Slashdot Mirror


Connecting Your Bank Account To an App is Now a $3-Billion Business (latimes.com)

When you link your checking account to Venmo or use it to buy bitcoin, a startup called Plaid is likely facilitating the connection with your bank. You punch in your user name and password; Plaid checks those credentials with the financial institution and, if they're accurate, passes banking information back to the app. That's it. From a report: This kind of software has been around for decades. But in the last year, Plaid has captured investors' attention. The San Francisco startup was the subject of a bidding war among venture capitalists and at least one tech company, ultimately resulting in a $250-million investment last month. That money will partly go toward the acquisition of one of its biggest competitors. Plaid announced Tuesday it was buying New York-based Quovo Inc. The deal could be worth about $200 million after performance bonuses, said three people familiar with the transaction, who asked not to be identified because terms of the deal were private.

Since starting Plaid in 2012, Zach Perret has sold the startup's nine lines of code to some of the most popular finance apps. Robo-advisor startup Betterment, cryptocurrency exchange Coinbase Inc., PayPal Holdings Inc.'s Venmo and stock-trading app Robinhood Markets Inc. have all used Plaid. Meanwhile, Quovo specializes in wealth management and brokerages. "This represents the merging of two complementary but both very important businesses," said Perret, Plaid's chief executive. Plaid is now valued at roughly $3 billion.

55 comments

  1. I would never.... by Anonymous Coward · · Score: 0

    in a million years use a phone for any type of banking transaction.

    1. Re:I would never.... by Anonymous Coward · · Score: 1

      I would use a phone, as in talking to my credit union. I would not use my phone to connect to their computer.

    2. Re: I would never.... by Anonymous Coward · · Score: 0

      You have enough money to perform a financial transaction?

    3. Re: I would never.... by Anonymous Coward · · Score: 0

      Bazinga, is that the word?

    4. Re:I would never.... by Anonymous Coward · · Score: 0

      I agree, that's what public library, free access computers are for

    5. Re: I would never.... by Anonymous Coward · · Score: 0

      Well, his mom does...

    6. Re: I would never.... by Anonymous Coward · · Score: 0

      Library? What will they think of next?

    7. Re: I would never.... by Anonymous Coward · · Score: 0

      I don't know dude. I would not want to wake up thinking I had money and see half of it missing.

    8. Re:I would never.... by Anonymous Coward · · Score: 0

      You punch in your user name and password; Plaid checks those credentials with the financial institution and, if they're accurate, passes banking information back to the app. That's it.

      That's it for security as well. I wonder how they are handling one-time pins and pass codes, external authentication devices and such which many actual banks use, and if they separate access to reading the account status from performing actual transaction like paying for anything.

    9. Re:I would never.... by ichimunki · · Score: 3, Interesting

      I would. I'm probably being a bit rose-colored glasses about it, but if my bank puts out an app that I can load on my phone, I'm happy to use it. What I'm not remotely happy to do is give my username/password information to anyone other than the institution that issued the account. I mean, think about it... even my bank shouldn't actually know what my password is. They should have taken the password I gave them, salted it, hashed it 10-20 times, and stored the resulting hash in the database for future reference. This has been widely known as best practice for well over a decade now. They should have absolutely no way to recover the actual password I used based on their stored information. And so, as if to thumb my nose at security best practices, I'm going to simply hand not only my username, but actual password, over to some stranger? Just so I can use some dumb app on my phone? No way in hell.

      We need to regulate this practice of giving third parties your username/password with your bank to use an app like Mint or whatever into oblivion-- with all the hackings of places like Target and Experian I'm actually sort of shocked that one of these third party backends hasn't been hacked (or more likely it has been, but keeping that fact secret is highly lucrative to the hackers, so we just haven't heard about it). Mostly what I understand these backends do with your login behind the scenes is a lot of screen-scraping to get your info. Last time I checked, it's not like there is an open format/API that financial companies are required to use to allow third party apps to access your data for you. I'm sure some banks have developed "relationships" with the Quickens of the world, but I'm guessing that many more have not, and it's probably still firmly in the pay-to-play realm, rather than an open standard that anyone can partake in.

      --
      I do not have a signature
    10. Re:I would never.... by ichimunki · · Score: 2

      I should note that there is an open data format that every bank I've worked with uses to allow me to download my data in a form I can then load into a program like Quicken or GnuCash: OFX/QFX, but this requires me to log in to every separate bank web site myself. Which is what I actually do. Only I didn't like either Quicken or GnuCash much last time I looked into them, and I strongly considered working with the GnuCash code base, but I wanted enough different features that it seemed easier to implement my own accounting software, which is what I did.

      --
      I do not have a signature
    11. Re:I would never.... by Anonymous Coward · · Score: 0

      I do phone based banking all the time. Like you said through the financial institution's app. Things like taking a picture of a paper check to deposit it. Things like moving money between checking and savings. I agree with you that I am not about to give those credentials to a third party. I can't believe anyone would do that. If a third party wants to use ACH transfers then they can do it the old fashioned way (if they are some entity I feel I can trust - those are few and far between, but for example direct deposit from work). They get the account number and they put in a small deposit. Then I "verify" it by telling them how much they deposited. Then it is enabled for transfers. They don't get my ID and password though - ever. Even web stores get virtual credit cards generated by Privacy.com.
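The micro-deposit check described in the comment above (and mentioned further down the thread as "two small trial deposits"), sketched from the verifying party's side as an added example; it is not code from the thread or from any bank or aggregator. The names, the three-attempt cap and the seven-day window are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3               # assumed lockout threshold
CHALLENGE_TTL = 7 * 24 * 3600  # assumed validity window, seconds


@dataclass
class Challenge:
    amounts: tuple       # two deposit amounts in cents, secret until verified
    created: float       # issue time (epoch seconds)
    attempts: int = 0
    verified: bool = False


def start_challenge(now=None):
    """Choose two random amounts (1-99 cents) to send to the claimed account."""
    rng = secrets.SystemRandom()
    amounts = (rng.randint(1, 99), rng.randint(1, 99))
    return Challenge(amounts, time.time() if now is None else now)


def _encode(amounts):
    # Order-insensitive canonical form so the deposits can be entered either way.
    return ",".join(str(int(a)) for a in sorted(amounts)).encode()


def verify(ch, claimed, now=None):
    """Check the amounts the account holder reports; returns a status string."""
    now = time.time() if now is None else now
    if ch.verified:
        return "verified"
    if now - ch.created > CHALLENGE_TTL:
        return "expired"
    # Only 4,950 unordered pairs exist, so the attempt cap is what stops guessing.
    if ch.attempts >= MAX_ATTEMPTS:
        return "locked"
    ch.attempts += 1
    if len(claimed) == 2 and hmac.compare_digest(_encode(claimed), _encode(ch.amounts)):
        ch.verified = True
        return "verified"
    return "wrong"


if __name__ == "__main__":
    demo = Challenge(amounts=(17, 42), created=0.0)   # constructed sample values
    print(verify(demo, (42, 17), now=60.0))
```

The account holder proves control of the account by reading two numbers from their own statement, so no banking username or password ever reaches the third party.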

    12. Re:I would never.... by Luthair · · Score: 1

      Why? To me using a general purpose computer is much more likely to have been compromised given the permission model. I think the ideal solution would be a dedicated ChromeOS system but patched iOS or Android devices are probably safer for most users than Mac or Windows.

    13. Re:I would never.... by Anonymous Coward · · Score: 0

      My credit union's app isn't on F-Droid. Yes, I can still install it, but I can't trust it.

    14. Re:I would never.... by Anonymous Coward · · Score: 1

      I would use a phone, as in talking to my credit union. I would not use my phone to connect to their computer.

      You're just like those old people writing checks at the grocery store while the rest of us are waiting for you.
      You're not being smarter than anyone, or being more secure than anyone else.
      You're just living in the past.

    15. Re: I would never.... by Anonymous Coward · · Score: 0

      I suppose now we know how many stupid comments can be put on a single article. It's why people get permabanned mainly for persistently stupid comments even if any one comment is not egregious.

    16. Re: I would never.... by Anonymous Coward · · Score: 0

      Actually I should note that there is such a format for doing at least some standard things. It's called HBCI. Go look it up. Your bank might not support it though.

    17. Re: I would never.... by ichimunki · · Score: 1

      According to Wikipedia, HBCI is now called FinTS and it's a German thing, not USA.

      --
      I do not have a signature
  2. Paypal is enough by DarkRookie2 · · Score: 4, Interesting

    It's the only thing that is linked to my bank account. It can stay that way.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:Paypal is enough by Anonymous Coward · · Score: 0

      You're making a rookie mistake...

    2. Re:Paypal is enough by Anonymous Coward · · Score: 0

      Good luck in a dispute...

    3. Re: Paypal is enough by Anonymous Coward · · Score: 0

      So sorry your dispute has been rejected because you did not use the technology human

    4. Re: Paypal is enough by houghi · · Score: 1

      For me the only app connected to my bank is my bank's app. I see no reason why somebody else would have access to it.

      Disclaimer: living in Europe where we have SEPA.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re: Paypal is enough by Anonymous Coward · · Score: 0

      PayPal has my credit card information, not my bank account information. That has never presented any problems to me in using PayPal to pay for things.

      My bank's app is not on my phone. It wants way too many permissions for one. It is on my tablet. I use it to cash checks. Otherwise I use my bank's website to manage my account. Furthermore, I have not saved my credentials for my bank on the tablet, I re-enter them every time. Since I only use it when there are checks to cash, this is not very often.

      I really don't know what the rest of you are doing with bank information on your phone.

  3. Impressive valuation by jrumney · · Score: 4, Insightful

    You punch in your user name and password; Plaid checks those credentials with the financial institution and, if they're accurate, passes banking information back to the app.

    I know there is a big dark market for these things, but a $3 billion valuation for a MITM exploit still seems a bit steep to me.

    1. Re:Impressive valuation by Anonymous Coward · · Score: 0

      Not to mention their shit doesn’t work with most brokerage accounts. Whatever happened to two small trial deposits. That actually worked.

    2. Re:Impressive valuation by Anonymous Coward · · Score: 0

      They forgot to mention that the fact you signed up for service X and have a bank account with Y gets sold to data curators who then add the info to your profile and resell access to advertisers. Then you get a bunch of mail for similar services, like you'd for some reason switch services a week after signing up...

    3. Re:Impressive valuation by Anonymous Coward · · Score: 0

      Hahahaha. Yep. It's worth something, because YOUR DATA is the product. Sold to other companies. Why does anyone trust them?

  4. You deserve better ! by Anonymous Coward · · Score: 0

    Oh no. That's all a bit barbaric. Banks in the EU (including UK) have to have ways for third parties to act on your behalf. The Japanese government has strongly suggested it and I think it is happening in AUS as well.
    They are following the model used by Open Banking UK, an industry body trade authority. The open banking approach is now being incorporated into the FAPI standard by OpenID.

    1. Re:You deserve better ! by jrumney · · Score: 4, Informative
      Australia has a similar service called POLi (formerly Centricom). All major banks warn against using it, as it is basically operating as a phishing site to get your internet banking credentials and log onto your internet banking on your behalf to make payments on your behalf and give the retailer instant verification that the payment has been made.

      These days any transfer made is instant anyway, so the retailer can get the verification from their own bank without this security nightmare. Banks are now officially setting up their own consumer payment system where you can register a phone number to accept payments to your account, which will result in an SMS to your phone informing you of successful transactions. So the lifespan of these third party security risk solutions is hopefully coming to an end. With the banks' apps integrated into Android and iOS payment APIs, the app side of making payments should be taken care of too.

  5. lolz - app to impulse buy bitcoin linked to bank by iggymanz · · Score: 0

    even if your app access gets hacked and your money is stolen it's the same as investing in bitcoin

    no downside

  6. Why.. by Anonymous Coward · · Score: 0

    on Earth would anyone connect their bank account to any third (or by default fourth or fifth) party? I don't even use my bank's credit card linked to my account. If there's a dispute, I'll pay it once we've resolved it and not before.

    1. Re:Why.. by d0rp · · Score: 2

      A local gas station chain has an app that lets me save $0.10/gallon by charging my checking account directly (since they don't have to pay the credit card fee). But that required me putting in my bank's routing number and the account number, so they essentially just send an electronic check.

      I would never type in my bank account credentials to anything other than my bank's website, that's just all kinds of dumb. But, I've seen some "financial services" companies / web-apps that require you to do that (because apparently banking institutions haven't figured out or are allergic to OAuth), and then they analyze your spending for you and try to offer you advice / services... and apparently people do this.

    2. Re: Why.. by houghi · · Score: 1

      There are plenty of people who have my bank account. They just can't do anything with it. Just like you see plenty of companies that put their banking information online.

      You cannot just call them and say: Hi, my name is houghi, transfer money from account X to Y. I cannot even do that.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re: Why.. by Anonymous Coward · · Score: 0

      It is way easier than you think. Printing checks is not rocket science.

    4. Re: Why.. by Anonymous Coward · · Score: 0

      Finding a bank that still accepts cheques isn't, though.

    5. Re: Why.. by houghi · · Score: 1

      Printing what now? Isn't that a nationality?

      Joking aside, we don't use them.

      --
      Don't fight for your country, if your country does not fight for you.
  7. Only 9 lines of code? by Anonymous Coward · · Score: 0

    I guess that is the implementation code? Surely the company has more than 9 lines of code in their repo?

    1. Re: Only 9 lines of code? by Anonymous Coward · · Score: 2, Informative

      It's perl

    2. Re:Only 9 lines of code? by bob4u2c · · Score: 1

      Yep, 9 lines of code. Of course, each line is over 2 million characters.

      The next version will be just 8 lines of code (at almost 2.5 million characters per line).

    3. Re:Only 9 lines of code? by DarkRookie2 · · Score: 1

      Gods.
      They should be shot for doing that.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    4. Re:Only 9 lines of code? by fibonacci8 · · Score: 2

      It continues until there's only a single line of code, containing one bug.

      --
      Inheritance is the sincerest form of nepotism.
  8. dumb by fluffernutter · · Score: 1

    You mean to tell me people give third parties access to their bank accounts? Wow, that's dumber than using Facebook.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:dumb by Anonymous Coward · · Score: 0

      It isn't 3rd party access, it is 4th party access. You (1st party) give your bank (2nd party) USERNAME and PASSWORD to app (3rd party). Then the app gives it to Plaid (4th party). Then Plaid logs into your bank account with the USERNAME and PASSWORD you gave them. Then gives the app all the information they want about your bank account(s).

      It is remarkable to me that people would put their say Wells Fargo Username and Password into any app that is not the Wells Fargo app. I mean why not just post it to Facebook.

    2. Re:dumb by fluffernutter · · Score: 1

      That's a lot of people with your password.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    3. Re:dumb by Anonymous Coward · · Score: 0

      Generally speaking, financial institutions with an asset size under $100B don't write their own publicly facing software and have outsourced such to either hosted or on-premise to connect back to the banking system, aka core. The general breakdown is: online banking, mobile banking, bill pay, remote deposit, audio banking, and statement provider (online & print). There aren't many vendors in the US and it's common to mix and match vendors. Usually online banking, audio banking, and mobile banking are handled by the same vendor but sometimes mobile banking is handled by another. Companies such as Mint then have to interface with all of these other vendors.

    4. Re:dumb by torkus · · Score: 1

      You do that every time you hand someone a check too. Routing and account number? Yep, right on there along with your name and address too. On every check. Ever. Forever...unless you change accounts that check from 20 years ago has enough info to access your bank account funds.

      So when you're done fear mongering, look at the broader picture for 2 seconds.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    5. Re:dumb by fluffernutter · · Score: 1

      That's not a direct comparison. If someone forges a check I call the bank and have the checks cancelled. If someone malicious gets your bank account password there is no telling what they could do, or if you would even find out about it right away.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  9. Blame Democrat party by Anonymous Coward · · Score: 0

    Bank regulation is so insane and complicated that all transaction for AMAZING bitcoin are expensive and hard to do. Sad!

  10. Why would you do that? by mcmonkey · · Score: 1

    I assume the figure in the title is the amount that has gone "missing." Link my checking account to buy bitcoin? Sure. Extended warranty? Absolutely. I won the lottery and just need to send you $3000 to collect my millions? Where do I sign up.

  11. You do what?! by zdzichu · · Score: 4, Informative

    You give your credentials to some third party and it tries them? Like, you break your contract with the bank and forgo all your rights to complain on fraudulent charges? Check the ToS of your bank – all of them make sharing your credentials a "game over" situation for account owner.
    Almost every single bank provides an API for external parties to initiate payments (in this situation authorisation is processed by Bank). Pay-by-link is standard in all banks, and OpenAPI (PSD2) will force the rest of them to comply.
    But if you share your credentials, you are lost.

    --
    :wq
  12. Serious problems by Anonymous Coward · · Score: 0

    If this function is valued at $3b this economy is in deep trouble.

    A healthy economy can't rely on more and more middle men taking more and more slices of the profit.

    Like heavy pollution, it's not sustainable long term.

  13. Nine lines of code by Anonymous Coward · · Score: 0

    If you think nine lines of code can be worth billions there's a problem.
