Hacker News new | past | comments | ask | show | jobs | submit login

>Because using Plaid or Experian they don't need per-bank credentials and tests.

They also push all the risk in terms of Plaid being compromised onto the User's, instead of the service provider.

This is a winning deal for Plaid, because in the event of an undiscovered breach, there is no proof in the form of say, hackers running off with Plaid's hypothetical Autonomous System's credentials and generating fraudulent activity that can be shut down by just patching the breach and changing Plaid's credentials.

Instead, banks have to scratch their heads and figure out why all these seemingly random customers are calling about fraudulent activity at right around the same time.

It's absolutely terrible in the diagnostics department, but seemingly ideal for exploiting legal grey areas for avoiding culpability if something goes wrong.

I'm not sure federated OAuth is the answer, but it's a damn sight better than what Plaid is doing.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact