How Plaid Reconciles Pending and Posted Transactions (plaid.com)
127 points by bjacokes on May 31, 2019 | 26 comments


It's encouraging to see Plaid making this level of effort to be accurate. It seems like it could be a viable alternative to Mint using something like https://github.com/yyx990803/build-your-own-mint (written by the author of Vue.js).

It's scary to think what would happen if one of these services (Mint, Personal Capital, Plaid) had a backend data breach. If they can log in to your financial sites, a breach would mean the attacker would be able to as well.


Isn't it more scary to think how many people are so cavalier with sharing their online banking credentials with a third-party app like Plaid?

I don't think enough people realize that when you authenticate with Plaid, even for apps that don't provide "Mint-like" functionality and have no need for your transaction history, you're giving that developer permission to pull your transaction history, personal information, account balance, etc. without any additional permission at any time.


This happens more often than most people realize.

Especially in the accounting tech space. Take a look at HubDoc (which Xero accounting acquired for ~70m) and their practices of asking accountants to share their clients' login credentials + challenge questions to every online service they want "automated" instead of using OAuth. Their FAQ even encourages this "Hubdoc will have all of the information it needs to connect and fetch your documents": https://support.hubdoc.com/hc/en-us/articles/360007260052-Wh...

As for bank feeds, no one has solved this the right way. Not even Plaid. Scrapers are not the answer. Maybe open banking standards like those already happening in Commonwealth countries? Or a Dropbox-like app that lives on the user's machine and that does all the scraping without giving away the login credentials to other actors.


"I was surprised the app I gave my banking credentials could read my transactions" seems like a weird complaint, considering there's not that much else legitimate you can do with them. I have concerns about Plaid/Mint/etc. being breached. Less so about the access they have.


It's not a weird complaint at all when it's being presented purely as a tool to facilitate money transfer in/out of your bank account.


If I'm trusting an app to literally take my money, them having access to transaction data should hardly be shocking.


You're giving Plaid and your average user way too much credit.

If the inherent trust is so obvious, then why would Plaid not include a very common step in authentication flows like FB and Google to explicitly tell users what they are agreeing to share with XYZ developer before submitting their credentials (which may be just a bank account number, but might also be transaction history, personal information, account balance, etc.)? They've purposefully omitted this step because conversion would almost certainly tank.


I've been playing around with Plaid the past few days and they very clearly list the permissions during authentication:

https://i.imgur.com/xNPTIzy.png

They even link to a dashboard that displays all the information you are sharing with developers:

https://my-sandbox.plaid.com/account

That said, I agree that the average user won't realize the implications. Additionally, revocation/deletion of the data requires emailing them.


I'm not sure I follow nor agree. When I go buy something at Target, they take my money but I in no way expect that Target would then be able to see my bank account balance nor all of my transaction history at every other place I shop.


"I'm swiping my card" versus "I'm entering my banking username/password" are very different authentication methods.


And yet, you are missing simple distinctions between authorization and authentication. You can authenticate with a separate identity provider. Every site that uses Google login does that. They don't get access to your Google account. You can also authorize specific things in your Google account. Some apps do that too, and they get restricted access to a folder in Google Drive, for example. Plaid doesn't follow any of these patterns. Instead, they show you a login screen that looks like your bank's login (same colours and everything), only that you are sending your credentials to Plaid. This is outright deception.


What does the authentication method have to do with anything? You stated that if an app "takes your money", then you expect it to have unfettered access to all of your financials? That's absurd, regardless of what information you put in.

If I give a valet the keys to my car, it is very clearly for them to drive it to and from a parking space, nothing else. It is not blanket approval for them to go take it on a joyride through the city. To defend them by saying "well you gave them the keys, what did you expect?" would be similarly absurd as defending Plaid et al.


> If they can log in to your financial sites, a breach would mean the attacker would be able to as well.

As an added bonus, banks may disclaim liability because you shared your credentials with a third party.


That's a good (although bad for the consumer) point. Are you aware of any examples of this happening?


Reading my terms of service I can see my bank explicitly having forbidden the sharing of credentials.

Not sure if there ever was a case they used this clause, though.


This mostly seems to be required because banks don't provide usable data properly. There should be a way to tie together authorisations and finalized transactions. Any API/interface that doesn't permit this is just broken.

Monzo's API includes a unique transaction ID as well as a timestamp to indicate when (if it has happened) the transaction 'settled'. The open banking APIs implemented by the CMA9 include a BookingDateTime and Status (Booked or Pending) and an immutable transaction ID. It's surely just common sense to do this.

Why is there no regulation to require banks expose a usable API in NA?
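An added example, not code from the commenter, Plaid or any bank: when a feed carries an immutable transaction ID plus a Status, as the comment above describes, reconciliation reduces to a keyed merge that can also flag integrity anomalies. The field names `TransactionId` and `Amount`, the helper names and all sample data are assumptions constructed for illustration; `Status` and `BookingDateTime` are the fields the comment names.

```python
from decimal import Decimal

# Constructed sample feeds. "Status" and "BookingDateTime" are named in the
# comment above; "TransactionId" and "Amount" are assumed field names.
def tx(tx_id, status, amount, booked):
    return {"TransactionId": tx_id, "Status": status,
            "Amount": amount, "BookingDateTime": booked}

SNAPSHOT_1 = [tx("tx-001", "Pending", "42.00", "2019-05-30T18:02:00+00:00"),
              tx("tx-002", "Booked", "9.99", "2019-05-29T09:15:00+00:00")]
SNAPSHOT_2 = [tx("tx-001", "Booked", "50.40", "2019-05-31T02:00:00+00:00"),
              tx("tx-002", "Booked", "9.99", "2019-05-29T09:15:00+00:00"),
              tx("tx-003", "Pending", "15.00", "2019-05-31T11:30:00+00:00")]
SNAPSHOT_3 = [tx("tx-001", "Pending", "50.40", "2019-05-31T02:00:00+00:00"),
              tx("tx-002", "Booked", "9.99", "2019-05-29T09:15:00+00:00")]

def reconcile(ledger, snapshot):
    """Merge one feed snapshot into ledger (dict keyed by TransactionId).

    Returns a list of (event, transaction_id) tuples describing what changed.
    """
    events, seen = [], set()
    for item in snapshot:
        tx_id = item["TransactionId"]
        seen.add(tx_id)
        old = ledger.get(tx_id)
        if old is None:
            events.append(("new", tx_id))
        elif old["Status"] == "Booked" and item["Status"] == "Pending":
            # A settled entry should never go back to pending: keep the
            # booked record and surface the anomaly instead of overwriting.
            events.append(("booked_reverted", tx_id))
            continue
        elif old["Status"] == "Pending" and item["Status"] == "Booked":
            same = Decimal(old["Amount"]) == Decimal(item["Amount"])
            events.append(("settled" if same else "settled_amount_changed", tx_id))
        elif old != item:
            events.append(("changed", tx_id))
        ledger[tx_id] = dict(item)
    # A pending hold missing from the newest snapshot was released, not settled.
    for tx_id in [k for k, v in ledger.items()
                  if k not in seen and v["Status"] == "Pending"]:
        events.append(("pending_dropped", tx_id))
        del ledger[tx_id]
    return events
```

Without a stable ID, the same merge has to guess matches from amount, date and merchant text, which is where a settled amount that differs from the hold becomes ambiguous.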


We don't have the whole story of their infrastructure and that a lot of Plaid's data sources are scraped and/or aggregated and repackaged in nonstandard ways. ACH and transaction tracking have been working fine for the last 20 years prior to a clever ML system.

Nacha ACH spec per BoA for example:

https://files.nc.gov/ncosc/documents/eCommerce/bank_of_ameri...


It's not exposed though, right? ACH is just for banks settling between themselves, is it not?

The entire point of OB and PSD2 is that any regulated company can get access to this data.


Why would a bank be required to expose this for a 3rd party commercial user?


As mentioned on another thread, the UK enforces such an API for the largest banks (it's voluntary for the others at the moment) https://www.openbanking.org.uk/

This is part of a wider "challenger bank" initiative. Creating space for smaller, usually digital only, banks to create more competition in the consumer banking market. This was thought to be especially important after the "too big to fail" crash. Directly breaking up the larger banks was never going to happen, so instead they created an environment where competition could (hopefully) flourish.


The US doesn't need more banks. The market is actually culling them dramatically: https://www.fdic.gov/bank/statistical/stats/2019Mar/FDIC.pdf (number of banks since 1990!)

From what I can tell there are 10x (about) as many "banks" in the US.


It should be required to pass it on to you and for you to seamlessly pass it on to any third party of your choosing.


In my mind the question is why wouldn't they be? It's your transaction data, you have many legitimate uses for it, why not require open access? It's like GDPR but for your bank records. The data's available now, it's just crap. Sometimes banks need a kick in the pants to straighten up.


Reminder that most banks still don’t provide an OAuth API for granting read-only access to your account info, so we end up with scraping data and problems like this to solve. Plus there is a ton of completely unnecessary risk created here by forcing users to furnish full access credentials to their bank accounts. It’s beyond stupid.


On the other hand, it's crazy to me that we're all talking about how evil Facebook is for selling the fact that I liked "Family Guy" 15 years ago but for some reason we're all OK cheerleading a company that literally enables real-time financial surveillance on unsuspecting users with a purposefully deceitful onboarding flow that hides any mention of what permissions you're actually providing and no simple way to revoke those permissions.


On the other other hand it literally takes 30 seconds to change your bank credentials so...



