A service called Plaid wants to connect to your bank account with your username and password. What could possibly go wrong?
Another day, another Silicon Valley company that seeks to take a system that functioned and insert themselves into it, sucking out money as they go.
A few months ago I wrote about the Buy Now, Pay Later services that are like a reinvented version of the credit card, layaway, and payday lenders all at once, all in the service of helping you buy even more things you can’t afford.
And now, comes a service that completely detonates any sort of financial privacy you may claim to have.
It’s a service called Plaid. And while it may not be super new, it’s new to my radar, and unless I’m missing something, it seems supremely malevolent, massively risky, and contributes nothing beneficial to your life.
Sound neat? Read on.
Privacy first
Your online privacy is valuable, and it is yours to lose. Or give away.
When you give your credit card information and save it on a website, you are allowing them to hold onto, sell, and (potentially) steal your information, identity, and your money. Yes, they say they won’t use this information improperly, and I’m sure in many cases they mean well, but data hacks and privacy breaches are very common.
In fact, you can type in your email address to this site to see if you’ve been the subject of a data breach. Try it, it’s really eye-opening.
Any information you give out to companies, especially online, especially companies that don’t have a track record of security, is information that can be stolen and/or used against you.
For example: don’t like how many robocalls you get? Then why did you put your real number on all those forms you filled out?
Also, companies that require you to input your social security or credit card number on the phone, and then read it back to you over the line, have a special place in hell reserved for them.
But nowhere should you be more careful and cautious than with your bank account.
For most people, your checking account is the place where most of your money comes in and goes out. This needs to be protected at all costs. There should be no reason why you should ever have to give out your username and password to anyone else.
Plaid asks you to give them your username and password to your bank. Need I go on?
Making a withdrawal
So here’s how I came face-to-face with Plaid.
I had received a certain amount of cryptocurrency for some work I had done (don’t ask, it’s not that exciting) and my goal was to convert that into real money.
There aren’t a whole lot of ways to convert crypto into “dirty fiat” (as they call it), especially if you’re a U.S. citizen, but Coinbase seemed to be the least offending option, so I went with it.
But in order to “cash out”, you need to connect an account that you can cash out to.
So far, so normal.
I surveyed my options. I looked at wire transfer, but it carried a hefty fee of $25, so I discarded that on general principle. I looked at PayPal, but I got stuck in a verification loop where it wouldn’t accept the phone number I had on file, despite having used it for years.
But then I saw that there was a bank account option. That seemed simplest to me. It’s what I use when I want to withdraw money from my Ally savings accounts. Coinbase was, in effect, just another savings account, albeit with funny ticker names, crazy tax implications, and the whiff of desperation and get-rich-quick all over it.
So I went to connect my bank account to Coinbase.
And this is where the trouble began.
Enter Plaid
A new window opened, and I saw a modal pop-up, saying “Coinbase uses Plaid to connect your accounts”.
Now, I had never heard of Plaid, but whatever, I see a lot of logos when I go to pay for things. Samsung Pay, Apple Pay, Verified by VISA, I don’t really care about the mechanism as long as the money goes through seamlessly.
But then, on the next screen, things got weird.
Select your financial institution. Okay sure, my bank name isn’t a secret. I entered that in and pressed Next.
Then came the kicker. “Please enter your username and password.”
What in the ever-living…?
I immediately canceled out, thinking that I had gone down the wrong path. But I tried it again, and the same thing happened. I could not add my bank account unless I gave them my login credentials.
You can trust me
Coinbase said Plaid was a third-party service provider that could “facilitate bank account transfers”. They were quick to point out that Coinbase would never have access to your account credentials.
But what about Plaid itself? According to their “how it works” page, they say that they “believe in collecting only what is needed” because our “financial information is both personal and powerful”. Furthermore, they use all sorts of confident-sounding terms such as “data encryption”, “cloud infrastructure”, and “independent security testing”.
But I have to say that reading all this put me in mind of those Joe Isuzu commercials from the 1980’s where an obvious liar was trying to sell cars, while the subtitles tell the truth beneath him.
As a poster on StackExchange pointed out:
“[D]espite Plaid’s apparently honest attempts at security, their approach is a privacy nightmare, as you give full access to Plaid, to all and every single information your bank has on you, including loans, funds, investment accounts, credit card statements, address, etc. This makes Plaid differ substantially from other payment services, such as PayPal, as they only have your account number.”
Meanwhile, here is a list of 68 of the biggest data breaches ever. You can bet that most of them also relied on “data encryption” and “independent security testing”.
But you can trust me. Or my mother will be struck by lightning.
Why has it come to this
I’ll quote from another poster on that same StackExchange post who points out something I didn’t realize:
“Financial systems in the US almost never support any sort of federation or open banking APIs. There is no regulatory requirement or incentive for them to do so. There is no financial incentive for them to do so, as permitting 3rd parties to incorporate their data into value-added services does not benefit them, and may harm them if the 3rd party is chosen over homegrown value-added services.”
So there you have it.
Isn’t there a better way?
People have been linking accounts for years now. If you’ve ever had two very small deposits put into your account (say, $0.16 and $0.07) and had to verify them back, then congrats, you’ve seen the mechanism that makes a service like Plaid unnecessary: the only thing you ever hand over is an account number, and you prove you control the account by reading the deposits off your own statement.
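As an added illustration (not code from the original post or from any bank or vendor), here is a minimal micro-deposit verifier of the kind that paragraph describes. The service sends two random sub-dollar amounts, keeps them only on its own side, and the customer proves control of the account by reading them back. Because there are only a few thousand possible pairs, the verifier must cap guesses; the class and function names and the three-attempt lockout are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumption: lock the pending link after three wrong guesses


@dataclass
class PendingLink:
    """One bank link awaiting micro-deposit confirmation (server-side state only)."""
    amounts_cents: tuple  # the two amounts actually sent, never shown to the customer
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def start_link() -> PendingLink:
    """Pick two random deposits between $0.01 and $0.99 and record them.

    In a real system this is where the ACH credits would be sent; the customer
    only ever gave us an account number, never a login.
    """
    a = secrets.randbelow(99) + 1
    b = secrets.randbelow(99) + 1
    return PendingLink(amounts_cents=(a, b))


def _same_pair(sent: tuple, claimed: tuple) -> bool:
    """Order-insensitive comparison that does not leak which amount was wrong."""
    if len(claimed) != 2 or not all(isinstance(x, int) and 1 <= x <= 99 for x in claimed):
        return False
    # Both sides fit in one byte each, so compare the sorted pairs in constant time.
    return hmac.compare_digest(bytes(sorted(sent)), bytes(sorted(claimed)))


def confirm_link(link: PendingLink, claimed_cents: tuple) -> str:
    """Customer submits the two amounts they saw; returns the new link state."""
    if link.verified:
        return "already-verified"
    if link.locked:
        return "locked"
    link.attempts += 1
    if _same_pair(link.amounts_cents, claimed_cents):
        link.verified = True
        return "verified"
    if link.attempts >= MAX_ATTEMPTS:
        link.locked = True  # too many guesses: a fresh pair of deposits is required
        return "locked"
    return "mismatch"
```

Note that the customer's bank password never enters this flow at all; the worst an attacker holding the account number can do is attempt a handful of guesses before the link locks.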
In general, any service that requires you to give out your password to another site in order to use it should pretty much go die a painful death.
And you, needless to say, should never, ever, give out a password to any site, especially not a financial institution.
Securing your financial information is just as important as securing your money.
And, as for my personal situation, I was able, somehow, to link my debit card without needing Plaid. So I got my money in the end, no massive financial security breach necessary.
5 Comments
Ander
Good article, but it’d be more helpful if you’d be more specific about the “somehow” you used to receive your funds WITHOUT sharing your banking info. We’re trying to get a sale payment from Reverb.com, who says we must use Plaid and give them our banking log-in info. Our own bank has advised us not to do this, and I’ve learned online that Plaid has had over 50 security breaches in the last few years.
Mike Pumphrey
Hey, sorry you’re having trouble with this. I hate that this Plaid thing is spreading all over the place.
I don’t know anything about Reverb.com, but I did look at their help pages, and while they “recommend” you use Plaid, it appears that there is still a way to do manual verification. Check this page for details: https://help.reverb.com/hc/en-us/articles/4409230824595-How-to-connect-a-bank-account-with-Reverb-Payments
If the above method doesn’t work, it’s worth calling customer service and asking them for instructions on how to verify manually. They do it for people in other countries, so there’s no reason why they shouldn’t be able to (grudgingly) do it for you as well.
Best of luck to you! Please let us know if you have any success.
Armando
I’m sure you’ve heard of Prosper. They use Plaid for account verification. Even after entering my credentials, they still couldn’t connect to my bank. After reading this article, I’m glad. Thanks!
Dylan York
Plaid has been around for 10 years, I really wouldn’t call it new in the slightest. I’m honestly surprised you’ve only just now had to use it, since I use it to pay rent and Venmo friends. And just because you type in your password, doesn’t mean the service on the other end knows what your password is. Your own bank doesn’t even know your password due to encryption. The same goes for Plaid. If your password is “p@ssword1”, Plaid, and your bank, never sees “p@ssword1”, they see some gibberish of random characters. Once Plaid connects with your bank, they drop those “credentials” they have for you and instead just create a bank relation. That bank relation is what is used to communicate information, no longer your credentials. The only risks with Plaid are the same risks with your Bank. Traffic sniffing, data breaches, bad characters on the inside, phishing, etc. All of those apply to Plaid and your bank as well. I totally get being skeptical about it, but you’re now here preaching this is the devil when you clearly don’t know how it works. If you’re concerned, you can use Plaid, and then immediately remove the bank relation to Plaid from your banks website. This will prevent Plaid from being able to make any more communication requests with your account. If they try, your bank will simply respond saying they aren’t authorized. Additionally, Plaid only allows you to log in to a bank that trusts Plaid and creates a relation with them. If your bank doesn’t trust Plaid, they will refuse service with them. So again, there’s about as much trust in Plaid as there is in your own bank.
Mike Pumphrey
Thanks for your thoughts, I really appreciate it. I think we’ll just have to agree to disagree. Even if I grant that Plaid is an equal risk factor as my bank (a big “if”) then that means that I am doubling my attack vectors at a stroke, not something I care to do.
I’m not saying Plaid is literally evil or anything. I just think that the solution it provides is worse than the problem it purports to solve.
Luckily, Plaid isn’t required on anything crucial, so I can continue to not interact with it.