To everyone who doesn’t know how Plaid works: You give your banking username and password directly to Plaid, and it keeps them (so it can continue to log in).
I don’t understand how anyone is OK with this. It goes against every security principle and it’s against the terms and conditions of every bank.
I realize that almost no bank provides a secure and proper API to get info and/or to transfer funds, but Plaid’s solution is a disaster waiting to happen.
I don't think this is still the case?
When we built our Plaid integration it used OAuth and a redirect. Plaid just got an access token; you enter your user/pass on the bank's side.
Edit: Seems like smaller/local banks are probably the ones that won't support OAuth. We didn't support those.
I thought that’s what Open Banking was supposed to solve: https://en.wikipedia.org/wiki/Open_banking
Hear you 100%. It felt very uncomfortable for me the first time I used it, as well.
The problem is that there sort of isn't a better way right now in the US, and for now, Plaid or a Plaid-like competitor is the safest way. Eventually, it would be awesome if there were clean, open APIs, and standards around this, but for now, it's the best we have.
The alternative, of course, for the DIY-er is some sort of browser automation, which, honestly, is what I tried first. I really wanted it to work, but it didn't, which led us to Plaid.