Is Plaid, a service which collects users' banking login information, safe to use?

  • I recently signed up for Privacy.com, which uses a service called Plaid to link a bank account. To do this, it requires the user to provide their banking username and password to a webpage from Plaid, not their bank. Then, Plaid accesses the user’s bank account with those credentials on the user’s behalf to get information. Plaid provides an API for websites and apps to easily access this banking information.

    In addition to Privacy.com, plenty of other popular services use Plaid, including Venmo, Robinhood, and Coinbase.

    Despite the popularity, this service appears to break two "fundamental" Internet security rules:

    1. Never give credentials to a third party. The standard is to redirect the user to a login page on the website of the service providing the login. Plaid doesn’t do this, instead providing the login form on their own website. Even worse, Plaid allows services to embed the form in their websites (as an iframe). It’s not possible for casual internet users to tell the difference between this and an “unsecured” form on some random website, so this appears to be encouraging bad security practice. Worse still, Plaid provides a login page that looks very official, showing the bank logo and using the bank’s color scheme.
    2. Never store passwords in plaintext. The only way for Plaid to access bank account details is with the password, and since my banking password was only required by Plaid once, they must be storing it in plaintext, or "encrypted" but convertible to plain text, so they can continue to use it to access my account.

    [Image: Plaid login screen example]

    The problem seems to be that most banks do not provide an API to retrieve customer data, so a service like Plaid (and all the services that use Plaid) simply wouldn't be possible without breaking these "fundamental" security rules. But I'm not convinced that's justification for breaking them. If it's not possible to do it securely, should it be done at all?

    My confusion here is that all of these services are "legitimate". None of them are scams; they're all providing a valuable service and have a solid reputation. Plaid has raised billions in funding!

    I would think with Plaid using bank logos to make their “fake” bank login forms look legitimate, banks would be after Plaid with lawsuits. But apparently some of them are investors! On Plaid’s website Citi, American Express, and others are listed as investors. It appears that banks aren’t against this bad practice, and are, in some cases, actually encouraging it.

    This makes me think that I might be missing something. Maybe Plaid has some special access to banking systems and it isn’t as bad as it seems. On the other hand, maybe Plaid’s reputation is held up only by the fact that they haven't been hacked yet. If (when) they are hacked it will be devastating, since the worst case scenario means the leaking of millions of user's active bank usernames and passwords. Also, many banks don’t protect users if they knowingly gave their credentials to a third party, so a lot of people could lose a lot of money. But if that's the case, wouldn't banks be working to stop Plaid and protect their customers?

    I think many of the services provided by Plaid are neat and would like to use them, but if my suspicions here are correct I don't think I can do so while remaining secure. Of course, I hope I'm completely wrong here and Plaid has some way to operate securely.

    So, does Plaid have some special access to banking systems, or is it using user passwords to log in to bank accounts, which requires storing them in plaintext (or convertible to plaintext) and convincing users to give their credentials to a third-party, encouraging bad security practice?

    If it’s the latter, I’m afraid I’ll have to pass on Plaid services for now and consider my banking password compromised.

    I wish I asked this question about Plaid years ago. And I finally came here just now to write this question, and you have done a PERFECT job writing it already. Thanks.

    My comment doesn't address your security question, but it does address your decision to pass on Plaid. Our company switched to Plaid via Expensify, and many of us had the same concern about security. However, in the Plaid UI when linking your bank account, you can close the "select your bank" dialog using the "X" in the upper-right corner, and then you'll be presented with a new option to add your account "manually". At this point, you are only prompted for normal ACH info (routing and account numbers). I suspect this option is intentionally hidden. Hope this helps.

    @Jared That is interesting. I don't see that option with waveapps.com (which now uses Plaid). I really don't like the Plaid model and won't be using Wave, Mint, or other services that rely on me sharing a plaintext password with a 3rd party. That takes *so* much trust that they're *super* secure *and* well-meaning.

    @Jared Thank you, this works perfectly in Expensify, e.g.

    I just want to point out another downside of using a service like this. Nowadays many brokers (e.g. Vanguard) have adopted a policy that they will reimburse you for unauthorized activity in your account. However, to obtain this protection you have to abide by certain practices, and one is not giving your password to others. If there is a breach of Plaid (or a similar service like Yodlee) and your account is compromised as a result, they will not reimburse you for any stolen funds. That could be a very costly error.

    It is completely crazy for all these financial institutions to allow and cooperate with Plaid to do this. This is just insanity plain and simple.

    For Robinhood I entered a fake bank name into the Plaid search and it allowed me a fallback option to enter the Routing and Account numbers the traditional way, so I seem to have avoided Plaid for now - although I had to agree to their privacy policy to get through the form.

    Coinbase has that trick locked out.

    Visa tried to buy Plaid for $5.3 billion to gain that juicy access to every detail of people's bank accounts, but the deal was nixed by the US DOJ in Jan 2021.

    I tried to sign up for a service but was asked to go through Plaid to link my bank account. Needless to say I declined. My bank accuses Plaid of screen scraping customer data that they aren't supposed to have access to.

    Adding insult to injury is that many companies that ask you to use plaid ask you to do it *in their app*. Where you have no idea if the credentials you are entering are going straight to the plaid website via SSL, or being logged/harvested/leaked due to maliciousness or incompetence.

  • I want to point out that despite Plaid's apparently honest attempts at security, their approach is a privacy nightmare, as you give Plaid full access to every single piece of information your bank has on you, including loans, funds, investment accounts, credit card statements, etc. This makes Plaid differ substantially from other payment services, such as PayPal, which only have your account number.

    If you don't believe me, here's their data collection description from their privacy statement (Effective Date: May 29, 2019, my italics):

    Information collected from your financial institutions. The information we receive from the financial institutions and other financial service providers that maintain your financial accounts varies depending on the specific Plaid services our developers use to power their applications, as well as the information made available by those institutions and providers. But, in general, we collect the following types of information from your financial institutions and other financial service providers:

    • Account information, including financial institution name, account name, account type, branch number, IBAN, BIC, and account and routing number;

    • Information about an account balance, including current and available balance;

    • Information about credit accounts, including statement due dates and balances owed, payment amounts and dates, transaction history, and interest rate;

    • Information about loan accounts, including due dates, balances, payment amounts and dates, interest rate, loan type, payment plan, and terms;

    • Information about investment accounts, including identifying details about assets, quantity, and cost basis;

    • Information about the account owner(s), including name, email address, phone number, and address information; and

    • Information about account transactions, including amount, date, type, quantity, price, involved securities, and a description of the transaction.

    • The data collected from your financial accounts includes information from all your sub-accounts (e.g., checking, savings, and credit card) accessible through a single set of account credentials.

    To make matters even worse, they can share all that information with their customers, i.e., the company that wants you to link with them. That means that when, e.g., your rent is paid via Plaid (my landlord uses a service that relies on Plaid), all of that information may be shared with that service! And while they, in turn, may not distribute that data further, you now have to trust another party that they are able to keep your data safe.

    Again, here's the relevant excerpt from that privacy statement (again, my italics):

    How We Share and Store Your Information

    We do not sell or rent end user information to marketers or other third parties. But we do share end user information with third parties as described in this Policy. For example, we share your information with the developer of the application you are using and as directed by that developer (such as with another third party if so directed by you). We also share your information:

    • With your consent;

    • With our service providers, partners, or contractors in connection with the services they perform for us or our developers;

    • If we believe in good faith that disclosure is appropriate to comply with applicable law, regulation, or legal process (such as a court order or subpoena);

    • In connection with a change in ownership or control of all or a part of our business (such as a merger, acquisition, reorganization, or bankruptcy);

    • Between and among Plaid and our current and future parents, affiliates, subsidiaries and other companies under common control or ownership; or

    • As we believe reasonably appropriate to protect the rights, privacy, safety, or property of you, our developers, our partners, or Plaid.

    I can't believe this is legal and that banks allow this!

    It is a security nightmare, I agree. To make matters worse, if you have trouble linking your bank, this is what they encourage: "If you receive the error message “Error: Please disable the added/extra security placed on the account,” you’ll need to either disable the two-factor verification setting on your bank account, or contact your bank to make sure there isn’t a problem with your online banking profile."

    @cschroed Good! I don't understand how Plaid was ever even allowed to get customers' logins and passwords in the first place. It completely flies in the face of basic internet security.

    "We do not sell or rent end user information to ... third parties ... we do share end user information with third parties ... [in the case of reorganization like giving Juan a new title] ... and other companies". I don't blame evil for testing us, it's their job, I blame us for not passing the test

  • So, does Plaid have some special access to banking systems, or is it using user passwords to log in to bank accounts, which requires storing them in plaintext (or convertible to plaintext) and convincing users to give their credentials to a third-party, encouraging bad security practice?

    Plaid, and many other services (Mint comes to mind), are storing your passwords and sometimes security questions in an accessible (hopefully, reversible encryption, not plaintext) format.

    Is this poor security practice? Yes.

    Is there a realistic alternative? No.

    Financial systems in the US almost never support any sort of federation or open banking APIs. There is no regulatory requirement or incentive for them to do so. There is no financial incentive for them to do so, as permitting 3rd parties to incorporate their data into value-added services does not benefit them, and may harm them if the 3rd party is chosen over homegrown value-added services.

    The good that can be said of Plaid is that by providing a standard middleman service that's used by multiple front-ends and trusted by significant back-ends, they're reducing the number of people trying to re-invent that particular wheel. With no particular evidence, I'd rather someone specialize in this dirty job, if it needs to be done.

    You, the consumer, are left with the choice of participating in this less-secure practice, and getting value-added services and inter-operation between accounts, or avoiding these services and the benefits they may offer. Enjoy!

    (Actually, with Privacy.com, you have another option - you can link your back-end bank account as an ACH source using your bank routing number and account number. You may need to contact support to set it up, but it is an option. That's about as insecure as writing a check.)


    Rant:

    It's ridiculous. Wells Fargo, for example, allows you to create read-only sub-accounts - exactly what we'd want if we're handing credentials off to a 3rd party! However, those sub-accounts cannot be used with 3rd parties, because of the way their authentication is set up. It's like banging your head against gravel, looking for a financial institution that has a well-thought-out security and inter-operability model.

    I understand that Capital One is actually trying to do this right, but haven't played with it myself.


    Minor update, 2021: Improved movement towards APIs, in part because it will allow banks to limit what information a third party has access to. Interesting article here.

    What about... I pair my Bank account with Coinbase, transfer money and then change the Bank password? I assume, if someone breaks into Plaid he would get an old password, so I guess it's safe.

    @IshThomas That would protect your account, but be careful, as it will likely lock you out of your account - because Plaid will keep trying to log in with the old password and failing. Better to delete the account from Coinbase before changing the password. (I speak from experience, I did this to myself, I had to change my bank username to get my account unlocked (and stay unlocked) again.)

    Oh wow. Thanks for the tip! I wouldn't think that's even the danger. Why wouldn't you force the user to reauthenticate? That's so stupid

    @IshThomas the entire episode reinforced my belief that banks are idiotic. They log user-agent string of bad attempts for me to see. I asked them for the source IP of the bad attempts so I could ensure it wasn't one of my many computers; they refused, said they would release on warrant or would *show* me if I came into the branch but couldn't *give them* to me. They opened a "fraud case" based on my call, but then wouldn't allow me to rename the account because no changes are possible with an open fraud case... It was a nightmare.

    @gowenfawr But at least in this case, Plaid seems to be idiotic too. Retrying an authentication attempt that fails is just asking for trouble. It's possible that the banks have backed them into this by providing ambiguous error responses, some of which are legitimately retry-safe, but even then Plaid should be using more caution to avoid this worst case scenario.

    @GrandOpener In my experience Plaid does not re-try authentication when an incorrect credentials response is received. This is based on experience of having worked with their APIs for several years.

    Yes, there is a realistic alternative. That's the whole point of OAuth. To connect a bank account you'd authenticate with your bank, and your bank would then send a unique secure auth token to the service you are using. Really backward the way it's being done. Should be illegal. Or at the very least, the bank should let you generate a secure token that can then be added to the service. Passing usernames/passwords? Who thought of this? Especially for banking?! Can't believe it's a thing.

  • Yes, Plaid is safe. They don't store the password, they create a "bank relation" between the bank account and the service that is using Plaid with tokens. And if the customer changes his bank account password, the bank notifies Plaid of this NOC (notice of change), and you will have to reauthenticate on the Plaid link to get your bank account relation reconnected.

    Can you provide references to the information that they use tokens, not passwords? That would certainly be the _ideal_ way for them to do things, but other than services like Plaid, there is little indication that banks are willing/able to provide such tokens to third party services.

    I believe the Plaid "tokens" you see referred to are the arbitrary token Plaid generates and hands to the business that is using Plaid as a middleman; the business will then use that token to tell Plaid which bank account to access (which Plaid will then access using the stored credentials they have, in most cases). So, yes, tokens exist, but not between Plaid and the banks; between Plaid's customers and Plaid.

    I don't buy that for a second. They claim that "Plaid supports ~9,600 financial institutions in the U.S. and Canada - from national banks to local credit unions." There's no way they integrated with each individual institution using some sort of token exchange. I'd bet that a lot of the smaller banks and credit unions have no dev team to speak of and wouldn't be able to implement such systems.

    I love that everyone downvoted the actual correct answer. SMH I happen to know the CTO of Plaid and have talked with him about this. @Glyoko they reverse engineer the mobile apps to allow them to create access tokens. So while they do use your password to create the original token, they don't need it after that. And that's how they offer so many institutions, even easier when many of the institutions use the same third-party mobile access systems.

    @ToddDabney - as the CEO of an identity provider (FusionAuth) that works with many banks, I have a hard time believing this. There isn't some magical "token" that every mobile application uses. Some use server-side sessions in fact and those tokens expire quickly. Some use JWTs which similarly expire quickly. Very few banks use refresh tokens or other long lived tokens because of the security risks. Claiming that Plaid reverse engineered 10,000 mobile apps and somehow figured out how to generate long-lived tokens is extremely hard to believe. I'll believe it when Plaid publishes it.

    @voidmain I didn't say there is some "magic token" that every mobile application uses or that they reverse engineered 10,000 apps. What I was trying to point out was that there are large groups of banks that all use the same white labeled app, so once you've reverse engineered one, you've done most of the work for the others that use it. I might be misremembering about password storage, and Plaid isn't clear about this either way.

    @ToddDabney - but that was mainly my point. Even if most banks use a white-labeled app, Plaid could never use tokens in order to manage a connection to your bank. The reason is that most banks have short sessions (like 10-15 minutes), and those are managed by a token. If Plaid uses that token, then they would be "logged out" after 10 minutes. Obviously, this won't work. Instead, they are likely storing the plain-text passwords and screen-scraping to access the bank accounts. This is a horribly insecure solution.

    @voidmain I just used Plaid to access my bank, and I realized how I know they're using long-lived tokens. Because I only have to provide a 2FA token once. And there's no way to use my password without that for this bank account. So explain to me how they maintain that access, without a long-lived token, without a second 2FA authorization? Thus also demonstrating the uselessness of holding onto passwords in many cases.

    @ToddDabney I've considered this in the past as well. My conclusion is that most banks use different authentication workflows in a web UI versus through mobile APIs. Plaid is very likely screen scraping (API hacking) mobile API gateways to achieve access. You've likely logged into your mobile app regularly using a username and password without MFA. Again, long lived tokens would need to be accessible to the browser. Check your cookies and you'll see nothing that is long-lived. Thereby disproving your assertion.

    2FA sometimes (erroneously) uses long lived tokens, but the token you refer to is to "verify" the particular device itself. It's like when you log in from a new computer and have to go through some process via email or whatever, then you check the "remember this device" box. That prompts the issuance of a long lived (sometimes never expiring) token simply denoting that you've passed the challenge once before for that device and the extra step isn't required anymore. True 2FA should never do this and this is generally an extra step on top of 2FA (also generally done in the absence of 2FA).

    Fernando Chaied, FALSE, the Plaid user agreement provides room for their admin Bob in the back office with full access (hard worker by the way, often there till 3a) to do anything he wishes although with three mansions he doesn't need any more money. There's zip/nothing/nada stopping that scenario.
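
The two access models the answers and comments above argue over, as an added example that is not part of the original thread and is not Plaid's or any bank's code. A constructed toy bank (`MockBank`, with an assumed three-strike lockout and a remembered-device cookie that turns 2FA into a one-time prompt, as the 2FA comments describe) is read by two kinds of aggregator: `VaultAggregator`, which keeps the password under reversible encryption and replays it on every fetch, the model the accepted-style answer describes, and a delegated-token path where the user logs in at the bank and the bank hands the third party a scoped, revocable token, the OAuth-style alternative the comments ask for. The scenarios reproduce the lockout that a password change causes when a stale password is retried, show a careful client stopping on the first bad-credentials response, show that anyone holding the vault key and database recovers every password (the "Bob in the back office" point), and show that a password change does not break a delegated token while revocation does. `keystream_xor` is an HMAC-based keystream standing in for AES-GCM so the block runs on the standard library alone; all account names, passwords, OTPs and balances are constructed.

```python
# Added example, not Plaid's or any bank's code: two ways an aggregator can keep
# reading an account on a user's behalf. All data and policies here are constructed.
import hashlib, hmac, secrets

LOCKOUT_AFTER = 3  # assumed bank policy: lock the login after 3 bad passwords

def keystream_xor(key, nonce, data):
    # Toy reversible cipher (HMAC-SHA256 counter keystream), a stdlib stand-in for
    # AES-GCM; the point is only that whoever holds the key can decrypt the vault.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class MockBank:
    # One constructed account: password + 2FA login with a remembered-device cookie,
    # plus a delegated-token path (user signs in at the bank, bank issues a scoped token).
    def __init__(self, password, otp, balance):
        self.pw, self.otp, self.balance = password, otp, balance
        self.fails, self.locked, self.devices, self.tokens = 0, False, set(), {}

    def login(self, password, device=None, otp=None):
        if self.locked:
            return "locked", None
        if not hmac.compare_digest(password, self.pw):
            self.fails += 1
            self.locked = self.fails >= LOCKOUT_AFTER
            return "bad_credentials", None
        self.fails = 0
        if device not in self.devices:  # 2FA unless this device was remembered
            if otp != self.otp:
                return "2fa_required", None
            device = secrets.token_hex(8)  # long-lived "remember this device" cookie
            self.devices.add(device)
        return "ok", device

    def issue_token(self, password, otp, scope):
        if self.login(password, otp=otp)[0] != "ok":
            return None
        tok = secrets.token_hex(16)  # the third party gets this, never the password
        self.tokens[tok] = {"scope": scope, "revoked": False}
        return tok

    def balance_by_token(self, tok):
        t = self.tokens.get(tok)
        if t is None or t["revoked"] or "balance" not in t["scope"]:
            return "denied", None
        return "ok", self.balance

class VaultAggregator:
    # Model A: store the password (reversibly encrypted) and the remembered-device
    # cookie, replay both on every fetch; the app only ever sees an opaque item id.
    def __init__(self, bank, vault_key):
        self.bank, self.key, self.items = bank, vault_key, {}

    def link(self, password, otp):
        status, device = self.bank.login(password, otp=otp)
        if status != "ok":
            return None
        nonce, item_id = secrets.token_bytes(16), secrets.token_hex(8)
        self.items[item_id] = {"nonce": nonce, "device": device,
                               "pw": keystream_xor(self.key, nonce, password.encode())}
        return item_id

    def fetch_balance(self, item_id, attempts=1, stop_on_bad_credentials=True):
        it = self.items[item_id]
        pw = keystream_xor(self.key, it["nonce"], it["pw"]).decode()
        for _ in range(max(attempts, 1)):
            status, _ = self.bank.login(pw, device=it["device"])
            if status == "ok":
                return "ok", self.bank.balance
            if status == "bad_credentials" and stop_on_bad_credentials:
                break  # replaying a known-bad password is what locks the user out
        return "login_required", status

    def insider_dump(self):  # whoever holds key + database gets every password back
        return {k: keystream_xor(self.key, v["nonce"], v["pw"]).decode() for k, v in self.items.items()}

def run_scenarios():
    r, bank = {}, MockBank("hunter2", otp="123456", balance=1500)
    vault = VaultAggregator(bank, vault_key=secrets.token_bytes(32))
    item = vault.link("hunter2", otp="123456")
    r["vault_initial"] = vault.fetch_balance(item)  # no second OTP: cookie replayed
    r["vault_insider"] = vault.insider_dump()[item]
    bank.pw = "correct-horse"  # the user changes the password at the bank
    r["vault_after_change"] = vault.fetch_balance(item)
    r["locked_by_careful"] = bank.locked
    vault.fetch_balance(item, attempts=LOCKOUT_AFTER, stop_on_bad_credentials=False)
    r["locked_by_naive"] = bank.locked
    bank2 = MockBank("s3cret", otp="654321", balance=900)  # Model B: aggregator keeps only tok
    tok = bank2.issue_token("s3cret", "654321", scope={"balance"})
    r["token_initial"] = bank2.balance_by_token(tok)
    bank2.pw = "new-pw"  # password change at the bank does not touch the token
    r["token_after_change"] = bank2.balance_by_token(tok)
    bank2.tokens[tok]["revoked"] = True  # the user revokes access at the bank
    r["token_after_revoke"] = bank2.balance_by_token(tok)
    return r

if __name__ == "__main__":
    print(run_scenarios())
```

Running the block prints the scenario results. `stop_on_bad_credentials=False` is the behaviour behind the lockout described in the comments (the aggregator keeps replaying the old password until the bank locks the account); the default of stopping on the first bad-credentials response is the behaviour the commenter who has worked with the APIs reports. In model A the vault can be dumped by anyone with the key and the database, and a password change at the bank silently breaks the link; in model B there is no password to dump, the token survives a password change, and the user can cut access at the bank by revoking it.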

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM