It’s a good idea to make it easy for fintech companies to connect to consumers’ banks instead of going through the week-long process of verifying small bank deposits. That definitely speeds up onboarding for people who want to try out new apps.
But the tradeoff is always between security and convenience, and here it’s glaring and obvious. What Plaid provides in convenience it completely undermines in security.
Everything about it is a security design anti-pattern, and I’m sure everyone working there knows it. It’s simply a phishing site; there’s no other way around it.
The way Plaid works is that it asks you to enter your bank username and password on a site that is not your bank but is made to look like one.
From Wikipedia, here is what phishing is:
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
Plaid is disguising their site as your bank’s site to get your password.
Now, it’s important to realize this is the exact same tactic that a fraudulent phishing scammer would use to take over your account.
They may lure you in with an email or some other link, but eventually they take you to an account page that looks exactly like your real account page. Then they have you enter your username and password and steal those credentials.
Even otherwise tech-savvy users of Plaid are being trained to type their bank credentials into a site that is not their bank. Again, this violates the first rule of usernames and passwords: don’t share them with anyone else!
Plaid will even intercept your one-time password or 2FA code, which, again, you should not share. If people get too comfortable sharing this, then any attacker can set up a fake login page that also intercepts your 2FA. You can see how that is done here. There are ways for this to be automated:
“They do this by automating the entire process, with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can login and steal the account.”
Additionally, Plaid is often embedded in a way that makes it very difficult to verify, even if you trust Plaid. If the URL is not visible, the page could be an attacker posing as a Plaid login page for your bank, and by now you may be so used to typing in your bank password that you’ve just given it to someone else. This can be doubly bad on mobile phones, where even on legitimate SSO pages (such as a Google login) the URL bar is hidden, so you cannot tell that it is Google.
The question that arises from the Wikipedia definition is: is Plaid fraudulent? The user and the site are trusting Plaid, so that may be different; but Plaid is disguising its site (the Plaid login) as your bank’s login. Again, people have fallen for scams that are much more obvious.
So while it may be a nice fintech utility, it’s not a replacement for APIs, and it really is a security nightmare. In so many cases the security issue is one of user behavior and social engineering, of moving too fast or accidentally doing the wrong thing. In this case the real issue isn’t whether Plaid’s infrastructure itself is secure or whether Plaid is trusted enough to hold your bank credentials. That’s an issue too. But the real issue is that users are getting used to typing their bank passwords into sites that look like their bank but are not their bank. It’s pretty easy to see how this can go wrong.
Also, it’s not clear whether Plaid’s use of passwords in this way is within the terms of service of the banks and their users.
I wonder what the security team at Plaid thinks. They obviously know this. I wonder if they type their own bank passwords into Plaid, or keep multiple bank accounts. Or how those passwords are stored. Even Facebook stored passwords in plaintext for years. And even if you know all of this, you can be tired and accidentally type your password into a fake site.
So even if Plaid is a trusted and valuable company, it’s still phishing. It’s asking for your username and password on a site that impersonates your bank. I think people need to be careful here.
Thanks for this – still relevant today.