Connecting Your Bank Account To an App is Now a $3-Billion Business (latimes.com)
When you link your checking account to Venmo or use it to buy bitcoin, a startup called Plaid is likely facilitating the connection with your bank. You punch in your user name and password; Plaid checks those credentials with the financial institution and, if they're accurate, passes banking information back to the app. That's it.
From a report: This kind of software has been around for decades. But in the last year, Plaid has captured investors' attention. The San Francisco startup was the subject of a bidding war among venture capitalists and at least one tech company, ultimately resulting in a $250-million investment last month. That money will partly go toward the acquisition of one of its biggest competitors. Plaid announced Tuesday it was buying New York-based Quovo Inc. The deal could be worth about $200 million after performance bonuses, said three people familiar with the transaction, who asked not to be identified because terms of the deal were private.
Since starting Plaid in 2012, Zach Perret has sold the startup's nine lines of code to some of the most popular finance apps. Robo-advisor startup Betterment, cryptocurrency exchange Coinbase Inc., PayPal Holdings Inc.'s Venmo and stock-trading app Robinhood Markets Inc. have all used Plaid. Meanwhile, Quovo specializes in wealth management and brokerages. "This represents the merging of two complementary but both very important businesses," said Perret, Plaid's chief executive. Plaid is now valued at roughly $3 billion.
Re: (Score:1)
I would use a phone, as in talking to my credit union. I would not use my phone to connect to their computer.
Re:I would never.... (Score:4, Interesting)
I would. I'm probably being a bit rose-colored glasses about it, but if my bank puts out an app that I can load on my phone, I'm happy to use it. What I'm not remotely happy to do is give my username/password information to anyone other than the institution that issued the account. I mean, think about it... even my bank shouldn't actually know what my password is. They should have taken the password I gave them, salted it, hashed it 10-20 times, and stored the resulting hash in the database for future reference. This has been widely known as best practice for well over a decade now. They should have absolutely no way to recover the actual password I used based on their stored information. And so, as if to thumb my nose at security best practices, I'm going to simply hand not only my username, but actual password, over to some stranger? Just so I can use some dumb app on my phone? No way in hell.
We need to regulate this practice of giving third parties your username/password with your bank to use an app like Mint or whatever into oblivion-- with all the hackings of places like Target and Experian I'm actually sort of shocked that one of these third party backends hasn't been hacked (or more likely it has been, but keeping that fact secret is highly lucrative to the hackers, so we just haven't heard about it). Mostly what I understand these backends do with your login behind the scenes is a lot of screen-scraping to get your info. Last time I checked, it's not like there is an open format/API that financial companies are required to use to allow third party apps to access your data for you. I'm sure some banks have developed "relationships" with the Quickens of the world, but I'm guessing that many more have not, and it's probably still firmly in the pay-to-play realm, rather than an open standard that anyone can partake in.
Re: (Score:3)
I should note that there is an open data format that every bank I've worked with uses to allow me to download my data in a form I can then load into a program like Quicken or GnuCash: OFX/QFX, but this requires me to log in to every separate bank web site myself. Which is what I actually do. Only I didn't like either Quicken or GnuCash much last time I looked into them, and I strongly considered working with the GnuCash code base, but I wanted enough different features that it seemed easier to implement
Re: (Score:2)
Re: (Score:1)
I would use a phone, as in talking to my credit union. I would not use my phone to connect to their computer.
You're just like those old people writing checks at the grocery store while the rest of us are waiting for you.
You're not being smarter than anyone, or being more secure than anyone else.
You're just living in the past.
Re: (Score:2)
Paypal is enough (Score:5, Interesting)
Re: (Score:2)
Impressive valuation (Score:5, Insightful)
You punch in your user name and password; Plaid checks those credentials with the financial institution and, if they're accurate, passes banking information back to the app.
I know there is a big dark market for these things, but a $3 billion valuation for a MITM exploit still seems a bit steep to me.
Re:You deserve better ! (Score:5, Informative)
These days any transfer made is instant anyway, so the retailer can get the verification from their own bank without this security nightmare. Banks are now officially setting up their own consumer payment system where you can register a phone number to accept payments to your account, which will result in an SMS to your phone informing you of successful transactions. So the lifespan of these third party security risk solutions is hopefully coming to an end. With the banks' apps integrated into Android and iOS payment APIs, the app side of making payments should be taken care of too.
lolz - app to impulse buy bitcoin linked to bank (Score:1)
even if your app access gets hacked and your money is stolen it's the same as investing in bitcoin
no downside
Re: (Score:3)
A local gas station chain has an app that lets me save $0.10/gallon by charging my checking account directly (since they don't have to pay the credit card fee). But that required me putting in my bank's routing number and the account number, so they essentially just send an electronic check.
I would never type in my bank account credentials to anything other than my bank's website, that's just all kinds of dumb. But, I've seen some "financial services" companies / web-apps that require you to do that (becau
Re: (Score:2)
Re: (Score:2)
Re: Only 9 lines of code? (Score:2, Informative)
It's perl
Re: (Score:1)
The next version will be just 8 lines of code (at almost 2.5 million characters per line).
Re: (Score:2)
They should be shot for doing that.
Re: (Score:3)
dumb (Score:2)
Re: (Score:2)
Re: (Score:2)
You do that every time you hand someone a check too. Routing and account number? Yep, right on there along with your name and address too. On every check. Ever. Forever...unless you change accounts, that check from 20 years ago has enough info to access your bank account funds.
So when you're done fear mongering, look at the broader picture for 2 seconds.
Re: (Score:2)
Why would you do that? (Score:2)
I assume the figure in the title is the amount that has gone "missing." Link my checking account to buy bitcoin? Sure. Extended warranty? Absolutely. I won the lottery and just need to send you $3000 to collect my millions? Where do I sign up.
You do what?! (Score:5, Informative)
You give your credentials to some third party and it tries them? Like, you break your contract with the bank and forgo all your rights to complain about fraudulent charges? Check the ToS of your bank – all of them make sharing your credentials a "game over" situation for the account owner.
Almost every single bank provides an API for external parties to initiate payments (in this situation authorisation is processed by the bank). Pay-by-link is standard in all banks, and OpenAPI (PSD2) will force the rest of them to comply.
But if you share your credentials, you are lost.
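An added example, not part of the original thread and not any bank's or Plaid's code, tying together two points made in the comments: the salted, hashed password storage described in the "I would never...." reply and the bank-processed authorisation described in the "You do what?!" comment. The `Bank` class, its method names, the scope strings, the PBKDF2 work factor and the sample credentials are all assumptions made for illustration.

```python
import hashlib, hmac, secrets
ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def enroll(password):
    """Bank-side record: salt, work factor and derived key, never the password."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "key": key}

def verify(record, attempt):
    """Re-derive the key from the attempt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                              record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class Bank:
    """Hypothetical bank: password login plus bank-issued, scoped tokens."""
    def __init__(self):
        self.users = {}   # username -> enroll() record
        self.tokens = {}  # SHA-256 of token -> (username, scope)

    def signup(self, user, password):
        self.users[user] = enroll(password)

    def login(self, user, password):
        record = self.users.get(user)
        return record is not None and verify(record, password)

    def issue_token(self, user, password, scope):
        if not self.login(user, password):  # user authenticates to the bank itself
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = (user, scope)
        return token

    def authorize(self, token, action):
        entry = self.tokens.get(_digest(token))
        return entry is not None and entry[1] == action

    def revoke(self, token):
        self.tokens.pop(_digest(token), None)

if __name__ == "__main__":
    bank = Bank()
    bank.signup("alice", "constructed-pw")  # constructed sample credentials
    t = bank.issue_token("alice", "constructed-pw", "read:balance")
    print(bank.authorize(t, "read:balance"), bank.authorize(t, "payments:send"))
```

Revoking the token cuts off the app without a password change, which is not possible when the app holds the password itself.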