Why does Apple allow Plaid apps in the App Store?

8 points by tehwebguy ↗ HN
In my opinion Plaid is one of the worst things to ever happen to individual data & financial security. Beyond creating the single greatest target for attacks it goes against one of the most fundamental rules: never share username & password with anyone.

Handing your password over to Plaid gives them every bit of data accessible from your bank's web account. They can get as much information in the time it takes to screen scrape your account as the credit bureaus have collected on you in years. Their TOS lets them get everything available as far back as your bank will let them go and does not contain any financial guarantee whatsoever for when they are inevitably hacked.

But now apps are being approved that use Plaid without even confirming to the user that they are talking to Plaid because it's all being done in-app! No one can tell if they are sending their bank login (username, passsword, sometimes security questions / answers & one-time-passwords) to Plaid or a random third party because it happens outside of a browser.

Why is Apple approving apps that use Plaid?

3 comments

[ 4.1 ms ] story [ 19.8 ms ] thread
More Plaid gripes:

- Zero granularity. You are granting Plaid and the company you are connecting to everything if you auth in -- no ability to select categories of data or specific accounts. In fact, you don't even get to know what you are granting access to.

- Bank fraud protection? It's unclear that your bank would decide to cover fraudulent transactions that happen after you willingly hand your login over to a third party.

Because that's how the US banking system works. For now, there is no alternative, except at a few of the big banks which are just starting to offer OAuth-secured APIs. Blame the banks for not offering a secure way to programmatically display your data. In Europe, Open Banking is regulated -- banks MUST provide a secure API, and so they do, and thus permissions are more sanely managed, you don't have to give out your password left and right.
I don’t want any of my banking data to be accessed by a third party, I just want to transfer money.

Account + routing numbers do this just fine over ACH and come with fraud protection for me — we are trading our own protection for someone else’s (whatever third party is using Plaid) and gaining nothing in return in addition to giving them all of our financial data. Incredibly, the transactions performed after linking to Plaid are probably all ACH anyway.