from Hacker News

Plaid settled $58M lawsuit over alleged consumer data sharing

by exotree on 8/16/21, 4:45 PM with 147 comments

by akarma on 8/16/21, 6:22 PM
I actually mentioned in a thread about Plaid in 2018 that they sold transaction history to third parties, and the cofounder came onto HN to explicitly deny that [1]. I actually felt convinced they didn't afterwards, as I couldn't imagine such a direct and clear refutation if it were true.
[1] https://news.ycombinator.com/item?id=18655417
by ve55 on 8/16/21, 5:09 PM
It is particularly sad how common scenarios this are for users, especially in the US. I have known how terrible applications like Plaid (and alternatives) were, but at various points have been required to use them to do something like pay my rent (this is also a very common theme in my life: I strongly dislike a certain company or app, but find myself required to use them regardless, even knowing that my usage and information will be abused).
Giving my full credentials and my security question answer in plaintext to a third party in order to 'link my bank accounts', and then having them scrape every bit of information they can from my personal banking statements and sell it is... nothing short of a nightmare scenario, from many standpoints (user security, user privacy, user education, anti-phishing, and so on).
I guess it's nice to see this class-action lawsuit, but that it amounts to an average of $0.60 per affected user is, well, not particularly inspiring with respect to my hope that things will ever get better here.
Plaid is used by many industry leaders including Venmo, Robinhood, and Coinbase. When it's not used, usually a similar alternative is. Perhaps the most frustrating part of this is that placing blame on these companies is difficult, as there's no interoperability or open banking APIs that can be used as an alternative.
by a-priori on 8/16/21, 7:28 PM
I just read the settlement document, and it looks like this is being reported incorrectly or at least ambiguously.
The allegation is NOT that they shared/sold data to any third parties but that their Plaid Link user interface, where people enter their banking information to add it to Plaid, looks like the customer's financial institution (i.e, uses the bank's branding colours and logo).
Because of this branding, people can reasonably assume that they are sending that data directly to their bank without knowledge, and therefore consent, to share their information with Plaid itself.
If that understanding is correct then this isn't a business practice or security issue, but a user consent issue. That's a problem that definitely needs to be fixed, and the injunctive relief requires them to change the branding and disclosure to make it clearer that people are interacting with Plaid rather than their bank.
But to me it's definitely not a reason to cancel your account or boycott Plaid or whatever.
https://newmedialaw.proskauer.com/wp-content/uploads/sites/2...
by cmer on 8/16/21, 5:22 PM
It is absolutely crazy that in 2021, banks still don't have proper secure APIs for other software to interface with. Plaid is a major disaster waiting to happen.
Are there any banks moving in that direction? I know of exactly zero in Canada.
by bananapub on 8/16/21, 5:24 PM
it's so frustrating that this sort of shit keeps happening.
1. banks create gap in market by not providing useful access to their customer's data by...their customers
2. regulators don't step in to fix this market failure
3. some company steps in! yay!
4. company decides that charging customers for providing a good and/or service is insufficient, they need to do something creepy with selling off the customers data
5. lawsuit after the fact to maybe stop them being dickheads and definitely enriching a lot of lawyers
why hasn't the FTC or something stepped in to make banks provide some secure read-only access?
by prepend on 8/16/21, 5:15 PM
Plaids terms are really concerning to me as a user and I’m not willing to give them my bank credentials. My main fear is that they get hacked and my credentials are used to drain my accounts. Plaid waives any liability and my bank doesn’t do much if my credentials are used to do stuff like initiate wire transfers.
Venmo is doing this weird thing where for some transactions they are saying they require plaid to get my bank credentials to log in and “verify.” Of course that breaks my first issue. But it also allows them to suck up and use all of my bank transactions forever.
Seems like a shitty tradeoff just to Venmo money to people.
by w4llstr33t on 8/16/21, 5:37 PM
I think companies should still provide a way to link accounts via small deposits. It takes a few days, but at least you don't have to share your credentials. (This applies to US accounts, maybe there are better solutions elsewhere.)
If you use Plaid, I think it should only be if there's no other option and you change your credentials after. I've always thought giving away your credentials to a screen scraping company like Plaid was crazy.
