Why Plaid is a scam

By William Entriken


Plaid.com is a company that collects bank account usernames and passwords in order to “verify” your login on behalf of other quasi-banking institutions. They are a service provider to other companies, and here is what their login prompt looks like when it is embedded in another company’s website:

[[ plaid.com phishing attempt IMAGE ]]

Following are some reasons plaid.com is a complete scam, is based entirely on phishing, and should be shut down.

(Cross posted to https://www.reddit.com/r/plaidcompany/comments/dp7yli/why_plaidcom_is_a_scam/)

This blog post was drafted in 2019, and some parts may be outdated by the time I finished publishing it in 2022. Unfortunately, in the meantime Visa has agreed to purchase Plaid for $5.3B, probably because they did not see this blog post.

They have no location

Plaid is collecting bank logins for everybody across all banks in the US, and probably in other countries too. But they do not publish their physical address anywhere. A WHOIS query on plaid.com returns a “privacy protected” registrant record, and their website does not list an address either.

Every bank has a physical address. Yes, even in California. But Plaid does not have a public physical address.

A company that collects this much actionable login information for this many financial accounts, and does not accept the accountability of posting its own physical address, is a scam.

They have no privacy policy

This company collects your bank login password, which gives it full access to your bank accounts, all of your transaction history, and all of your money. They have a page labelled a “privacy statement” on their website at https://plaid.com/legal/#privacy-statement which includes this sentence:

We retain information we collect about you for as long as necessary to fulfill the purposes for which we collected it, unless a longer retention period is required OR PERMITTED under applicable law. [Emphasis added]

If there is no privacy policy, then a company is permitted to use your information to the maximum extent permitted under applicable law. So a privacy policy such as Plaid’s, which says a bunch of words and then “OR PERMITTED UNDER APPLICABLE LAW”, is literally the same as not having any privacy policy whatsoever.

Also, since Plaid operates under the law of the USA, England and the Netherlands (Amsterdam), it can pick whichever combination of jurisdictions is worst for you. (E.g. if the applicable law is US law then maybe it is okay to screw people in Amsterdam, but if the applicable law is Dutch law then it is okay to screw people in the USA.) Don’t think this language was added by accident.

A company that wastes your time by padding out a “privacy policy” with a bunch of words that amount to not having any privacy policy at all is a scam.

They have no restriction on usage

The privacy and/or end user agreement statements include:

We may update or change this Policy from time to time.

Any policy which includes this sentence is not a policy. Just as water that has been boiled away has lost its form and is no longer water, a policy that can be rewritten at any time is no longer a policy.

It also includes this wonderful sentence:

Plaid will use reasonable efforts to notify you of the modifications, and you may be required to agree to the modified version.

An optimal business strategy for this company is simply to:

  1. Modify the user agreement to say “you allow Plaid to take all your retirement money for its own use and you are required to agree to this effective today.”
  2. “Reasonably notify” you by sending you an email which also includes “TRUMP 2024/2028 fundraiser” in the subject, so it definitely goes straight to spam.
  3. That email doesn’t matter anyway, because Plaid uses computers, and those computers can take everybody’s retirement money from every account one second after the policy update.

If you think Plaid is not going to take all your money for some reason or other, then just replace “all your retirement money” with “full details of every financial transaction you have made in your life at that bank.”

Plaid is headquartered in San Francisco. Now think about companies in San Francisco for a second and tell me if you think this isn’t their main strategy.

You have to help them if you sue them

When using Plaid, you agree not to sue them unless you first provide all relevant information you have available, document your strategy and requested remediation, and then wait up to 20 business days.

This reduces the options available to you, and your ability to keep information close to your chest, if you sue Plaid, which you should, because it is a scam.

A company which specifically reduces your rights when you sue it is a scam. And even asking people to give up these kinds of rights should be a crime.

Your bank recognizes any activity on your account as authorized if you gave your password

If you give your password to anybody, and they use it to do things, then you have authorized those things. There is no “oh, I didn’t think they were going to use my password to add themselves as an authorized signer on my account.”

Here is part of the online banking agreement for Wells Fargo:

Event: Loss or theft of Access Device (including username and password)

If you notify us… More than 60 days after we send you a statement showing first unauthorized EFT made with Access Device.

For transfers occurring AFTER the 60 day period, you may have unlimited liability, until you notify us.

This means that if Plaid makes a $1 transaction to Starbucks using your account (which you authorized, since you gave your password to Plaid), all they need to do is wait until more than 60 days after the statement showing that transfer was sent, say 90 days.

After 90 days they make a second transfer taking $3M from your retirement fund and sending it to… wherever scam companies in San Francisco put money after they scam you. I guess hiring lawyers, greyballing regulators, or just betting it on Bitcoin.

A company, or the prince of Nigeria, or somebody telling you about your extended car warranty… anybody who asks for your bank password is a scam.

This is a scam

Scams include deceptive acts. By operating Plaid as a popup on other websites and showing bank logos, they pose as some legitimate, bank-authorized verification step. This is deceptive because the words in their own user agreement and privacy policy show that the suckers who use Plaid are getting into a much worse relationship than simply connecting their bank account to some other service.

Plaid obviously is not authorized by (some or all) banks, because banks tell you never to give out your password to anybody, and that contradicts Plaid asking for your password.

A company which shows a bank logo to represent a relationship with that bank when no such relationship exists, or when the relationship contradicts that bank’s own user agreement… is a scam.

Summary

Plaid collects bank logins and passwords for millions of people, keeps them as long as legally allowed (“legal” meaning whichever of its jurisdictions has the loosest requirements), and is permitted to do anything with that information. If Plaid chooses to “lose” these details to a “hacker” who takes all your money, then according to your bank’s policy this will have been authorized by you, because you provided your password. No recourse will be available to you.

Comments

The official X thread

@fulldecent

Please discuss this topic anywhere and let me know any great comments or media coverage I should link here.