Slightly off topic, but worth highlighting. Privacy virtual cards use Plaid (well, at least the last time I looked at it a few months back). The integration was extremely questionable. They were faking the bank's login page. So when you entered your credentials, it wasn't the actual bank's page.

There was a GitHub issue opened, and after several follow-up complaints they blocked further commenting and then removed the ticket.

Subject of the ticket: [plaid/link] privacy/security concerns (#68)

Collecting actual banking credentials is how Plaid works, quite literally. One needs to be clinically insane to give one's bank login creds to a third party voluntarily!

I refuse to do business with any business that uses Plaid and has no sane alternative to get bank account numbers (deposit two small amounts, three days later I tell you what they are).

First time I saw it, I assumed the website had been hacked. I was actually more horrified when I found out that this was working as intended and some website wanted my bank password!


Indeed. Sharing your banking credentials with a third party almost certainly violates the terms of service you agreed on with your bank. If the third party has a security lapse and your bank account is drained, your bank might just claim that you authorized that transaction with your credentials, so it's a valid transaction and they won't shell out their own money to refund your loss.

If in doubt, you should check your bank's terms of service for online banking.


> I refuse to do business with any business that uses plaid and has no sane alternative to get bank account numbers (deposit two small amounts, three days later I tell you what they are)

I'm a bit horrified this is still a thing, too. Doing this just confirms you have the correct account and routing number, so you can deposit and withdraw. It won't allow you to see transactions--will it?

FWIW, a minority of banks have "linked apps" that allow you to revoke access from the bank's website (some are clear they're restricting it to read-only access). But I'm not sure how consistent or widespread this kind of thing is. I doubt if you're offering a service like Plaid you could rely on only supporting these institutions.
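As an added illustration (not code from Plaid, Privacy.com or anyone in this thread) of the microdeposit flow the two comments above describe: the service sends two random sub-dollar deposits, the customer reports the amounts, and the service confirms ownership of the account without ever seeing a bank password. The three-attempt lockout and the cent range are assumed policy choices; since there are only a few thousand possible amount pairs, limiting guesses is the part that makes the check meaningful.

```python
import secrets
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

MAX_ATTEMPTS = 3  # assumed policy: lock the link after three wrong answers


@dataclass
class MicrodepositChallenge:
    """Two deposits (in cents) sent to the customer's account, plus verification state."""
    amounts_cents: tuple
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def create_challenge() -> MicrodepositChallenge:
    # Two deposits between $0.01 and $0.99, drawn from a CSPRNG so they can't be predicted.
    a = secrets.randbelow(99) + 1
    b = secrets.randbelow(99) + 1
    return MicrodepositChallenge(amounts_cents=(a, b))


def parse_amount_cents(text: str) -> int:
    """Turn a user-entered dollar string like '0.32' into integer cents, rejecting junk."""
    try:
        cents = Decimal(text.strip()) * 100
    except InvalidOperation:
        raise ValueError(f"not a dollar amount: {text!r}")
    if cents != cents.to_integral_value() or cents <= 0:
        raise ValueError(f"not a whole, positive number of cents: {text!r}")
    return int(cents)


def verify(challenge: MicrodepositChallenge, claimed_a: int, claimed_b: int) -> bool:
    """Check the customer's answer; order of the two amounts does not matter."""
    if challenge.locked or challenge.verified:
        return False  # single use: a verified or locked challenge accepts nothing further
    challenge.attempts += 1
    ok = sorted((claimed_a, claimed_b)) == sorted(challenge.amounts_cents)
    if ok:
        challenge.verified = True
    elif challenge.attempts >= MAX_ATTEMPTS:
        challenge.locked = True  # brute-forcing ~4,900 pairs is cut off here
    return ok
```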


> First time I saw it, I assumed the website had been hacked. I was actually more horrified when I found out that this was working as intended and some website wanted my bank password!

This was my exact same impression. Even after some Googling and asking friends where I learned this was a thing, I was still very wary that it was legit.


(I work for Privacy.com)

We do use the Plaid Link widget (as do most other fintechs in the US). We don't touch credentials or handle the bank login page.

Commentary about the state of the US banking system aside, Plaid is pretty much the industry standard way to do instant bank account verifications today. However, we also have options to link with debit card and account / routing number if you're not comfortable with the Plaid route (totally understandable).


What about Yodlee? I'm under the impression that Yodlee is a bigger and much more established player here. Although Yodlee's API certainly isn't great.

It's been pretty widely reported that Yodlee sells user data to hedge funds and others. It's the main reason we didn't go with them.

I developed both Yodlee and Plaid integrations for a customer last year. I remember the Yodlee sales rep mentioning that over 75% of their supported institutions are direct API integrations. Now, this is coming from a sales rep so take it with a grain of salt.

This is literally how bad the industry is, where this is an accepted practice? Wow, banks SUCK.

Yeah, isn't Plaid basically teaching users to fall for phishing attacks? As with any account, the only sane advice is to only enter your password for account X into the website or app for X. Which is the exact opposite of the expectation Plaid creates.

Also, it's one thing for me to let a third party withdraw money from my checking account (if I provide my account number), but that doesn't mean I want to give them the ability to do things like change my password, disable 2FA, read my transaction history, transfer money out of my other accounts, cancel my cards, and so on — which they can if they have my password. That's just insane.


Do you have a link to the thread in question?

If you're referring to the GitHub link, they took it down after several complaints.

https://github.com/plaid/link/issues/68


Reminder... donate to the Internet Archive!

https://web.archive.org/web/20190510080449/https://github.co...
