Plaid Deletes GitHub Issue Exposing Imitation of Bank Login UIs

169 pointssammnaser6y ago46 comments

Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid. This issue was addressed in this Github issue (archived from WaybackMachine): http://web.archive.org/web/20190415103059/https://github.com/plaid/link/issues/68

The Github issue has since been deleted, as shown here: https://github.com/plaid/link/issues/68. I'm hoping this isn't a repost, but this behavior seems ridiculous to me, and I'm hoping to bring it to wider attention (if it isn't already).

Edit: post flagged for some reason. Oh well.

46 comments

whockey6y ago

Hi all - co-founder of Plaid here. We're in the process of migrating this repository and replacing it with a dedicated iOS SDK repo, JS SDK, and (soon to be) Android SDK. However, I messed up the order of operations with this migration and can empathize with the reaction. I personally chatted with a lot of the commenters on the original issue before we did this and more than happy to engage/get feedback from anyone else over email/phone/in-person. Feel free to shoot me an email at william [at] plaid [dot] com if you want to chat/have any feedback.

bauerm976y ago

I don't think people are upset about the repo being "archived" and having lost access to the issue, per se. I think people are (justifiably) furious because you offer a product which is fundamentally insecure in it's current state and seem to refuse to fix it. And it's not that websites which are using your product are susceptible to attacks, but that a malicious website can impersonate your product and it will be indistinguishable from a legitimate site. Let that sink in. A malicious website can be indistinguishable from a legitimate customer of yours, and users WILL enter their banking information. That is the heart of people's completely justified outrage here, and it's baffling that anybody on your security team could have possibly signed off on this. If people on your security team don't see the problem here they should be immediately fired and never work in the security field again. You guys better have some really expensive lawyers, because it feels like you are being criminally negligent here and should absolutely be held liable when some users inevitably have their lives destroyed as a result.

lykr0n6y ago

Can we get a way where we can centrally manage linked accounts? I have at least 5 apps that use plaid and I should be able to go to your website and see what authorizations I have enabled and disable them.

whockey6y ago

Yes! We're actually working on something in this space that I'm really excited about. If you shoot me an email I can get you on the beta and would love your feedback!

2 more replies

temp1290386y ago

No offense, but I think we’d all be better off with open bank API standards in the US.

wexxx6y ago

Obviously. But why would banks ever do that? They see Robinhood, Lending Club, Venmo, etc as competitors. No way there going to open up API’s to them unless the government forces the banks to do it.

chrisgoman6y ago

So maybe Plaid will be what Venmo was to Zelle. I have been following this space for a while now. When Plaid came into the picture, it made Yodlee be more open. So maybe in 10 more years we will have open bank APIs.

They have been trying to get banks to have APIs for years with no luck -- ofx/ofc. Mint went their own way for scraping and Watsi died because they did NOT want to do scraping. I was actually surprised when 2 years ago Xero got a "direct integration with Wells Fargo. Synapse got some funding a couple of days ago one can certainly hope

ryanackley6y ago

Here's my main beef with Plaid: a lot of times when you use it as an end user you have no idea that you're giving one of Plaid's customers full history on all of your transactions, accounts, credit cards, loans, etc. Plaid presents you with a ToS that you will probably never read.

Compare that to something like "Sign-in with Google" or "Sign in with Github". They put it in plain english exactly what the website you are signing into is asking permission for and you explicitly say I'm ok with that.

amluto6y ago

I wonder if an enterprising attorney general could try to go after Plaid for CFAA violations. They are arguably making unauthorized, fraudulent access to banks’ computer systems.

diggan6y ago

Seems to have happened not because they deleted that specific issue but because they have disabled issues in general for that specific repository. Take a look at https://github.com/plaid/link and see there is no "Issues" tab. When doing that, it removes all existing issues.

RyJones6y ago

as an owner of multiple orgs, I dislike that I can't disable new issues while retaining history.

sammnaserOP6y ago

Indeed, I didn't notice that. In any case, the issue doesn't exist anymore, and the public discussion on this problem was wiped.

greenyoda6y ago

> Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid.

