
privacy/security concerns #68

Closed
benissimo opened this Issue Feb 11, 2016 · 21 comments


benissimo commented Feb 11, 2016

From what I can tell, Plaid Link injects a login form onto a website and asks the user to supply their credentials for logging in to their bank.

Doesn't that clash with the recommendations from banks to never provide credentials except when visiting the bank's website?

How can a user be sure they aren't being tricked into supplying their credentials by a hacker spoofing the Plaid Link UI?

When I visit my bank's site, I can check the SSL certificate to be sure it's really the bank. How can I be sure that the Plaid Link UI is authentic? (And even if it is authentic, how can the user know their data is secure?)

michaelckelly (Member) commented Feb 11, 2016

@benissimo -

Thanks for opening this issue, great questions all around. The security of our users and their data is at the heart of everything that we do at Plaid and drives every engineering decision that we make (check out our security page for more). Link uses SSL for all communication and sensitive data never touches the app's servers. Instead, they are routed to Plaid's API (over a secure connection) which then communicates directly with the bank. I'd also recommend reading up on the security policies and practices of each app or service that you use.

If you have any questions about security or feel that someone is using Link in an insecure way, please don't hesitate to drop us a note at support@plaid.com. We want to hear from you!

rubendinho commented Feb 11, 2016

I think the question is more about someone impersonating Link on an app that normally uses it.

How would a user know that the data she is entering into the "Link" form is actually going to Plaid, instead of going to someone who might have hacked into my site and injected a form that looks identical to Link.

benissimo (Author) commented Feb 12, 2016

Here, in order from best to worst, are some scenarios in which an end-user might provide their Bank of America (BofA) account information to Lawnmower.io via Plaid:

  1. BofA User credentials are supplied only while visiting the BofA site
    a) Lawnmower.io payment page includes Plaid Link which inserts a link or button on the page which when clicked leads to:
    b) a redirect to the BofA site where, OAuth-style, the user is prompted to login to BofA and grant access to Plaid (on behalf of Lawnmower.io) to retrieve an explicit list of information (bank accounts, history, balances, etc.)
    c) user enters BofA credentials, clicks OK to grant consent to share the information with Plaid and Lawnmower.io
    d) user is redirected back to Lawnmower.io

This is the best scenario because the user never has to type their BofA credentials except while visiting the BofA site. The user can see that the site is in fact bankofamerica.com, can check the SSL certificate in their browser. This is similar to the experience a user has when they are prompted to login via Google or Facebook for a 3rd party site. Nobody asks a user to provide their Google or Facebook credentials while on a 3rd party site. Instead, the user authenticates directly with Google or Facebook, etc.

This is clearly the most secure option, but it has the downside of requiring the banks to implement OAuth, or some functional equivalent.

  2. User enters BofA credentials while visiting the Plaid.com site
    a) Lawnmower.io payment page includes Plaid Link which inserts a link or button on the page which when clicked leads to:
    b) a Plaid.com page where the user is asked to enter their BofA credentials. A disclaimer explains all the care Plaid takes in treating their data securely.
    c) user enters BofA credentials
    d) user is redirected back to Lawnmower.io

This is not as good because it requires the user to enter their BofA credentials on a non-BofA site. Plaid may be very conscientious, follow all the best practices, but even so the user is being asked to enter their credentials from another site. I would not enter my BofA credentials on any non-BofA site, nor would I recommend that anyone else do so. Entering BofA credentials into Plaid goes against the basic principle of never sharing user credentials with a 3rd party, no matter how trusted.

This issue is compounded if the user is browsing via a mobile app (can't even check the address bar).

It's one thing to share one's credit card number with a 3rd party during e-commerce. That's a risk consumers are generally willing to take. But sharing one's online banking credentials? If that somehow led to identity theft, fraud, or what not, would the bank still assume the costs even though the user provided their credentials to a 3rd party?

If the BofA site explicitly listed Plaid.com as a trusted vendor and said it was OK to enter BofA credentials via Plaid.com, ensuring the same level of identity theft and fraud guarantees, then I might feel comfortable with this scenario. Otherwise no.

  3. User enters BofA credentials while visiting Lawnmower.io
    a) Lawnmower.io payment page includes Plaid Link which injects a form into the page
    b) user enters BofA credentials while visiting a Lawnmower.io page

This seems like the worst of these scenarios. In addition to the concerns raised in (2), the end user has the problem of how to tell whether the injected form is, in fact, passing their information to Plaid and not to some other site. The address bar of the browser simply lists Lawnmower.io. There is no way for the typical user to tell whether the injected form will in fact post to Plaid.
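The distinction between the three scenarios comes down to one question: which origin actually receives the typed credentials? The address bar only shows the top-level page, while a form's `action` and an iframe's `src` decide where the data goes. As an added example (not code from the issue thread or from Plaid), the script below performs the "browser inspector" check from a defender's side: it parses a page with the standard-library HTML parser, finds every form that contains a password field and every iframe, and reports whether each one hands data to the page's own origin or to a third party. The page URL, the `connect.third-party.example` host and the sample HTML are all constructed for the example.

```python
# Added example, not part of the original issue thread. Audits an HTML page
# for credential forms and embedded iframes and reports the origin each one
# sends the user to. Sample page and hostnames are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin_of(url):
    """Return the scheme://host[:port] part of a URL, lowercased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class CredentialFormAuditor(HTMLParser):
    """Collects forms that contain a password input, plus every iframe src."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []      # dicts: {"action": absolute URL, "has_password": bool}
        self.iframes = []    # absolute src URLs
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means the form posts back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None:
                self._current["has_password"] = True
        elif tag == "iframe":
            self.iframes.append(urljoin(self.page_url, a.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(page_url, html):
    """Return one finding per password form and per iframe, flagging the
    ones whose destination origin differs from the page's own origin."""
    parser = CredentialFormAuditor(page_url)
    parser.feed(html)
    page_origin = origin_of(page_url)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        dest = origin_of(form["action"])
        findings.append({"kind": "password-form", "destination": dest,
                         "third_party": dest != page_origin})
    for src in parser.iframes:
        dest = origin_of(src)
        findings.append({"kind": "iframe", "destination": dest,
                         "third_party": dest != page_origin})
    return findings


# Constructed sample: a merchant page with a harmless order form, a
# credential form posting to a third party, a third-party iframe, and a
# same-origin password form for the merchant's own account.
SAMPLE_PAGE_URL = "https://lawnmower.example/pay"
SAMPLE_HTML = """
<html><body>
<form action="/checkout" method="post"><input name="amount"></form>
<form action="https://connect.third-party.example/submit" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<iframe src="https://connect.third-party.example/link"></iframe>
<form method="post"><input type="password" name="site_pw"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = "THIRD-PARTY" if finding["third_party"] else "same-origin"
        print(f'{finding["kind"]:14} -> {finding["destination"]:40} {flag}')
```

Two caveats matter for reading the report. First, the parser cannot see inside a cross-origin iframe, so an iframe is reported by its source origin only; whatever credential form it renders belongs to that origin, not to the page in the address bar. Second, this is a static audit: script on the page can rewrite a form's `action` or intercept the submit event, so a clean static result is a lower bound, which is exactly why the thread argues that a typical user cannot verify an injected form at all.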

whockey (Member) commented Mar 7, 2016

@benissimo - appreciate the concerns and ideas. We're always working towards a better and more secure solution.

However, while solutions like OAuth with the bank are definitely on the horizon, the financial sector moves a bit more slowly than other technology companies. I understand how this can be frustrating at times so I'll make sure to update this issue and reach out as things change. In the meantime feel free to drop me an email at william [at] plaid.com if you have any more questions or thoughts!

whockey closed this Mar 7, 2016

tekrajhvn commented Dec 15, 2017

How can we link credit cards with Plaid?
Instead of entering Bank account details user will insert Credit card Info. Is this possible?

skierpage commented Nov 13, 2018

2 1/2 years later, givelively.org prompts me to provide my banking password on a web donation page. Browser inspector shows it's putting up a plaid.com iframe. That even renders my bank's logo to fool me into thinking I'm accessing my bank's site. This is absolutely unacceptable, regardless of what claims you make on your security page.

briangordon commented Nov 22, 2018

This is horrible, horrible, horrible, horrible, horrible practice. Any malicious actor can copy your design and present a perfectly genuine-looking Plaid input form and gather bank credentials from victims. There's absolutely no way to tell whether a Plaid input form is genuine without examining the HTML source of the page, which is far beyond the ability of almost all users. What good is your $1000 EV cert and your brand's hard-won trust if the user just sees Wacky Joe's Discount Dolphin Assholes, secured by letsencrypt.org in the area of the address bar where we've been telling them to look for a trusted name for about the last decade?

You guys need to get your act together and realize that you're not in the business of hosting Wordpress blogs or building marketing pages for the latest Barbie Rides Horses Again game somehow still coming out for the Nintendo DS. You collect bank credentials. Re-read the previous sentence. Do it again. Essentially my entire net worth is kept in my Schwab brokerage account which shares the same login as my Schwab checking account. If someone gets my Schwab credentials and I don't notice before they empty me out, my life is over. You simply cannot half-ass security best practices for the sake of UX convenience.

Yes, stripe.js does the same thing. They probably shouldn't. But they're collecting credit card numbers - their users have exactly zero liability for fraud committed on their cards. You, on the other hand, are asking for credentials to log in to a bank account! You have a responsibility to your users not to pull this kind of shit. Any non-techie user who encounters a scam like I described above:

  1. Can do literally nothing whatsoever to distinguish between a scam and a legitimate Plaid input form.
  2. Immediately forfeits every dollar in their bank account and linked savings and brokerage accounts upon entering their credentials, with liability potentially far exceeding even their total balance.

This is actually serious business. Please @zperret task someone competent to at least look at this.

michaelckelly (Member) commented Dec 7, 2018

@skierpage and @briangordon we appreciate your concerns, which is why our compliance team vets anybody who uses Link. As to malicious knock-offs, this is a matter that most successful companies look out for and deal with -- as we and our security team do. If you see someone impersonating Link in such a way, please drop us a note at security@plaid.com. It’s also worth noting that, in addition to the security we provide, banks protect their users from credential-based attacks via multi-factor authentication, fraudulent activity detection, and other measures.

Like @whockey said above in the thread, while solutions like OAuth with the bank are definitely on the horizon, the financial sector moves a bit more slowly than other technology companies. I understand this response may be frustrating. In the meantime feel free to drop me an email at michael [at] plaid.com if you have any more thoughts!

devsaikan commented Dec 8, 2018

I would rather enter a debit card to fund the account rather than my bank credentials.

Even if there’s a transaction fee involved I won’t mind paying.

@briangordon made an excellent point. A lot of folks have bank accounts connected with other sub-services provided by the same financial institution, using one set of credentials.

briangordon commented Dec 8, 2018

@michaelckelly Your actual customers paying to use Plaid aren't the issue, so the vetting is nice but not relevant.

My point is that the malicious knock-off issue is intractable with your current design. There's no way that you can "look out for and deal with" an entire Internet of web pages that can appear at any hostname or IP address at any time without warning. Even if you find a malicious page, getting it taken down for good is not practical, as the constant whack-a-mole of domain seizures trying to shut down sites like The Pirate Bay and Sci-Hub has shown.

MFA is irrelevant - the malicious form can simply prompt for the MFA token exactly like the genuine Plaid form does. The only point in your response that has any merit is the point about automated fraud detection, but that's necessarily based on unreliable heuristics and shouldn't be literally the only thing standing between a bad actor and your users' bank accounts.

What you have to acknowledge is that you're training users to trust the Plaid brand so that when they see that login form with the familiar logo and colors and layout they can relax and be comfortable entering their bank credentials. This is incredibly unfair to users who can't know how dangerous this is.

I'm being a huge asshole about this, but it's because this is shockingly bad. At some point you're going to have a shaken and confused retiree call you up and tell you about a letter they got from their bank saying that $20k of their nest egg has been transferred, and ask if you know anything about it. This is an inevitability at your scale and with this design the responsibility is not on the user for failing to check that they were sending their credentials to a trusted source, it's with Plaid for building a poor design that makes it impossible for them to do so.

jcanizales commented Dec 13, 2018

I just found the Plaid form when trying to get money via Venmo. I couldn't believe my eyes when I saw that the iframe that showed the Citibank logo and color theme, prompting for my credentials, wasn't from citi.com, but plaid.com impersonating it 😳 Surely, someone at some point got in the back of their neck the feeling that this wasn't a good idea, when part of their job was "mimic as closely as possible the web login of certain banks, so the user can't distinguish"?

The comment above by @benissimo describes perfectly the pros and cons of 3 ways of doing it, from best to worst. Plaid is doing the worst one, and @michaelckelly and @whockey only respond that option 1 is unfeasible at this moment.

Well, what about option 2, so that at least the users can see plaid.com with a security lock in their address bar? Maybe even a Plaid-brand theme in the form. Would that produce less revenue for Plaid, on account of some users not going "oh, I recognize my bank logo and colors, this is probably safe"? But if it does, how do you put a value to the externality of training all those users in an insecure practice?

lauri-elevant commented Dec 23, 2018

I cannot decide if this is reckless or just naive. According to Hanlon's razor one should not assume malice when stupidity provides an adequate explanation. But not in this case. Not this stupid. Even if you fooled yourself into creating such a service, you must have realized the consequences by now.

So it must be a deliberate reckless ploy to grow your startup at the expense of some folks losing their life savings or their privacy being violated. You know, move fast and break things.

You cannot fix it. It is insane to the core.

NSExceptional commented Dec 25, 2018

Everything Plaid does goes against basic security teachings. I had to get my bank to admit liability before deciding to use Plaid.

No one should have to enter their password anywhere but on the host site, for any kind of service where security is important.

pcouy commented Dec 27, 2018

I am horrified by this thread. People are concerned by a very serious issue, sending long messages that must have taken quite some time to write in order to clearly explain what the issue is, and it is like @michaelckelly does not even read the explanations and just spits out automated answers...

kielni commented Feb 9, 2019

@briangordon @devsaikan @jcanizales @lauri-elevant @NSExceptional @pcouy (and anyone else concerned by this)
I agree that asking people to provide credentials goes against the most basic security advice. https://blog.plaid.com/improved-search/ is basically a phishing clinic: "you’ll see logos and brand colors for even more institutions in Link so that end-users feel a greater sense of security and familiarity when they recognize their institution’s look-and-feel."

I doubt Plaid will do anything, but maybe your financial institution will. I contacted Charles Schwab to ask what they could do about Plaid using Schwab's brand image to encourage customers to give up their credentials. They seem to be taking it seriously; I'd be interested to hear how other financial institutions react.

NSExceptional commented Feb 20, 2019

@michaelckelly: It’s also worth noting that, in addition to the security we provide, banks protect their users from credential-based attacks via multi factor authentication, fraudulent activity detection, and other measures.

I can't speak for every bank, but I know that Plaid entirely bypasses my bank's 2FA. If someone got my password, they could use Plaid to transfer funds from my account.

briangordon commented Mar 6, 2019

In case there was any doubt that bad actors are using the "present a realistic-looking bank login" attack vector:

https://blog.checkpoint.com/2017/05/16/the-mobile-banker-threat-from-end-to-end/

alex-taffe commented Apr 13, 2019

This whole thread is absolutely appalling. This sort of behavior should not be allowed and this project needs to be shut down immediately. Without any sort of reasonable authentication like OAuth, the questions start piling up immediately.

  • Is Plaid storing my banking credentials? If so, how do I remove them from Plaid's servers and how do I know that they are really gone?
  • If Plaid's servers are breached and my credentials are exposed, what liability protection is in place to prevent my entire life savings from being drained?
  • If the Plaid UI is replicated, how do I know that? It's a super generic UI with a logo slapped onto it and no way to verify any legitimacy. If it's impossible for security researchers and developers to tell, how is my 85 year old grandma supposed to?
  • What is stopping Plaid from in 5 years changing their privacy policy to collect awful data on me? I'm physically incapable of removing any of my details from your servers and stopping that, short of shutting down my accounts/changing every single password.

The quote

However, while solutions like OAuth with the bank are definitely on the horizon, the financial sector moves a bit more slowly than other technology companies.

keeps being thrown around here. That's not anyone's problem. If things in the banking industry cannot be done securely, they should not be done at all. This product is a liability and if it cannot be created properly, it should not exist at all. Sure, you say

Link uses SSL for all communication and sensitive data never touches the app's servers. Instead, they are routed to Plaid's API (over a secure connection) which then communicates directly with the bank.

I honestly don't care whether or not they touch the app's servers or yours, they shouldn't be touching EITHER. The only service that should see my credentials is the bank itself.

Plaid's employees seem to be either too naive or just delusional to see the problem here and will not own up to their mistakes. Something needs to happen here and happen fast. I'm appalled a company as large as Venmo would ever dream of using this service.

I am going to try to get in touch with as many large financial institutions (Chase, CapitalOne, Schwab, etc.) and their security teams ASAP to get this nonsense shut down. Someone is going to get seriously hurt by this insecure, and frankly immoral, product sooner rather than later, and every single Plaid employee who knows about it will be responsible for that person's entire retirement and life being stolen.

sschueller commented Apr 13, 2019


Sadly I doubt that these institutions give a shit. They will blame the customer for giving their credentials to the wrong entity.

alex-taffe commented Apr 13, 2019

That may be the case, but they still don't want unhappy customers and people having their lives stolen. Plus, for that matter, if companies like Venmo are using it, Venmo is going to be seen as liable, not Plaid. Consumers just see Venmo, not Plaid. Venmo doesn't want that.

briangordon commented Apr 13, 2019
