


https://blog.plaid.com/aisp/

They are PSD2 compliant which means they're using the Open Banking API I linked to in my other comment.


There's legitimately no alternative, "secure" way to access someone's banking data other than by asking for a username/password and then 'impersonating' them / asking for 2FA codes etc. etc. As a commenter on the issue says, there is no OAuth-esque mechanism implemented by banks.

I think Plaid is the lesser evil when compared to rolling all of that on your own for N different banking institutions.


Have you read about https://www.openbanking.org.uk/?

The nine largest banks and building societies are required to participate. Many others do so voluntarily.


If I were Plaid, I would use things like Open Banking if it's available, because it costs less to implement and maintain than the current HTML scraping norm we have now.

I'm guessing Plaid uses OAuth & Open Banking when available, and falls back to scraping when it's not.


What percentage of the world's banks are covered? Or perhaps what percentage of the world's population banks in those covered institutions? Or perhaps what percentage of the total banked wealth (terminology?) is held in covered institutions?


On an article titled "Plaid Launches in the UK" I would assume the most relevant territory is "the UK".

But if instead the question is "what's the alternative" the answer is "government intervention" as shown by the UK.


It depends on the audience. Many businesses don't want to restrict themselves exclusively to the subset of UK banks that follow that initiative. And government intervention is hardly a pragmatic solution (how many companies can afford to lobby every government in which they'd like to do business?).


>> There's legitimately no alternative, "secure" way to access someone's banking data other than by asking for a username/password

Not so true under Open Banking and other systems. Open Banking uses OAuth2-style stuff, and a variety of certificate schemes (Open Banking's own, and EU ETSI qualified certificates) to allow participants to be delegated various forms of access and roles, in a much more granular way.

>> As a commenter on the issue says, there is no OAuth-esque mechanism implemented by banks.

There is in the UK, and PSD2 solutions are rolling out all across the EU. Australia is also getting in on the action.


This is super cool! I was totally unaware of Open Banking.


I think soon banks may be forced to provide an API (https://en.wikipedia.org/wiki/Open_banking); not sure how long that'll take though.


Not sure why the downvotes. What he says is true in the US, and in Europe Plaid is relying on PSD2/Open Banking.


I feel that until there is a secure way to do it, it shouldn't be done at all.


I generally feel that way too, but the US banking system just isn't built for it. It's hard to get too mad at Plaid for spoofing when my checking account's ID number is the only password required for authorizing electronic transfers.


That’s ‘legitimately’ not true.



