While it is bad and unethical to encourage sharing credentials, I really hope we don't continue to criminalize intermediary services that act on the user's behalf. Users should be able to use whatever products and services they want. If you don't want consumers to use third party tools then either improve your own tools or implement better security.
On the bright side it sounds like in the Power Ventures' case they did a few other things to sort of 'impersonate' Facebook in order to encourage users to use their product. So maybe things haven't escalated too far yet... the outcome of this & Plaid will certainly be interesting.
At a meta-level, using unethical as a qualifier seems like an attempt to bolster an argument without having to provide a logical argument. I think most discussions are cleaner without broaching the thorny topic of ethics. Such discussions usually devolve into ideological battles, which by HN guidelines, "trample curiosity".
If I choose to give my credentials to e.g. Mint to aggregate information for my own benefit, that's good because it was entirely my choice.
> Plaid's behavior works against the social norms that the majority of the tech community supports; in this case it deviates from the norm of keeping login information private.
But actually after re-reading the article, everything seems perfectly fine. The number of participants was only 12 who were all related in some fashion to Plaid employees & everything was pretty well disclosed. So the updated logical argument would be:
> Plaid's actions were limited in scope such that it had little chance of undermining norms regarding account login security. The purpose behind their actions was to increase the interoperability of their software and other software which is seen as a legitimate and net-positive goal in the software community.
It seemed like more of a disclaimer to avoid such ideological battles and deliver a nuanced view. "I agree the practice is shady, but..."
I really wanted to use mint, but couldn't bring myself to give away my bank password.
I resorted to writing my own tooling using puppeteer running on my machine to automatically login to my bank accounts and download the CSV exports of my transaction data for each bank. I then normalize that transaction data, and import the data into Lunch Money.
It was a pretty big hassle to write and get working reliably(ish), but I'm super happy now that it's done. Every 2-3 weeks I run the script, and 5 minutes later all of my transactions are available in Lunch Money. I have the peace of mind of knowing that I'm not exposing my banking credentials to random third parties.
Some companies like Azure use a different account name every time they bill me. I ended up having to regex the credit card transactions for that. Others have something completely nonsensical like "BS 03-6743-2266" (<- this was iTunes), or use a 3rd party processor that puts their own name in the transaction.
The real issue for me is getting itemized purchases to do categorization on. Stuff like restaurants are okay since everything is food, so I can just categorize the whole transaction. Amazon banned me and forced me to change my password while trying to grab my purchase history (and only my purchase history!). I was trying to grab it from email receipts but then I realized they don't send receipts for Subscribe & Save purchases (!).
I'd kill for something better, but for now it's this or manually enter every transaction or give up on financial responsibility.
I have been playing with the idea of doing something like this for a long time. But it seems like a huge job and I haven't been able to motivate myself towards it yet.
My bank even supports showing a lot of those spending stats as in Lunch Money, but it is entirely on their end and I'm not in control of it at all. I can look at the graphs and numbers in the app but I can't export or store it in any way.
I learned that this actually was what they were doing three years ago, and promptly complained to them, and was politely ignored (“Security is very important at POLi”… “Although it does not look like your traditional internet banking screen, the POLi interface is just as secure (if not more so)”…).
I’m baffled that the banks haven’t shut POLi down since it’s fundamentally predicated on ToS breaches, this man-in-the-middle attack and training users to do catastrophically stupid things, even including undermining 2FA (“give us your username and password; oh, looks like you have 2FA enabled, give us that token too?”). I complained to my bank (NAB) at the same time, and they said of using POLi Payments that “NAB does not suggest this course of action as this will be a breach of security” and that I should talk to POLi instead, as they “are unable to put a full block on this service as customers can still authorise transactions themselves at their own risk however NAB has advised in the terms and conditions of a breach this may cause”. In other words, they’re just covering their ears and ignoring it. Yet I’m sure they could block POLi without much difficulty if they actually wanted to, since all requests will be coming from POLi servers and are sure to be easily detectable (even their usage pattern would be trivial to detect). So why don’t they want to kill off this security menace?
Perhaps the worst part of it all is that Australia Post purchased POLi Payments some years back, thereby legitimising this abomination that should be terminated with prejudice.
Seriously, how do you end up with such a major player in the payments space being predicated around lies and evasion, terms-of-service violations and security malpractice? (And they even got exempted by ASIC from holding a financial services license.)
Another silly thing about it these days is that half the reason for the MitM attack (rapid confirmation that the transaction has taken place) is no longer needed, because almost all banks in Australia now support rapid transfers and linking email addresses to bank accounts, so they could just say “transfer the money to sales@example.com.au with description 12345” and reconcile it within a minute at least as an alternative to the MitM attack.
I usually pay for airlines with my credit card, now they aren't allowed to charge as large fees as they used to. Before that, I'd used BPay instead (which I still use for a lot of bills).
Yeah, and it's also the number two and three rules with bank passwords.
I sold Bitcoin for the first time a few months ago on Coinbase. Their only bank integration is via Plaid, and I did a double-take and noped the fuck out of that right away. It boggles my mind that's even a thing. Luckily I was able to get my money out via Paypal instead without too much hassle.
It's another tax on the poor, same as advertising. No service targeting sophisticated, wealthy people would use this. But if you have someone desperate for liquidity, of course they'll hand you the keys to their kingdom.
The default mechanism to transfer cash into Carta to exercise your options was with Plaid.
