
I dislike Plaid & similar systems but I disagree.

Enforcing stupid & unreasonable ToS in court is a slippery slope that can be used against users.

You want to use an alternative client to export your data because the official client doesn't allow it? ToS violation and the developer of the alternative client gets sued.

Want to screen-scrape some website to automate some tedious manual behaviour? ToS violation and you get sued.

The ability to delegate some manual process (logging into online banking and getting the data) to a third-party (like Plaid) should be a right that we should defend.

Most manual processes, I agree, automate away. But not the ones that have negative implications for security. I don't care whether it's the ToS or some other means that's used to prevent password sharing, but it should be prevented. It is the bank's duty to protect its users, not to tolerate services that actively discourage safe practices like 2FA.

In the EU, we're getting DSP2 [0] which requires banks to publish usable APIs to: get account information, and initiate money transfers. That's huge, though only at a baby stage for the moment.

[0] https://ec.europa.eu/commission/presscorner/detail/en/IP_15_...

This is a sham. You need to go through a certification process which costs $$$ before you can get access to those APIs even if the banking data is processed locally, which will only empower the incumbents while locking out open-source solutions and indie developers (remember that a lot of tools & products we use started as someone's side-project; this regulation locks those out by default).

At least with credential sharing & screen-scraping nobody can lock you out. Does it suck? Yeah. But I'd rather take a solution that sucks than no solution at all.

To me that depends on where the fraud risk lies.

In the UK, banks (in an attempt to encourage online banking) have a fraud guarantee related to losses from unauthorised access to online banking systems, as long as you haven't given your credentials to a third party.

Screen scraping, like Plaid, obviously breaks that concept.

In that case it seems reasonable for the banks to have a ToS that says "no giving your credentials to third parties".

If there's no such guarantee and the user is on their own from a fraud loss perspective then I don't see a reason for enforcing that kind of ToS.

All that said, the idea of a transactional banking system being online with purely static credentials in 2020 is a scary one. Decent 2FA should be used for any system that has a financial impact.
