site banner

Small-Scale Question Sunday for October 27, 2024

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.

2
Jump in the discussion.

No email address required.

Plaid requires you to give them your bank password, right? You'll never catch me doing that.

Yes, but not always. Some banks (e.g. WellsFargo) support protocol that actually allows to give aggregators limited access without giving away the password. Unfortunately, not all banks support it.

This is where I’m not so sure. Current iterations as far as I can tell generally use “Oauth” which again is a bit of a black box but from what I can tell you’re logging into your bank and giving plaid an access token, which I think can be configured to be read only. Although more black box. In practice, plaid doesn’t have your password generally (although maybe for some banks as your link discusses.) what it can do with that token (is it read only?) is even read only bad enough? Etc. is up for debate.

The last time I was faced with a plaid page, they wanted me to enter my password in a plaid page, rather than my bank's page. Perhaps this has changed, but there's simply no way that I'd trust plaid not to retain my password in some regarded way.

Yes, even when banks offer secure "front door" API access, Plaid still refuses to consider those integrations over "back door" screen-scraping; here's an example:

Fidelity has established a secure, integrated connection that better controls how customers can connect the third-party apps they use to their Fidelity accounts. Fidelity is requiring all these third-party websites, applications, and data aggregators to adopt this integrated connection to access our customers’ data.

It is with our customers’ financial well-being in mind that any third-party applications, websites, or data aggregators that do not utilize our secure, integrated connection will be prevented from accessing Fidelity customer data.

I don't know if Fidelity charges for that access, imposes some genuinely unreasonable security requirements, or if “plaid sucks and is dangerous” is just the whole story.