12 comments

[ 2.9 ms ] story [ 40.5 ms ] thread
Just wow...

> "In reality, however, consumers are unwittingly giving their login credentials to the defendant, who takes the information, stores it on its servers, and uses it to mine consumers' bank records for valuable data (e.g., transaction histories, loans, etc.), which the defendant monetizes by selling to third parties," TD claimed in the court records.

I hope TD Bank wins this fight.

(comment deleted)
Friends from Palantir have seen the data that Plaid downright steals and sells for money. Except they don’t “steal” it, they just use the login credentials and pillage anything that’s available online. It’s disgusting. I wish consumers knew better. I wish more banks cared.
Apparently, TD Bank and Plaid settled the lawsuit on 5/3/21:

https://www.bankingdive.com/news/td-plaid-lawsuit-trademark-...

> UPDATE: May 3, 2021: TD Bank filed a motion Thursday to dismiss its case against Plaid in the U.S. District Court for the District of New Jersey, Bloomberg Law reported — meaning the Canadian lender and the data aggregator have reached a settlement.

> The court set a June 7 deadline to rule on the motion. However, the filing did not give any details on the settlement.

How is that not a criminal offence? This is outright fraud.
The crazy thing is, I was recently looking for a simple financial tracking app, and MOST of them required you to log in with your bank ID and password. I thought it was insane to give a third party that kind of access, but it was hard to find an app that didn't almost require that as a core functionality for it to work.
What did you end up selecting? And do you know how it accesses the necessary financial data?
Frustratingly I still haven't found anything. There was a guy actually who posted a kind of Progressive Web App here on Hacker News to solve this exact problem. It stored everything in local storage in the browser. It's really cool, but it was hard to see stuff on the desktop, as there was no link to the phone. Also you had to enter everything manually, which was OK for me.

I'm still searching.

I personally am looking for some solution that DOESN'T access any data, or if it does, then stores it in an encrypted way I'm satisfied with. All the Canadian solutions LITERALLY ask you for your user ID (bank card number...), and password to access ALL the website of your bank. I'm just thinking -- all it takes is one hack and...

You might want to try Actualbudget.com which has local native apps and the option for E2E encryption, but does not automatically import transactions (though I believe CSV import is supported).
Thanks for the link. I downloaded it and am checking it out :)
If you're with the big US banks (Chase, US Bank, Capital One, and others) they provide OAuth connections which, if implemented correctly by finance apps, don't require bank ID and password, and have legal agreements enforced with everyone on the supply chain which restrict how they can use or sell your data.

Shameless plug: my finance app (Fintable.io) provides OAuth-based connections to many large US banks via Finicity.

As a developer that works in the fintech space, I work a LOT with the Plaid API and their competitors like Finicity, Akoya, TrueLayer, SaltEdge and Yodlee.

This industry has basically been the Wild West in the United States for the past decade or so. Europe has regulated open banking where banks are required to provide APIs with enforced limits and restrictions on data usage. The US has no such thing, most banks don't have APIs, these aggregators pull data by screen scraping, which is horrendous for security AND reliability (Plaid/Finicity calls fail about 10% of the time in my experience.)

Fortunately the industry is now rapidly moving away from this mess towards more sane OAuth authentication with contracts between Aggregators like Plaid, and apps like mine, enforcing legal limitations on how the data can be used and providing some standard of security. The big US banks have formed a consortium (Akoya) which both provides a unified API without requiring credentials and scraping, and guidelines on how to protect the data, both legally and technically. Exciting times!