A few of my friends were talking about Plaid the other day, and I told them I like the company/product, but "many people on HN hate it." They were perplexed and when I explained it was because you guys were nervous about entering your bank password into a third-party (yet reputable) company's interface (that's encrypted), they wrote it off as "being paranoid." Can't say I disagree...
It is probably the one thing you can do today that will at some point cause you lose money from your bank account.
It is not even paranoid. It's a bad idea to leave your bank access codes with someone else.
The less people understand how things work the more likely they are to trust it. This just opens up a new avenue for exploitation.
I previously worked at a “reputable” company whose main product stores usernames and passwords for third-party sites. It’s a conceptually-similar product to what Plaid offers, but in a different problem space. These passwords were encrypted.
* any developer or ops member could trivially have dumped the entire plaintext dataset
* there were multiple bugs discovered that would have allowed dummy accounts to quickly, trivially, and remotely dump the entire plaintext dataset
* if these bugs had been exploited, we would have had no way to know past a few weeks due to log rotation policies
* administrator passwords to systems were often just single English words
If anyone with ill intent had looked at this product for more than an hour, they likely would have discovered some of the bugs mentioned; one was pretty much just a
Combine this with the consequences of a breach: if your credentials are stolen from Plaid and used to steal money from you, your bank, brokerage, or other financial institution can point to your use of this product as cause to deny your claim to have your funds returned. Essentially, they can point to Plaid as a violation of their terms of service, and hold you on the hook for any losses as you voluntarily gave your credentials to a third party.
Hell, even if Plaid isn’t breached and your account is compromised through other means, they can use the logs from Plaid regularly logging into your account to make the same case.
My problem with these services is not that I don't trust them - I know how bad banking IT is, they can't be much worse. What bothers me, is that they teach users that it's okay to enter your credentials into third party sites, a recipe for disaster.
See PSD2 in the EU, for example.