In terms of the class action lawsuit, the only one who will see a meaningful payout from this are the lawyers.
by paws on 8/16/21, 5:20 PM
I recently received a helpful reply about liability from an HN user who says they're a Plaid employee. Thanks @phoenixy!
https://news.ycombinator.com/item?id=27982516
While I'm still trying to understand the bigger picture implications, maybe you will find this helpful too.
by tehwebguy on 8/16/21, 6:47 PM
I say this basically every time it comes up but I cannot imagine handing my bank login + password over to Plaid or pretty much any third party ever for pretty much any reason.
by walrus01 on 8/16/21, 5:55 PM
The "Current" online-only bank insists on using Plaid if you want to transfer money from an existing account to Current. No thanks.
https://www.google.com/search?client=firefox-b-1-d&q=current...
Also apparently if you want to use Plaid with many different online banking portals, you need to permanently disable 2FA, also no thanks.
by meowtimemania on 8/16/21, 6:55 PM
I’ve used Plaid to login to my bank account. How do I delete all my data from Plaid??
by dmitrygr on 8/17/21, 12:22 AM
Can we, for a moment, talk about how evil the very concept of Plaid is? We are literally TRAINING people to turn OFF 2FA on their bank accounts and give someone else their passwords! Yes, you read that right!
And then we wonder why phishing works so well, and why 2FA is not widely used...
I already advised everyone I know against Plaid, and am working with my bank's local branch to disable any and all access from their IPs, and force anyone whose passwords have been compromised (make no mistake, giving your password away is a compromise) to change their passwords and enable 2FA.
by fasteddie on 8/16/21, 6:29 PM
I'm a bit confused reading this. Is the lawsuit that users signing up for e.g. Venmo didn't know that they were also giving their transaction history/whatever to Venmo, or that Plaid was then taking the data passed to Venmo and reselling to, I don't know, a hedge fund?
If it's the former -- I certainly think services need to clearly state what/why/how they are using the data, but it's on the services (like Venmo) and not Plaid.
by xyst on 8/17/21, 4:35 AM
Personally, services that ask for your bank account credentials are a “no go” for me. The passwords themselves are likely stored securely, but the fact they are stored at all is concerning.
All it takes is a bad actor within the company to re-write the screen scraping to then impersonate the users and have them wire out money to a foreign bank account. Some anti-fraud systems might catch this activity but for people that use the wire system on a frequent basis it might go unnoticed.
Or they may screen scrape the information and sell it on the black market. Wouldn’t be too hard to target a specific group (elderly, retired) since you already have their bank credentials which subsequently has reliable/verified demographic information and account balances.
by echopom on 8/16/21, 6:14 PM
> If all 98 million people were to file a claim, each would receive just 60 cents.
Thank you court of California to incentive startups and GAFA to use our data knowing their risk nothing.
Just to be clear , Plaid has raised 600+ Millions in it's lifetime , this is nothing for them.
by tommoor on 8/16/21, 10:34 PM
Top tip: If you don't want to give Plaid your banking credentials and all of your purchase history (you really shouldn't, irregardless of this lawsuit), just search for jibberish in the "search for bank" option in any app that implements Plaid to get the option to "link manually"…
by root_axis on 8/16/21, 11:06 PM
The bottom line is that users aren't aware that they're giving up 6 months of past and future transaction history to the Plaid integrator when they login using Plaid. This is obviously deceptive.
by jqpabc123 on 8/17/21, 3:50 AM
Just don't ever give your banking login credentials to anyone ... ever. Just don't do it. You knew it was a bad idea when you did it --- so don't repeat the mistake for any reason.
by hamburgerwah on 8/17/21, 12:14 AM
Modern business in the US: 1) Make big profit doing bad thing that harms consumers 2) Pay fine for doing bad thing that is 10% or less of the ill-gotten profit 3) Repeat
by zaptheimpaler on 8/16/21, 7:07 PM
98M customer accounts for $58M so 60c a piece. Sounds like they got a great bargain! Justice is served!
by vmception on 8/16/21, 8:34 PM
The worst thing about Plaid is the alternatives to Plaid that I've never heard of
There is no secure way to "connect your bank account" in an app. No matter how fancy it looks, or what logo they put up, you are really just giving your username and password to a random person. A random person who may or may not be malicious, but is absolutely a giant target for malicious people.
As for the rebuttals, be nice if there was a way for users to to verify.