But it's even worse than that. They're training their users to ignore the security advice that their banks and other web providers have been trying to teach them for years, which makes them more vulnerable to phishing attacks. As one of the commenters on Github said[1]:

> This is horrible, horrible, horrible, horrible, horrible practice. Any malicious actor can copy your design and present a perfectly genuine-looking Plaid input form and gather bank credentials from victims. There's absolutely no way to tell whether a Plaid input form is genuine without examining the HTML source of the page, which is far beyond the ability of almost all users. What good is your $1000 EV cert and your brand's hard-won trust if the user just sees Wacky Joe's Discount Dolphin Assholes, secured by letsencrypt.org in the area of the address bar where we've been telling them to look for a trusted name for about the last decade?

The commenter's next paragraph also bears repeating:

> You guys need to get your act together and realize that you're not in the business of hosting Wordpress blogs or building marketing pages for the latest Barbie Rides Horses Again game somehow still coming out for the Nintendo DS. You collect bank credentials. Re-read the previous sentence. Do it again. Essentially my entire net worth is kept in my Schwab brokerage account which shares the same login as my Schwab checking account. If someone gets my Schwab credentials and I don't notice before they empty me out, my life is over. You simply cannot half-ass security best practices for the sake of UX convenience.

[1] https://web.archive.org/web/20190415103059/https://github.co...

karlding6y ago

You mentioned EV certificates, but are those actually still meaningful? Troy Hunt wrote a series of articles [0][1][2] about the perceived value of Extended Validation certificates, and concluded that they were essentially useless.

Does anyone else have additional data for/against EV certs nowadays?

[0] https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas...

[1] https://www.troyhunt.com/extended-validation-certificates-ar...

[2] https://www.troyhunt.com/paypals-beautiful-demonstration-of-...

buckminster6y ago

I completely agree, but having your life savings under the same login as your checking account is insanity. Maybe I'm overly paranoid but I wouldn't even log in to my broker from my phone.

greenyoda6y ago

You also might not want to keep your entire life savings in a single account. It's convenient, but also a single point of failure.

And if your life savings gets big enough, it might exceed the account balances that are protected by FDIC ($250K) or SIPC ($500K, I think).

rhizome6y ago

michaelckelly commented on Dec 7, 2018

@skierpage and @briangordon we appreciate your concerns, which is why our compliance team vets anybody who uses Link. As to malicious knock offs, this is a matter that most successful companies lookout for and deal with -- as we and our security team do.

This person should not be allowed to provide services that use bank APIs. Who should do the preventing? Banks.

temp1290386y ago

Plaid needs to be exposed as one of the most unethical companies in SV. If people are worried about online privacy then they should really be worried about a company that is so deceiving and makes it basically impossible to revoke permissions on something as sensitive as access to your bank account and transaction history once granted.

okigan6y ago

Looks like Betterment & Wealthfront use plaid, which could affect many on HN [1][2].

[1] https://www.quora.com/Why-doesnt-Betterment-or-Wealthfront-u...

[2] https://www.investmentnews.com/article/20190108/FREE/1901099...

jgalt2126y ago

probably so, but the if you look at all the large recent successes in SV, all of them have had serious moral and legal lapses. As they are well funded, and have powerful friends, they have thus far avoided jail time.

So my cynical view, is that Plaid is just playing a game of doing what works and has proven to work. I am not excusing their bad behavior, just trying to point out what's motivating it. Robbers will always rob, and cheaters will always cheat, but we as a society need to make it less profitable to rob and cheat--and not just for the lower classes, for the elites as well.

Rahm Emanuel wrote on this recently in The Atlantic, and then shortly thereafter took a well paid job in financial services. So I guess, more do as I say not do as I do.

https://www.theatlantic.com/ideas/archive/2019/05/middle-cla...

adrr6y ago

To revoke access change your bank password. My biggest concern with any of the bank api providers is who they use to scrape the banks. Most are offshore outside the reach of US law enforcement or court system.

robot6y ago

can you revoke by changing your password?

temp1290386y ago

I’m not sure, but does it matter?

I take issue with a product that markets to consumers as an easy way to authenticate for the purpose of pulling or pushing funds, but is actually authorizing developers to scrape years of transaction history in 20 minutes, my real time balance, my phone/email/address etc. without another level of permission. It’s disgusting.

