Episode 211 of The Privacy Security & OSINT podcast did a pretty thorough analysis of the data collected by Plaid. Highly recommend a listen: https://inteltechniques.com/blog/2021/03/26/the-privacy-secu...

The system is awful but that’s what you’re stuck with in the US. In Europe open banking is regulated, so banks have to provide an oath-like API, often no credential sharing involved.

I run a fintech startup, and as ridiculously insecure as the Plaid model is, there is huge demand for it. Customers want to extract their transaction data and there is no good interbank payment system in the US.

I live in the Ukraine at the moment and the interbank payment system is far better here. Anyone can send money instantly to anyone else just by knowing their account number. The transfer fee is stated up front in the mobile app, and the transfer is instantaneous. Large amounts are protected by a 2FA approval notification, and you may receive a call from your bank. Businesses regularly accept payments through it as well.

>it seems like such a horrible idea

It probably is.

> To this day I don't understand why anyone would use Plaid.

It's more desirable to use a fin-tech company to handle all that than take on the liability yourself, as a company wanting to receive payments (or connect to transaction info, like a lot of the popular budgeting apps do).

I guess that makes sense from the company’s side. But why would a consumer agree? I’d much rather go through the hassle of getting a cashier’s check or sending a wire transfer.

People are just so used to doing stuff like this. The upside is that the companies who do these transactions have a lot of exposure, and thus incentive to not mess up. People are probably just numb to a lot of these sorts of things, either that or they're just unaware that they're using a third party. It's possible that younger generations aren't even aware of how to use other means, like cashiers checks or money orders.

I believe I'm using Plaid, to use the budgeting app I use (YNAB).

Can anyone tell me what the risks are? I seriously thought this was a pretty safe thing to do.

Well ok, now Plaid has your login info for your bank. How well do they protect it? What employees have access to your credentials? Are they unhackable?

A bad actor with your bank login and password could cause a LOT of mischief.

I suppose I was misinformed about how Plaid worked. I was under the impression that Plaid was similar to OAuth, where they didn't actually have the username & passwords.

Nope.

They have to use bank login and password, so that can scrape your info. No banks tend to implement OAuth. I've been out of the world for 2 years, but last I was in I was kicking and screaming to keep where I worked away from it, and I still warn people off.

YNAB uses Plaid and MX: https://www.youneedabudget.com/security/

I’ve never been asked to provide access to my bank to buy anything, that sounds like insane overreach. There are budgeting apps that ask for it but I don’t use any of them. My main bank account provides webhooks for transactions which I use for my budgeting app, that works well enough for me.

y, it sounds like a bad idea to me.

I have never understood why don't banks offer READ ONLY api/access to accounts for 3rd budgeting apps/expense trackers or even verifying you for a mortgage.

nope. Considered creating a budget app that would need a service like Plaid but I just think it's the wrong approach so won't use it.

Privacy.com uses it, I used it. You really don't have much of a choice.