Of course they collect this data! Do you understand what Plaid does?
Here's what happens:
Tesla says I want to verify that a human is purchasing a car, take a deposit, and get the information needed to pre-approve the customer for the loan required to buy it.
Plaid says, we can do that for you. Plaid has you link your bank account so it can 1) verify your identity, and 2) give Tesla the information needed to debit your account. Then Plaid pulls your account history and asks you to link additional accounts as needed to get the relevant information for the underwriting process.
This allows Tesla to complete this process entirely online without a dealership in about 2 minutes. If you've ever bought a car traditionally, applied for a loan, or even linked bank accounts into a budgeting app, this is an incredible UX win for the user. Shocking, even.
> So you really have nothing to worry about if your bank is competent.
US Banks not only use SMS for 2FA, many of them REQUIRE it for 2FA.
They also tend to require "security questions" that are usually easily guessed or researched. Again, information that makes it easier, not harder, to get into your account.
Good luck trying to find a bank that uses hardware tokens.
> Why is it inherently bad to trust a 3rd party?
Because doing so substantially increases the attack surface and historically third parties have done a terrible job.
For example: every app that uses SMS 2FA inherently trusts the customer's cell phone company. Companies which have done little to address identity thieves porting out numbers, requesting replacement SIMs, etc.
Sorry that US Bank leaves you exposed to a SIM-jacking attack which, if they use Twilio, is mitigated by their Verify API. I don't need hardware tokens and full custody of my financial information. I Just Don't. That's literally the entire point of a bank. They do that for me.
You don't need to lecture me on how trust delegation works. I mean you use a bank right? You trust a 3rd party with your actual cash. Plaid hasn't demonstrated incompetence, have they? In fact it seems quite the opposite. There isn't any legitimate case against using them aside from "I literally don't trust anybody" which is hypocritical if you use a bank in the first place.
They also serve as an auditing service, of sorts. Instead of you having to gather a bunch of bank statements to verify income, Plaid pulls those numbers for the service provider. The service provider can trust Plaid as an intermediary whose reputation would be damaged if they helped people lie or were otherwise delivering unreliable information. In my experience Plaid is a huge UX improvement and if you use them in OAuth mode you literally have no reason to criticize because the entire argument falls apart (they don’t store your credentials and can only do what you authorize granularly, using the system as designed).
Anyway my bone to pick is with the “3rd party instantly bad” mentality. Your bank probably uses 1000 and 1 3rd parties too. Our banking regulations are focused on making sure money depositors aren’t taken advantage of and harmed by unhealthy or risky asset management practices. If you don’t find Plaid valuable then that’s fine, you do you. I do wonder how you can know that without using them though…
Second, Plaid will use app passwords if you have 2FA enabled and your bank supports them. This is the correct way to handle that scenario.
Third, Plaid saves me a lot of trouble and I have come to trust them. I am happy to delegate responsibility to them.
Why is it inherently bad to trust a 3rd party?