I just wanted an alternative to microdeposits to prove to an app that I own a bank account, not give the app free range to steal all my bank data in the process of doing so.

1 more reply

csswizardry6y ago

Hah. This is the only company that has ever f—ked me over. I’m a self-employed consultant who flew out to SF to work with them and was told the gig was off the working-day before we were set to begin. My lawyer said I absolutely had a case but I’d need to be prepared to open an international lawsuit against them (I’m UK-based) and I just couldn’t muster the effort. They got away with it.

They also quite cheerfully asked me ‘Hey! Next time you’re in the area we’d love to look at working together?’ Classy.

wexxx6y ago

Not to downplay the security implications here, but Plaid has pretty much changed finance. It’s a straightforward case of trading security / privacy for functionality. Apps like Venmo, Robinhood, Wealthfront, and most every other financial startup would not exist without Plaid.

TheSpiciestDev6y ago

This is the first time I'm hearing of Plaid and is it actually something banks have signed-off on and are ok with? This whole thing looks to make for a bad precedence.

Aspos6y ago

Absence of open banking standards and regulation produces such monsters.

tzs6y ago

Since HN doesn’t turn URLs in text submissions into clickable links like it does in comments, here are the URLs given for your clicking convenience.

http://web.archive.org/web/20190415103059/https://github.com...

https://github.com/plaid/link/issues/68

BillinghamJ6y ago

I feel it's worth bearing in mind that this is normal to the point that the financial regulator in the UK standardised the activity as part of the EU-wide PSD2. It is being phased out in favour of open banking in the next couple of years, now that there's a requirement for more OAuth-like approaches. (In fact, Plaid just launched in the UK on the open banking APIs)

Banks are well aware that this is a thing and they're not that bothered.

If you want to see this improve, maybe push on US regulators to formalise it?

AnssiH6y ago

Here the Finnish Financial Supervisory Authority stated in Jan 2018 that this practice is not allowed:

https://www.finanssivalvonta.fi/en/regulation/interpretation...

homero6y ago

The scariest thing is whether they keep downloading transactions or just verify i own the account like they make you think they're doing.

carlineng6y ago

In today’s economy, data is the most valuable asset a company can own, and financial/transaction data is the holy grail. I would be very surprised if their current valuation could be justified purely on their subscription sales alone.

rishirishi6y ago

Hard delete of an issue over closing it or closing comments... for such a security sensitive issue... under the rug sweeping.

sschueller6y ago

Well, thanks to the fact that you can't delete anything off the internet it will still be presented as evidence in court some day.

This confirms to me that staying as far away as possible from plaid is the right move.

rishirishi6y ago

What would you recommend for ACH bank account verification?

1 more reply

Nursie6y ago

Plaid really do seem a little dodgy to me. In the UK they are effectively offering a PSD2-API forwarding service, which seems very much against the spirit of PSD2 and the open banking initiatives.

origamitang6y ago

It's very convenient. But also very expensive (maybe) The raw costs of getting an AISP licence are about £1000 in the UK... but that's ignoring all of the time and effort to understand PDS2, legals etc but $500+/month for Plaid to do it for you ? I'm not sure. Sounds avoidable like vendor lock in to me.

pbreit6y ago

Plaid is mainly US where PSD2 does not apply. Banks sometimes get together to work on these topics but it rarely goes well (see ofx/ofc). What more frequently happens is a company like Plaid forces it and then works with banks to satandardize.

reustle6y ago

I really hate that transferwise essentially requires me to use Plaid, yet they don't support RSA keys!

samcday6y ago

This is depressing. It feels to me like the number of tech unicorns that have been caught red handed doing something immoral/unethical/illegal is starting to outweigh the ones that haven't.

j / k navigate · click thread line to collapse

46 comments

whockey6y ago

bauerm976y ago

lykr0n6y ago

whockey6y ago

Yes! We're actually working on something in this space that I'm really excited about. If you shoot me an email I can get you on the beta and would love your feedback!

