Is Plaid safe to use?

790    Asked by Ankesh Kumar in SQL Server , Asked on Jul 19, 2021

I recently signed up for Privacy.com, which uses a service called Plaid to link a bank account. To do this, it requires the user to provide their banking username and password to a webpage from Plaid, not their bank. After that  Plaid accesses the user’s bank account with those credentials on the user’s behalf to get information. It provides an API for websites and apps to easily access this banking information. In addition to Privacy.com, plenty of other popular services use Plaid, including Venmo, Robinhood, and Coinbase.Despite its popularity, this service appears to break two "fundamental" Internet security rules:


Never give credentials to a third party. The standard is to redirect the user to a login page on the website of the service providing the login. Plaid doesn’t do this, instead of providing the login form on their own website. Even worse, Plaid allows services to embed the form in their websites (as an iframe). It’s not possible for casual internet users to tell the difference between this and an “unsecured” form on some random website, so this appears to be encouraging bad security practices. Worse still, Plaid provides a login page that looks very official, showing the bank logo and using the bank’s color scheme.

Never store passwords in plaintext. The only way for Plaid to access bank account details is with the password, and since my banking password was only required by Plaid once, they must be storing it in plaintext, or "encrypted" but convertible to plain text, so they can continue to use it to access my account.


The problem seems to be that most banks do not provide an API to retrieve customer data, so a service like Plaid (and all the services that use Plaid) simply wouldn't be possible without breaking these "fundamental" security rules. But I'm not convinced that's justification for breaking them. If it's not possible to do it securely, should it be done at all?


My confusion here is that all of these services are "legitimate". None of them are scams; they're all providing a valuable service and have a solid reputation. Plaid has raised billions in funding!


I would think with Plaid using bank logos to make their “fake” bank login forms look legitimate, banks would be after Plaid with lawsuits. But apparently, some of them are investors! On Plaid’s website Citi, American Express, and others are listed as investors. It appears that banks aren’t against this bad practice, and are, in some cases, actually encouraging it.


This makes me think that I might be missing something. Maybe Plaid has some special access to banking systems and it isn’t as bad as it seems. On the other hand, maybe Plaid’s reputation is held up only by the fact that they haven't been hacked yet. If (when) they are hacked it will be devastating since the worst-case scenario means the leaking of millions of users’ active bank usernames and passwords. Also, many banks don’t protect users if they knowingly gave their credentials to a third party, so a lot of people could lose a lot of money. But if that's the case, wouldn't banks be working to stop Plaid and protect their customers?


I think many of the services provided by Plaid are neat and would like to use them, but if my suspicious here are correct I don’t think I can do so while remaining secure. Of course, I hope I’m completely wrong here and Plaid has some way to operate securely.


So, does Plaid have some special access to banking systems, or is it using user passwords to log in to bank accounts, which requires storing them in plaintext (or convertible to plaintext) and convincing users to give their credentials to a third party, encouraging bad security practice? If it’s the latter, I’m afraid I’ll have to pass on Plaid services for now and consider my banking password compromised.

Answered by Ankit Chauhan

I want to point out that despite Plaids’ apparently honest attempts at security, their approach is a privacy nightmare, as you give full access to Plaid, to all and every single information your bank has on you, including loans, funds, investment accounts, credit card statements, etc. This makes Plaid differ substantially from other payment services, such as PayPal, as they only have your account number. If you don't believe me, here's their data collection description from their privacy statement (Effective Date: May 29, 2019, my italics):

  • “Information collected from your financial institutions. The information we receive from the financial institutions and other financial service providers that maintain your financial accounts varies depending on the specific Plaid services our developers use to power their applications, as well as the information made available by those institutions and providers. But, in general, we collect the following types of information from your financial institutions and other financial service providers:
  • Account information, including financial institution name, account name, account type, branch number, IBAN, BIC, and account and routing number;
  • Information about an account balance, including current and available balance;
  • Information about credit accounts, including statement due dates and balances owed, payment amounts and dates, transaction history, and interest rate;
  • Information about loan accounts, including due dates, balances, payment amounts and dates, interest rate, loan type, payment plan, and terms;
  • Information about investment accounts, including identifying details about assets, quantity, and cost basis;
  • Information about the account owner(s), including name, email address, phone number, and address information; and
  • Information about account transactions, including amount, date, type, quantity, price, involved securities, and a description of the transaction.
  • The data collected from your financial accounts include information from all your sub-accounts (e.g., checking, savings, and credit card) accessible through a single set of account credentials.”

To make matters even worse, they can share all that information with their customers, i.e. , the company that wants you to link with them. That means that when, e.g., your rent is paid via Plaid (my landlord uses a service that relies on Plaid), all of that information may be shared with that service! And while they, in turn, may not distribute that data further, you now have to trust another party that they are able to keep your data safe.Again, here's the relevant excerpt from that privacy statement that answering whether is plaid safe or not:“How We Share and Store Your Information We do not sell or rent end-user information to marketers or other third parties. But we do share end-user information with third parties as described in this Policy. For example, we share your information with the developer of the application you are using and as directed by that developer (such as with another third party if so directed by you). We also share your information:

With your consent;

  • With our service providers, partners, or contractors in connection with the services they perform for us or our developers;
  • If we believe in good faith that disclosure is appropriate to comply with applicable law, regulation, or legal process (such as a court order or subpoena);
  • In connection with a change in ownership or control of all or a part of our business (such as a merger, acquisition, reorganization, or bankruptcy);
  • Between and among Plaid and our current and future parents, affiliates, subsidiaries and other companies under common control or ownership; or
  • As we believe reasonably appropriate to protect the rights, privacy, safety, or property of you, our developers, our partners, or Plaid.”


So to conclude whether is plaid safe to use or not… Plaid uses the highest levels of security possible to keep your information safe. When you link your checking account with a financial application through Plaid, the company instantly encrypts sensitive data and shares it with the application using a secure connection. Plaid will also never share your login and password info with the linked financial application.

According to the Plaid website, the company uses these measures to keep your information secure:

  • End-to-end data encryption
  • Multi-factor authentication
  • Cloud infrastructure
  • Robust monitoring
  • Third-party security reviews






Your Answer

Interviews

Parent Categories