I recently signed up for Privacy.com, which uses a service called Plaid to link a bank account. To do this, it requires the user to provide their banking username and password to a webpage from Plaid, not their bank. Then, Plaid accesses the user’s bank account with those credentials on the user’s behalf to get information. Plaid provides an API for websites and apps to easily access this banking information.
In addition to Privacy.com, plenty of other popular services use Plaid, including Venmo, Robinhood, and Coinbase.
Despite the popularity, this service appears to break two “fundamental” Internet security rules:
- Never give credentials to a third party. The standard is to redirect the user to a login page on the website of the service providing the login. Plaid doesn’t do this, instead providing the login form on their own website. Even worse, Plaid allows services to embed the form in their websites (as an iframe). It’s not possible for casual internet users to tell the difference between this and an “unsecured” form on some random website, so this appears to be encouraging bad security practice. Worse still, Plaid provides a login page that looks very official, showing the bank logo and using the bank’s color scheme.
- Never store passwords in plaintext. The only way for Plaid to access bank account details is with the password, and since my banking password was only required by Plaid once, they must be storing it in plaintext, or “encrypted” but convertible to plain text, so they can continue to use it to access my account.
The problem seems to be that most banks do not provide an API to retrieve customer data, so a service like Plaid (and all the services that use Plaid) simply wouldn’t be possible without breaking these “fundamental” security rules. But I’m not convinced that’s justification for breaking them. If it’s not possible to do it securely, should it be done at all?
My confusion here is that all of these services are “legitimate”. None of them are scams; they’re all providing a valuable service and have a solid reputation. Plaid has raised billions in funding!
I would think with Plaid using bank logos to make their “fake” bank login forms look legitimate, banks would be after Plaid with lawsuits. But apparently some of them are investors! On Plaid’s website Citi, American Express, and others are listed as investors. It appears that banks aren’t against this bad practice, and are, in some cases, actually encouraging it.
This makes me think that I might be missing something. Maybe Plaid has some special access to banking systems and it isn’t as bad as it seems. On the other hand, maybe Plaid’s reputation is held up only by the fact that they haven’t been hacked yet. If (when) they are hacked it will be devastating, since the worst case scenario means the leaking of millions of users’ active bank usernames and passwords. Also, many banks don’t protect users if they knowingly gave their credentials to a third party, so a lot of people could lose a lot of money. But if that’s the case, wouldn’t banks be working to stop Plaid and protect their customers?
I think many of the services provided by Plaid are neat and would like to use them, but if my suspicions here are correct I don’t think I can do so while remaining secure. Of course, I hope I’m completely wrong here and Plaid has some way to operate securely.
So, does Plaid have some special access to banking systems, or is it using user passwords to log in to bank accounts, which requires storing them in plaintext (or convertible to plaintext) and convincing users to give their credentials to a third party, encouraging bad security practice?
If it’s the latter, I’m afraid I’ll have to pass on Plaid services for now and consider my banking password compromised.
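The two models the question contrasts, as an added illustration that is not part of the question and is not Plaid's or any bank's code: a simulated bank (`MockBank`, the user `alice`, her balance and password are all constructed for this example) exposes both a password login and a scoped, revocable delegation token. A third party that replays the user's password must keep that password recoverable (a one-way hash cannot be replayed), gets every privilege the user has, and is invisible to the bank; a third party that holds a token issued on the bank's own login page stores no password, is limited to the scopes granted, and can be cut off by the bank without the user changing a password. The script assumes nothing about how any real aggregator stores data.

```python
"""Credential-replay vs. delegated-token access to a simulated bank.

Added example for illustration; MockBank, both aggregator classes and the
account "alice" are constructed here and do not describe any real system.
"""
import hashlib
import hmac
import secrets


class MockBank:
    """Simulated bank: stores only salted PBKDF2 hashes of passwords and can
    issue scoped, revocable tokens from its own login page."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 hash)
        self._balances = {}  # username -> balance in cents
        self._tokens = {}    # token -> [username, scopes, active]

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username, password, balance_cents):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))
        self._balances[username] = balance_cents

    def login(self, username, password):
        salt, stored = self._users[username]
        if not hmac.compare_digest(self._hash(password, salt), stored):
            raise PermissionError("bad credentials")
        # A password login is full-privilege: the bank cannot distinguish the
        # account holder from anyone replaying the same credentials.
        return {"user": username, "scopes": frozenset({"read", "transfer"})}

    def issue_token(self, username, password, scopes):
        """Runs on the bank's own page: the third party never sees the password."""
        self.login(username, password)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = [username, frozenset(scopes), True]
        return token

    def session_from_token(self, token):
        username, scopes, active = self._tokens[token]
        if not active:
            raise PermissionError("token revoked")
        return {"user": username, "scopes": scopes}

    def revoke(self, token):
        self._tokens[token][2] = False

    def read_balance(self, session):
        if "read" not in session["scopes"]:
            raise PermissionError("missing read scope")
        return self._balances[session["user"]]


class CredentialAggregator:
    """Model 1: collects the bank password on its own form and replays it.
    The vault must hold the password in recoverable form; whether it is
    plaintext or encrypted with a key kept on the same host makes no
    difference once that host is compromised."""

    def __init__(self, bank):
        self.bank, self._vault = bank, {}

    def link(self, username, password):
        self._vault[username] = password

    def _session(self, username):
        return self.bank.login(username, self._vault[username])

    def fetch_balance(self, username):
        return self.bank.read_balance(self._session(username))

    def privileges(self, username):
        return self._session(username)["scopes"]

    def breach_dump(self):
        return dict(self._vault)  # what an attacker gets from this host


class TokenAggregator:
    """Model 2: the user authenticates at the bank; the aggregator stores only
    the scoped token the bank handed back."""

    def __init__(self, bank):
        self.bank, self._tokens = bank, {}

    def link(self, username, token):
        self._tokens[username] = token

    def _session(self, username):
        return self.bank.session_from_token(self._tokens[username])

    def fetch_balance(self, username):
        return self.bank.read_balance(self._session(username))

    def privileges(self, username):
        return self._session(username)["scopes"]

    def breach_dump(self):
        return dict(self._tokens)  # leaks only revocable, read-only tokens


def demo(password="correct horse battery"):
    """Links alice to both aggregators and reports what each can do and leak."""
    bank = MockBank()
    bank.register("alice", password, 12_345)
    cred, tok = CredentialAggregator(bank), TokenAggregator(bank)
    cred.link("alice", password)                     # typed into the third party's form
    token = bank.issue_token("alice", password, {"read"})  # typed into the bank's page
    tok.link("alice", token)
    results = {
        "cred_balance": cred.fetch_balance("alice"),
        "token_balance": tok.fetch_balance("alice"),
        "cred_privileges": cred.privileges("alice"),
        "token_privileges": tok.privileges("alice"),
        "cred_leaks_password": password in cred.breach_dump().values(),
        "token_leaks_password": password in tok.breach_dump().values(),
    }
    bank.revoke(token)  # bank-side containment: no password change needed
    try:
        tok.fetch_balance("alice")
        results["token_after_revoke"] = "still works"
    except PermissionError:
        results["token_after_revoke"] = "cut off"
    results["cred_after_revoke"] = cred.fetch_balance("alice")  # replay unaffected
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the asymmetry the question is worried about: the credential-replay aggregator reads the balance, holds the `transfer` scope too, leaks the password from its vault on compromise, and keeps working after the bank revokes tokens, because the bank sees only ordinary password logins. The token aggregator reads the same balance but holds only `read`, leaks nothing reusable for a password login, and stops working the moment the bank revokes the token.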