Going Plaid: Would you give up your bank login credentials?
A service called Plaid wants to connect to your bank account with your username and password. What could possibly go wrong?
Another day, another Silicon Valley company that seeks to take a system that functioned and insert themselves into it, sucking out money as they go.
A few months ago I wrote about the Buy Now, Pay Later services that are like a reinvented version of the credit card, layaway, and payday lenders all at once, all in the service of helping you buy even more things you can’t afford.
And now, comes a service that completely detonates any sort of financial privacy you may claim to have.
It’s a service called Plaid. And while it may not be super new, it’s new to my radar, and unless I’m missing something, it seems supremely malevolent, massively risky, and contributes nothing beneficial to your life.
Sound neat? Read on.
Your online privacy is valuable, and it is yours to lose. Or give away.
When you give your credit card information and save it on a website, you are allowing them to hold onto, sell, and (potentially) steal your information, identity, and your money. Yes, they say they won’t use this information improperly, and I’m sure in many cases they mean well, but data hacks and privacy breaches are very common.
In fact, you can type in your email address to this site to see if you’ve been the subject of a data breach. Try it, it’s really eye-opening.
Any information you give out to companies, especially online, especially companies that don’t have a track record of security, is information that can be stolen and/or used against you.
For example: don’t like how many robocalls you get? Then why did you put your real number on all those forms you filled out?
Also, companies that require you to input your social security or credit card number on the phone, and then read it back to you over the line, have a special place in hell reserved for them.
But nowhere should you be more careful and cautious than with your bank account.
For most people, your checking account is the place where most of your money comes in and goes out. This needs to be protected at all costs. There should be no reason why you should ever have to give out your username and password to anyone else.
Plaid asks you to give them your username and password to your bank. Need I go on?
Making a withdrawal
So here’s how I came face-to-face with Plaid.
I had received a certain amount of cryptocurrency for some work I had done (don’t ask, it’s not that exciting) and my goal was to convert that into real money.
There aren’t a whole lot of ways to convert crypto into “dirty fiat” (as they call it), especially if you’re a U.S. citizen, but Coinbase seemed to be the least offending option, so I went with it.
But in order to “cash out”, you need to connect to an account where you can to cash out to.
So far, so normal.
I surveyed my options. I looked at wire transfer, but it carried a hefty fee of $25, so I discarded that on general principle. I looked at PayPal, but I got stuck in a verification loop where it wouldn’t accept the phone number I had on file, despite having used it for years.
But then I saw that there was a bank account option. That seemed simplest to me. It’s what I use when I want to withdraw money from my Ally savings accounts. Coinbase was, in effect, just another savings account, albeit with funny ticker names, crazy tax implications, and the whiff of desperation and get-rich-quick all over it.
So I went to connect my bank account to Coinbase.
And this is where the trouble began.
A new window opened, and I saw a modal pop-up, saying “Coinbase uses Plaid to connect your accounts”.
Now, I had never heard of Plaid, but whatever, I see a lot of logos when I go to pay for things. Samsung Pay, Apple Pay, Verified by VISA, I don’t really care about the mechanism as long as the money goes through seamlessly.
But then, on the next screen, things got weird.
Select your financial institution. Okay sure, my bank name isn’t a secret. I entered that in and pressed Next.
Then came the kicker. “Please enter your username and password.”
What in the ever-living…?
I immediately canceled out, thinking that I had gone down the wrong path. But I tried it again, and the same thing happened. I could not add my bank account unless I gave them my login credentials.
You can trust me
Coinbase said Plaid was a third-party service provider that could “facilitate bank account transfers”. They were quick to point out Coinbase would never have access to your account credentials.
But what about Plaid itself? According to their “how it works” page, they say that they “believe in collecting only what is needed” because our “financial information is both personal and powerful”. Furthermore, they use all sorts of confident-sounding terms such as “data encryption” “cloud infrastructure” and “independent security testing”.
But I have to say that reading all this put me in mind of those Joe Isuzu commercials from the 1980’s where an obvious liar was trying to sell cars, while the subtitles tell the truth beneath him.
As a poster on StackExchange pointed out:
“[D]espite Plaids apparently honest attempts at security, their approach is a privacy nightmare, as you give full access to Plaid, to all and every single information your bank has on you, including loans, funds, investment accounts, credit card statements, address, etc. This makes Plaid differ substantially from other payment services, such as PayPal, as they only have your account number.”
Meanwhile, here is a list of 68 of the biggest data breaches ever. You can bet that most of them also relied on “data encryption” and “independent security testing”.
But you can trust me. Or my mother will be struck by lightning.
Why has it come to this
I’ll quote from another poster on that same StackExchange post who points out something I didn’t realize:
“Financial systems in the US almost never support any sort of federation or open banking APIs. There is no regulatory requirement or incentive for them to do so. There is no financial incentive for them to do so, as permitting 3rd parties to incorporate their data into value-added services does not benefit them, and may harm them if the 3rd party is chosen over homegrown value-added services.”
So there you have it.
Isn’t there a better way?
People have been linking accounts for years now. If you’ve ever had two very small deposits put into your account (say, $0.16 and $0.07) and had to verify them back, then congrats, you’ve alleviated the need for a service like Plaid.
In general, any service that requires you to give out your password to another site in order to use, should pretty much go die a painful death. And you, needless to say, should never, ever, give out a password to any site, especially not a financial institution.
Securing your financial information is just as important as securing your money.
And, as for my personal situation, I was able, somehow, to link my debit card without needing Plaid. So I got my money in the end, no massive financial security breach necessary.