Plaid might be my least favorite company ever. It's such a privacy nightmare, and they do not even tell you basic information about what you are sharing (or how to revoke sharing rights) when going through their typical flow on some random fintech app. If you look at their website, you could be giving away just the bank and routing number, or potentially your entire bank transaction history, balance, identity information, etc., and have no idea. It's terrible, and I could never recommend using an app that forced you through that flow.
Except that, like all no-longer-a-startup companies who can make your life a living nightmare if they are not spot-on perfect with their security, Plaid has slapped a mandatory, binding arbitration clause in their user agreement.
Thus, if they do drop the ball in some catastrophic way, your ability to recover anything beyond a firm handshake and maybe an "oops, our bad" on the way to an "Our Incredible Journey" blog post is on the same level of probability as my winning a gold medal in curling at the Olympics: it statistically could happen, but very likely won't.
I alluded to this in my other comment, but I don't blame Plaid. Blame the banks: Plaid isn't doing this behind the banks' backs, but with their blessing. Again, Mint was doing this for years.
When it comes to credit card fraud, the banks are buying all sorts of AI-based solutions; after all, it's their money. When it comes to customer cash, it's the wild west. I recently found out that my Wells Fargo password isn't even case sensitive.
There is clearly a market need for easier information exchange. Authorizing ACH withdrawals shouldn't require me to deposit two random values in your account. The banks could have done the work here, but they didn't, and then Plaid came along and did the work for them. I hope they take data security more seriously than Wells Fargo.
Plaid's value is providing the SDK that developers can plug into their app to connect user bank accounts with their app. They have purposefully decided not to show a very common step in user-facing bank link/onboarding flows: displaying exactly what information you are providing to the developer (e.g. think about FB Connect, Twitter, and Google, and how each requires developers to show exactly what permission is being asked of the user).
Plaid has several endpoints you can hit. It could be as little as the bank number/routing number (to pull/push funds), but it can be years of bank transaction history and/or all identifying information about you from your bank (e.g. names, emails, phone numbers, addresses) and/or your current bank balance as well. An app that doesn't even provide Mint-like functionality (e.g. showing your spending habits) could be pulling years of bank transaction history and you would not even know. That's horrifying.
Again, Plaid can and should take responsibility for not showing a simple permissions page. There is no way this is just an "oversight" on their part. It's a deliberate decision because they know it would be a conversion killer if people actually consciously understood how much information they are granting to random apps.
Users are generally dumb. I don't disagree that users are granting permission to these apps, but I'm saying that Plaid is making it purposely opaque in a way that common auth flows like FB/Twitter/Google do not do or get away with.
Not case sensitive, huh? How about not even distinguishing between letters and numbers?
When I called a prominent bank* recently, I was asked to enter my password via the phone. As in, the digit-equivalent of my password. At least I finally figured out why their password length is capped so low - user experience!
*I began this post with the bank name, and then wondered if given their approach to security, even that might be a bad idea.
> I hope they take data security more seriously than Wells Fargo.
But it doesn't really matter how seriously Plaid takes data security, as their whole business is built around providing your account data (including your transaction data) to other companies. What matters is whether the thousands of business customers of Plaid take data security seriously.
They need to be exposed. Or sued.