2021/03/17
Last year Gregg Tavares posted about Github’s permission model, frustrated with how it blindly grants the ability to request data from users to anyone that asks for the permissions. Yesterday it was trending on Hackernews. I think from a privacy standpoint it’s an interesting read. Something they touched on, however, gave me that weird gut feeling…
Let’s imagine your bank let you sign in to 3rd party services in a similar manner. How many people would click through on “Let ACME corp act on your behalf on your Citibank Account”. I think most people would be super scared of permissions like that. Instead they’d want very specific permission like, only permission to deposit money, or only permission to read the balance, or only permission to read transactions, etc…
Oh, you sweet summer child. Oh, no, no, no. It’s much worse when it comes to banking.
Enter Plaid.
You might know Plaid because their Visa acquisiton was recently blocked.
Plaid operates as an “in-between” for their customers to allow end-users to sign into banks - surfacing information about account numbers, routing numbers, current balance, recent transactions, and other related banking information.
Cool, right?
Well, let’s pull apart how that works. Let’s take Venmo as an example. Venmo embeds Plaid’s SDK. A user will want to link their bank account to Venmo. The SDK interacts with and then Plaid performs a Man in the Middle attack on the end-user. Within an app (not the bank’s) app, Plaid’s embeddable code will simulate a fake bank login, collect credentials - including many 2FA - and then falsify a login as if they were an end user. At this point they scrape all data they can get access to, storing it all in their servers. This is how their customers, like Venmo, would be able to verify you own your account and can peek at your account balance to verify you have funds to pay for that pizza / rent / drugs / fantasy football.
Plaid’s codebase itself has a distinct issue, too. The underlying code for their scrapers are thousands upon thousands of Python files that connect together like spaghetti. Updates get patched in at random, so following security practices is attempted but… it’s a moving target.
As far as permissioning - it’s nonexistent. Plaid gives every single one of their customers full access to the accounts of users that authenticated. With Venmo - account verification? Sure! Account balance? Uh.. weird, but okay. Loan status? Credit card statements? Transactions unrelated to Venmo? Identity documentation? Initiate transfers? Uhh.. Why?! For anyone?!!
Is this legal? Well, maybe. That doesn’t stop banks from suing Plaid. This is also not great for consumers because it opens up new vectors for threat actors to gain access to accounts and could void agreements banks have with their customers around fraud.
Lots of financial services apps like Mint also work in this way.
Don’t worry, though, at least we can use alternatives. Like, I’ve heard of “Yodlee” to do this, right? Oh…
At the end of the day, services like Plaid provide features that users want.
Do I think plaid is a security nightmare? Yes.
Can I think of a reasonable alternative for their features? No.