logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Plaid-is-an-evil-nightmare-product.md (3785B)

    

  1. ---
  2. title: Plaid is an evil nightmare product from Security Hell
  3. date: 2022-02-19
  4. ---
  6. [Plaid] is a business that has built a widget that can be embedded in any of
  7. their customer's websites which allows their customers to configure integrations
  8. with a list of third-party service providers. To facilitate this, Plaid pops up
  9. a widget on their customer's domain which asks the end-user to *type in their
  10. username and password* for the third-party service provider. If necessary, they
  11. will ask for a 2FA code. This is done without the third party's permission,
  12. presumably through a browser emulator and a provider-specific munging shim, and
  13. collects the user's credentials on a domain which is operated by neither the
  14. third party nor by Plaid.
  16. [Plaid]: https://plaid.com
  18. The third-party service provider in question is the end-user's bank.
  20. What the actual fuck!
  22. Plaid has weighed on my mind for a while, though I might have just ignored them
  23. if they hadn't been enjoying a sharp rise in adoption across the industry. For
  24. decades, we have stressed the importance of double-checking the domain name and
  25. the little TLS "lock" icon before entering your account details for anything. It
  26. is perhaps the single most important piece of advice the digital security
  27. community has tried to bring into the public conciousness. Plaid wants to throw
  28. out all of those years of hard work and ask users to enter their freaking *bank
  29. credentials* into a third-party form.
  31. The raison d'ĂȘtre for Plaid is that banks are infamously inflexible and slow on
  32. the uptake for new technology. The status quo which Plaid aims to disrupt (ugh),
  33. at least for US bank account holders, involves the user entering their routing
  34. number and account number into a form. The service provider makes two small
  35. (\<$1) deposits, and when they show up on the user's account statement a couple
  36. of days later, the user confirms the amounts with the service provider, the
  37. service provider withdraws the amounts again, and the integration is complete.
  38. The purpose of this dance is to provide a sufficiently strong guarantee that the
  39. account holder is same person who is configuring the integration.
  41. This process is annoying. Fixing it would require banks to develop, deploy, and
  42. standardize on better technology, and, well, good luck with that. And, honestly,
  43. a company which set out with the goal of addressing this problem ethically would
  44. have a laudable ambition. But even so, banks *are* modernizing around the world,
  45. and tearing down the pillars of online security in exchange for a mild
  46. convenience is ridiculous.
  48. A convincing argument can be made that this platform violates the Computer Fraud
  49. and Abuse Act. Last year, [they paid out $58M][1] in one of many lawsuits for
  50. scraping and selling your bank data. Plaid thus joins the ranks of Uber, AirBnB,
  51. and others like them in my reckoning as a "move fast and break laws" company.
  52. This platform can only exist if they are either willfully malignant or grossly
  53. incompetent. They've built something that they know is wrong, and are hoping
  54. that they can outrun the regulators.
  56. [1]: https://www.jurist.org/news/2021/08/plaid-agrees-to-pay-58-million-in-data-privacy-class-action-lawsuit/
  58. This behavior is not acceptable. This company needs to be regulated into the
  59. dirt and made an example of. Shame on you Plaid, and shame on everyone involved
  60. in bringing this product to market. Shame on their B2B customers as well, who
  61. cannot, such as they may like to, offload ethical due-diligence onto their
  62. vendors. Please don't work for these start-ups. [I hold employees complicit in
  63. their employer's misbehavior][0]. You have options, please go make the world a
  64. better place somewhere else.
  66. [0]: https://drewdevault.com/2020/05/05/We-are-complicit-in-our-employers-deeds.html