PLAID - Anyone Use It? (Privacy And Security Concerns)

senda
  |     |   126 posts since 2015

It seems a lot of banks/CUs are now using "Plaid" to be able to quickly verify and send money when opening a new account (both the places I've tried to open accounts in the last 2 weeks had PLAID -- one as a choice among others, and the other place as the ONLY on-line choice). In looking at their (long) privacy policy and terms -- and what they were asking for, I decided I didn't want to give all my financial info and login/security info to a fintech company, so I aborted both instances at both places.

(1) Has anyone here actually used Plaid?

(2) For those that have, any suggestions on how to keep privacy intact, or is it pretty much lost once you do it? I.e., do you immediately delete your bank info once its initial use is done? (though Plaid would still keep that info, I'm assuming).

(3) One bank (via Plaid) needed my login info at my other bank where the money was located. It also mentioned changing one's password -- which seemed to suggest maybe it's not as private and secure as it's touted to be -- not to mention having to change passwords all the time after using PLAID would be a pain.

Have users here opted for Plaid, or chosen to do things the old-fashioned way (ACH, wire, etc) even though it takes longer?

With both institutions I aborted mid-way and refused to use PLAID because I didn't like what I saw -- everything from what they collect to forced arbitration to the simple fact that while of course any bank can have a data breach, if PLAID had a data breach, that would mean compromised accounts at multiple institutions. Something just didn't smell right, but I'm seeing PLAID everywhere now. Thoughts? Comments? Suggestions/Ideas?

Thanks



Answers
enduser
  |     |   711 posts since 2015
Plaid is involved in an active class action lawsuit for improperly using users' login information. Anyone who used Plaid qualified for the class action lawsuit.
https://www.plaidsettlement.com/
me1004
  |     |   1,379 posts since 2010
I agree, any place that insists you hand over your login name and password -- absolutely no. I have run into this with Alliant CU as an option for immediate link, but with the slower manual deposit method as the alternative. Take the alternative. (And a pox on Alliant for even offering the fast method that requires you hand over your login!) I also ran into it when trying to pay tuition for someone: the payment processor, Stripe, insisted I had to hand over my login to my bank account so they could get the money; there was no alternative.

Why would they need that when I can link any number of other places to take bills and other from my bank account without giving up my login?

Frankly, calling for that, even as an option (most people do not understand the dangers), should be outlawed, as far and away too dangerous, no matter any best intent of the processor.

If you do it, as Gary says, change your password right after doing it. But they would still have your login name.
planxy
  |     |   140 posts since 2013
Alliant has become somewhat off lately, Plaid is just another example of what goes wrong. Suggest avoiding.
Ltssharon
  |     |   471 posts since 2020
You may have seen my post on ‘record keep in’ on here. I feared a tech got financial info. It has taken me a month to get things straight. Lesson learned the hard way. Just passing it on.
JeffinEasternFL
  |     |   744 posts since 2020
Slim chance, oops, slim just left the station, I guess NO chance!  (Ditto for anyone dumb enough to attempt to use Chime! Caveat Emptor... Not worth it for very little gain.)
lou
  |     |   1,004 posts since 2010
No way I am giving my username and password to anyone I don't know. That's a deal breaker for me.

Other people have indicated you should change your password after linking accounts, but won't that hinder your ability to subsequently make transfers between the two accounts?
GreenDream
  |     |   358 posts since 2019
"Other people have indicated you should change your password after linking accounts, but won't that hinder your ability to subsequently make transfers between the two accounts?"

No. For the same reason that you don't need to keep getting and verifying 2 micro deposits every time you make a transfer between the two accounts when you verify it the old-fashioned way: once the account is verified/linked (regardless of the method used) you are good to transfer money to/from that account as you please, as that account is now verified as belonging to you.
Infinityy
  |     |   107 posts since 2020
I use it when required (if there's no other way to link an external account, or I want to link the external account immediately). I'm not concerned about the security of Plaid -- I trust they are properly encrypting the login credentials.
GH1
  |     |   1,054 posts since 2017
Infinityy, do not believe they are secure. Here you see they just paid out over 58 million in a lawsuit, over improper use of credential info. I do not trust they are one more hack away from disaster and taking people with them.

https://www.courthousenews.com/judge-approves-settlement-ordering-plaid-to-pay-58-million-for-selling-consumer-data/
GH1
  |     |   1,054 posts since 2017
https://www.inputmag.com/culture/plaid-settlement-you-may-qualify
Infinityy
  |     |   107 posts since 2020
The lawsuit doesn't pertain to the security of banking login credentials, only the collection of consumer transaction data in a manner that wasn't prominently disclosed.
GH1
  |     |   1,054 posts since 2017
Which clearly shows a lack of responsibility to the customer. What are your recourses if they are hacked? 0.
GH1
  |     |   1,054 posts since 2017
https://thekeesh.com/2020/01/plaid-is-still-a-phishing-site/

It’s a good idea: to make it easy for fintech companies to connect to consumers' banks instead of needing to do the week-long process of verifying small bank deposits. That definitely speeds up the onboarding process for people to try out new apps.

But the tradeoff is always with security and convenience and here it’s so glaring and obvious. What Plaid may provide in convenience it completely undermines in security.

Everything about it is a security design anti-pattern and I’m sure everyone working there knows it. It’s simply a phishing site, no other way around it.

The way Plaid works is that it asks you to enter your bank username and password on a site that is not your bank which they try to make look like one.

From Wikipedia, here is what phishing is:

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.

Plaid is disguising their site as your bank’s site to get your password.

Now, it’s important to realize this is the exact same tactic that a fraudulent phishing scammer would use to takeover your account.

They may lure you in with an email or some other link, but eventually take you to an account page that looks exactly like your real account page. And then they will have you enter in your username and password, and then steal those credentials.

Even possibly tech-savvy users of Plaid are being trained to type in their bank credentials into a site that is not their bank. Again, this is violating the first rule of your usernames and passwords, which is don’t share them with anyone else!

Plaid will even intercept your one-time-password or 2FA login number, which again, you should not share. If people get too comfortable sharing this then any attacker can set up a fake login page that also intercepts your 2FA. You can see how that is done here. There are ways for this to be automated:

“They do this by automating the entire process, with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can login and steal the account.”

Additionally, Plaid often may be embedded in a way where it is very difficult to verify, even if you trust Plaid. If the URL is not visible it could be an attacker posing as a Plaid login page for your bank—but now you may be so used to typing in your bank password that you’ve just given it to someone else. This can be doubly bad on mobile phones where even on legitimate SSO pages (such as a Google login), the URL bar is hidden so you cannot tell it is Google.

The question from looking at the Wikipedia definition is: is Plaid fraudulent? The user and site are trusting Plaid, so that may be different; but they are disguising their site (Plaid login) as your bank's login. Again, people have fallen for scams that are much more obvious.

So while it may be a nice fintech utility, it’s not a replacement for APIs, and it really is a security nightmare. In so many cases the security issue is one of user behavior and social engineering, of moving too fast or accidentally doing the wrong thing. In this case the real issue isn’t if Plaid’s infrastructure itself is secure or they are trusted enough to get your bank credentials. That’s an issue too. But the real issue is that users are getting used to typing their bank passwords on sites that look like their bank that are not their bank. It’s pretty easy to see how this can go wrong.

Also it’s not clear if Plaid using passwords in this way is within the terms of service for the banks and the bank users.

I wonder what the security team at Plaid thinks. They obviously know this. I wonder if they type their own bank passwords into Plaid, or have multiple bank accounts. Or how those passwords are stored. Even Facebook stored passwords in plaintext for years. Even if you know all of this you can be tired and accidentally type your password into a fake site.

So even if Plaid is a trusted and valuable company, it’s still phishing. It’s asking for your username and password for a site that impersonates your bank. I think people need to be careful here.
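The quoted article contrasts handing a third party your bank password with a proper API, and earlier replies debate whether changing the password afterwards revokes anything. The following is an added illustration, not code from Plaid, any bank, or anyone in this thread: a constructed in-memory bank that supports both a password login and scoped, revocable delegation tokens, and a `demo()` that walks a third party through each path. All names, balances and passphrases are made up for the example; it shows only the general design difference (full-account secret versus least-privilege token), not how any real institution implements linking.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the toy bank never stores a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    balance_cents: int


class ToyBank:
    """Constructed in-memory bank: password login plus scoped, revocable tokens."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, tuple[str, frozenset]] = {}  # token -> (user, scope)

    def register(self, user, password, balance_cents):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _pw_hash(password, salt), balance_cents)

    def login(self, user, password) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(acct.pw_hash, _pw_hash(password, acct.salt))

    def change_password(self, user, old, new) -> bool:
        if not self.login(user, old):
            return False
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _pw_hash(new, acct.salt)
        return True

    # Password path: whoever holds the password holds the whole account.
    def balance_with_password(self, user, password) -> int:
        if not self.login(user, password):
            raise PermissionError("bad credentials")
        return self.accounts[user].balance_cents

    def withdraw_with_password(self, user, password, cents) -> int:
        if not self.login(user, password):
            raise PermissionError("bad credentials")
        self.accounts[user].balance_cents -= cents
        return self.accounts[user].balance_cents

    # Delegated path: the owner, logged in at the bank itself, mints a token
    # limited to a scope; the third party only ever sees the token.
    def issue_token(self, user, password, scope) -> str:
        if not self.login(user, password):
            raise PermissionError("bad credentials")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (user, frozenset(scope))
        return tok

    def revoke_token(self, tok):
        self.tokens.pop(tok, None)

    def _authorize(self, tok, needed) -> str:
        if tok not in self.tokens:
            raise PermissionError("token unknown or revoked")
        user, scope = self.tokens[tok]
        if needed not in scope:
            raise PermissionError(f"token lacks scope {needed!r}")
        return user

    def balance_with_token(self, tok) -> int:
        return self.accounts[self._authorize(tok, "read_balance")].balance_cents

    def withdraw_with_token(self, tok, cents) -> int:
        acct = self.accounts[self._authorize(tok, "withdraw")]
        acct.balance_cents -= cents
        return acct.balance_cents


def demo() -> dict:
    """Walk both linking paths and record what the third party could and could not do."""
    bank = ToyBank()
    bank.register("alice", "correct horse battery", 100_00)  # constructed account
    out = {}

    # Path 1: the third party stores the real password (the pattern the thread objects to).
    stored = {"user": "alice", "password": "correct horse battery"}
    out["pw_balance"] = bank.balance_with_password(**stored)
    # Nothing limits that secret to reading; the same secret moves money.
    out["pw_withdraw"] = bank.withdraw_with_password(stored["user"], stored["password"], 25_00)
    # The owner's only revocation lever is changing the password (the advice given above)...
    bank.change_password("alice", "correct horse battery", "new passphrase")
    try:
        bank.balance_with_password(**stored)
        out["pw_after_change"] = "still works"
    except PermissionError:
        out["pw_after_change"] = "stored password rejected"
    # ...and the third party still holds the username and the old password.
    out["pw_still_held"] = stored["password"]

    # Path 2: a scoped, revocable token; the third party never sees the password.
    tok = bank.issue_token("alice", "new passphrase", {"read_balance"})
    out["tok_balance"] = bank.balance_with_token(tok)
    try:
        bank.withdraw_with_token(tok, 25_00)
        out["tok_withdraw"] = "allowed"
    except PermissionError:
        out["tok_withdraw"] = "denied: out of scope"
    bank.change_password("alice", "new passphrase", "third passphrase")
    out["tok_after_change"] = bank.balance_with_token(tok)  # link survives a password change
    bank.revoke_token(tok)  # and the owner can cut it off without touching the password
    try:
        bank.balance_with_token(tok)
        out["tok_after_revoke"] = "still works"
    except PermissionError:
        out["tok_after_revoke"] = "revoked"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the asymmetry the article is pointing at: the password path gives the third party everything the owner can do, and the owner can only cut it off by rotating the password (while the old secret and username stay in the third party's hands); the token path lets the bank enforce scope and revocation on its own side, so the owner never types the bank password anywhere but the bank.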
GreenDream
  |     |   358 posts since 2019
" I trust they are properly encrypting the login credentials."

Whether they are properly encrypting them or not really isn't the issue. The issue is: do you trust them (a third party) with your login credentials, and if so, why?
