201

I recently signed up for Privacy.com, which uses a service called Plaid to link a bank account. To do this, it requires the user to provide their banking username and password to a webpage from Plaid, not their bank. Then, Plaid accesses the user’s bank account with those credentials on the user’s behalf to get information. Plaid provides an API for websites and apps to easily access this banking information.

In addition to Privacy.com, plenty of other popular services use Plaid, including Venmo, Robinhood, and Coinbase.

Despite the popularity, this service appears to break two "fundamental" Internet security rules:

  1. Never give credentials to a third party. The standard is to redirect the user to a login page on the website of the service providing the login. Plaid doesn’t do this, instead providing the login form on their own website. Even worse, Plaid allows services to embed the form in their websites (as an iframe). It’s not possible for casual internet users to tell the difference between this and an “unsecured” form on some random website, so this appears to be encouraging bad security practice. Worse still, Plaid provides a login page that looks very official, showing the bank logo and using the bank’s color scheme.
  2. Never store passwords in plaintext. The only way for Plaid to access bank account details is with the password, and since my banking password was only required by Plaid once, they must be storing it in plaintext, or "encrypted" but convertible to plain text, so they can continue to use it to access my account.

Plaid login screen example

The problem seems to be that most banks do not provide an API to retrieve customer data, so a service like Plaid (and all the services that use Plaid) simply wouldn't be possible without breaking these "fundamental" security rules. But I'm not convinced that's justification for breaking them. If it's not possible to do it securely, should it be done at all?

My confusion here is that all of these services are "legitimate". None of them are scams; they're all providing a valuable service and have a solid reputation. Plaid has raised billions in funding!

I would think with Plaid using bank logos to make their “fake” bank login forms look legitimate, banks would be after Plaid with lawsuits. But apparently some of them are investors! On Plaid’s website Citi, American Express, and others are listed as investors. It appears that banks aren’t against this bad practice, and are, in some cases, actually encouraging it.

This makes me think that I might be missing something. Maybe Plaid has some special access to banking systems and it isn’t as bad as it seems. On the other hand, maybe Plaid’s reputation is held up only by the fact that they haven't been hacked yet. If (when) they are hacked it will be devastating, since the worst case scenario means the leaking of millions of users' active bank usernames and passwords. Also, many banks don’t protect users if they knowingly gave their credentials to a third party, so a lot of people could lose a lot of money. But if that's the case, wouldn't banks be working to stop Plaid and protect their customers?

I think many of the services provided by Plaid are neat and would like to use them, but if my suspicions here are correct I don’t think I can do so while remaining secure. Of course, I hope I’m completely wrong here and Plaid has some way to operate securely.

So, does Plaid have some special access to banking systems, or is it using user passwords to log in to bank accounts, which requires storing them in plaintext (or convertible to plaintext) and convincing users to give their credentials to a third-party, encouraging bad security practice?

If it’s the latter, I’m afraid I’ll have to pass on Plaid services for now and consider my banking password compromised.

gfrung4
  • 29
    I wish I had asked this question about Plaid years ago. And I finally came here just now to write this question, and you have done a PERFECT job writing it already. Thanks. – Ryan Jul 17 '19 at 14:29
  • 12
    My comment doesn't address your security question, but it does address your decision to pass on Plaid. Our company switched to Plaid via Expensify, and many of us had the same concern about security. However, in the Plaid UI when linking your bank account, you can close the "select your bank" dialog using the "X" in the upper-right corner, and then you'll be presented with a new option to add your account "manually". At this point, you are only prompted for normal ACH info (routing and account numbers). I suspect this option is intentionally hidden. Hope this helps. – Jared Dec 10 '19 at 01:58
  • 4
    @Jared That is interesting. I don't see that option with waveapps.com (which now uses Plaid). I really don't like the Plaid model and won't be using Wave, Mint, or other services that rely on me sharing a plaintext password with a 3rd party. That takes *so* much trust that they're *super* secure *and* well-meaning. – Ryan Jan 06 '20 at 00:51
  • I've asked a related question: https://softwarerecs.stackexchange.com/q/71524/14834 – Ryan Jan 07 '20 at 02:11
  • @Jared Thank you, this works perfectly in Expensify, e.g. – Guillermo Angeris Feb 21 '20 at 20:00
  • 4
    I just want to point out another downside of using a service like this. Nowadays many brokers (e.g. Vanguard) have adopted a policy that they will reimburse you for unauthorized activity in your account. However, to obtain this protection you have to abide by certain practices, and one is not giving your password to others. If there is a breach of Plaid (or a similar service like Yodlee) and your account is compromised as a result, they will not reimburse you for any stolen funds. That could be a very costly error. – Stephen Feb 23 '21 at 04:56
  • 14
    [TD Bank has now filed a lawsuit accusing Plaid of duping its customers.](https://www.ctvnews.ca/business/td-bank-files-lawsuit-against-plaid-accusing-it-of-trying-to-dupe-consumers-1.5145326) – cschroed Apr 14 '21 at 16:11
  • 12
    It is completely crazy for all these financial institutions to allow and cooperate with Plaid to do this. This is just insanity plain and simple. – stackoverblown Apr 15 '21 at 12:15
  • 2
    For Robinhood I entered a fake bank name into the Plaid search and it allowed me a fallback option to enter the Routing and Account numbers the traditional way, so I seem to have avoided Plaid for now - although I had to agree to their privacy policy to get through the form. – JHS Apr 21 '21 at 02:03
  • coinbase has that trick locked out – gseattle Apr 25 '21 at 05:26
  • Visa tried to buy Plaid for $5.3 billion to gain that juicy access into the inside of every detail of people's bank accounts but nixed by US DOJ Jan 2021. – gseattle Apr 25 '21 at 05:46
  • I tried to sign up for a service but was asked to go through Plaid to link my bank account. Needless to say I declined. My bank accuses Plaid of screen scraping customer data that they aren't supposed to have access to. – Stack Undefined May 16 '21 at 03:39
  • 3
    Adding insult to injury is that many companies that ask you to use plaid ask you to do it *in their app*. Where you have no idea if the credentials you are entering are going straight to the plaid website via SSL, or being logged/harvested/leaked due to maliciousness or incompetence. – aggieNick02 May 28 '21 at 17:58
  • Plaid is not the only company providing such service. Flinks is another example. Better generalize your question beyond Plaid. – abbr Oct 22 '21 at 23:48
  • 1
    @abbr Notice this question was written in 2018. Flinks was not available at this time. From what I can see on The Wayback Machine, their website (flinks.com) only became theirs about a year ago. I don't keep track of everything I've posted online and go back to update it when new companies form. Luckily, this is a community site, so anyone can edit this post! I would not oppose someone changing it to something like "Are services that collect user’s banking login information, like Plaid and Flinks, safe to use?" and adjusting the question body to match, including some details on Flinks. – gfrung4 Oct 25 '21 at 13:11
  • 1
    @abbr I notice you asked a question a few days ago about Flinks and were redirected here. You may not have found this question originally because it does not contain the text "Flinks", so you missed it in a search. This question has become somewhat popular, and I agree it would be valuable to have it at least say Flinks somewhere so others can find it when searching for that service, assuming the concerns expressed here are the same for Flinks. If Flinks is different, it should have its own question. I don't know much about it, so I'd appreciate if someone who does could weigh in on that. – gfrung4 Oct 25 '21 at 13:12
  • 1
    @gseattle: please cite your source ([Visa Abandons Planned Acquisition of Plaid After DOJ Challenge](https://www.wsj.com/articles/visa-abandons-planned-acquisition-of-plaid-after-doj-challenge-11610486569)) and clarify what you mean by "coinbase has that trick locked out". I was able to get Coinbase to link my bank via the two-deposits verification method by clicking the `x` button in the Plaid pop-up after searching for my bank and not entering the user/password. – Dan Dascalescu Nov 10 '21 at 13:50
  • I also want to point out that, while it looks similar to features like "log in with Google", technologically it is way different. With "log in with Google", you are supplying your credentials to Google, who is then sharing portions of data (that you control) with the third party application, that Google has identified and is working with. What is happening with Plaid, is that you are giving your bank credentials to Plaid, and Plaid controls what happens to them. – matt forsythe May 28 '22 at 07:08

4 Answers

104

I want to point out that despite Plaid's apparently honest attempts at security, their approach is a privacy nightmare, as you give Plaid full access to each and every piece of information your bank has on you, including loans, funds, investment accounts, credit card statements, address, etc. This makes Plaid differ substantially from other payment services, such as PayPal, which only have your account number.

If you don't believe me, here's their data collection description from their privacy statement (Effective Date: February 22, 2021, my italics):

Information we collect from your financial accounts. The information we receive from the financial product and service providers that maintain your financial accounts varies depending on a number of factors, including the specific Plaid services developers use, as well as the information made available by those providers. But, in general, we collect the following types of identifiers, commercial information, and other personal information from your financial product and service providers:

  • Account information, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, account number, routing number, and sort code;

  • Information about an account balance, including current and available balance;

  • Information about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;

  • Information about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;

  • Information about investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;

  • Identifiers [NB: SSN?] and information about the account owner(s), including name, email address, phone number, date of birth, and address information;

  • Information about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction; and

  • Professional information, including information about your employer, in limited cases where you’ve connected your payroll accounts or provided us with your pay stub information.

  • The data collected from your financial accounts includes information from all accounts (e.g., checking, savings, and credit card) accessible through a single set of account credentials.

Also note how the scope of the information collected has expanded over time, by looking at the previous revisions of this answer.

To make matters even worse, they can share all that information with their customers, i.e., the company that wants you to link with them. That means that when, e.g., your rent is paid via Plaid (my landlord uses a service that relies on Plaid), all of that information may be shared with that service! And while they, in turn, may not distribute that data further, you now have to trust another party that they are able to keep your data safe.

Again, here's the relevant excerpt from that privacy statement (again, my italics):

How We Share Your Information

We share your End User Information for a number of business purposes:

  • With the developer of the application you are using and as directed by that developer (such as with another third party if directed by you);

  • To enforce any contract with you;

  • With our data processors and other service providers, partners, or contractors in connection with the services they perform for us or developers;

[...]

  • In connection with a change in ownership or control of all or a part of our business (such as a merger, acquisition, reorganization, or bankruptcy);

  • Between and among Plaid and our current and future parents, affiliates, subsidiaries and other companies under common control or ownership;

  • As we believe reasonably appropriate to protect the rights, privacy, safety, or property of you, developers, our partners, Plaid, and others; or

  • For any other notified purpose with your consent.

Dan Dascalescu
Ilikeprivacy
  • 29
    I can't believe this is legal and that banks allow this! – tobiv Oct 16 '19 at 14:27
  • 26
    It is a security nightmare, I agree. To make matters worse, if you have trouble linking your bank, this is what they encourage: "If you receive the error message “Error: Please disable the added/extra security placed on the account,” you’ll need to either disable the two-factor verification setting on your bank account, or contact your bank to make sure there isn’t a problem with your online banking profile." – A Friend Sep 05 '20 at 00:56
  • 13
    [There's now a class action lawsuit against Plaid related to these privacy concerns.](https://www.natlawreview.com/article/it-s-getting-real-five-pending-lawsuits-against-plaid-inc-get-consolidated) – cschroed Apr 14 '21 at 16:17
  • 7
    @cschroed Good! I don't understand how Plaid was ever even allowed to get customers' logins and passwords in the first place. It completely flies in the face of basic internet security. – stackoverblown Apr 15 '21 at 12:12
  • 5
    "We do not sell or rent end user information to ... third parties ... we do share end user information with third parties ... [in the case of reorganization like giving Juan a new title] ... and other companies". I don't blame evil for testing us, it's their job, I blame us for not passing the test – gseattle Apr 25 '21 at 03:22
  • I've asked Plaid for the data they have on me. The result was [completely useless](https://softwarerecs.stackexchange.com/questions/71524/accounting-software-or-web-app-with-automatic-import-without-me-sharing-my-finan/81197#81197). – Dan Dascalescu Jan 18 '22 at 12:29
64

So, does Plaid have some special access to banking systems, or is it using user passwords to log in to bank accounts, which requires storing them in plaintext (or convertible to plaintext) and convincing users to give their credentials to a third-party, encouraging bad security practice?

Plaid, and many other services (Mint comes to mind), are storing your passwords and sometimes security questions in an accessible (hopefully, reversible encryption, not plaintext) format.

Is this poor security practice? Yes.

Is there a realistic alternative? No.

Financial systems in the US almost never support any sort of federation or open banking APIs. There is no regulatory requirement or incentive for them to do so. There is no financial incentive for them to do so, as permitting 3rd parties to incorporate their data into value-added services does not benefit them, and may harm them if the 3rd party is chosen over homegrown value-added services.

The good that can be said of Plaid is that by providing a standard middleman service that's used by multiple front-ends and trusted by significant back-ends, they're reducing the number of people trying to re-invent that particular wheel. With no particular evidence, I'd rather someone specialize in this dirty job, if it needs to be done.

You, the consumer, are left with the choice of participating in this less-secure practice, and getting value-added services and inter-operation between accounts, or avoiding these services and the benefits they may offer. Enjoy!

(Actually, with Privacy.com, you have another option - you can link your back-end bank account as an ACH source using your bank routing number and account number. You may need to contact support to set it up, but it is an option. That's about as insecure as writing a check.)


Rant:

It's ridiculous. Wells Fargo, for example, allows you to create read-only sub-accounts - exactly what we'd want if we're handing credentials off to a 3rd party! However, those sub-accounts cannot be used with 3rd parties, because of the way their authentication is set up. It's like banging your head against gravel, looking for a financial that has a well-thought-out security and inter-operability model.

I understand that Capital One is actually trying to do this right, but haven't played with it myself.


Minor update, 2021: Improved movement towards APIs, in part because it will allow banks to limit what information a third party has access to. Interesting article here.

gowenfawr
  • 2
    What about... I pair my Bank account with Coinbase, transfer money and then change the Bank password? I assume, if someone breaks into Plaid he would get an old password, so I guess it's safe. – Ish Thomas Jan 25 '19 at 02:56
  • 4
    @IshThomas That would protect your account, but be careful, as it will likely lock you out of your account - because Plaid will keep trying to log in with the old password and failing. Better to delete the account from Coinbase before changing the password. (I speak from experience, I did this to myself, I had to change my bank username to get my account unlocked (and stay unlocked) again.) – gowenfawr Jan 25 '19 at 13:43
  • 4
    Oh wow. Thanks for the tip! I wouldn't think that's even the danger. Why wouldn't you force the user to reauthenticate? That's so stupid – Ish Thomas Jan 26 '19 at 04:10
  • 5
    @IshThomas the entire episode reinforced my belief that banks are idiotic. They log user-agent string of bad attempts for me to see. I asked them for the source IP of the bad attempts so I could ensure it wasn't one of my many computers; they refused, said they would release on warrant or would *show* me if I came into the branch but couldn't *give them* to me. They opened a "fraud case" based on my call, but then wouldn't allow me to rename the account because no changes are possible with an open fraud case... It was a nightmare. – gowenfawr Jan 26 '19 at 15:00
  • 6
    @gowenfawr But at least in this case, Plaid seems to be idiotic too. Retrying an authentication attempt that fails is just asking for trouble. It's possible that the banks have backed them into this by providing ambiguous error responses, some of which are legitimately retry-safe, but even then Plaid should be using more caution to avoid this worst case scenario. – GrandOpener Mar 22 '19 at 14:00
  • @GrandOpener In my experience Plaid does not re-try authentication when an incorrect credentials response is received. This is based on experience of having worked with their APIs for several years. – toddg Dec 04 '19 at 16:23
  • 1
    Yes, there is a realistic alternative. That's the whole point of OAuth. To connect a bank account you'd authenticate with your bank and your bank then sends a unique secure auth token to the service you are using. Really backward the way it's being done. Should be illegal. Or at the very least, the bank should let you generate a secure token that can then be added to the service. Passing usernames/passwords? Who thought of this? Especially for banking?! Can't believe it's a thing – a5af Mar 07 '21 at 18:23
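The answer above says aggregators keep the bank password in a reversible form, a5af's comment asks for OAuth-style delegation instead, and gowenfawr's comment describes the lockout that follows when the stored password goes stale. This added Python model (constructed for this page, not Plaid's or any bank's code; the Bank class, lockout threshold, passwords and scopes are hypothetical) plays through both designs so the difference in breach impact and in password-change behaviour can be checked.

```python
from dataclasses import dataclass, field
import secrets

LOCKOUT_THRESHOLD = 3  # constructed: the bank locks the login after 3 failures


def xor(key, data):
    # Stand-in for "reversible encryption", NOT a real cipher: vault + key = plaintext.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class Bank:
    """Hypothetical bank: password login plus an OAuth-style scoped token API."""
    password: str
    failed_logins: int = 0
    locked: bool = False
    tokens: dict = field(default_factory=dict)  # token -> "read" or "transfer"

    def login(self, password):
        # Password login grants full access; failures count toward lockout.
        if self.locked:
            return False
        if password == self.password:
            self.failed_logins = 0
            return True
        self.failed_logins += 1
        self.locked = self.failed_logins >= LOCKOUT_THRESHOLD
        return False

    def issue_token(self, scope):
        # Delegated access, issued only after the user authenticates at the bank.
        tok = secrets.token_hex(16)
        self.tokens[tok] = scope
        return tok

    def api(self, tok, action):
        # The bank enforces the scope it granted: a "read" token cannot transfer.
        scope = self.tokens.get(tok)
        return scope is not None and (action == "read" or scope == action)


class CredentialAggregator:
    """Keeps the user's bank password (reversibly) to log in on their behalf."""
    def __init__(self):
        self.key, self.vault = secrets.token_bytes(16), {}

    def link(self, user, bank, password):
        if bank.login(password):
            self.vault[user] = xor(self.key, password.encode())
        return user in self.vault

    def sync(self, user, bank):
        # Periodic refresh: logs in again with the stored password, every time.
        return bank.login(xor(self.key, self.vault[user]).decode())

    def breach(self):
        # What an attacker who copies the vault and its key obtains.
        return {u: xor(self.key, c).decode() for u, c in self.vault.items()}


def password_change_locks_account(unlink_first):
    """Replays gowenfawr's lockout: the bank password changes while the
    aggregator still holds the old one and retries it on every sync."""
    bank, agg = Bank("old-password"), CredentialAggregator()  # constructed
    agg.link("alice", bank, "old-password")
    if unlink_first:
        agg.vault.pop("alice")  # delete the link before changing the password
    bank.password = "new-password"
    for _ in range(5):
        if "alice" in agg.vault:
            agg.sync("alice", bank)
    return bank.locked


def breach_impact():
    """Compares what a breach of each design lets an attacker do at the bank."""
    bank, cred = Bank("old-password"), CredentialAggregator()
    cred.link("alice", bank, "old-password")
    # The token-based third party stores nothing but the scoped token the bank issued.
    leaked_tok = bank.issue_token("read")
    leaked_pw = cred.breach()["alice"]
    result = {
        "password_recovered": leaked_pw == "old-password",
        "password_gives_full_login": bank.login(leaked_pw),
        "token_can_transfer": bank.api(leaked_tok, "transfer"),
    }
    bank.tokens.pop(leaked_tok)  # bank-side revocation; no password change needed
    result["token_works_after_revoke"] = bank.api(leaked_tok, "read")
    return result
```

Running `password_change_locks_account(False)` reproduces the lockout (the aggregator's stale password trips the threshold), while `breach_impact()` shows the leaked password is a full login but the leaked token is read-only and dies on revocation.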
1

Plaid has become safer to use with their my.plaid.com portal (in beta as of November 2021), which you can use to manage your connections.

You need to sign up with your phone number, and Plaid will tell you right away if it has any connections linked to it. (I did attempt to sign up and got "We didn’t find apps or accounts connected to XXXX", even though it's the number I use with all my financial institutions, and I do recall giving up on the safer microdeposits option due to time constraints once.)

You can also send a data access or deletion request.

I went through Plaid's access request procedure to see what data Plaid had on me. TL;DR - completely useless.

They had an... interesting KYC process. It requested only sane PII (ID but with the address obscured; no SSN) but not so sane data:

"A complete list of financial institutions (e.g., banks or brokerage firm names) you have currently or previously connected via Plaid."

So they were requesting what I was trying to find out. I've been using all sorts of financial apps for many years. How could I possibly provide a complete list of those I've ever connected via Plaid? Also, they asked for all of this, including the picture of the ID, over insecure email. No secure dropbox was provided.

In the end I received an archive with my data. It was in JSON format (which may be slightly cryptic for those less technical), and... completely useless.

The data Plaid had on me was my own bank accounts. Thank you very much, I know about those. What I wanted to know is what other financial apps and services knew about me, but that was completely missing.

All in all, requesting my data from Plaid was a giant waste of time.

Dan Dascalescu
  • 1
    Thank you for this description of your experiences, but it leaves me puzzled over one thing: you begin by saying "Plaid has become safer to use with their my.plaid.com portal..." but the remaining paragraphs are all about ways that it seems useless at best, while introducing additional risks. Furthermore, given what you report about how it handles access requests, is there any reason to think that deletion requests will be effective, useful and in compliance with data protection laws? It is not clear to me how my.plaid.com has made things safer. – sdenham Feb 19 '22 at 13:32
  • I don't have enough cred to answer, but yes, you are correct that the data is basically just your transactions. They are hoping other companies can put that information to more detailed use. A lot of the banks offer OAuth integrations nowadays, but I'd guess about 10% of banks do not have and may not ever be bothered to provide an auth mechanism that doesn't involve you sliding the password. Check out the API docs for the Plaid Linker for a lot more information on how this process works. You can scope down access rights nowadays, and changing your password will disrupt Plaid's access. – Scott Simontis Dec 31 '22 at 00:11
  • If it is kind enough to let me post links, this is the Linker I was referring to. It is responsible for the login and authorization workflow to connect accounts. https://plaid.com/docs/link/ – Scott Simontis Dec 31 '22 at 00:11
-9

Yes, Plaid is safe. They don't store the password, they create a "bank relation" between the bank account and the service that is using Plaid with tokens. And if the customer changes his bank account password, the bank notifies Plaid of this NOC (notice of change), and you will have to reauthenticate on the Plaid link to get your bank account relation reconnected.

  • 20
    Can you provide references to the information that they use tokens, not passwords? That would certainly be the _ideal_ way for them to do things, but other than services like Plaid, there is little indication that banks are willing/able to provide such tokens to third party services. – GrandOpener Mar 22 '19 at 14:19
  • 17
    I believe the Plaid "tokens" you see referred to are the arbitrary token Plaid generates and hands to the business that is using Plaid as a middleman; the business will then use that token to tell Plaid which bank account to access (which Plaid will then access using the stored credentials they have, in most cases). So, yes, tokens exist, but not between Plaid and the banks; between Plaid's customers and Plaid. – gowenfawr Mar 22 '19 at 14:32
  • 5
    I don't buy that for a second. They [claim that](https://plaid.com/financial-institutions/) "Plaid supports ~9,600 financial institutions in the U.S. and Canada - from national banks to local credit unions." There's no way they integrated with each individual institution using some sort of token exchange. I'd bet that a lot of the smaller banks and credit unions have no dev team to speak of and wouldn't be able to implement such systems. – Glyoko Oct 02 '19 at 17:53
  • I love that everyone downvoted the actual correct answer. SMH I happen to know the CTO of Plaid and have talked with him about this. @Glyoko they reverse engineer the mobile apps to allow them to create access tokens. So while they do use your password to create the original token, they don't need it after that. And that's how they offer so many institutions, even easier when many of the institutions use the same third-party mobile access systems. – Todd Dabney Sep 16 '20 at 20:00
  • 11
    @ToddDabney - as the CEO of an identity provider (FusionAuth) that works with many banks, I have a hard time believing this. There isn't some magical "token" that every mobile application uses. Some use server-side sessions in fact and those tokens expire quickly. Some use JWTs which similarly expire quickly. Very few banks use refresh tokens or other long lived tokens because of the security risks. Claiming that Plaid reversed engineered 10,000 mobile apps and somehow figured out how to generate long-lived tokens is extremely hard to believe. I'll believe it when Plaid publishes it. – voidmain Sep 17 '20 at 14:45
  • 1
    @voidmain I didn't say there is some "magic token" that every mobile application uses or that they reverse engineered 10,000 apps. What I was trying to point out was that there are large groups of banks that all use the same white labeled app, so once you've reverse engineered one, you've done most of the work for the others that use it. I might be misremembering about password storage, and Plaid isn't clear about this either way. – Todd Dabney Sep 17 '20 at 21:45
  • 3
    @ToddDabney - but that was mainly my point. Even if most banks use a white-labeled app, Plaid could never use tokens in order to manage a connection to your bank. The reason is that most banks have short sessions (like 10-15 minutes), and those are managed by a token. If Plaid uses that token, then they would be "logged out" after 10 minutes. Obviously, this won't work. Instead, they are likely storing the plain-text passwords and screen-scraping to access the bank accounts. This is a horribly insecure solution. – voidmain Sep 21 '20 at 22:39
  • @voidmain I just used Plaid to access my bank, and I realized how I know they're using long-lived tokens. Because I only have to provide a 2FA token once. And there's no way to use my password without that for this bank account. So explain to me how they maintain that access, without a long-lived token, without a second 2FA authorization? Thus also demonstrating the uselessness of holding onto passwords in many cases. – Todd Dabney Oct 01 '20 at 05:22
  • 3
    @ToddDabney I've considered this in the past as well. My conclusion is that most banks use different authentication workflows in a web UI versus through mobile APIs. Plaid is very likely screen scraping (API hacking) mobile API gateways to achieve access. You've likely logged into your mobile app regularly using a username and password without MFA. Again, long lived tokens would need to be accessible to the browser. Check your cookies and you'll see nothing that is long-lived. Thereby disproving your assertion. – voidmain Oct 03 '20 at 16:42
  • 2FA sometimes (erroneously) uses long lived tokens, but the token you refer to is to "verify" the particular device itself. It's like when you log in from a new computer and have to go through some process via email or whatever, then you check the "remember this device" box. That prompts the issuance of a long lived (sometimes never expiring) token simply denoting that you've passed the challenge once before for that device and the extra step isn't required anymore. True 2FA should never do this and this is generally an extra step on top of 2FA (also generally done in the absence of 2FA). – RayfenWindspear Nov 27 '20 at 04:00
  • Fernando Chaied, FALSE, the Plaid user agreement provides room for their admin Bob in the back office with full access (hard worker by the way, often there till 3a) to do anything he wishes although with three mansions he doesn't need any more money. There's zip/nothing/nada stopping that scenario. – gseattle Apr 25 '21 at 03:03
  • @GrandOpener: [Does Plaid have access to my credentials?](https://support-my.plaid.com/hc/en-us/articles/4410324401047-Does-Plaid-have-access-to-my-credentials-) says "In many cases, when you link a financial institution to an app via Plaid, you provide your login credentials to us and we securely store them [...] In other cases, [...] you will be prompted to provide your login credentials directly to your financial institution––not to Plaid––and, upon successful authentication, your financial institution will then return your data to Plaid." – Dan Dascalescu Nov 10 '21 at 16:23