
> YNAB (You Need A Budget) use services like Plaid to...take my username and password and impersonate me to get my banking data

WHAT. THE. F.

I'm a longtime, happy YNAB user. I had no idea this was going on until just now. I always just assumed there were secure APIs used to import my data. YNAB's Capital One "integration" stopped working a few years ago (possibly because they cracked down on screen scraping?) and I was upset with Capital One. Perhaps Capital One took steps to prevent insecure access/screen scraping?



For future reference the tip off is that YNAB/Plaid asks for your bank account's username and password directly. If they were using some proper API, you'd be redirected to an Authorization page on your bank's domain where you could review the requested permissions and the app requesting, and then choose to grant it.


Exactly this: Plaid "kindly requests" that you violate the ToS you have with the bank and hand over the keys to your finances.

I have never noped out of anything so hard.


It would be interesting if an attorney general went after Plaid for CFAA violation.


I'm conflicted on the issue. Plaid only has to do this insane screen scraping because there's no other way to get my own financial data. The details of how it's done pains me, but I also think I should have freedom of choice with my data.

IMHO, the Canadian proposal seems like the ideal solution. Force the banks to offer a secure and more efficient way for consumers to access their open banking data. (This will also massively lower the barrier to entry for another Plaid competitor)

edit: Plaid's docs mention that banks may detect and block this screen-scraping. They frame it as the bank limiting "your ability to access your financial information", which I think is somewhat valid. They're quite obtuse about the whole scraping thing though: https://plaid.com/trouble-connecting/#:~:text=Your%20financi...


I'm not conflicted on it at all. Plaid might need to do this for them to work, but there's nothing that makes Plaid required for anything you do with your banking. People keep mistaking convenience for necessity, and that's how we keep ending up with hacked-together services that leak everyone's info and worse.

I'd rather have no convenience than a convenience that hands off the keys to my life behind my back. And so should the rest of us.


You're basically saying that if a law makes something impossible, then it's OK to ignore the law?


This is how most old, out-of-date, or not-fit-for-purpose laws end up being revised.


Hi! I work at Plaid. We’re strong advocates for API-based connectivity -- our goal is for 75% of our traffic to be committed to APIs by the end of the year. As part of that, we've actually converted our integration with Capital One to be 100% API-based and use OAuth for authentication. You can read more here: https://www.capitalone.com/about/newsroom/data-sharing-agree...


What you did was wrong and you all knew it.

It seems to have paid off though, so congratulations. Nobody with half a brain would trust you.


Let's be real, banks wouldn't see government regulation like this if something like Plaid didn't force them to have to implement more secure ways to get your own financial data.


I actually do agree - but two wrongs don't make a right here. Taking raw credentials from users without them knowing is completely messed up and a massive danger to the end-user. It's not justifiable in those terms.


Yes, I agree it can be scary, but it seems like this is the way a lot of companies have to do things if they want regulation to change at any reasonable pace.

Just look at Uber and AirBnB as examples. In most cities they started in, they were operating in kinda grey areas or even breaking laws. But they could afford to eat any fines and continue on anyway. It forced governments to put regulations in place to support these systems.

Especially when it comes to banking, it moves at such a snail's pace for anything to ever evolve. The two banks I am with in Canada only just recently finally added support for 2FA. But it's not even the type where you can use your own authenticator app. You have to use SMS, a phone call, or their app. One of my banks restricts my "password" to 6 characters. It's basically got to be a 6-digit PIN. It's incredibly insecure already; Plaid doesn't make it much worse.

Now with 2FA finally there I feel a lot more secure using Plaid. Because now every time I want to import my transactions in YNAB I have to enter my 2FA code before it can pull things.


But is it a good thing for companies that are rich enough to be able to force changes in regulations by overwhelming the government's ability to punish them?


No, it definitely is not. Governments notoriously move slowly and they do not often keep up with the fast-moving pace of technology.

