is depressing. It feels to me like the number of tech unicorns that have been caught red-handed doing something immoral/unethical/illegal is starting to outweigh the ones that haven't.



