
> Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid.

But it's even worse than that. They're training their users to ignore the security advice that their banks and other web providers have been trying to teach them for years, which makes them more vulnerable to phishing attacks. As one of the commenters on GitHub said [1]:

> This is horrible, horrible, horrible, horrible, horrible practice. Any malicious actor can copy your design and present a perfectly genuine-looking Plaid input form and gather bank credentials from victims. There's absolutely no way to tell whether a Plaid input form is genuine without examining the HTML source of the page, which is far beyond the ability of almost all users. What good is your $1000 EV cert and your brand's hard-won trust if the user just sees Wacky Joe's Discount Dolphin Assholes, secured by letsencrypt.org in the area of the address bar where we've been telling them to look for a trusted name for about the last decade?

The commenter's next paragraph also bears repeating:

> You guys need to get your act together and realize that you're not in the business of hosting Wordpress blogs or building marketing pages for the latest Barbie Rides Horses Again game somehow still coming out for the Nintendo DS. You collect bank credentials. Re-read the previous sentence. Do it again. Essentially my entire net worth is kept in my Schwab brokerage account which shares the same login as my Schwab checking account. If someone gets my Schwab credentials and I don't notice before they empty me out, my life is over. You simply cannot half-ass security best practices for the sake of UX convenience.

[1] https://web.archive.org/web/20190415103059/https://github.co...
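The quoted comment says a bank-styled form can only be told apart from a genuine one by examining the page itself. The check that amounts to is: where would the password field actually be submitted, and is that origin one the user believes they are logging in to? The following is an added example (not code from the thread, from Plaid, or from any bank) that performs that check over form descriptors as they might be scraped from a page's DOM. All hostnames and form records are constructed placeholders.

```javascript
// Added example: report where each login form would submit a password and
// flag submissions that leave the origins the user believes they are using.
// Sample data below is constructed; hostnames are placeholders.

// Resolve a form's submission origin. Per the HTML spec, an absent or empty
// action attribute submits to the document's own URL, so resolve the action
// relative to the page URL. URL is a global in Node and in browsers.
function submitOrigin(pageUrl, action) {
  return new URL(action || "", pageUrl).origin;
}

// Classify one form. `trustedOrigins` is the Set of origins the user
// believes they are logging in to (the bank's own login hosts).
function classifyForm(form, trustedOrigins) {
  if (!form.hasPasswordField) {
    return { target: null, verdict: "no-credentials" };
  }
  const target = submitOrigin(form.pageUrl, form.action);
  const verdict = trustedOrigins.has(target)
    ? "first-party"
    : "credentials-leave-trusted-origin";
  return { target, verdict };
}

// Return only the forms that would hand a password to an untrusted origin,
// each paired with the origin it resolves to.
function untrustedCredentialForms(forms, trustedOrigins) {
  return forms
    .map((f) => ({ form: f, ...classifyForm(f, trustedOrigins) }))
    .filter((r) => r.verdict === "credentials-leave-trusted-origin");
}

// Constructed sample data: the bank's real login hosts.
const TRUSTED = new Set([
  "https://www.examplebank.test",
  "https://login.examplebank.test",
]);

// Constructed sample forms, as a DOM walk over <form> elements might yield.
const SAMPLE_FORMS = [
  // Genuine bank login: bank origin, relative action.
  { id: "bank-login", pageUrl: "https://www.examplebank.test/login",
    action: "/auth", hasPasswordField: true },
  // Bank-styled form hosted by a third party, submitting to itself.
  { id: "aggregator-link", pageUrl: "https://link.aggregator.test/oauth",
    action: "", hasPasswordField: true },
  // Page on the bank's origin whose form posts elsewhere (e.g. injected markup).
  { id: "injected", pageUrl: "https://www.examplebank.test/help",
    action: "https://collect.attacker.test/p", hasPasswordField: true },
  // Search box: no password field, not a credential form.
  { id: "search", pageUrl: "https://www.examplebank.test/",
    action: "/search", hasPasswordField: false },
];

const REPORT = untrustedCredentialForms(SAMPLE_FORMS, TRUSTED);
for (const r of REPORT) {
  console.log(`${r.form.id}: password would be sent to ${r.target}`);
}
```

Two caveats. The action attribute only describes a plain form submission; a script can read the fields and post them anywhere with fetch or XMLHttpRequest, so a real audit also has to look at the page's JavaScript and network traffic. And when the form is embedded in an iframe, the address bar shows the embedding page, not the frame's origin, so even this much is invisible to a user without developer tools, which is exactly the commenter's complaint.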




You mentioned EV certificates, but are those actually still meaningful? Troy Hunt wrote a series of articles [0][1][2] about the perceived value of Extended Validation certificates, and concluded that they were essentially useless.

Does anyone else have additional data for/against EV certs nowadays?

[0] https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas...

[1] https://www.troyhunt.com/extended-validation-certificates-ar...

[2] https://www.troyhunt.com/paypals-beautiful-demonstration-of-...


I completely agree, but having your life savings under the same login as your checking account is insanity. Maybe I'm overly paranoid but I wouldn't even log in to my broker from my phone.


You also might not want to keep your entire life savings in a single account. It's convenient, but also a single point of failure.

And if your life savings gets big enough, it might exceed the account balances that are protected by FDIC ($250K) or SIPC ($500K, I think).



