site banner
PaperclipPerfector  25d ago (text post)   2848 thread views

Small-Scale Question Sunday for October 27, 2024

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.

2
Top Bottom Old Controversial Comments
Jump in the discussion.

No email address required.

Plaid requires you to give them your bank password, right? You'll never catch me doing that.

Yes, but not always. Some banks (e.g. WellsFargo) support protocol that actually allows to give aggregators limited access without giving away the password. Unfortunately, not all banks support it.

This is where I’m not so sure. Current iterations as far as I can tell generally use “Oauth” which again is a bit of a black box but from what I can tell you’re logging into your bank and giving plaid an access token, which I think can be configured to be read only. Although more black box. In practice, plaid doesn’t have your password generally (although maybe for some banks as your link discusses.) what it can do with that token (is it read only?) is even read only bad enough? Etc. is up for debate.

Current iterations as far as I can tell generally use “Oauth” … In practice, plaid doesn’t have your password generally (although maybe for some banks as your link discusses.)

I've never heard any reports of this. Are you saying you've seen some bank for which Plaid supports OAuth rather than merely doing screen-scraping? If so, what bank is that?

“Oauth” which again is a bit of a black box … what it can do with that token (is it read only?) is even read only bad enough? Etc. is up for debate.

It really shouldn't be “up for debate”.

If your bank supports OAuth as a protocol, but doesn't tell you exactly what authorizations you're granting the relying party when you approve a request, that's a massive failure of your bank, and arguably a violation of at least the spirit of the OAuth spec:

If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (by asking the resource owner or by establishing approval via other means) … If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client …

The last time I was faced with a plaid page, they wanted me to enter my password in a plaid page, rather than my bank's page. Perhaps this has changed, but there's simply no way that I'd trust plaid not to retain my password in some regarded way.

Yes, even when banks offer secure "front door" API access, Plaid still refuses to consider those integrations over "back door" screen-scraping; here's an example:

Fidelity has established a secure, integrated connection that better controls how customers can connect the third-party apps they use to their Fidelity accounts. Fidelity is requiring all these third-party websites, applications, and data aggregators to adopt this integrated connection to access our customers’ data.

It is with our customers’ financial well-being in mind that any third-party applications, websites, or data aggregators that do not utilize our secure, integrated connection will be prevented from accessing Fidelity customer data.

I don't know if Fidelity charges for that access, imposes some genuinely unreasonable security requirements, or if “plaid sucks and is dangerous” is just the whole story.

What is this place?

This website is a place for people who want to move past shady thinking and test their ideas in a court of people who don't all share the same biases. Our goal is to optimize for light, not heat; this is a group effort, and all commentators are asked to do their part.

The weekly Culture War threads host the most controversial topics and are the most visible aspect of The Motte. However, many other topics are appropriate here. We encourage people to post anything related to science, politics, or philosophy; if in doubt, post!

Check out The Vault for an archive of old quality posts. You are encouraged to crosspost these elsewhere.


Why are you called The Motte?

A motte is a stone keep on a raised earthwork common in early medieval fortifications. More pertinently, it's an element in a rhetorical move called a "Motte-and-Bailey", originally identified by philosopher Nicholas Shackel. It describes the tendency in discourse for people to move from a controversial but high value claim to a defensible but less exciting one upon any resistance to the former. He likens this to the medieval fortification, where a desirable land (the bailey) is abandoned when in danger for the more easily defended motte. In Shackel's words, "The Motte represents the defensible but undesired propositions to which one retreats when hard pressed."

On The Motte, always attempt to remain inside your defensible territory, even if you are not being pressed.


New post guidelines

If you're posting something that isn't related to the culture war, we encourage you to post a thread for it. A submission statement is highly appreciated, but isn't necessary for text posts or links to largely-text posts such as blogs or news articles; if we're unsure of the value of your post, we might remove it until you add a submission statement. A submission statement is required for non-text sources (videos, podcasts, images).

Culture war posts go in the culture war thread; all links must either include a submission statement or significant commentary. Bare links without those will be removed.

If in doubt, please post it!


Rules


Recommended Posts And Communities

Recommended Realtime Chats