Governments for the most part worldwide have still done barely anything to address things like "loot boxes" in gaming despite them being almost identical to gambling. They aren't even getting fined or anything for this and are raking in billions of dollars. So whether or not big companies are doing things to break regulations they can still be doing things that should be regulated or are not ethical anyway.

The taxi industry was pretty bad and often filled with scams and corruption. One of the cities I live near only allowed one cab company to be licensed in the city, and they sucked, especially when people needed rides home at night. So when Uber came in people loved it because they could finally get home safely after a night of drinking, and it discouraged people from trying to drive home drunk. For whatever reason the city always only allowed this one cab company. It would be reasonable to think a city official had some affiliation with that company and wouldn't allow other cab companies to come in.

Uber forced that to happen and it forced them to make regulation for it. There seemed to be no progress in that happening before Uber came to town.

So while Uber has some pretty shitty practices and I wouldn't consider it a good company, it is definitely a good example of what often needs to be done to force regulation.

And I mean a city always had the option to increase their fines to something massive and hit Uber hard, but instead they realized that their population wanted that and they would likely lose a lot of votes if they did something against the people like that.


Literally the only way for apps you want to use with your own financial details is to screen scrape.

Plaid better have good security!

But I don't see this as unethical in the slightest. In fact, I see it as a company doing the right thing by consumers in letting them get access to their own data.


I don’t see this as wrong at all, it’s an extremely useful feature with no alternative. Actually if alternatives start to appear it’s to services like theirs.

And insulting their whole user base like this sure will get you lots of support.


Do you make it unmistakably clear for new users that if you have a data breach and someone loses $400,000 because you leaked their password, they are likely shit out of luck?

Don't know US regulations, but my country has plenty of case law determining that the customer is liable for every single dollar of loss if someone uses their account details to steal their money or take a massive loan in their name.


Is there a list of which institutions you support using APIs versus screen scrapers? I'm a happy user of YNAB and would like to have automated imports for any bank that can be read from securely.


Unfortunately, there isn't a comprehensive list that I'm allowed to share, and even if there were, we're often rolling out API access gradually because it can require implementation changes on the developer's side (for example, to support an OAuth redirect flow), so it's possible that right now a particular institution may be accessed via API in one Plaid integration but via screen-scraping in another. I think the only thing I can say here about specific institutions is that of the major US banks, Capital One, Chase, Wells Fargo, and US Bank have all issued press releases indicating that they have signed agreements with us to provide API-based access.


I'm sure you guys started at that point and realized it was not possible because the banks didn't offer it, didn't understand why, and didn't care about you.

And now, after you made your solution and gained traction with many fintech apps, the timeline was accelerated by FTC settlements.

But don't get the order twisted, you're trying to plai us.


You gave them your bank account login credentials and you didn't think it was strange?


Plaid has designed the screens to resemble each bank's login screen. They essentially phish people. I, as a tech-savvy person, noticed something was up when I saw the URL didn't match my bank's. But most people would put in their password, thinking they are logging into their bank's website, and would be none the wiser.


OK, I work at Plaid and I feel like I have to jump in here -- while it's true that we've iterated on the Plaid Link UI over time and it hasn't always looked like it does now, you can see what the login screen currently looks like here: https://plaid.com/plaid-link/ and here: https://plaid.com/demo/

IMO it does clearly tell end users that they are connecting to Plaid.


So some good finally came from that TD lawsuit. The last time I saw a Plaid login in a service I use, it was a definite phishing screen. It's good that you have moved away from phishing people, but it doesn't change the fact that a) you phished them for years, and b) you still do not in any way warn them that if they use your service it 'voids the warranty', so if their account gets hacked (not necessarily through Plaid), they will be SOL.


As another HNer responded: credential screens are given the appearance of being your financial institution, so I assumed an API auth token was being issued after "logging in" with the institution. Still, shame on me for not inspecting more closely.