2 more replies

temp1290386y ago

No offense, but I think we’d all be better off with open bank API standards in the US.

wexxx6y ago

chrisgoman6y ago

ryanackley6y ago

amluto6y ago

I wonder if an enterprising attorney general could try to go after Plaid for CFAA violations. They are arguably making unauthorized, fraudulent access to banks’ computer systems.

diggan6y ago

RyJones6y ago

as an owner of multiple orgs, I dislike that I can't disable new issues while retaining history.

sammnaserOP6y ago

Indeed, I didn't notice that. In any case, the issue doesn't exist anymore, and the public discussion on this problem was wiped.

greenyoda6y ago

> Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid.

The commenter's next paragraph also bears repeating:

[1] https://web.archive.org/web/20190415103059/https://github.co...

karlding6y ago

Does anyone else have additional data for/against EV certs nowadays?

[0] https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas...

[1] https://www.troyhunt.com/extended-validation-certificates-ar...

[2] https://www.troyhunt.com/paypals-beautiful-demonstration-of-...

buckminster6y ago

I completely agree, but having your life savings under the same login as your checking account is insanity. Maybe I'm overly paranoid but I wouldn't even log in to my broker from my phone.

greenyoda6y ago

You also might not want to keep your entire life savings in a single account. It's convenient, but also a single point of failure.

And if your life savings gets big enough, it might exceed the account balances that are protected by FDIC ($250K) or SIPC ($500K, I think).

rhizome6y ago

michaelckelly commented on Dec 7, 2018

This person should not be allowed to provide services that use bank APIs. Who should do the preventing? Banks.

temp1290386y ago

okigan6y ago

Looks like Betterment & Wealthfront use plaid, which could affect many on HN [1][2].

[1] https://www.quora.com/Why-doesnt-Betterment-or-Wealthfront-u...

[2] https://www.investmentnews.com/article/20190108/FREE/1901099...

jgalt2126y ago

Rahm Emanuel wrote on this recently in The Atlantic, and then shortly thereafter took a well paid job in financial services. So I guess, more do as I say not do as I do.

https://www.theatlantic.com/ideas/archive/2019/05/middle-cla...

adrr6y ago

robot6y ago

can you revoke by changing your password?

temp1290386y ago

I’m not sure, but does it matter?

I just wanted an alternative to microdeposits to prove to an app that I own a bank account, not give the app free range to steal all my bank data in the process of doing so.

1 more reply

csswizardry6y ago

They also quite cheerfully asked me ‘Hey! Next time you’re in the area we’d love to look at working together?’ Classy.

wexxx6y ago

TheSpiciestDev6y ago

This is the first time I'm hearing of Plaid and is it actually something banks have signed-off on and are ok with? This whole thing looks to make for a bad precedence.

Aspos6y ago

Absence of open banking standards and regulation produces such monsters.

tzs6y ago

Since HN doesn’t turn URLs in text submissions into clickable links like it does in comments, here are the URLs given for your clicking convenience.

http://web.archive.org/web/20190415103059/https://github.com...

https://github.com/plaid/link/issues/68

BillinghamJ6y ago

Banks are well aware that this is a thing and they're not that bothered.

If you want to see this improve, maybe push on US regulators to formalise it?

AnssiH6y ago

Here the Finnish Financial Supervisory Authority stated in Jan 2018 that this practice is not allowed:

https://www.finanssivalvonta.fi/en/regulation/interpretation...

homero6y ago

The scariest thing is whether they keep downloading transactions or just verify i own the account like they make you think they're doing.

carlineng6y ago

rishirishi6y ago

Hard delete of an issue over closing it or closing comments... for such a security sensitive issue... under the rug sweeping.

sschueller6y ago

Well, thanks to the fact that you can't delete anything off the internet it will still be presented as evidence in court some day.

This confirms to me that staying as far away as possible from plaid is the right move.

rishirishi6y ago

What would you recommend for ACH bank account verification?

1 more reply

Nursie6y ago

Plaid really do seem a little dodgy to me. In the UK they are effectively offering a PSD2-API forwarding service, which seems very much against the spirit of PSD2 and the open banking initiatives.

origamitang6y ago

pbreit6y ago

reustle6y ago

I really hate that transferwise essentially requires me to use Plaid, yet they don't support RSA keys!

samcday6y ago

This is depressing. It feels to me like the number of tech unicorns that have been caught red handed doing something immoral/unethical/illegal is starting to outweigh the ones that haven't.

j / k navigate · click thread line to collapse