> It’s utterly irresponsible and I have no idea how Plaid hasn’t been shut down. You have no recourse if they are breached.
Wise (formerly TransferWise) is another example. You have to move funds into your Wise account before you can do a transfer, payment, or currency exchange. Wise offer various ways to fund your account such as wire transfer, credit card payment, debit card payment, etc., each of which has different fees, but by far the lowest fee is "direct debit" which involves giving Wise your bank card number and password. I imagine that the overwhelming majority of Wise customers have no idea that this is terrible for security and privacy.
Everything about this practice is hard to believe:
1) I doubt that any bank has given Wise permission to do this.
2) Which raises the question about why the banks aren't blocking IP addresses that Wise uses to log into bank accounts, or at least making a complaint to Wise.
3) It's obviously against the banks' terms of service, but Wise may be breaking some law regarding unauthorized access (in the same vein that you can't authorize a third party to use your passport, for example).
4) What else is Wise doing after they log into your bank account? Are they collecting other information about your transactions and balance?
5) Does Wise store your bank card number and password? If they do, they'd have to store it as cleartext (not as a one-way hash) if they expect to use it again. They could encrypt it of course, but it would have to be reversible so they could get the cleartext back.
6) Why hasn't any bank regulator forced them to stop doing this?
I've never seen this in either the UK or Finland when using Wise. Direct Debit is a legit thing that's more common in the UK - but that takes several days to clear and the protection is quite strong, Wise would have lost a lot of money to fraud if they offered it as an option...
They use Trustly in the Nordics to do something similar to what you mention, which does seem to use proper bank APIs - as I have to authenticate it on the bank app or website separately.
I just transferred some cash from UK -> Europe and whatd'ya know? There is indeed a hook to the bank, but I am pretty convinced that it is just the legit, real, EU (& UK) wide open banking that Wise have implemented for most of the popular UK banks, mainly because I was on the First Direct (my bank) site the entire time once I clicked through, and I still had to authenticate properly with the app for anything to actually happen.
Are you sure you're not confusing things? Direct debit usually means just a permission to charge the given account for the specified amount. It's commonly used in Canada and doesn't involve sharing your password.
Wise (formerly TransferWise) has different meanings for "debit" and "direct debit".
Their "debit" option works the way you think. You give only your bank card number, expiry date, and CVV.
However, their "direct debit" option requires you to enter your bank debit card number and bank password into Wise's web form. It is not a redirect to the bank website. The URL says "https://wise.com/..." when you're asked to enter that info. Wise definitely gets your bank credentials.
They have yet another option called "bill payment" in which you log into your bank account yourself and do a bill payment to Wise (and giving your Wise account number).
Both the "debit" and "bill payment" methods look secure and acceptable. But Wise charges a considerably higher fee than with their "direct debit" method. And it always seems to take a day or two for the funds to appear in your Wise account with those other methods. They really want to encourage their "direct debit" method in which they get your bank login info.
Are you in the US?
I think Wise’s ways of adding funds vary depending on what’s available in terms of payment infrastructure in each country. In the UK where Wise is based, direct debits are very common for routine payments but do not require a card number. But for receiving money Wise UK’s closest equivalent right now is to authorise payment via open banking and your bank (the newish UK specs for doing this are really good and online here: https://standards.openbanking.org.uk/ )
I'm speaking about Canada. I should have mentioned that. You're right that the payment options are probably quite different in each country where Wise operates.
Out of curiosity, in Canada (and the USA, where I assume it will be similar), how do you call the system to authorise a business, for example a utility company, to charge your bank account directly every given period, with a more-or-less flexible amount, and with no need for you to take any action?
The reason I ask is that that is what is called a "Direct Debit" in the UK and the European SEPA area, and it does not involve providing any credentials to the bank account. Rather, you only need to provide your International Bank Account Number (IBAN) and maybe your name. However, the ability for a company to be able to take Direct Debit payments is heavily regulated, you can easily cancel them via your bank, and even reverse charges if they were illegitimate.
This is as common as bread and butter in Australia. You provide your bank account (or credit/debit card) details to the company or even govt (gas, electricity, water, car registration, insurance, internet, mobile etc.) and a so-called direct debit authority, and the company will just debit from your account on the due date.
Yes, Direct Debits or similar are something that I would normally assume is commonplace in every developed country. However, I'm so aware of the American TV trope of receiving "bills" in the mail and having to remember to pay them that I wonder if it's just something that has stuck as a cliché even if it's no longer the case, or whether it is still the ordinary way of handling these payments in North America.
Yeah, direct debit is a very specific, well-standardised thing in the UK and comes with a fair amount of consumer protection. It’s also a bit OAuth-ish in that you can unilaterally cancel it from your bank’s side of things instead of going through the provider.
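Two points in this thread are worth seeing side by side: the earlier observation that a service which logs in as you later cannot store your password as a one-way hash (it has to be recoverable), and the point above that a direct-debit mandate is "OAuth-ish" because the customer can cancel it at the bank. The following is an added illustration written for this discussion, not code from Wise, Plaid or any bank, and every name, card number and password in it is a constructed sample; it contrasts a credential-replaying intermediary with a bank-issued, scoped, revocable mandate token.

```python
"""Added illustration (not from the thread): replayed credentials versus a
bank-issued mandate token. All identifiers and values are constructed."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000


def store_password(password: str) -> tuple[bytes, bytes]:
    """Bank side: only VERIFICATION is ever needed, so a salted one-way hash suffices."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Bank:
    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes]] = {}   # card -> (salt, digest)
        self._mandates: dict[str, dict] = {}                   # token -> mandate record

    def open_account(self, card: str, password: str) -> None:
        self._accounts[card] = store_password(password)

    def login(self, card: str, password: str) -> bool:
        salt, digest = self._accounts[card]
        return verify_password(password, salt, digest)

    # Mandate model: the customer authenticates AT THE BANK once; the third party
    # receives only an opaque token bound to a scope, which the bank can void.
    def grant_mandate(self, card: str, password: str, scope: set[str]) -> str:
        if not self.login(card, password):
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)
        self._mandates[token] = {"card": card, "scope": set(scope), "active": True}
        return token

    def revoke_mandate(self, token: str) -> None:
        """Customer-initiated, unilateral cancellation: no cooperation from the provider needed."""
        self._mandates[token]["active"] = False

    def use_mandate(self, token: str, action: str) -> bool:
        m = self._mandates.get(token)
        return m is not None and m["active"] and action in m["scope"]


class ReplayingThirdParty:
    """A service that later logs in AS the customer must keep the password in a
    recoverable form; hashing is impossible because it needs the cleartext back.
    Encrypting it with a key the service also holds does not change that."""
    def __init__(self) -> None:
        self._creds: dict[str, tuple[str, str]] = {}

    def enrol(self, user: str, card: str, password: str) -> None:
        self._creds[user] = (card, password)          # stored recoverably by necessity

    def login_as(self, user: str, bank: Bank) -> bool:
        card, password = self._creds[user]
        return bank.login(card, password)

    def dump(self) -> list[tuple[str, str]]:
        """What a breach of this store yields: usable bank credentials."""
        return list(self._creds.values())


class TokenThirdParty:
    """Holds only the opaque mandate token; it can do nothing outside its scope."""
    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}

    def enrol(self, user: str, token: str) -> None:
        self._tokens[user] = token

    def collect(self, user: str, bank: Bank, action: str = "debit") -> bool:
        return bank.use_mandate(self._tokens[user], action)


def demo() -> dict:
    bank = Bank()
    card, password = "4111000000000001", "correct horse"    # constructed sample values
    bank.open_account(card, password)

    scraper = ReplayingThirdParty()
    scraper.enrol("alice", card, password)
    replay_ok = scraper.login_as("alice", bank)
    leaked = scraper.dump()

    token = bank.grant_mandate(card, password, {"debit"})
    collector = TokenThirdParty()
    collector.enrol("alice", token)
    before = collector.collect("alice", bank, "debit")
    out_of_scope = collector.collect("alice", bank, "read_transactions")
    bank.revoke_mandate(token)
    after = collector.collect("alice", bank, "debit")

    return {
        "replay_login": replay_ok,
        "password_in_leak": any(pw == password for _, pw in leaked),
        "mandate_before_revoke": before,
        "mandate_out_of_scope": out_of_scope,
        "mandate_after_revoke": after,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the asymmetry in what a breach yields: the replaying intermediary's database contains working bank logins with the account holder's full privileges, while the token holder's database contains tokens that are scope-limited and already dead once the customer cancels at the bank.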
Can confirm that Wise use Open Banking API to send money in the UK, if your bank supports it. If your bank doesn't support it, it's either debit / credit card or bank transfer.
> 2) Which raises the question about why the banks aren't blocking IP addresses that Wise uses to log into bank accounts, or at least making a complaint to Wise.
People doing screen-scraping like Plaid will seek out IPs that look innocuous. One place I heard of had a bank of mobile phones, all with cellular data plans, hooked up to some UI automation. This lets them run screen scraping from a real phone on a real cellular network.
They pay app developers to install an SDK on their popular mobile apps, then sell the right to run network requests through users' devices. Perfect if you want to do some sketchy screen scraping and need access to a lot of innocent-looking IP addresses.
> It sounds like you might be trying to make an ACH direct debit payment, in which case Plaid is indeed one of the payment handlers that help us process these types of payments. However, we also offer other payment options for USD, if your account isn't able to support ACH direct debit.
In Australia Wise will provide you with a reference number and hold the xfer and wait for me to transfer the money to them. Wise has a unique email called a PayId that is registered to their account.
I use my bank's app and transfer money to their PayId using the reference number. The transfer takes a few seconds. When Wise gets the money in their account they resume the transfer and I get an in-app notification. Easy.
In what country does it have that option? Doesn't seem to be a thing in Australia as far as I can tell. But we do have multiple different ways of doing free (or free for the sender and very low cost for a merchant) payments and transfers, including real-time transfers to/from financial institutions...
Given that it seems to be a similar case in Europe, UK etc. I assume this might just be a US thing?
Australia does have other examples of these systems though, like poli (https://www.polipayments.com/) which is commonly used by airlines to accept and prove direct deposit payments