
The way Plaid works, I'm surprised that they hadn't already been shut down for breaking banks' TOS. It exposes the banks to so much liability for a product that's not even theirs.

I dislike Plaid & similar systems but I disagree.

Enforcing stupid & unreasonable ToS in court is a slippery slope that can be used against users.

You want to use an alternative client to export your data because the official client doesn't allow it? ToS violation and the developer of the alternative client gets sued.

Want to screen-scrape some website to automate some tedious manual behaviour? ToS violation and you get sued.

The ability to delegate some manual process (logging into online banking and getting the data) to a third-party (like Plaid) should be a right that we should defend.

Most manual processes, I agree, automate away. But not the ones that have negative implications for security. I don't care whether it's the TOS or some other means that's used to prevent password sharing, but it should be prevented. It is the bank's duty to protect its users, not to tolerate services that actively discourage safe practices like 2FA.

In the EU, we're getting DSP2 [0] which requires banks to publish usable APIs to: get account information, and initiate money transfers. That's huge, though only at a baby stage for the moment.

[0] https://ec.europa.eu/commission/presscorner/detail/en/IP_15_...

This is a sham. You need to go through a certification process which costs $$$ before you can get access to those APIs even if the banking data is processed locally, which will only empower the incumbents while locking out open-source solutions and indie developers (remember that a lot of tools & products we use started as someone's side-project; this regulation locks those out by default).

At least with credential sharing & screen-scraping nobody can lock you out. Does it suck? Yeah. But I'd rather take a solution that sucks than no solution at all.

To me that depends on where the fraud risk lies.

In the UK, banks (in an attempt to encourage online banking) have a fraud guarantee related to losses from unauthorised access to online banking systems, as long as you haven't given your credentials to a 3rd party.

Screen scraping, like Plaid, obviously breaks that concept.

In that case it seems reasonable for the banks to have a ToS that says "no giving your credentials to third parties".

If there's no such guarantee and the user is on their own from a fraud loss perspective then I don't see a reason for enforcing that kind of ToS.

All that said, the idea of a transactional banking system being online with purely static credentials in 2020 is a scary one. Decent 2FA should be used for any system that has a financial impact.

Some banks have tried, but Plaid has a great legal team and has argued with the move towards open banking in the EU that customers have a right to their data.

Will be interesting to see where this goes.

I’m excited to see Australia pushing through open banking APIs, reusing most of the UK/EU spec... but the implementation keeps getting pushed back and back and back. Mid 2020 now for initial rollout, it sounds like... so for now I’ll stick with Basiq [0] as it’s Australian focused and free for my particular use case at least. Unless others have some other suggestions? I need to connect to ING Direct.

[0] https://basiq.io

Worst is their suggestion to disable 2FA! I tweeted to them about it, and they seem to have removed it after that!

Wells Fargo's 2FA uses SMS. Hardly worth enabling.

I don’t know why you’re being downvoted. SMS 2FA is not safe, full stop.

Sure, SMS-based 2FA is not nearly as secure as other forms of 2FA. But unless you're targeted, SMS-based 2FA still helps add a layer of security against other issues like password re-use. Of course none of us do that either, but for the general public, I'd rather support SMS-based 2FA across the board than nothing at all.

For the average Joe it's good enough; no one is SIM swapping Bob who works at Walmart.

That's default, but you can buy an RSA hardware token.

Like this one [1]? Seems that it is not necessarily better than SMS.

[1] https://news.ycombinator.com/item?id=4156897

There is an actual, material difference between having no 2FA (guess passwords until you get in), SMS 2FA (have a human person call a phone provider and have the number switched), and token 2FA (given the physical device and a few hundred attempts, you're able to make another device that also authenticates). Saying you might as well not enable 2FA because a token cloning attack exists is ridiculous.

And it's not even an attack on the OTP token.
