
Plaid is terrible! Both Wells Fargo and Bank of America support API integration, but Plaid chooses to screen-scrape and does not work if you have 2FA enabled. Also, you can't even manually enter your bank information. In other words, even if you pay dearly to Plaid, you may block many users who use some of the top banks in the States! There are a bunch of services I cannot use because they rely solely on Plaid, and I'm not willing to disable 2FA! Maybe being Visa, it will make the whole service more meaningful if Visa pushes banks to integrate, because it's 2020, and giving your password for your bank to a third party, when there are APIs and OAuth/OpenID protocols available for banks.

The way Plaid works, I'm surprised that they hadn't already been shut down for breaking banks' TOS. It exposes the banks to so much liability for a product that's not even theirs.

I dislike Plaid & similar systems but I disagree.

Enforcing stupid & unreasonable ToS in court is a slippery slope that can be used against users.

You want to use an alternative client to export your data because the official client doesn't allow it? ToS violation and the developer of the alternative client gets sued.

Want to screen-scrape some website to automate some tedious manual behaviour? ToS violation and you get sued.


The ability to delegate some manual process (logging into online banking and getting the data) to a third-party (like Plaid) should be a right that we should defend.

Most manual processes, I agree, automate away. But not the ones that have negative implications for security. I don't care whether it's the TOS or some other means that's used to prevent pw sharing, but it should be prevented. It is the bank's duty to protect its users, not to tolerate services that actively discourage safe practices like 2fa.

In the EU, we're getting DSP2 [0] which requires banks to publish usable APIs to: get account information, and initiate money transfers. That's huge, though only at a baby stage for the moment.

[0] https://ec.europa.eu/commission/presscorner/detail/en/IP_15_...

This is a sham. You need to go through a certification process which costs $$$ before you can get access to those APIs even if the banking data is processed locally, which will only empower the incumbents while locking out open-source solutions and indie developers (remember that a lot of tools & products we use started as someone's side-project; this regulation locks those out by default).

At least with credential sharing & screen-scraping nobody can lock you out. Does it suck? Yeah. But I'd rather take a solution that sucks than no solution at all.

To me that depends on where the fraud risk lies.

In the UK, banks (in an attempt to encourage online banking) have a fraud guarantee related to losses from unauthorised access to online banking systems as long as you haven't given your credentials to a 3rd party.

Screen scraping, like plaid, obviously breaks that concept.

In that case it seems reasonable for the banks to have a ToS that says "no giving your credentials to third parties".

If there's no such guarantee and the user is on their own from a fraud loss perspective then I don't see a reason for enforcing that kind of ToS.

All that said, the idea of a transactional banking system being online with purely static credentials in 2020 is scary one. Decent 2FA should be used for any system that has a financial impact.

Some banks have tried, but Plaid has a great legal team and has argued with the move towards open banking in the EU that customers have a right to their data.

Will be interesting to see where this goes.

I’m excited to see Australia pushing through open banking APIs, reusing most of the UK/EU spec... but the implementation keeps getting pushed back and back and back. Mid 2020 now for initial roll out, it sounds like... so for now I’ll stick with Basiq [0] as it’s Australian focused and free for my particular use case at least. Unless others have some other suggestions? I need to connect to ING Direct.

[0] https://basiq.io

Worst is their suggestions to disable 2FA! I tweeted to them about it, and they seem to have removed it after that!

Wells Fargo's 2FA uses SMS. Hardly worth enabling.

I don’t know why you’re being downvoted. SMS 2FA is not safe, full stop.

Sure, SMS-based 2FA is not nearly as secure as other forms of 2FA. But unless you're targeted, SMS-based 2FA still helps add a layer of security against other issues like password re-use. Of course none of us do that either, but for the general public, I'd rather support SMS-based 2FA across the board than nothing at all.

For the average Joe it's good enough; no one is SIM swapping Bob who works at Walmart.

That's default, but you can buy an RSA hardware token.

Like this one [1]? Seems that it is not necessarily better than SMS.

[1] https://news.ycombinator.com/item?id=4156897

There is an actual, material difference between having no 2FA (guess passwords until you get in), SMS 2FA (have a human person call a phone provider and have the number switched), and token 2FA (given the physical device and a few hundred attempts, you're able to make another device that also authenticates). Saying you might as well not enable 2FA because a token cloning attack exists is ridiculous.

And it's not even an attack on the OTP token.

This is why I never wanted to use Mint, although maybe Mint is better about this now.

I've also seen online mortgage applications ask for banking and retirement account passwords for the purpose of automated form-filling. It seems very shortsighted to give away your password to save 5 minutes filling out a form.

The nightmare scenario is that you give your bank account password to one of these screen scraping services, someone manages to hack them and empties your account, and you can't get the money back because giving away your password violates the terms of service for your online banking.

Mint used to sync with Chase and Wells Fargo through sketchy scraping, but those banks have since then integrated with Mint over APIs. Mint then disabled syncing until customers reestablished the connection with the new, more secure method (which I thought was a good move).

For a while they were using Yodlee for the backend (which did all sorts of weird stuff), but I think they rewrote it after Intuit bought them.

They definitely use Plaid or a similar service to scrape data. The few banks that offer APIs do have it.

I don't have issues with Mint. As somebody suggested, Intuit has the privilege of having a different level of access unlike Plaid - maybe due to the importance of QuickBooks to both individuals and businesses.

The cynical part of me is convinced that banks would want to secretly run and popularize this kind of service as honeypots for collecting passwords sharing violations as a future liability defense.

That’d probably risk a counter-suit for willful negligence.

In many cases, if the APIs are available _and support all the necessary features_, Plaid will work with the bank to use the APIs. Banks have chosen to withhold some info from the APIs that are available on the site, which prevents a full switchover. The other problem, of course, is the payment model: should Plaid pay banks for access to the data? Should banks have to make the APIs as fully featured as their site for external consumption?

Also worth noting that the largest of US banks do offer APIs, but a large swath of the rest do not, either due to proprietary systems, choosing not to use their processor-offered solutions, or simply avoiding risk.

So, Plaid will have to scrape for another few years, I suspect, until the banks catch up in the US to what we are seeing in UK and other places.

I work for a popular European competitor of Plaid, Tink (https://tink.com). We don't do screen scraping, but use the banks' own APIs. These days we also ride on the European bank directive "PSD2" which gives us the right to aggregate financial data from financial providers such as banks. That means we aren't breaking any Terms of Service with banks!

...and yes, we support 2FA. ;)

This is a lot easier because European banks all use similar APIs (as far as I've been informed). The US has no such bank API standardization in place. Most banks don't have APIs at all.

Note that an SSL_ERROR_BAD_CERT_DOMAIN is shown when trying to access tink.com at the moment. Says the certificate is only valid for cloudfront.net.

Edit: the website itself also returns a 403.

Weird. Works for me now. ¯\_(ツ)_/¯

Lancaster, England, Windows 10, Firefox, working perfectly for me as well.

Very cool! Maybe you could enlighten me as to why it seems that no one supports Transferwise? They have an API but all these services snub them.

Works for me. Chicago, IL, USA. Chrome 79.0.3945.117. User agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36. Running on Debian Linux 10.

Does Plaid actually "screen scrape" though? I thought they did the same thing (use the banks' APIs).

Apparently they don't seem to do it with all their integrations at least: https://www.insider.com/jpmorgan-announces-partnership-with-...

Not even close to true. We’re one of the larger clients with Plaid and that’s not on Plaid but the service provider to not provide a manual entry.

Plaid works great and we’ve run into next to no issues with customers linking Plaid.

It's actually pretty rare to not run into issues with Plaid.

It depends on your customers, too.

If you're targeting consumers, Plaid's integration works far better than if you're targeting business bank accounts.

No issues with customers linking Plaid.

If your company is ONLY supporting Plaid then your issue is that your smarter customers are leaving.

I can confirm this. I really want to use the trading platform Gemini but will never cave to Plaid.

Any organization that asks for your personal password is nefariously normalizing this behavior and building complacency in consumers to trust anyone with their private information.

I didn't sign up for Gemini for a similar reason - I couldn't add my BofA account. What's wrong with the old school "take a picture of a voided check"?

So, I'm imagining their errors and suggestions to turn off 2FA?

I need to go back and check, we might be in one of their test groups as I haven’t heard any issues with 2FA. We do a catch-all and based on the error, we prompt the user to manually provide their banking info to proceed.

Worth noting I don’t work for a financial services company so the use case is likely very different than the services you’re discussing.

Apologies if I came off strong, it appears I may be a one-off consumer as opposed to mainstream.

So, I guess, I'm not imagining things as I just tried again: https://ibb.co/KGMhFXF

Both Bank of America and Wells Fargo do technically have APIs, though they're limited in scope to corporate accounts for treasury purposes. I've applied for access to both and both declined even a sandbox account.

Think what you want about the EU, but sometimes they have good initiatives.


This is a sham. You need to go through lots of audits & other administrative BS in order to be declared an "AISP" even if you don't actually process banking data yourself and it never leaves the user's device.

Imagine PCI-DSS compliance but without the exception that you don't have to be PCI-compliant yourself if you don't touch card data and pass it directly to a PCI-compliant payment processor.

It might look dreary to you from a distance, but for us on the ground, it is working. My bank is already offering to show any other banks’ statements along my accounts.

It's only working for large, existing players, is his point. For me wanting to build automatic syncing to my budget tools, I'm still out of luck. They don't even let you access your own data.

That’s kind of expected, isn’t it? An integration you make could be potentially used/abused by others and must be thoroughly vetted. For personal use my bank offers daily CSV downloads.

> For personal use my bank offers daily CSV downloads.

Can you automate this? This is my point. Manual CSV exports are not a solution. Open Banking was supposed to solve this but it's a complete sham that is only there to make them look like they're doing something and benefit the existing incumbents.

Why is it a sham? TPPs (who are either AISPs and/or PISPs) process banking information for customers of participating banks. A TPP will typically provide some kind of service like a unified view of customer finances, and as part of that they're processing customer banking info.

It would be an unusual TPP where the data never left the customer's device. Usually there'll be a web service/web app provided by the TPP and the communications will be between the customer and the TPP and then the TPP and the bank (a.k.a. ASPSP).

Whilst it's not perfect, it's a hell of a lot better, from a security perspective, than 3rd parties getting full banking creds for customers.

> It would be an unusual TPP where the data never left the customer's device.

Why? The scenario you mention (providing a unified view of a person's multiple accounts & credit cards) can perfectly be done on the device itself and negates plenty of concerns regarding security, the need for a backend, etc. I personally made an app to display my balance & transactions on my Apple Watch. It's purely local and doesn't even have a backend. Yet, I can't actually launch it "by the rules" because I need to become an AISP even though I never come in contact with actual banking data.

> 3rd parties getting full banking creds for customers.

This is clearly a stop-gap solution until something better comes around, and frankly it isn't the worst solution if you trust the third-party. At least it becomes the user's choice whether to share credentials instead of the bank or some other entity deciding who can and can't have access based on potentially stupid or anti-competitive reasons.

Purely on a customer device would be extremely difficult as the OAuth keys for obtaining the consent would need to be stored on the device, which isn't a solution that scales past one user, from a security standpoint.

The problem of customer choice is that customers are very badly informed about the relative security of services, so there's a market for lemons. If the bank has no liability, that's possibly fine (although it could be argued the bank has some responsibility to advise the customer), but if the bank has any liability for issues resulting, then they get a say in the outcome.

Why wouldn't it be good from a security standpoint? How do social media clients do it then? As far as I know they do OAuth too and so hold the consumer key & consumer secrets inside the binary.

Leakage of the consumer secret/consumer key alone doesn't compromise security as you still need the access token and refresh token which are per-user.
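The exchange above turns on two questions: whether an app that ships its OAuth client credentials inside the binary is insecure, and why a leaked client secret is not enough to read anyone's account. The following is an added example, not code from the thread, Plaid, Tink or any bank. It simulates, in a single process, an OAuth 2.0 authorization-code flow with constructed client names, scopes and secrets, and it goes one step beyond the comments by using PKCE (RFC 7636), the mechanism designed precisely for public clients that cannot keep a secret on the user's device:

```python
"""Toy OAuth 2.0 authorization-code flow with PKCE (RFC 7636).
Everything is constructed and runs in-process: one authorization server,
one resource server, two registered clients. No real bank API is used.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Client registry (constructed). The on-device app is a *public* client
# with no secret at all; the hosted aggregator is *confidential*.
REGISTERED_CLIENTS = {
    "budget-watch-app": {"public": True},
    "aggregator-backend": {"public": False, "secret": "constructed-secret"},
}
_issued_codes = {}    # code  -> {client_id, user, scope, code_challenge}
_issued_tokens = {}   # token -> {user, scope}


def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(user: str, consented: bool, client_id: str, scope: str,
              code_challenge: Optional[str]) -> Optional[str]:
    """Front channel: the bank authenticates the user with whatever 2FA it
    requires, then asks for consent. A code is issued only on consent, and a
    public client must have bound the request to a PKCE challenge."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not consented:
        return None
    if client["public"] and not code_challenge:
        return None
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = {"client_id": client_id, "user": user,
                           "scope": scope, "code_challenge": code_challenge}
    return code


def token(client_id: str, code: Optional[str], code_verifier: Optional[str] = None,
          client_secret: Optional[str] = None) -> Optional[str]:
    """Back channel: redeem a single-use code for a user-bound access token.
    A confidential client authenticates with its secret; a public client
    proves it started the flow by revealing the verifier behind the
    challenge. Neither credential is usable without a code."""
    entry = _issued_codes.pop(code, None)          # single use
    if entry is None or entry["client_id"] != client_id:
        return None
    client = REGISTERED_CLIENTS[client_id]
    if client["public"]:
        if code_verifier is None or not hmac.compare_digest(
                s256(code_verifier), entry["code_challenge"]):
            return None
    elif client_secret is None or not hmac.compare_digest(
            client_secret, client["secret"]):
        return None
    tok = secrets.token_urlsafe(24)
    _issued_tokens[tok] = {"user": entry["user"], "scope": entry["scope"]}
    return tok


def read_balance(access_token: Optional[str]) -> Optional[dict]:
    """Resource server: returns data only for the consenting user's scope."""
    grant = _issued_tokens.get(access_token) if access_token else None
    if grant is None or "accounts:read" not in grant["scope"]:
        return None
    return {"user": grant["user"], "balance": 1234.56}   # constructed value


def device_client_flow(user: str) -> Optional[dict]:
    """Happy path for the public client: no embedded secret, just PKCE."""
    verifier = secrets.token_urlsafe(32)
    code = authorize(user, True, "budget-watch-app", "accounts:read", s256(verifier))
    return read_balance(token("budget-watch-app", code, code_verifier=verifier))


def leaked_secret_without_consent() -> Optional[str]:
    """The confidential client's secret has leaked, but the user never
    consented to the holder, so there is no authorization code to redeem."""
    return token("aggregator-backend", "no-such-code",
                 client_secret="constructed-secret")


def code_without_verifier(user: str) -> Optional[str]:
    """The failure mode PKCE exists for: a code reaches a party other than
    the client that began the flow. Without the verifier, which never left
    the user's device, the code cannot be redeemed."""
    verifier = secrets.token_urlsafe(32)
    code = authorize(user, True, "budget-watch-app", "accounts:read", s256(verifier))
    return token("budget-watch-app", code, code_verifier=secrets.token_urlsafe(32))


if __name__ == "__main__":
    print(device_client_flow("alice"))          # balance for the consenting user
    print(leaked_secret_without_consent())      # None
    print(code_without_verifier("bob"))         # None
```

The point the comment makes holds in this model: the client credentials only identify the application, while the thing that actually grants access is a code the authorization server issues after the bank's own login (2FA included) and the user's consent. A real authorization server would additionally authenticate confidential clients at the transport layer and issue short-lived access tokens alongside per-user refresh tokens, which are the per-user credentials the comment refers to.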

Truelayer (although a smaller company) is the equivalent of Plaid in the EU.

You generally need to have good relationships with banks for them to allow you to use their APIs.

> does not work if you have 2FA enabled

Plaid definitely works with BoA + 2FA, at least as of about a month ago when I had to use it.

Just tried again as I don't wanna be accused of making things up: https://ibb.co/KGMhFXF

What type of 2FA are you using? I have the default (SMS based) and it works for me.


Are you trying to use a business account or something? Otherwise I have no clue.

I have both a personal and a business account, but the login is the same, and they fail at the login level, not after I'm authenticated. One cannot tell what sort of accounts are behind the account before you successfully log in.

I have no idea then, it's worked for me in the past - Plaid asks me to give them the 2FA auth code I receive via text.

> and does not work if you have 2FA enabled

Certainly false, at least for Bank of America. Just yesterday I connected BofA to privacy.com using Plaid and it asked me to enter the SMS 2FA code.

It works only once as they relay the code for verifying account numbers. But it doesn't always work (both with BofA and Wells Fargo) and certainly not for continuous pulling of data.

Which is how 2FA is supposed to work. Perhaps they try to keep the session from timing out, but that is bound to break.

The solution is regulation to force banks to provide customer data over an API to an authorized third party (preferably with 2FA on that too, and other security mechanisms, like mutual auth, auditing the security and probity of the subscriber, etc.).

Scraping is such a 1990s solution, and Plaid's Uber-like disregard for rules made it a non-starter for anyone sensible.

Ironically, while it might get systematic integration with VISA, the privacy implications are far worse.

It doesn't - I tried again just to see if I was imagining things: https://ibb.co/KGMhFXF

You can now enter manual account and routing numbers with Plaid and they will handle micro-deposit verification. They also now support 2FA for many banks. Plaid is definitely not great in some areas, but there really isn't a good alternative if you want to aggregate your banking and transaction data. Not in the U.S.

Very few banks have publicly-accessible APIs, and when they do, they likely won't return consistent data. There simply isn't a standard in the U.S. There are literally thousands of banking systems in this country. As someone who helps run a fintech app, I can assure you there are significant numbers of people who are simply members of their local credit union with very limited technology.

I'm surprised they still scrape Bank of America. A few months back (maybe a year), when they really pushed their API integration over scraping, a bunch of services (QuickBooks, Mint, Privacy) required me to reauth on my BofA accounts.

I assumed this was because they were switching over to their API, and that was the only way to pull data now. I could be wrong, it just seems weird that 3 different sites made me reauthenticate within a month or so.

Are there any APIs out there that show the separate amounts a counter credit is made out of (for Bank of America accounts)? We wanted to use it for importing transactions into our system, but if several checks are deposited at once the amount would have to be split manually as it comes in as one transaction.

I am not familiar with their API - possibly it's a crappy one, but I had one integration in the past (can't recall) and there's an area in your profile for authorized apps. I've done Wells Fargo integration, too.

Pretty sure this is false. All my accounts are 2FA, and connected to a few different account aggregators (Mint, Personal Capital, etc.) which I am pretty sure all use Plaid. Handles it fine.

Mint does not use Plaid, they have an in-house integrations system.

In-house by Intuit.

My Wells Fargo account uses 2FA, and recently (November 2019) I was unable to connect a service to it through Plaid, getting an error that said my account type was not supported – or something along those lines.

They may have fixed it by now, I haven't tried more recently.

You can remove 2FA, log in with Plaid, and re-add it. This worked for me.

I'm already uneasy with the way Plaid works, I'm not also going to disable 2FA on my account to accommodate the broken way they access accounts (pretending to be a browser instead of using APIs). There are good, secure ways to grant access to resources, and giving your password to Plaid for them to log in to your account with reduced security is definitely not one of them and certainly not an attractive proposition.

Worst of all, it's a full access, not a scope-restricted one. Imagine somebody hacking Plaid and you disabling 2FA, because otherwise you can't use some of the fancy new services you saw on Product Hunt.

Worst of all, is their privacy policy.

> We retain information we collect about you for as long as necessary to fulfill the purposes for which we collected it, unless a longer retention period is required OR PERMITTED under applicable law.

It is not necessary to "hack" Plaid.

Yeah, it's the users who got hacked when they signed up.

It's all in the way Plaid connects to the banks - they do not systematically support MFA in their bank connectors; hence the issues you are seeing.

This works only if you want to do an account verification. If you have to continuously pull in transactions, it will fail, and ask you to "fix" the problem.

I am able to continuously transfer funds after the initial setup.

So, you call me a liar? I have personal, my own business, and several accounts of a nonprofit I am an officer at. All have 2FA and none work. Intuit is a different story and I'm able to sync in bank transactions into it - not with Plaid-based services though!

I feel sorry you had to go through those replies telling you your statements were false or wrong. I think it comes from people who think that if it works for them, it must work for everyone else.

Yeah, I thought I was imagining things, tried again, and this is what they say about BofA: https://ibb.co/KGMhFXF

Mint uses its own system I think. Personal Capital uses Yodlee.

I'm not a fan of how Plaid works either, but short of pushing for legislation mandating API for all banks, I doubt it will happen in the short term...

Plaid's better than using Finicity, which is even worse.

Finicity is actually the old Intuit screen scraping tech. It's been around almost as long as Yodlee. Not to impugn legacy tech or anything, but I suspect there's some cleanup to do there.

What's funny is that I can link accounts with Betterment, which uses Quovo, which got acquired by Plaid, but I can't with Plaid itself!

You can't rely on a third-party API for your business. IMHO scraping is the way to go.