Now to be fair, you also had the option to use check routing numbers to perform the transfer. But I have to imagine that most people use Plaid without a second thought.
*if you log into a company system, with a company provided username and password, those credentials belong to the company
[0] https://www.ctvnews.ca/business/td-bank-files-lawsuit-agains...
Seems like this is going to wind up in court sooner rather than later.
If you trick someone into giving you their credentials and use them, how is that not the textbook definition of unauthorized access?
[1] Revised Directive on Payment Services (PSD2): https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...
In the US, I have to pass through so many rent seekers to move some digits over (Plaid, Stripe, and Visa/MasterCard). Meanwhile Europe has PSD2 now and China has AliPay/WeChat Pay. Even India, which in the past 3 months has unfortunately proven dysfunctional, has UPI, which is orders of magnitude better than what we have.
When has the US recently passed legislation or standards that foster innovation? (This is a serious good faith question - there seems to be a lot of govt grants for stuff like basic research, but a whiff of money churns out stuff like repealing net neutrality.)
The big kicker for me is Interac e-Transfers, where you simply log into your banking and can email (or text) money to anyone in the country - they click the link in the email/SMS they receive, log into their bank account, and choose where the money is deposited. We've had this system in place since at least 2014? Hell, I pay my rent and buy weed just by sending e-transfers; they're treated the same as cash and happen instantly. It reminds me of something that happened recently: I stumbled into a conversation with some of my American friends trying to figure out how the one person was going to pay the other >1000 miles apart; it was absolute lunacy listening to them decide between PayPal, Cash App, Venmo, etc., trying to figure out who had the lowest fees for both parties, factoring in the time it takes for the transaction to happen and transferring to/from their bank account if necessary. It's insane to me how the banking system underlying the world's largest economy is so far behind the times.
It's not instant. Transfers can be delayed for hours in some cases.
It has ridiculously low limits that cannot be raised.
Until recently it had a cumbersome question and answer system with strange character limits for each.
Virtually no businesses use it. You can buy weed (illegally) using it because they can't use credit card processing.
A revamp to the Interac system is in the works which looks similar to the UK faster payments. A frankly much better system.
https://www.theglobeandmail.com/business/article-interac-cho...
Really, the existing autodeposit feature would be perfect if it let you log in to your online banking and confirm pending transactions before autodepositing them. For that matter it would be nice if the email gave me a string I could paste into my online banking to get to the existing confirmation page.
It's all much better than having to link your bank account to some third party or give away your credentials though.
Even now you never have to enter a PIN in the US.
By the way I blame patents for this. Patents are a legal blockade on third party innovation. But that's how progress is made! Everyone copies everyone. You see something and you make a better version. Patents gum up the works and drive things to a standstill. They don't have this problem in China. Some people think investment won't happen without IP restrictions, but I think it will, just differently. There's no more unicorns and whales, but there's a lot more fish.
I'm hopeful we'll see all countries converge onto a similar pace of innovation and progress. Large countries/regions (as a simple proxy for population and access to raw resources) will hopefully reach this parity sooner than later. At that point, I also hope that 1 country/ideology will never be able to pull far ahead of another - short of some fluke breakthrough that can be kept secret.
If you take UPI, for instance, it's a fairly robust standard that has been developed by a non-governmental body that has been ruined by the regulator insisting that banks charge 0 transaction fees even for individuals that do a large number of transactions. This is because the regulator believes even a small fee will hamper adoption. This results in a relatively high failure rate because banks refuse to invest in servers and technologies that can handle the huge volume of transactions.
I am happy that technological standards are largely untouched by the government.
If anything is going to kill the US it will be something like the collapse of fair elections or the huge ballooning healthcare and education costs, not the payment rails.
If you think about it, the payments system is a 2+% sales tax! Levied by private corporations! I don't even have an alternative since by contract with Visa/MC stores can't provide a lower price for paying cash.
There's lots of good examples of regulated open banking. Europe has PSD2. Australia has the Consumer Data Right Act. Several other countries are now implementing open banking legislation: Brazil, Japan, Saudi Arabia, Mexico, Singapore, Hong Kong, India.
It would be great to see US on that list some day.
Having an act, and being able to use it in any useful manner, are two very different things.
From my understanding, banks are required to provide an API. Not a specific one - any API. Which means each bank has a different one and you need yet another rent seeker that aggregates those APIs.
That's on top of requiring specific, often outdated security mechanisms, so now every time I want to pay something with a credit card I have to do extra authentication, >1 GB of my phone's memory is filled just with bank auth apps (again, each bank has their own).
If anyone can implement such an aggregator, market competition should drive the cost of that close to zero soon enough.
Defining this is a job for industry bodies and suchlike, as is keeping it current. Lest we forget jokes like the 2020 Brexit agreement containing references to Netscape Navigator 4.0
What exactly does this mean? Other countries did not have a coronavirus wave?
> what exactly does this mean?
That our response to the current wave has been tragic.
> Other countries did not have a coronavirus wave?
Yes they did. However, we had the opportunity to learn from the tragic things that happened elsewhere and could have done stuff to prevent it/soften the blow but we didn't. The problem is not that we "allowed" another wave to happen, but that we allowed people to die due to a lack of oxygen and ICU beds.
Their motive may be different, but their actions just help make this sort of behaviour towards the vulnerable (i.e. non technically/security literate) easier to repeat by the more unscrupulous.
What a useless statement. That could mean anything.