
Every time Plaid is mentioned on HN, people want to hate. My take is: don't use it if you're scared ?

A few of my friends were talking about Plaid the other day, and I told them I like the company/product, but "many people on HN hate it." They were perplexed and when I explained it was because you guys were nervous about entering your bank password into a third-party (yet reputable) company's interface (that's encrypted), they wrote it off as "being paranoid." Can't say I disagree...

Saying the company interface is encrypted so it's safe shows how effective this attack can be. One of the attacks would present you with a login box. You think this is Plaid and it is encrypted so it's safe, so you enter your username/password. It turns out to be a different third party. Not to worry, the hacker interface is encrypted as well. Another attack surface opened up involves data breaches at Plaid where a company employee dumps access to everyone.

It is probably the one thing you can do today that will at some point cause you to lose money from your bank account.

It is not even paranoid. It's a bad idea to leave your bank access codes with someone else.

The less people understand how things work, the more likely they are to trust it. This just opens up a new avenue for exploitation.

The point is not, I think, that Plaid is sketchy but that the banking infrastructure is so poor that you can build a billion dollar business based on screen scraping. There is a clear and obvious need for better API integration to banks but the banks themselves have been incredibly slow to provide this.

“Encrypted” is not the same as “secure” and in practice knowing that data is encrypted gives you virtually zero useful information toward knowing if your data is secure.

I previously worked at a “reputable” company whose main product stores usernames and passwords for third-party sites. It’s a conceptually-similar product to what Plaid offers, but in a different problem space. These passwords were encrypted.

And yet:

* any developer or ops member could trivially have dumped the entire plaintext dataset

* there were multiple bugs discovered that would have allowed dummy accounts to quickly, trivially, and remotely dump the entire plaintext dataset

* if these bugs had been exploited, we would have had no way to know past a few weeks due to log rotation policies

* administrator passwords to systems were often just single English words

If anyone with ill intent had looked at this product for more than an hour, they likely would have discovered some of the bugs mentioned; one was pretty much just a

    GET /accounts/$i/passwords.csv

I have no particular information regarding Plaid that would lead me to expect they’re anywhere near this bad. I also have no particular reason to believe they aren’t this bad, but in my experience as an infosec engineer, the overwhelming majority of companies—even “reputable” ones—are far closer to the shitshow end of the spectrum than they are to the competent end when it comes to security. Even if they are competent it’s not that big a reassurance, because competent companies still get popped with depressing regularity. It still often just takes one mistake from a well-meaning engineer to introduce a severe security vulnerability, even in a company that generally takes security seriously.

Combine this with the consequences of a breach: if your credentials are stolen from Plaid and used to steal money from you, your bank, brokerage, or other financial institution can point to your use of this product as cause to deny your claim to have your funds returned. Essentially, they can point to Plaid as a violation of their terms of service, and hold you on the hook for any losses as you voluntarily gave your credentials to a third party.

Hell, even if Plaid isn’t breached and your account is compromised through other means, they can use the logs from Plaid regularly logging into your account to make the same case.
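The comment above describes two defects at once: an export endpoint that trusts its path parameter and never asks who is logged in, and log rotation short enough that a dump would have gone unnoticed. The following is an added illustration, not code from the commenter's former employer or from Plaid; the account ids, user names and log lines are constructed. It shows the shape of the unauthenticated export beside a version with an object-level ownership check and a separate audit trail, plus a small detector that flags one principal exporting many distinct accounts from access logs, which is how such enumeration looks from the defender's side.

```python
import re
from collections import defaultdict

# Constructed sample data: account id -> owning user (hypothetical names).
ACCOUNT_OWNER = {"101": "alice", "102": "bob", "103": "carol", "104": "dave"}
# Constructed "stored credentials" per account (site, username, password).
STORED = {
    "101": [("shop.example", "alice@example", "s3cret")],
    "102": [("util.example", "bob@example", "hunter2")],
    "103": [],
    "104": [],
}


class Forbidden(Exception):
    """Raised when the session user does not own the requested account."""


def _to_csv(rows):
    return "site,username,password\n" + "".join(f"{s},{u},{p}\n" for s, u, p in rows)


def export_vulnerable(account_id, session_user):
    """Shape of the bug described in the thread: the handler uses the path
    parameter and ignores who is asking, so iterating account ids dumps
    every record. `session_user` is accepted but never consulted."""
    if account_id not in STORED:
        raise KeyError(account_id)
    return _to_csv(STORED[account_id])


def export_hardened(account_id, session_user, audit):
    """Same export with an ownership check. Every decision, allowed or denied,
    is appended to `audit`, a list standing in for a log store whose retention
    outlives the web server's rotation window."""
    owner = ACCOUNT_OWNER.get(account_id)
    if owner is None or owner != session_user:
        audit.append(f"DENY user={session_user} account={account_id}")
        raise Forbidden(f"{session_user} may not read account {account_id}")
    audit.append(f"ALLOW user={session_user} account={account_id}")
    return _to_csv(STORED[account_id])


def access_decision(account_id, session_user, audit):
    """Convenience wrapper: True if the hardened export would succeed."""
    try:
        export_hardened(account_id, session_user, audit)
        return True
    except Forbidden:
        return False


# Detection side: enumeration shows up in access logs as one principal
# successfully reading many distinct account ids. Constructed log lines.
SAMPLE_LOG = """\
2019-06-04T10:00:01Z user=alice GET /accounts/101/passwords.csv 200
2019-06-04T10:00:02Z user=dummy42 GET /accounts/101/passwords.csv 200
2019-06-04T10:00:02Z user=dummy42 GET /accounts/102/passwords.csv 200
2019-06-04T10:00:03Z user=dummy42 GET /accounts/103/passwords.csv 200
2019-06-04T10:00:03Z user=dummy42 GET /accounts/104/passwords.csv 200
2019-06-04T10:00:05Z user=bob GET /accounts/102/passwords.csv 200
2019-06-04T10:00:06Z user=bob GET /accounts/102/passwords.csv 200
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) GET /accounts/(?P<acct>\d+)/passwords\.csv (?P<status>\d{3})"
)


def find_enumerators(log_text, max_distinct_accounts=1):
    """Return {user: distinct-account count} for principals whose successful
    exports touched more distinct accounts than `max_distinct_accounts`.
    A legitimate user normally exports only their own account."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("status") == "200":
            seen[m.group("user")].add(m.group("acct"))
    return {u: len(a) for u, a in seen.items() if len(a) > max_distinct_accounts}


if __name__ == "__main__":
    print(export_vulnerable("102", "alice"))  # alice reads bob's data: the bug
    audit = []
    print("hardened allows alice->102:", access_decision("102", "alice", audit))
    print(audit)
    print("enumerators:", find_enumerators(SAMPLE_LOG))
```

The detector is deliberately crude (a distinct-count threshold); its point is that the signal only exists if the records survive long enough to be queried, which is the retention problem the comment raises.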

I've never used plaid, but in Germany there's a (I guess) similar service, Sofortüberweisung.

My problem with these services is not that I don't trust them - I know how bad banking IT is, they can't be much worse. What bothers me is that they teach users that it's okay to enter your credentials into third party sites, a recipe for disaster.

It shouldn't need your password. Better systems are possible that grant various forms of access without effectively giving them 'root', and such systems preserve your own protections.

See PSD2 in the EU, for example.
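As an added illustration of the "access without handing over root" point (not code from the commenter, from Plaid, or from any bank, and a simplification rather than PSD2's actual OAuth2-based flow): the customer consents at the bank, the bank issues the third party a signed grant naming specific accounts, operations and an expiry, and every later API call is checked against that grant. The password never leaves the customer, the grant can be revoked without changing it, and a compromised grant cannot move money. The signing key, party names and account ids are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed bank-side signing key; a real deployment would use a managed key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
# Grant ids the customer has withdrawn consent for (hypothetical revocation list).
REVOKED = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue_grant(customer, third_party, accounts, permissions, ttl_seconds,
                now=None, grant_id="grant-1"):
    """Bank side, after the customer consents: return a signed grant that is
    bound to one third party, a fixed set of accounts and operations, and an
    expiry. Nothing in it lets the holder log in as the customer."""
    now = time.time() if now is None else now
    claims = {
        "id": grant_id,
        "sub": customer,
        "aud": third_party,
        "accounts": sorted(accounts),
        "perms": sorted(permissions),
        "exp": int(now + ttl_seconds),
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def authorize(token, third_party, account, permission, now=None):
    """Bank side, on every API call: verify the grant and check that the
    caller, account and operation are all within it. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims["id"] in REVOKED:
        return False, "revoked"
    if claims["exp"] < now:
        return False, "expired"
    if claims["aud"] != third_party:
        return False, "wrong audience"
    if account not in claims["accounts"]:
        return False, "account not in grant"
    if permission not in claims["perms"]:
        return False, "permission not granted"
    return True, "ok"


def revoke(token):
    """Customer withdraws consent; the grant id is added to the revocation list."""
    body = token.split(".")[0]
    REVOKED.add(json.loads(_unb64(body))["id"])


if __name__ == "__main__":
    t0 = 1_600_000_000
    grant = issue_grant("customer-1", "aggregator.example", ["CHK-001"],
                        ["read:balance", "read:transactions"], 90 * 86400, now=t0)
    print(authorize(grant, "aggregator.example", "CHK-001", "read:balance", now=t0))
    print(authorize(grant, "aggregator.example", "CHK-001", "transfer", now=t0))
    print(authorize(grant, "aggregator.example", "SAV-002", "read:balance", now=t0))
    print(authorize(grant, "aggregator.example", "CHK-001", "read:balance", now=t0 + 91 * 86400))
```

The contrast with password sharing is the whole point: a leaked grant is bounded by scope, time and revocation, while a leaked password is the customer's full identity at the bank and, as the earlier comments note, its use by a third party may also cost the customer their fraud protection.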
