Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It is particularly sad how common scenarios this are for users, especially in the US. I have known how terrible applications like Plaid (and alternatives) were, but at various points have been required to use them to do something like pay my rent (this is also a very common theme in my life: I strongly dislike a certain company or app, but find myself required to use them regardless, even knowing that my usage and information will be abused).

Giving my full credentials and my security question answer in plaintext to a third party in order to 'link my bank accounts', and then having them scrape every bit of information they can from my personal banking statements and sell it is... nothing short of a nightmare scenario, from many standpoints (user security, user privacy, user education, anti-phishing, and so on).

I guess it's nice to see this class-action lawsuit, but that it amounts to an average of $0.60 per affected user is, well, not particularly inspiring with respect to my hope that things will ever get better here.

Plaid is used by many industry leaders including Venmo, Robinhood, and Coinbase. When it's not used, usually a similar alternative is. Perhaps the most frustrating part of this is that placing blame on these companies is difficult, as there's no interoperability or open banking APIs that can be used as an alternative.



Part of the challenge is there is no great way to easily get my data out of banks and accessible in one place.

Business model aside, they do solve a real problem in a space where there are no real incentives for banks to provide their own solution.

I'd love to see a subscription-based, privacy-focused option with API access targeting the consumer personal finance crowd. I think Tiller may get some of the way there, but I'm not sure how secure they are.


One problem I have with plaid is that the most common use for them that I see is a company using them in order to setup direct deposit. It's also really hard to figure out how to manually set it up (I usually have to click deny on plaid and then I can input it myself)

I'm not interested in handing over all my info when I can copy and paste two numbers instead


Isn't there a standard API used in the US? GNU cash talks about it some in their documentation but I've never tried using it.


Nope!

US banks seem to have zero interest in doing so because it doesn't bring them money and Congress isn't interested in forcing them to. EU though is working on a solution between themselves. [0]

US banks solutions range between "screw off, no scraping allowed even on your account" to (probably) "here's an undocumented SOAP API last touched in 1998"

[0]: https://www.americanbanker.com/opinion/europes-new-api-rules...


Well this is what I was thinking of: https://wiki.gnucash.org/wiki/Setting_up_OFXDirectConnect

I know someone claims my bank supports it but I've never tried.


If that's something you're interested in, I'd encourage you to send me an email (check profile). This is exactly what we've been working on for the better part of the year.


So in US if you have enough money you can do anything and then settle in court if problem arise.


Most of the world works this way.


No, the US is actually much worse.


I disagree somewhat to this - it's certainly true to an extent but when it comes to gross negligence or malicious intent most of the world will seriously come down on you. Only in the US is intentional malice generally written off with fatalist cries of "It was inevitable that some market participant would abuse this system."


The cost of doing business.


> Giving my full credentials and my security question answer in plaintext

FWIW: I've resorted to using a formula to derive my security question answers from the real answer (kept secret) and the text of the question itself. This seems to help mitigate the damage of the q's and a's getting exposed.


I don't provide honest answers to them and discourage my family from doing so as well. I simply treat them as an additional set of passwords to be written down using pen and paper.


Isn't giving your credentials to a third party also a violation of the terms of service with your bank? It seems, at the very least, the bank will just tell you "too bad" if there's a breach and someone drains your bank account using the credentials you gave Plaid. You'd be left suing Plaid.

In fact, this seems like a _terrible_ liability for them. I guess they're hoping it won't happen and if it does then they'll just go bankrupt anyway?


Could we all open an Arbitration Case which may be in their TOS (I'll have to look). Edit: California JAMS

Remember that one company that got "crushed" with bills cause a bunch of consumers use the Arb-Clause as intended? Supposed to block law-suits



On the flip side, if banks are not going to make my data available on a better basis, what choice is there?


Something that doesn't fleece and abuse its customers and then expose their data irresponsibly?


Required to use to pay your rent? Don’t think that is enforceable, is it?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: