I’ve been asked to sign up to Plaid by clients three times. Each time I’ve said no. I’m not giving a 3rd party access to my bank account. I don’t understand how people enable this total loss of friction for direct account egress. There needs to be friction.
Hijacking this comment to complain about fintech apps / saas providers requiring Plaid - please stop.
For example, Coinbase requires logging in with Plaid to... set up auto-pay for their credit card statements. No way to just provide account/routing numbers the good ole way.
There are lots of issues with Plaid, but one big one is that banks (e.g. big ones like BofA) can lock your account due to a suspicious login with Plaid.
Airbnb requested Plaid access to my entire Chase account and all transactional data to "verify my credit card" a few years ago, and wouldn't budge until I tried Apple Pay, where they apparently weren't able to figure out the underlying issuer and accordingly left me alone.
Needless to say that it was my last stay with Airbnb.
I don’t know why they are on there, but YC startups list their batch and year in parentheses on job posts, e.g. (W25). Example: https://www.workatastartup.com/jobs/88812
The Plaid listing you linked doesn’t have a batch by their name.
Depending on the rate difference, I'd be tempted to set up a 'burner' checking account at a separate financial institution and just auto-transfer the loan amount from my primary bank to the burner every month.
My bank's underwriter/loan officer actually said that to get the best rate with them I should specifically set up an account with them (they aren't my day-to-day bank) and just use it for my house payment. For the past decade the only transactions it has ever seen have been the direct deposit and the auto-withdraw for the mortgage.
Really? Both times I got a loan they wanted bank statements from all of my main accounts and verifiable income history, but they didn’t care that I was paying from an account that I had just opened for the specific purpose of paying the loan.
I'm not OP, but I assumed from their post that they meant the loan provider wanted Plaid access in order to perform underwriting - as in give us access to your account(s) so we can pull your banking history via an automated manner instead of sending PDFs.
Could be wrong though, as I never considered it'd be used for payments at all.
Same. Maybe it just depends on the bank, but I can't imagine why that would matter at all. They have the whole picture of your financial history, generally. What does it matter whether that one bank account has only enough in it to pay off the loan every month?
BMO offered the ability to link plaid and some other company to automate it vs me sending updated statements manually. I chose manual. I hate that this is the only option for convenience.
They do because their banks are largely not offering anything more fine grained, because they don’t have to, and in fact doing so would cannibalize their debit card business.
Requesting full account access for anything other than maybe budgeting software should just not be legal.
Have you ever entered your routing+account number into HR software for direct deposit? Doesn't that qualify as handing a third party essentially the same access as Plaid gets? I think bank accounts are generally more accessible in the modern era, it's just a risk that you take.
Of course, you're not obligated to use Plaid but I do find the concerns around this quite strange since you're likely exposing account information already.
Plaid wants you to enter your bank username-password into their form. If it was just routing+account it would be truly no different than other bank connection methods.
That's not how it worked last time I used it with Chase Bank. It used something like OAuth with my bank, where I logged in on my bank website and it asked what accounts I wanted to share with Plaid.
Plaid works a lot like PSD2-based services in the EU then, which also typically consist of a form hosted by the service using Times New Roman and the original padlock.gif from Netscape asking for your IBAN and online banking password and then a TAN/2FA number. Obviously there are no technical controls at that point to what the service can do in your account. I tend to avoid anything PSD2 for much the same reasons as Plaid, it's extremely sketchy. Somehow we can have scoped access using OAuth for random webservices but for a credit check it's "please just give us your online banking login despite everyone telling you since 1995 that you're not supposed to hand that to anyone and always double check the URL in the address bar to be yourbank.com... we assure you nl-gwlogin.xs2a.openbankingservices.co.net is an entirely legitimate place to enter your PIN"
At this point, it's often OAuth, but in my view, the exact means of access is a red herring: The only thing that changes between screen scraping and OAuth is that Plaid doesn't get my banking password, which is literally the least of my concern compared to persistent access to my account transactional data.
The same info is also on checks, and there's an established story around fraud there -- if I didn't authorize an ACH withdrawal then my bank is legally required to make me whole. If I hand over my username+password to a third party, I'm on my own.
Also, the routing+account numbers just let them deposit/withdraw money, not snoop on all my transactions and harvest my data...
This is a common belief, but the CFPB has stated your bank is still legally required to make you whole in the event of fraud even if you handed over your username and password to a third party, and that any bank TOS stating otherwise are not valid. This is covered on the CFPB Electronic Fund Transfers FAQ, under the Error Resolution: Unauthorized EFTs, Question 8: https://www.consumerfinance.gov/compliance/compliance-resour...
In Germany, there was a similar antitrust-based ruling, but it even went further: They disallowed banks to block screen scraping services, as they considered the existence of screen-scraping-based confirmed instant bank transfers a valuable competitor to the (bank-led) card payment schemes.
In retrospect, they were maybe right on the competitive part, but the data privacy impact was disastrous.
Whenever I have seen the Plaid integration it will also ask permission to your transactions. HR software won't get those when I provide it my account & routing numbers.
With plaid they get access to all of your account numbers.
HR just sees a single savings account that I strictly use for direct deposit. They don’t see my actual savings account or my other purpose-specific checking accounts.
Sure, but GP mentioned direct account egress which is why I brought up the typical method for doing that. I figured banks are already selling / reporting the other information (account types, amounts, transactions, etc.)
As an aside, I think each permission has to be granted explicitly in Plaid so it's not just getting "root" access to do simple transactions (unless you grant it)
Routing+account numbers are not that sensitive. That's been the API for how we transact money since pre-historic times.
Plaid gets access to your online account, with access to personal data, security details, documents, transactions, statements, write access, etc.
Plaid requires your bank username and password, so they have full read-write access to your account. They can do anything you can do when logged in to the bank's website, and so can anyone else who gains access to Plaid's database.
Plaid's login flow also requires a 2FA code if your bank requires it. The same 2FA code that banks say to never provide to anyone else.
They're literally proxying the bank's login page just like a phishing site would, and I assume they're also selecting the "trust this computer" option so their access is more persistent. My bank does require re-2FA for larger transfers, but there's still a lot of damage I can do on a "trusted" computer without triggering another 2FA prompt.
Doing re-2FA for every outbound transfer, and mentioning the consequences of entering the 2FA code out of band (e.g. "enter code 123456 to confirm transfer of x$ to y" or "press OK to confirm transfer..." in a mobile app) should be the bare minimum these days.
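As an added example (not code from the thread, from Plaid or from any bank), here is the design the comment above calls for, in Python: a confirmation code computed over the transfer's amount and recipient, so a code the user obtained for one transfer is useless for approving a different one, shown beside the plain time-based login code that is bound to nothing. The device secret, the 30-second window, the message layout and the prompt wording are assumptions for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed per-device secret for the example; a real issuer provisions one per enrolled device.
DEVICE_SECRET = bytes.fromhex("5eb63bbbe01eeed093cb22bb8f5acdc35eb63bbbe01eeed093cb22bb8f5acdc3")
STEP_SECONDS = 30  # length of one time window (assumption, mirrors common TOTP practice)


def _digits(key: bytes, message: bytes, length: int = 6) -> str:
    """HMAC-SHA256 over the message, then HOTP-style dynamic truncation to a short decimal code."""
    digest = hmac.new(key, message, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** length).zfill(length)


def current_window(now=None) -> int:
    """Time window index; the code changes every STEP_SECONDS."""
    return int((time.time() if now is None else now) // STEP_SECONDS)


def login_code(key: bytes, window: int) -> str:
    """Plain time-based code: proves possession of the device, says nothing about what is being approved."""
    return _digits(key, f"login|{window}".encode())


def transfer_code(key: bytes, amount_cents: int, recipient: str, window: int) -> str:
    """Code bound to the details the user is shown. The recipient is length-prefixed so a name
    containing the separator cannot be confused with a different (amount, recipient) pair."""
    message = f"transfer|{amount_cents}|{len(recipient)}|{recipient}|{window}"
    return _digits(key, message.encode("utf-8"))


def confirmation_prompt(amount_cents: int, recipient: str) -> str:
    """Out-of-band text: the user sees exactly what the code authorizes before typing it anywhere."""
    return f"Enter the code to confirm a transfer of ${amount_cents / 100:.2f} to {recipient}"


def verify_transfer(key: bytes, amount_cents: int, recipient: str, presented: str,
                    window: int, drift: int = 1) -> bool:
    """Bank-side check: recompute from the transfer it is about to execute, allowing one window of
    clock skew. A code issued for different details never matches, whatever the login state."""
    for w in range(window - drift, window + drift + 1):
        if hmac.compare_digest(transfer_code(key, amount_cents, recipient, w), presented):
            return True
    return False


def demo() -> tuple:
    """The user approves $10.00 to Alice; the same code cannot approve $1000.00 to Mallory."""
    w = current_window()
    code = transfer_code(DEVICE_SECRET, 1_000, "Alice", w)
    return (
        verify_transfer(DEVICE_SECRET, 1_000, "Alice", code, w),
        verify_transfer(DEVICE_SECRET, 100_000, "Mallory", code, w),
    )


if __name__ == "__main__":
    print(confirmation_prompt(1_000, "Alice"))
    print(demo())
```

The contrast with `login_code` is the whole point: a code that only proves "this device is present" can be harvested once and spent on any action, whereas `transfer_code` is only accepted by `verify_transfer` for the exact amount and recipient the prompt displayed.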
While I understand the risk of sharing sensitive information (e.g. bank login) with a 3rd party, the current situation is such that your bank currently monopolizes your bank information to improve your loan offer, to give you better service at a better rate based on their understanding of your bank transaction history.
Currently, there is no aligned format for sharing your bank transaction history with other financial institutions of your choice. Your current bank is the one who purposely makes it hard (only allowing you to share it through the same bank login) so that you are more locked in to their ecosystem.
I used to work with Plaid as a provider, and you will notice that certain banks who really do not like their customers using Plaid to share their bank transaction history with competitors will often have unscheduled maintenance during which Plaid wouldn’t work, so that you as a user would find friction using someone else and stay with only using products within their ecosystem.
I think the real question is less about why are we using Plaid to share our transaction information. If we are to have an open format to share our banking transaction history, what should be that format and what would be the lock and key for it?
What a statement. What a statement. How many financial institutions do they support? How many different vendors supply the platform for those institutions? How many of those financial institutions (FIs) don’t support OAuth or other APIs? A lot!
Then ask yourself: how do they get the data if there's no API? Web scraping. Then ask yourself how they build the scrapers for those. Where do those accounts come from? Employees of the company who open up accounts at those FIs? What about all the other FIs? Where do you think those come from…? How do you think that process is secured? Think the process is secured enough to make you feel warm and cozy? When the scrapers are working, how do you think they get past the security measures? Do you think those financial institutions might think it’s odd that you’re logging in from multiple IPs and that one or more of those IPs might be from a residential proxy network?
The result is that I attempt, at all cost to not use anything that requires plaid or their competitors since I know how that sausage is made.
But what comes after? Can users decline or at least downgrade the level of access requested by whoever wants to peek into their bank account? Do banks clearly indicate (and periodically remind the user about!) all parties currently having access to their account?
It's usually still persistent full access, and given that, the question of whether the user's password also leaks in the process is almost beside the point.
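The questions above (can a user decline or downgrade the requested access, and can they see who currently holds it) come down to the bank enforcing a per-account, per-scope, expiring consent on every API call and exposing that same record back to the user. The following Python is an added illustration, not Plaid's code, any bank's code or any open-banking standard; the scope names, grant ids, account ids and the 90-day expiry are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scope names are constructed for this example; they are not Plaid's or any bank's real API scopes.
BALANCE_READ = "balance:read"
TRANSACTIONS_READ = "transactions:read"
TRANSFER_WRITE = "transfer:write"


@dataclass
class Consent:
    third_party: str          # who the user granted access to
    account_ids: frozenset    # only the accounts the user ticked on the consent screen
    scopes: frozenset         # only the permissions the user ticked
    expires_at: datetime      # access lapses unless the user re-consents
    revoked: bool = False


class ConsentRegistry:
    """Bank-side record of every standing grant; API enforcement and the
    'who can see my account' view both read from it."""

    def __init__(self):
        self._grants = {}
        self.audit = []

    def grant(self, grant_id: str, consent: Consent) -> None:
        self._grants[grant_id] = consent

    def revoke(self, grant_id: str) -> None:
        self._grants[grant_id].revoked = True

    def authorize(self, grant_id: str, account_id: str, scope: str, now: datetime) -> str:
        """Deny-by-default check run on every call; returns 'ok' or the denial reason,
        and records the decision for the audit trail either way."""
        c = self._grants.get(grant_id)
        if c is None:
            reason = "unknown grant"
        elif c.revoked:
            reason = "grant revoked"
        elif now >= c.expires_at:
            reason = "grant expired"
        elif account_id not in c.account_ids:
            reason = "account not shared"
        elif scope not in c.scopes:
            reason = "scope not granted"
        else:
            reason = "ok"
        who = c.third_party if c else grant_id
        self.audit.append(f"{now.isoformat()} {who} {scope} on {account_id}: {reason}")
        return reason

    def holders_of(self, account_id: str, now: datetime) -> list:
        """What a bank should show the user (and periodically remind them of):
        every party with live access to this account and what they may do."""
        return sorted(
            (c.third_party, sorted(c.scopes))
            for c in self._grants.values()
            if not c.revoked and c.expires_at > now and account_id in c.account_ids
        )


def demo() -> dict:
    """Walk through a narrow grant: one account, read-only, 90-day expiry (constructed data)."""
    t0 = datetime(2025, 1, 15, tzinfo=timezone.utc)
    reg = ConsentRegistry()
    reg.grant("g1", Consent("budget-app", frozenset({"chk-001"}),
                            frozenset({BALANCE_READ, TRANSACTIONS_READ}),
                            t0 + timedelta(days=90)))
    out = {
        "read_shared_account": reg.authorize("g1", "chk-001", TRANSACTIONS_READ, t0),
        "read_unshared_account": reg.authorize("g1", "sav-002", TRANSACTIONS_READ, t0),
        "transfer_not_granted": reg.authorize("g1", "chk-001", TRANSFER_WRITE, t0),
        "after_expiry": reg.authorize("g1", "chk-001", BALANCE_READ, t0 + timedelta(days=91)),
        "holders_before_revoke": reg.holders_of("chk-001", t0),
    }
    reg.revoke("g1")
    out["after_revoke"] = reg.authorize("g1", "chk-001", BALANCE_READ, t0)
    out["holders_after_revoke"] = reg.holders_of("chk-001", t0)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every denial path is a distinct reason string rather than a bare `False`, so the audit line tells the user (or the fraud team) whether a third party is probing an account it was never given, asking for a write scope it never had, or reusing a grant that lapsed.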
I was repeatedly pressured to hand my bank account logins over to plaid when I bought a house. People always seemed surprised when I refused. Maybe they were just acting that way to pressure me into making their sale process slightly easier, but I got the impression most people just go along with it.
Handing my finances over to a company like that is a hard no for me, I can't imagine ever doing business with someone who required it.
> OpenAI did this with your health data in January. Now it wants your financial data too.
This is far more valuable, they can see what political affiliation you have based on your campaign donations, predict things like cheating on your wife & the impending divorce, what vices you have and they can also build shadow profiles of all the people you give and receive money from even if they don't use the product.
"could"? They have for sure already bought all the data they could get their hands on; it's logical from a business perspective. They probably have a giant DB with a ton of the world's citizens, because why not?
>they can see what political affiliation you have based on your campaign donations
You can get a pretty good estimate just by looking at other demographic factors like age, education level, income, and zip code. Moreover, how many people actually donate to campaigns?
>predict things like cheating on your wife & the impending divorce, what vices you have and they can also build shadow profiles of all of the people you give and receive money from even if they don't use the product.
Google has had all this capability for at least a decade. What concrete harms have actually materialized?
Okay, what concrete harms has Meta done with this information? At best you have some creeps using it to stalk their exes, which is bad, but a far cry from the AI takeover scenario implied by OP.
I haven't implied an AI takeover, this data will be repackaged into a product for military/intelligence, political applications, insurance companies that can charge you more because they know you're willing to pay, and many more.
These things already exist and happen, it's about the data getting better and not having to build tools to query it and make projections, since you can just type a query into a box even if you're not a data scientist.
>I haven't implied an AI takeover, this data will be repackaged into a product for military/intelligence, political applications, insurance companies that can charge you more because they know you're willing to pay, and many more.
Any evidence google or meta actually sells customer data like that?
They target toxic ads at people with poor mental health who are especially vulnerable. They do this intentionally because it's profitable.
There's plenty of reporting on this if you care to look it up. It "works" too. Spending more time on Meta products results in having more body issues, poor self esteem, and suicidal ideations.
But if I remember right you work for a big ad tech company and have previously gone to the mat to defend such practices, so I suspect you aren't genuinely asking.
They have done shit like target weight loss drugs at teenage girls who have posted and then quickly deleted selfies (i.e. using that as one analogue for "self-confidence issues").
Meta has also decided "functionality needs to be provided though we have explicit confirmation from the (Burmese) government that they're going to use it against dissidents" which has historically included imprisonment and torture, so...
I'm not sure if Plaid still is- but when they first came out they were pretty evil. They would go into your accounts and download all activity. I spent many hours e-mailing them, trying to get a clear answer of what data they collect- and they never said no to anything.
Whenever I've been forced to use Plaid, I use a throw away "free-checking" bank account that has $1 in it.
Plaid is criticized because it’s a public-facing mechanism for third-party access into your finances, but many companies already have access without you knowing. In the US, many banks share nonpublic info such as transactions with retailers, marketers, government agencies, and others. They’re allowed to do so under the Gramm-Leach-Bliley Act. Report from the GAO:
It’s like we are trying to run as fast as possible towards an AI controlled disaster by connecting absolutely everything we can to the AI… even in the worst sci-fi the robots need to steal codes to get access to systems and we are just leaving the door wide open.
We're not trying to run as fast as possible towards anything. It's a bunch of investors trying to run as fast as possible towards the AI controlled disaster, or as they see it, an AI controlled unlocking of value.
I read a post in the dn42 community where a dude set up an AI agent with access to his Amazon API, which eventually deployed servers generating a bill of $6000.
Honestly, given that your bank most likely is processing your data using AI/LLMs anyway (after all, credit scores were one of the first applications of "big data" and "machine intelligence", back when that was mostly logistic regression over a handful of data points), why should I not also reap the benefits of that?
I think until proven otherwise, it's fair to consider financial data public information at this point. If we want to change that, I think it'll take way more than just not granting ChatGPT access to your bank account (although it'll definitely include it).
Can't you feed your financial info to an LLM rather than give it full access to your account? The point of not giving it full access is also a matter of the security of your account, more than about privacy.
While OpenAI's use of Plaid's spying on bank accounts is framed as a service, its real use case will be identification. Very few people, if any, will sign up to use this voluntarily. But it is a way to get users used to Plaid's spying and start slowly boiling the frog.
The endgame I see is that it will be illegal to communicate on the internet without having a proven bank account. At least in the USA, where all ID verification is settling on banks (i.e., Plaid). And the banks will tolerate 10,000 false positive denials of service to avoid a single false negative and be happy about it. Plaid even more so. Human beings will have no recourse, as they are private companies. This really should be a service that the states or the federal government provide. It's a dark future we're speeding towards.
Most people don't care at all about their privacy. Apps like Venmo by default will share basically who you are spending time with and what you're doing; Strava basically exposes where you live and your sleep/workout schedule by default.
I wouldn't want to share my financial data with OpenAI but for the average consumer the ship has sailed.
A single web search through LLM can now pull malicious instructions from the web into LLM context, and instruct it to exfiltrate financial information. This has been done already with LLM email integrations.
That feels like the natural choice. I’m sure they could claim they’re more advanced by building their own integrations but I prefer that they use Plaid since I know it as a trusted entity.
I used to use copilot.money which was a nice app. Nowadays though using a GUI is fairly tedious so I’d rather use an assistant but I want mostly personal cash flow and net worth visualization, and transaction review and this isn’t going to do it I think.
What does this give you that a CSV, or read-only access through another service you’d trust, doesn’t? What happens when they hallucinate a payment with an extra digit in it? This will be seen as another example of tech companies acting out of touch.
In a few years Plaid will not be a thing. "Local" banks are already permitting their outsourced online banking systems to sell information on each line item. Soon it will be assumed that your transaction history will be easier to obtain than your credit.
Unrelated to Plaid, OpenAI uses Stripe for payment and it is a real pain in the ass.
For example, when you travel in Asia and need to use your card, which is European, to pay for your account, the transaction will go on to be accepted by the bank and then Stripe rejects it in the last step if you don't use a local credit card.
Man, I remember when the common wisdom was that there would NEVER be enough people willing to put their credit card into a web browser to support a business.
Uh, debit cards are worse, as they (technically) don’t allow you to dispute charges like with a credit card. Money comes right out of your account first, and then you have to try to get it back.
> debit cards are worse, as they (technically) don’t allow you to dispute charges like with a credit card.
That's a commonly propagated falsehood. Both legally (Regulation E) and practically (all large card networks require issuers to extend a zero-liability policy to debit cards), consumer protections are very similar.
The big difference is that, as you say, with a debit card you're potentially out the money for a few days, which can be unpleasant if it makes the direct debit or check for your rent bounce.
I once had an issue where they drained the account (transactions weren’t blocked by the bank until the account didn’t have sufficient funds), and it took the bank a full month to investigate and refund.
That's unfortunate, and almost certainly a Regulation E violation on their side. They're supposed to provide a provisional credit within 10 business days.
It seems like every three years or so I need to use a tool with a plaid link feature, I try it, it gives some internal plaid error, then I find some other way of solving the issue.
Plaid is glitchy enough that whenever I hit a workflow that has no alternative, I just call the customer support line and tell them I get an error when trying to link my account via plaid, and they invariably have a manual way to do the thing on their end.
It won't go wrong if you don't want to use this feature, but if you do then it's up to you, as you're trusting a for-profit company that much that you provide them with your confidential data.
All set for a perfect storm with a single exploit down the line, which could take out so much, and OpenAI with it. What a way to burst the bubble: not an if, more a when, as so many eggs are in that basket and they have yet to invent a solid lid.
I guess I’m not seeing the systemic failure mode with a Plaid hook-up? The worst case is it sends a bunch of peoples’ money into the aether. That sucks for them and for OpenAI. But I’m not seeing it e.g. collapsing a bank.
You totally could, but the purpose of the OpenAI/Plaid integration is to help you analyze your spending and finances with OpenAI (using it as a budgeting/financial planning app), so if your spending isn't actually in the account you connected, it's not going to give you any value.
Little doubt the true motivation behind this is the advertising angle. What better way to advertise to consumers than seeing exactly what they're spending money on, historically and in near-realtime?
Generally banks and credit card companies let you download the statements in a machine-readable form. CSV, OFX, and so on. You're pretty much "clicking" "each portal" to download them, or paying an evil company for their services (and again letting 3rd parties snoop on your finances).
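The CSV route above can also be the data-minimization route: parse the export locally, drop the running balance and any long reference or account numbers, and keep only date, category and amount before handing anything to an assistant or a budgeting tool. This Python is an added example, not code from the thread or from any bank's export tooling; the sample statement, the keyword category map and the eight-digit redaction threshold are constructed assumptions, and real exports vary in column names.

```python
import csv
import io
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample in the shape of a typical bank CSV export (not a real statement).
SAMPLE_CSV = """Date,Description,Amount,Balance
2024-03-01,DIRECT DEPOSIT ACME CORP REF 1234567890,2500.00,4100.55
2024-03-02,GROCERY MART #4412,-84.20,4016.35
2024-03-05,MORTGAGE PAYMENT LOAN 0099887766,-1450.00,2566.35
2024-03-09,COFFEE HOUSE,-4.75,2561.60
2024-03-15,GROCERY MART #4412,-62.10,2499.50
2024-03-20,TRANSFER TO SAVINGS ACCT 4455667788,-300.00,2199.50
"""

# Keyword-to-category map; an assumption for the example, a real one is per user. First match wins.
CATEGORY_KEYWORDS = [
    ("DIRECT DEPOSIT", "income"),
    ("GROCERY", "groceries"),
    ("MORTGAGE", "housing"),
    ("COFFEE", "dining"),
    ("TRANSFER", "transfers"),
]

# Runs of 8+ digits are treated as account, loan or reference numbers and masked.
LONG_NUMBER = re.compile(r"\d{8,}")


def redact(description: str) -> str:
    """Mask long digit runs; short store numbers such as '#4412' are left alone."""
    return LONG_NUMBER.sub("[redacted]", description)


def categorize(description: str) -> str:
    upper = description.upper()
    for keyword, category in CATEGORY_KEYWORDS:
        if keyword in upper:
            return category
    return "other"


def parse_statement(text: str) -> list:
    """Read the export, keep date/description/amount only; the Balance column is deliberately dropped."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": rec["Date"],
            "description": redact(rec["Description"]),
            "amount": Decimal(rec["Amount"]),   # Decimal, never float, for money
            "category": categorize(rec["Description"]),
        })
    return rows


def summarize(rows: list) -> dict:
    """Per-category totals and net flow: the level of detail a budgeting question usually needs."""
    by_category = defaultdict(Decimal)
    for row in rows:
        by_category[row["category"]] += row["amount"]
    return {
        "by_category": dict(by_category),
        "net": sum(by_category.values(), Decimal("0")),
        "transactions": len(rows),
    }


def minimized_export(rows: list) -> str:
    """What actually leaves the machine: date, category, amount. No counterparties, no balances."""
    return "\n".join(f"{row['date']},{row['category']},{row['amount']}" for row in rows)


if __name__ == "__main__":
    parsed = parse_statement(SAMPLE_CSV)
    print(summarize(parsed))
    print(minimized_export(parsed))
```

Running this on the sample yields income 2500.00, groceries -146.30, housing -1450.00, dining -4.75, transfers -300.00 and a net of 598.95, with every long reference number masked; `minimized_export` is the only thing worth pasting onward, and it contains neither the account numbers nor the merchant names the full export carried.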
This thread's been incredibly insightful. I'm speechless as to the dystopian things which are happening throughout the world, which seemingly receive no friction whatsoever :/
Bad actor at plaid gets access to X accounts. Then sells data? Does unauthorized transfers? Create political or religious dossier on every account?
I assume my balance would be returned if someone hacked it, but what if they wrote checks with signatures? That's fraud, and that's different. My understanding is no, fraud doesn't return the balance.
I have my money in 3 accounts. Most I lose is 33% of my total wealth.
The alternative that illegals in the area use are gold and cash and those ladies get mugged and robbed constantly because others know they stash their valuables on their neck and under their bed.
Without a bank the options are limited. Everything is online. Swiss accounts are toast. Crypto has similar problems as gold. Storage and protection is complicated.
I'm inclined to build an LLC type asset and insure the liquidity or something.
All my info can be purchased or captured through my phone or mail and that is enough info to write a check or take out a loan of $50k in my name.
I am not sure the laws and banks protect me in the event someone successfully claims to be me. I wouldn't mind mandatory in person wet signatures for anything over $1k-5k or >5% of my account
Until every web site and bank requires you to use it because their CTO saw an ad in an airport that said it was a good idea and makes line go up.
"Leadership" today is monkey-see, monkey-do.
See also: Sign in with Google on every web site, even if you don't have a Google account; and Cloudflare interrupting your web surfing every six minutes to make sure you haven't been absorbed by the Borg.
I feel like every single day OpenAI and Anthropic are entrenching their slopware in everyday products and workplaces with little to no way to opt-out. This is getting dystopian.
I now think AI is a virus, which infects whatever it touches. Not just software, but the books (there're already slopbooks printed, and I'm not talking about fiction books, but rather real textbooks, history, music, art, etc...). In XX years what can you even trust? We will adapt and get around it, but I'm not yet sure how.
https://x.com/kanateven/status/1973793740331368841
What will you do once all of the accommodation providers start doing this AND they figure out how to see through Apple Pay?
They're a YC company so every other YC company is going to use them, that's how YC companies operate.
This isn't at all how YC companies operate (source: I did YC), but also... Plaid is not YC.
Seems kinda weird then that they're listed in workatastartup.com: https://www.workatastartup.com/jobs/15283
Plaid is not a YC company. You can just google it to confirm.
Yet they are listed on the site that claims to only have YC companies. Very odd.
Funnily enough, Flock has stopped doing that.
Still kinda weird that a non-YC company gets to have job listings on a site for only YC companies.
I don't know; I'm not involved. Just noticed the UI affordance.
Clearly you are not involved lol. The suggestion seems to be that YC is involved in some way; perhaps untraditional.
Plaid has an option to let the client/provider accept plain account + routing numbers, a lot of apps for whatever purpose don't use it.
Plaid is not a YC company
They have job listings in workatastartup.com but maybe any startup can now be listed even if they're not a YC company: https://www.workatastartup.com/jobs/15283
Refinancing a loan I passed on the lowest possible rate I could get, for a slightly higher one, specifically because they used Plaid.
I'm not the most privacy-focused individual, not nearly as paranoid as I could be, but Plaid's model is an OBVIOUS step too far.
That generally wouldn’t pass underwriting. They want the account the money is coming from to be the account with history and money in it already.
My bank's underwriter/loan officer actually said to get the best rate with them to specifically setup an account with them (They aren't my day to day bank) and just use it for my house payment. For the past decade the only transactions it has ever seen has been the direct deposit and the auto-withdraw for the mortgage.
Really? Both times I got a loan they wanted bank statements from all of my main accounts and verifiable income history, but they didn’t care that I was paying from an account that I had just opened for the specific purpose of paying the loan.
I'm not OP, but I assumed from their post that they meant the loan provider wanted Plaid access in order to perform underwriting - as in give us access to your account(s) so we can pull your banking history via an automated manner instead of sending PDFs.
Could be wrong though, as I never considered it'd be used for payments at all.
same. maybe it just depends on the bank, but i can't imagine why that would matter at all. they have the whole picture of your financial history, generally. what does it matter whether that one bank account has only enough in it to pay off the loan every month.
BMO offered the ability to link plaid and some other company to automate it vs me sending updated statements manually. I chose manual. I hate that this is the only option for convenience.
They do because their banks are largely not offering anything more fine grained, because they don’t have to, and in fact doing so would cannibalize their debit card business.
Requesting full account access for anything other than maybe budgeting software should just not be legal.
Have you ever entered your routing+account number into HR software for direct deposit? Doesn't that qualify as handing a third party essentially the same access as Plaid gets? I think bank accounts are generally more accessible in the modern era, it's just a risk that you take.
Of course, you're not obligated to use Plaid but I do find the concerns around this quite strange since you're likely exposing account information already.
Plaid wants you to enter your bank username-password into their form. If it was just routing+account it would be truly no different than other bank connection methods.
That's not how it worked last time I used it with Chase Bank. It used something like Oauth with my bank where I logged in on my bank website and asked what accounts I wanted to share with Plaid.
Plaid works a lot like PSD2-based services in the EU then, which also typically consist of a form hosted by the service using Times New Roman and the original padlock.gif from Netscape asking for your IBAN and online banking password and then a TAN/2FA number. Obviously there are no technical controls at that point to what the service can do in your account. I tend to avoid anything PSD2 for much the same reasons as Plaid, it's extremely sketchy. Somehow we can have scoped access using OAuth for random webservices but for a credit check it's "please just give us your online banking login despite everyone telling you since 1995 that you're not supposed to hand that to anyone and always double check the URL in the address bar to be yourbank.com... we assure you nl-gwlogin.xs2a.openbankingservices.co.net is an entirely legitimate place to enter your PIN"
At this point, it's often OAuth, but in my view, the exact means of access is a red herring: The only thing that changes between screen scraping and OAuth is that Plaid doesn't get my banking password, which is literally the least of my concern compared to persistent access to my account transactional data.
The same info is also on checks, and there's an established story around fraud there -- if I didn't authorize an ACH withdrawal then my bank is legally required to make me whole. If I hand over my username+password to a third party, I'm on my own.
Also, the routing+account numbers just let them deposit/withdraw money, not snoop on all my transactions and harvest my data...
This is a common belief, but the CFPB has stated your bank is still legally required to make you whole in the event of fraud even if you handed over your username and password to a third party, and that any bank TOS stating otherwise are not valid. This is covered on the CFPB Electronic Fund Transfers FAQ, under the Error Resolution: Unauthorized EFTs, Question 8: https://www.consumerfinance.gov/compliance/compliance-resour...
In Germany, there was a similar antitrust-based ruling, but it went even further: they disallowed banks from blocking screen scraping services, as they considered the existence of screen-scraping-based confirmed instant bank transfers a valuable competitor to the (bank-led) card payment schemes.
In retrospect, they were maybe right on the competitive part, but the data privacy impact was disastrous.
Whenever I have seen the Plaid integration, it will also ask for permission to access your transactions. HR software won't get those when I provide it my account and routing numbers.
With Plaid they get access to all of your account numbers.
HR just sees a single savings account that I strictly use for direct deposit. They don’t see my actual savings account or my other purpose-specific checking accounts.
Sure, but GP mentioned direct account egress which is why I brought up the typical method for doing that. I figured banks are already selling / reporting the other information (account types, amounts, transactions, etc.)
As an aside, I think each permission has to be granted explicitly in Plaid so it's not just getting "root" access to do simple transactions (unless you grant it)
Routing+account numbers are not that sensitive. That's been the API for how we transact money since prehistoric times. Plaid gets access to your online account, with access to personal data, security details, documents, transactions, statements, write access, etc.
It’s roughly the difference between giving somebody your phone number and letting them eavesdrop on every single call.
Generally no. Plaid access generally includes whatever name you put on the account, as well as transaction history.
Plaid asks for your bank username and password, not just your routing + account numbers.
One thousand times this. I am not giving away the keys to my bank accounts.
It’s worse than keys, it’s a persistent read-only view of all account data.
At least there is a process for unauthorized ACH debits. For this blatant breach of privacy, there is nothing.
Plaid requires your bank username and password, so they have full read-write access to your account. They can do anything you can do when logged in to the bank's website, and so can anyone else who gains access to Plaid's database.
> They can do anything you can do when logged in to the bank's website
Which is hopefully nothing beyond looking at transaction data without 2FA.
Plaid's login flow also requires a 2FA code if your bank requires it. The same 2FA code that banks say to never provide to anyone else.
They're literally proxying the bank's login page just like a phishing site would, and I assume they're also selecting the "trust this computer" option so their access is more persistent. My bank does require re-2FA for larger transfers, but there's still a lot of damage I can do on a "trusted" computer without triggering another 2FA prompt.
To be honest, that's on the bank then.
Doing re-2FA for every outbound transfer, and mentioning the consequences of entering the 2FA code out of band (e.g. "enter code 123456 to confirm transfer of $x to y" or "press OK to confirm transfer..." in a mobile app), should be the bare minimum these days.
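The transaction-bound confirmation the comment above describes, as an added illustration that is not code from the thread or from any bank: the code shown out of band is an HMAC over the specific transfer (amount, recipient, one-time nonce), so a code obtained for one transfer is useless for any other, and it is accepted once and only within a short window. The device key, the IBAN-style recipient strings and the `Transfer` layout are constructed for the example.

```python
"""Transfer-bound, one-time confirmation codes (constructed example).

A generic 2FA code authorises "whatever happens next" on a trusted session.
Here the code is derived from the transfer details themselves, and the same
details are what the user sees out of band, e.g.
"enter code 123456 to confirm transfer of 50.00 EUR to DE89...".
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    currency: str
    recipient: str  # hypothetical: an IBAN or account+routing string


class ConfirmationService:
    """Issues codes bound to one transfer and verifies each nonce exactly once."""

    def __init__(self, device_key: bytes):
        self._key = device_key                 # per-user/device secret (constructed)
        self._pending: Dict[str, int] = {}     # nonce -> issued_at (unix seconds)

    def _code(self, tx: Transfer, nonce: str, issued_at: int) -> str:
        # Fixed field order with a separator that cannot occur in the fields,
        # so "50.00 to A" and "5000 to B" can never canonicalise to the same bytes.
        msg = f"{tx.amount_cents}|{tx.currency}|{tx.recipient}|{nonce}|{issued_at}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"

    def issue(self, tx: Transfer, now: Optional[int] = None) -> Tuple[str, str, str]:
        """Return (nonce, code, prompt). The prompt is the out-of-band message."""
        issued_at = int(time.time()) if now is None else now
        nonce = secrets.token_hex(8)
        self._pending[nonce] = issued_at
        code = self._code(tx, nonce, issued_at)
        prompt = (f"enter code {code} to confirm transfer of "
                  f"{tx.amount_cents / 100:.2f} {tx.currency} to {tx.recipient}")
        return nonce, code, prompt

    def confirm(self, nonce: str, tx: Transfer, code: str,
                now: Optional[int] = None) -> bool:
        """True only for the exact transfer the code was issued for, once, in time."""
        now = int(time.time()) if now is None else now
        issued_at = self._pending.get(nonce)
        if issued_at is None:                  # unknown or already consumed
            return False
        if now - issued_at > CODE_TTL_SECONDS:
            self._pending.pop(nonce)           # expired: discard
            return False
        # Recompute from the transfer the client is actually trying to execute;
        # any change to amount or recipient yields a different expected code.
        ok = hmac.compare_digest(self._code(tx, nonce, issued_at), code)
        if ok:
            self._pending.pop(nonce)           # one-time use
        return ok


if __name__ == "__main__":
    svc = ConfirmationService(b"constructed-device-key")
    rent = Transfer(5000, "EUR", "DE89370400440532013000")
    nonce, code, prompt = svc.issue(rent)
    print(prompt)
    swapped = Transfer(500000, "EUR", "GB33BUKB20201555555555")
    print("code reused for a different transfer:", svc.confirm(nonce, swapped, code))
    print("code used for the shown transfer:    ", svc.confirm(nonce, rent, code))
```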
Lmao, that must be an American thing. Here it just uses the open banking APIs.
While I understand the risk of sharing sensitive information (e.g. bank login) with a 3rd party, the current situation is such that your bank monopolizes your bank information to improve your loan offer, to give you better service at a better rate based on its understanding of your bank transaction history.
Currently, there is no aligned format for sharing your bank transaction history with other financial institutions of your choice. Your current bank is the one who purposely makes it hard (only allowing you to share it through the same bank login) so that you are more locked in to their ecosystem.
I used to work with Plaid as a provider, and you will notice certain banks who really do not like their customers using Plaid to share their bank transaction history with competitors will often have unscheduled maintenance during which Plaid wouldn't work, so that you as a user would find friction using someone else and stay with only using products within their ecosystem.
I think the real question is less about why we are using Plaid to share our transaction information. If we are to have an open format to share our banking transaction history, what should that format be and what would be the lock and key for it?
Maybe the mechanism for sharing could be inspired by OpenBanking? In the UK and EU all the banks have to offer API access to accounts.
Instant transfer (sub-second) for free is available to everyone. (Up to a certain limit)
Many banks just OAuth with Plaid now.
What a statement. What a statement. How many financial institutions do they support? How many different vendors supply the platform for those institutions? How many of those financial institutions (FIs) don't support OAuth or other APIs? A lot! Then ask yourself: how do they get the data if there's no API? Web scraping. Then ask yourself how they build the scrapers for those? Where do those accounts come from? Employees of the company who open up accounts at those FIs? What about all the other FIs? Where do you think those come from...? How do you think that process is secured? Think the process is secured enough to make you feel warm and cozy? When the scrapers are working, how do you think they get past the security measures? Do you think those financial institutions might think it's odd that you're logging in from multiple IPs and that one or more of those IPs might be from a residential proxy network?
The result is that I attempt, at all cost to not use anything that requires plaid or their competitors since I know how that sausage is made.
But what comes after? Can users decline or at least downgrade the level of access requested by whoever wants to peek into their bank account? Do banks clearly indicate (and periodically remind the user about!) all parties currently having access to their account?
It's usually still persistent full access, and given that, the question of whether the user's password also leaks in the process is almost beside the point.
I was repeatedly pressured to hand my bank account logins over to plaid when I bought a house. People always seemed surprised when I refused. Maybe they were just acting that way to pressure me into making their sale process slightly easier, but I got the impression most people just go along with it.
Handing my finances over to a company like that is a hard no for me, I can't imagine ever doing business with someone who required it.
Easy - just keep a small amount (small %) in that account.
If it doesn't look like a real account, you usually won't get whatever you're signing up for.
If it happens for enough people, then Plaid is proven to be not as efficient or as useful as advertised, and adoption slows or reverses.
> OpenAI did this with your health data in January. Now it wants your financial data too.
This is far more valuable, they can see what political affiliation you have based on your campaign donations, predict things like cheating on your wife & the impending divorce, what vices you have and they can also build shadow profiles of all the people you give and receive money from even if they don't use the product.
I’d be willing to bet that ChatGPT will know the average user’s political affiliation and vices about three messages in.
The difference is that banking records are harder to falsify, so there’s that.
Campaign donations are already public if you donate over $200 - https://www.opensecrets.org/donor-lookup
If all they wanted was to know more about your profile, they could already buy this information from the bank, I presume.
"Could"? They for sure already bought all the data they could get their hands on; it's logical from a business perspective. They probably have a giant DB with a ton of the world's citizens, because why not?
It is far more valuable to know the type of boring things boring people buy in their boring daily lives.
>they can see what political affiliation you have based on your campaign donations
You can get a pretty good estimate just by looking at other demographic factors like age, education level, income, and zip code. Moreover, how many people actually donate to campaigns?
>predict things like cheating on your wife & the impending divorce, what vices you have and they can also build shadow profiles of all of the people you give and receive money from even if they don't use the product.
Google has had all this capability for at least a decade. What concrete harms have actually materialized?
OpenAI is now run by former Meta executives.
Okay, what concrete harms has Meta done with this information? At best you have some creeps using it to stalk their exes, which is bad, but a far cry from the AI takeover scenario implied by OP.
I haven't implied an AI takeover, this data will be repackaged into a product for military/intelligence, political applications, insurance companies that can charge you more because they know you're willing to pay, and many more.
These things already exist and happen, it's about the data getting better and not having to build tools to query it and make projections, since you can just type a query into a box even if you're not a data scientist.
>I haven't implied an AI takeover, this data will be repackaged into a product for military/intelligence, political applications, insurance companies that can charge you more because they know you're willing to pay, and many more.
Any evidence google or meta actually sells customer data like that?
They target toxic ads at people with poor mental health who are especially vulnerable. They do this intentionally because it's profitable.
There's plenty of reporting on this if you care to look it up. It "works" too. Spending more time on Meta products results in having more body issues, poor self esteem, and suicidal ideations.
But if I remember right you work for a big ad tech company and have previously gone to the mat to defend such practices, so I suspect you aren't genuinely asking.
They have done shit like target weight loss drugs at teenage girls who have posted and then quickly deleted selfies (i.e. using that as one analogue for "self-confidence issues").
Meta has also decided "functionality needs to be provided even though we have explicit confirmation from the (Burmese) government that they're going to use it against dissidents", which has historically included imprisonment and torture, so...
Plenty of concrete harms.
I'm not sure if Plaid still is, but when they first came out they were pretty evil. They would go into your accounts and download all activity. I spent many hours e-mailing them, trying to get a clear answer on what data they collect, and they never said no to anything.
Whenever I've been forced to use Plaid, I use a throw away "free-checking" bank account that has $1 in it.
I guess birds of a feather flock together.
Plaid is criticized because it's a public-facing mechanism for third-party access into your finances, but many companies already have access without you knowing. In the US, many banks share nonpublic info such as transactions with retailers, marketers, government agencies, and others. They're allowed to do so under the Gramm-Leach-Bliley Act. Report from the GAO:
https://www.gao.gov/products/gao-21-36
It’s like we are trying to run as fast as possible towards an AI controlled disaster by connecting absolutely everything we can to the AI… even in the worst sci-fi the robots need to steal codes to get access to systems and we are just leaving the door wide open.
We're not trying to run as fast as possible towards anything. It's a bunch of investors trying to run as fast as possible towards the AI controlled disaster, or as they see it, an AI controlled unlocking of value.
I read a post in the dn42 community where a dude set up an AI agent with access to his Amazon API, which eventually deployed servers generating a bill of $6000.
Don't worry, we'll have plenty of human-controlled disasters from this before we even get to AGI.
I'm generally positive towards AI and LLMs.
BUT there are just things that nobody should be doing ever, like giving it access to your production system or bank account.
I feel like we're now at a point where that's a hot take.
Honestly, given that your bank most likely is processing your data using AI/LLMs anyway (after all, credit scores were one of the first applications of "big data" and "machine intelligence", back when that was mostly logistic regression over a handful of data points), why should I not also reap the benefits of that?
I think until proven otherwise, it's fair to consider financial data public information at this point. If we want to change that, I think it'll take way more than just not granting ChatGPT access to your bank account (although it'll definitely include it).
Can't you feed your financial info to an LLM rather than give it full access to your account? The point of not giving it full access is also a matter of the security of your account, more than about privacy.
It's read-only data, fwiw
But LLMs are like humans!
Nothing wrong with giving them access to your bank or savings accounts /s
People have been electing a clear grifter in multiple countries to do the same, so, you know, people gonna people.
While OpenAI's use of Plaid's spying on bank accounts is framed as a service, its real use case will be identification. Very few people, if any, will sign up to use this voluntarily. But it is a way to get users used to Plaid's spying and start slowly boiling the frog.
The endgame I see is that it will be illegal to communicate on the internet without having a proven bank account, at least in the USA, where all ID verification is settling on banks (i.e., Plaid). And the banks will tolerate 10,000 false positive denials of service to avoid a single false negative and be happy about it. Plaid even more so. Human beings will have no recourse, as they are private companies. This really should be a service that the states or the federal government provide. It's a dark future we're speeding towards.
People will pay for OpenAI to have access to their financial data??
Most people don't care at all about their privacy. Apps like Venmo by default will share basically who you are spending time with and what you're doing; Strava basically exposes where you live and your sleep/workout schedule by default.
I wouldn't want to share my financial data with OpenAI but for the average consumer the ship has sailed.
I wonder if I could pay someone to run me over with a bus.
Sure. But it's going to be expensive. It actually costs me a lot of money to provide a "running you over with a bus" service.
Didn't Matt Levine tell a story about Masayoshi Son doing that? https://news.ycombinator.com/item?id=21427688
What do you think Plaid is doing?
OpenAI is just a new-ish player.
This extends the attack surface area for ChatGPT.
A single web search through an LLM can now pull malicious instructions from the web into the LLM's context and instruct it to exfiltrate financial information. This has been done already with LLM email integrations.
That feels like the natural choice. I’m sure they could claim they’re more advanced by building their own integrations but I prefer that they use Plaid since I know it as a trusted entity.
I used to use copilot.money which was a nice app. Nowadays though using a GUI is fairly tedious so I’d rather use an assistant but I want mostly personal cash flow and net worth visualization, and transaction review and this isn’t going to do it I think.
What do you get out of this that a CSV, or read-only access to another service you trust, doesn't give you? What happens when they hallucinate a payment with an extra digit in it? This will be seen as another example of tech companies acting out of touch.
In a few years Plaid will not be a thing. "Local" banks are already permitting their outsourced online banking systems to sell information on each line item. Soon it will be assumed that your transaction history will be easier to obtain than your credit.
Do you have an article/source on this?
Search for various online banking privacy policies and read through them yourself.
Unrelated to Plaid, OpenAI uses Stripe for payment and it is a real pain in the ass. For example, when you travel in Asia and need to use your card, which is European, to pay for your account, the transaction will go on to be accepted by the bank and Stripe rejects it in the last step if you don't use a local credit card.
Man, I remember when the common wisdom was that there would NEVER be enough people willing to put their credit card into a web browser to support a business.
I never expected to be nostalgic for those days.
To be fair, people online most frequently use debit cards, which can be frozen if something goes wrong.
Uh, debit cards are worse, as they (technically) don't allow you to dispute charges like with a credit card. Money comes right out of your account first, and then you have to try to get it back.
Don’t use debit cards online.
> debit cards are worse, as they (technically) don't allow you to dispute charges like with a credit card.
That's a commonly propagated falsehood. Both legally (Regulation E) and practically (all large card networks require issuers to extend a zero-liability policy to debit cards), consumer protections are very similar.
The big difference is that, as you say, with a debit card you're potentially out the money for a few days, which can be unpleasant if it makes the direct debit or check for your rent bounce.
I once had an issue where they drained the account (transactions weren’t blocked by the bank until the account didn’t have sufficient funds), and it took the bank a full month to investigate and refund.
It’s not a trivial difference.
That's unfortunate, and almost certainly a Regulation E violation on their side. They're supposed to provide a provisional credit within 10 business days.
It was Wells Fargo, and many years ago. It could have been them violating it, or it might not have been a law yet.
It was very irritating!
What good is freezing a card (regardless of debit or credit) after something has already gone wrong?
It seems like every three years or so I need to use a tool with a Plaid Link feature. I try it, it gives some internal Plaid error, then I find some other way of solving the issue.
Plaid is glitchy enough that whenever I hit a workflow that has no alternative, I just call the customer support line and tell them I get an error when trying to link my account via plaid, and they invariably have a manual way to do the thing on their end.
What could go wrong?
It won't go wrong if you don't wanna use this feature, but if you do, then it's up to you; you're trusting a for-profit company so much that you provide them with your confidential data.
Sounds great! Everyone in these comments seems to be so out of touch with what people want out of computing.
All set for a perfect storm with a single exploit down the line. Which could take out so much and OpenAI with it. What a way to burst the bubble, not an if, more a when as so many eggs in that basket and they have yet to invent a solid lid.
Reminds me of the Underpants Gnomes in many ways.
Collect underpants ???AI??? Profit
> Which could take out so much and OpenAI with it
I guess I’m not seeing the systemic failure mode with a Plaid hook-up? The worst case is it sends a bunch of peoples’ money into the aether. That sucks for them and for OpenAI. But I’m not seeing it e.g. collapsing a bank.
A meme prompt with a prompt injection in it would easily reach millions of ChatGPT users.
Can you give an example of how it can work?
It just takes a single corrupt prompt and a class action lawsuit is easily primed.
But yeah, can't have a systemic failure in the grift economy.
Stupid question, but what if you just open an account at a credit union, then have that one connected to plaid?
If it needs to see transactions, just have your salary deposited there, then an automatic transfer the same day to your real account?
You totally could, but the purpose of the OpenAI/Plaid integration is to help you analyze your spending and finances with OpenAI (using it as a budgeting/financial planning app), so if your spending isn't actually in the account you connected, it's not going to give you any value.
Today's edition of "What could possibly go wrong" presents ...
Little doubt the true motivation behind this is the advertising angle. What better way to advertise to consumers than seeing exactly what they're spending money on, historically and in near-realtime?
Why don’t you just ask for my blood? I can bottle it and send it over for Sama to drink for breakfast.
This is exactly the same shit Zuck did with Facebook. Hell with them all.
This was done with 23andMe. Data was hacked and sold.
Do not worry, that's coming next.
What's the local version of this? What's the best way to pull in my finance data locally, without clicking through to each portal? (USA)
Generally banks and credit card companies let you download the statements in a machine-readable form. CSV, OFX, and so on. You're pretty much "clicking" "each portal" to download them, or paying an evil company for their services (and again letting 3rd parties snoop on your finances).
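A local alternative along the lines of the answer above, as an added illustration that is not code from the thread: a small parser for the OFX 1.x (SGML-style) statement files many banks let you download, which pulls out the transactions, deduplicates on FITID so overlapping downloads are not double-counted, and totals credits and debits. The sample statement is constructed; real exports carry more aggregates, but the STMTTRN layout is the standard one.

```python
"""Minimal OFX 1.x statement parser (constructed example).

OFX 1.x files start with a colon-separated header, then an SGML body in which
leaf tags (<TRNAMT>-42.17) have no closing tag but aggregates (<STMTTRN>) do.
"""
import html
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, List

TOKEN = re.compile(r"<(/?)([A-Za-z0-9._]+)>([^<]*)")


@dataclass(frozen=True)
class Txn:
    fitid: str        # bank's unique id for the transaction; stable across downloads
    posted: date
    amount: Decimal   # negative = debit, positive = credit
    trntype: str
    name: str


def _body(text: str) -> str:
    i = text.find("<OFX>")
    if i < 0:
        raise ValueError("no <OFX> element; not an OFX file?")
    return text[i:]


def parse_ofx(text: str) -> List[Txn]:
    """Return the statement's transactions, de-duplicated on FITID, oldest first."""
    txns: Dict[str, Txn] = {}
    current = None                      # leaf values of the STMTTRN being read
    for closing, tag, value in TOKEN.findall(_body(text)):
        tag, value = tag.upper(), html.unescape(value.strip())
        if tag == "STMTTRN":
            if not closing:
                current = {}
            elif current is not None:
                d = current["DTPOSTED"]  # YYYYMMDD[HHMMSS[.XXX]][[gmt offset]]
                t = Txn(fitid=current["FITID"],
                        posted=date(int(d[:4]), int(d[4:6]), int(d[6:8])),
                        amount=Decimal(current["TRNAMT"]),
                        trntype=current.get("TRNTYPE", "OTHER"),
                        name=current.get("NAME", ""))
                txns.setdefault(t.fitid, t)   # first occurrence wins on re-import
                current = None
        elif current is not None and value:
            current[tag] = value
    return sorted(txns.values(), key=lambda t: (t.posted, t.fitid))


def summarize(txns: List[Txn]) -> Dict[str, Decimal]:
    credits = sum((t.amount for t in txns if t.amount > 0), Decimal(0))
    debits = sum((t.amount for t in txns if t.amount < 0), Decimal(0))
    return {"credits": credits, "debits": debits, "net": credits + debits}


# Constructed sample: three distinct transactions plus one repeated FITID.
SAMPLE_OFX = """OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII

<OFX><BANKMSGSRSV1><STMTTRNRS><STMTRS><CURDEF>USD
<BANKACCTFROM><BANKID>000000000<ACCTID>000000000<ACCTTYPE>CHECKING</BANKACCTFROM>
<BANKTRANLIST><DTSTART>20240101<DTEND>20240131
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20240103120000.000[-5:EST]<TRNAMT>-42.17
<FITID>2024010300001<NAME>GROCERY &amp; CO</STMTTRN>
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20240105<TRNAMT>2500.00
<FITID>2024010500002<NAME>PAYROLL</STMTTRN>
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20240105<TRNAMT>2500.00
<FITID>2024010500002<NAME>PAYROLL (duplicate line from overlapping download)</STMTTRN>
<STMTTRN><TRNTYPE>PAYMENT<DTPOSTED>20240115<TRNAMT>-100.00
<FITID>2024011500003<NAME>UTILITY</STMTTRN>
</BANKTRANLIST><LEDGERBAL><BALAMT>2357.83<DTASOF>20240131</LEDGERBAL>
</STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>
"""

if __name__ == "__main__":
    rows = parse_ofx(SAMPLE_OFX)
    for t in rows:
        print(t.posted, f"{t.amount:>10}", t.trntype, t.name)
    print(summarize(rows))
```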
The only better idea would be a Robinhood integration.
And Sports Bets and casino integrations.
Polymarket.
The actual title is
"ChatGPT Wants Access to Your Bank Account"
The comments here do seem to ignore that Rocket Money exists, and that many people use it.
Lovely! It's probably inevitable this will fuck over people eventually. Sam may as well prepare his next blog post ahead of time.
This thread's been incredibly insightful. I'm speechless as to the dystopian things which are happening throughout the world, which seemingly receive no friction whatsoever :/
Only if it helps me buy more stock in GameStop
What's the worst that can happen?
I wonder about this.
Bad actor at plaid gets access to X accounts. Then sells data? Does unauthorized transfers? Create political or religious dossier on every account?
I assume my balance would be returned if someone hacked but what if they wrote checks with signatures which is fraud and that's different. My understanding is no. Fraud doesn't return the balance.
I have my money in 3 accounts. Most I lose is 33% of my total wealth.
The alternative that illegals in the area use are gold and cash and those ladies get mugged and robbed constantly because others know they stash their valuables on their neck and under their bed.
Without a bank the options are limited. Everything is online. Swiss accounts are toast. Crypto has similar problems as gold. Storage and protection is complicated.
I'm inclined to build an LLC type asset and insure the liquidity or something.
All my info can be purchased or captured through my phone or mail and that is enough info to write a check or take out a loan of $50k in my name.
I am not sure the laws and banks protect me in the event someone successfully claims to be me. I wouldn't mind mandatory in person wet signatures for anything over $1k-5k or >5% of my account
Do we still have a choice not to use it?
You absolutely do not have to use the new financial feature. It's optional.
Until every web site and bank requires you to use it because their CTO saw an ad in an airport that said it was a good idea and makes line go up.
"Leadership" today is monkey-see, monkey-do.
See also: Sign in with Google on every web site, even if you don't have a Google account; and Cloudflare interrupting your web surfing every six minutes to make sure you haven't been absorbed by the Borg.
I feel like every single day OpenAI and Anthropic are entrenching their slopware in everyday products and workplaces with little to no way to opt-out. This is getting dystopian.
Was thinking the same recently.
It feels like an arms race on who’s gonna become the Microsoft of the 90s, trying to own and provide everything.
I think it will play out in the same way.
I now think AI is a virus, which infects whatever it touches. Not just software, but the books (there're already slopbooks printed, and I'm not talking about fiction books, but rather real textbooks, history, music, art, etc...). In XX years what can you even trust? We will adapt and get around it, but I'm not yet sure how.
Kim Jong-il approves!
“Let the bodies hit the floor!”