Plaid Deletes GitHub Issue Exposing Imitation of Bank Login UIs

[+] whockey|6 years ago|reply

Hi all - co-founder of Plaid here. We're in the process of migrating this repository and replacing it with a dedicated iOS SDK repo, JS SDK, and (soon to be) Android SDK. However, I messed up the order of operations with this migration and can empathize with the reaction. I personally chatted with a lot of the commenters on the original issue before we did this and more than happy to engage/get feedback from anyone else over email/phone/in-person. Feel free to shoot me an email at william [at] plaid [dot] com if you want to chat/have any feedback.

[+] bauerm97|6 years ago|reply

I don't think people are upset about the repo being "archived" and having lost access to the issue, per se. I think people are (justifiably) furious because you offer a product which is fundamentally insecure in it's current state and seem to refuse to fix it. And it's not that websites which are using your product are susceptible to attacks, but that a malicious website can impersonate your product and it will be indistinguishable from a legitimate site. Let that sink in. A malicious website can be indistinguishable from a legitimate customer of yours, and users WILL enter their banking information. That is the heart of people's completely justified outrage here, and it's baffling that anybody on your security team could have possibly signed off on this. If people on your security team don't see the problem here they should be immediately fired and never work in the security field again. You guys better have some really expensive lawyers, because it feels like you are being criminally negligent here and should absolutely be held liable when some users inevitably have their lives destroyed as a result.

[+] lykr0n|6 years ago|reply

Can we get a way where we can centrally manage linked accounts? I have at least 5 apps that use plaid and I should be able to go to your website and see what authorizations I have enabled and disable them.

[+] temp129038|6 years ago|reply

No offense, but I think we’d all be better off with open bank API standards in the US.

[+] ryanackley|6 years ago|reply

Here's my main beef with Plaid: a lot of times when you use it as an end user you have no idea that you're giving one of Plaid's customers full history on all of your transactions, accounts, credit cards, loans, etc. Plaid presents you with a ToS that you will probably never read.

Compare that to something like "Sign-in with Google" or "Sign in with Github". They put it in plain english exactly what the website you are signing into is asking permission for and you explicitly say I'm ok with that.

[+] amluto|6 years ago|reply

I wonder if an enterprising attorney general could try to go after Plaid for CFAA violations. They are arguably making unauthorized, fraudulent access to banks’ computer systems.

[+] diggan|6 years ago|reply

Seems to have happened not because they deleted that specific issue but because they have disabled issues in general for that specific repository. Take a look at https://github.com/plaid/link and see there is no "Issues" tab. When doing that, it removes all existing issues.

[+] RyJones|6 years ago|reply

as an owner of multiple orgs, I dislike that I can't disable new issues while retaining history.

[+] sammnaser|6 years ago|reply

Indeed, I didn't notice that. In any case, the issue doesn't exist anymore, and the public discussion on this problem was wiped.

[+] greenyoda|6 years ago|reply

> Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid.

But it's even worse than that. They're training their users to ignore the security advice that their banks and other web providers have been trying to teach them for years, which makes them more vulnerable to phishing attacks. As one of the commenters on Github said[1]:

> This is horrible, horrible, horrible, horrible, horrible practice. Any malicious actor can copy your design and present a perfectly genuine-looking Plaid input form and gather bank credentials from victims. There's absolutely no way to tell whether a Plaid input form is genuine without examining the HTML source of the page, which is far beyond the ability of almost all users. What good is your $1000 EV cert and your brand's hard-won trust if the user just sees Wacky Joe's Discount Dolphin Assholes, secured by letsencrypt.org in the area of the address bar where we've been telling them to look for a trusted name for about the last decade?

The commenter's next paragraph also bears repeating:

> You guys need to get your act together and realize that you're not in the business of hosting Wordpress blogs or building marketing pages for the latest Barbie Rides Horses Again game somehow still coming out for the Nintendo DS. You collect bank credentials. Re-read the previous sentence. Do it again. Essentially my entire net worth is kept in my Schwab brokerage account which shares the same login as my Schwab checking account. If someone gets my Schwab credentials and I don't notice before they empty me out, my life is over. You simply cannot half-ass security best practices for the sake of UX convenience.

[1] https://web.archive.org/web/20190415103059/https://github.co...

[+] karlding|6 years ago|reply

You mentioned EV certificates, but are those actually still meaningful? Troy Hunt wrote a series of articles [0][1][2] about the perceived value of Extended Validation certificates, and concluded that they were essentially useless.

Does anyone else have additional data for/against EV certs nowadays?

[0] https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas...

[1] https://www.troyhunt.com/extended-validation-certificates-ar...

[2] https://www.troyhunt.com/paypals-beautiful-demonstration-of-...

[+] buckminster|6 years ago|reply

I completely agree, but having your life savings under the same login as your checking account is insanity. Maybe I'm overly paranoid but I wouldn't even log in to my broker from my phone.

[+] rhizome|6 years ago|reply

michaelckelly commented on Dec 7, 2018

@skierpage and @briangordon we appreciate your concerns, which is why our compliance team vets anybody who uses Link. As to malicious knock offs, this is a matter that most successful companies lookout for and deal with -- as we and our security team do.

This person should not be allowed to provide services that use bank APIs. Who should do the preventing? Banks.

[+] temp129038|6 years ago|reply

Plaid needs to be exposed as one of the most unethical companies in SV. If people are worried about online privacy then they should really be worried about a company that is so deceiving and makes it basically impossible to revoke permissions on something as sensitive as access to your bank account and transaction history once granted.

[+] okigan|6 years ago|reply

Looks like Betterment & Wealthfront use plaid, which could affect many on HN [1][2].

[1] https://www.quora.com/Why-doesnt-Betterment-or-Wealthfront-u...

[2] https://www.investmentnews.com/article/20190108/FREE/1901099...

[+] jgalt212|6 years ago|reply

probably so, but the if you look at all the large recent successes in SV, all of them have had serious moral and legal lapses. As they are well funded, and have powerful friends, they have thus far avoided jail time.

So my cynical view, is that Plaid is just playing a game of doing what works and has proven to work. I am not excusing their bad behavior, just trying to point out what's motivating it. Robbers will always rob, and cheaters will always cheat, but we as a society need to make it less profitable to rob and cheat--and not just for the lower classes, for the elites as well.

Rahm Emanuel wrote on this recently in The Atlantic, and then shortly thereafter took a well paid job in financial services. So I guess, more do as I say not do as I do.

https://www.theatlantic.com/ideas/archive/2019/05/middle-cla...

[+] adrr|6 years ago|reply

To revoke access change your bank password. My biggest concern with any of the bank api providers is who they use to scrape the banks. Most are offshore outside the reach of US law enforcement or court system.

[+] robot|6 years ago|reply

can you revoke by changing your password?

[+] csswizardry|6 years ago|reply

Hah. This is the only company that has ever f—ked me over. I’m a self-employed consultant who flew out to SF to work with them and was told the gig was off the working-day before we were set to begin. My lawyer said I absolutely had a case but I’d need to be prepared to open an international lawsuit against them (I’m UK-based) and I just couldn’t muster the effort. They got away with it.

They also quite cheerfully asked me ‘Hey! Next time you’re in the area we’d love to look at working together?’ Classy.

[+] wexxx|6 years ago|reply

Not to downplay the security implications here, but Plaid has pretty much changed finance. It’s a straightforward case of trading security / privacy for functionality. Apps like Venmo, Robinhood, Wealthfront, and most every other financial startup would not exist without Plaid.

[+] TheSpiciestDev|6 years ago|reply

This is the first time I'm hearing of Plaid and is it actually something banks have signed-off on and are ok with? This whole thing looks to make for a bad precedence.

[+] Aspos|6 years ago|reply

Absence of open banking standards and regulation produces such monsters.

[+] tzs|6 years ago|reply

Since HN doesn’t turn URLs in text submissions into clickable links like it does in comments, here are the URLs given for your clicking convenience.

http://web.archive.org/web/20190415103059/https://github.com...

https://github.com/plaid/link/issues/68

[+] BillinghamJ|6 years ago|reply

I feel it's worth bearing in mind that this is normal to the point that the financial regulator in the UK standardised the activity as part of the EU-wide PSD2. It is being phased out in favour of open banking in the next couple of years, now that there's a requirement for more OAuth-like approaches. (In fact, Plaid just launched in the UK on the open banking APIs)

Banks are well aware that this is a thing and they're not that bothered.

If you want to see this improve, maybe push on US regulators to formalise it?

[+] AnssiH|6 years ago|reply

Here the Finnish Financial Supervisory Authority stated in Jan 2018 that this practice is not allowed:

https://www.finanssivalvonta.fi/en/regulation/interpretation...

[+] homero|6 years ago|reply

The scariest thing is whether they keep downloading transactions or just verify i own the account like they make you think they're doing.

[+] carlineng|6 years ago|reply

In today’s economy, data is the most valuable asset a company can own, and financial/transaction data is the holy grail. I would be very surprised if their current valuation could be justified purely on their subscription sales alone.

[+] rishirishi|6 years ago|reply

Hard delete of an issue over closing it or closing comments... for such a security sensitive issue... under the rug sweeping.

[+] sschueller|6 years ago|reply

Well, thanks to the fact that you can't delete anything off the internet it will still be presented as evidence in court some day.

This confirms to me that staying as far away as possible from plaid is the right move.

[+] Nursie|6 years ago|reply

Plaid really do seem a little dodgy to me. In the UK they are effectively offering a PSD2-API forwarding service, which seems very much against the spirit of PSD2 and the open banking initiatives.

[+] origamitang|6 years ago|reply

It's very convenient. But also very expensive (maybe) The raw costs of getting an AISP licence are about £1000 in the UK... but that's ignoring all of the time and effort to understand PDS2, legals etc but $500+/month for Plaid to do it for you ? I'm not sure. Sounds avoidable like vendor lock in to me.

[+] pbreit|6 years ago|reply

Plaid is mainly US where PSD2 does not apply. Banks sometimes get together to work on these topics but it rarely goes well (see ofx/ofc). What more frequently happens is a company like Plaid forces it and then works with banks to satandardize.

[+] reustle|6 years ago|reply

I really hate that transferwise essentially requires me to use Plaid, yet they don't support RSA keys!

[+] samcday|6 years ago|reply

This is depressing. It feels to me like the number of tech unicorns that have been caught red handed doing something immoral/unethical/illegal is starting to outweigh the ones that haven't.

46 comments