This Company Has All Your Financial Data (they just got sued) - YouTube
Channel: All Things Secured
[0]
- Without knowing it,
when you use popular apps
[2]
like Venmo, Betterment,
YNAB, Acorns, Wise,
[5]
or even crypto apps like
Coinbase, BlockFi, crypto.com.
[10]
You've trusted both your financial data
[12]
and your personal information
[13]
to a company called played Plaid.
[16]
Plaid, Plaid whatever.
[18]
In early 2022, it was announced
[19]
that a $58 million
settlement had been reached
[22]
in a class action lawsuit against Plaid,
[24]
alleging that the company
[26]
had gathered more info about you
[27]
than they actually needed,
[29]
and misled consumers
on their sign-in form.
[31]
I'm not here to discuss
the settlement, honestly.
[33]
I wanna ask and hopefully answer,
[36]
three very important questions.
[37]
First, who is Plaid anyway?
[40]
Is it safe to give them our data?
[42]
And finally, what other
options do we have?
[45]
(dramatic percussion)
[47]
Welcome to "All Things
Secured," my name's Josh.
[49]
And today we're taking a closer
look at the infrastructure
[51]
that supports a lot of the
FinTech or financial technology,
[56]
it has become such an
integrated part of our lives.
[59]
And before you think to yourself,
[60]
"He's not talking about
me, I don't use Plaid."
[62]
Yes, I am talking about you.
[64]
And more than likely you have used Plaid
[67]
at least once over the last decade.
[69]
But even if you've somehow managed
[70]
to keep your financial data
away from their servers,
[73]
there will come a time
when you will be asked
[76]
by a service you use to
connect your bank via Plaid.
[79]
But before we get into
whether or not this is safe,
[81]
and what options you have,
if any, to protect yourself.
[85]
Let me explain why a company
like Plaid even exists.
[88]
(dramatic music)
[90]
So let's say you're being
fiscally responsible,
[92]
and you wanna use a budgeting app
[93]
like mint.com or YNAB.
[96]
Now, this can all be done
offline, requiring you
[99]
to manually input every
financial transaction you make.
[102]
Or you can make things
a lot more convenient
[105]
by connecting your budgeting
app directly to your bank.
[108]
When you do this,
[109]
they can automatically pull new banking
[111]
and credit card transactions
[112]
for you to review, categorize, and clear.
[116]
Now, they can't actually
make payments on your behalf,
[118]
but they do have the ability
[119]
to view what is happening in your bank.
[122]
Now, the problem for
companies like Mint and YNAB
[125]
was that connecting directly
to your bank was a hassle.
[127]
I mean, there are tons of different banks
[129]
and every bank had its own
connection rules or API,
[133]
which made it almost impossible
[134]
to provide connections to every
bank their customers used,
[137]
not to mention the legal
liability for collecting
[140]
and storing your customer's banking data,
[142]
which was probably a headache.
[143]
So what Plaid does is
work like a middleman
[146]
between your bank and any other app
[148]
that wants to see your banking data.
[149]
When you're using that budgeting app,
[151]
instead of giving them your bank login
[153]
and all of your financial data,
[154]
you're giving it to Plaid instead.
[156]
They securely store
your login information
[159]
and only give the budgeting app
[160]
the data that they really need,
[162]
or at least what they're requesting.
[164]
So in theory, this sounds really good.
[167]
I mean, as opposed to handing
out your bank login info
[170]
to every app that asks for it,
[171]
and the risks associated with doing that,
[173]
and them storing that data.
[175]
You're providing it to one company
[177]
whose sole job is to protect your information
[180]
by only giving out what
is absolutely necessary.
[183]
Of course, giving one company
[185]
that much power over your
data is a risk in itself,
[187]
so that begs the question.
[188]
(upbeat music)
[190]
I wish I could answer this question
[192]
with a very easy, yes it is,
[194]
or no, absolutely not.
[196]
But as with all things in life,
[197]
the answer is just a little more nuanced.
[200]
You see, at least at the time
[202]
that I'm standing here recording this,
[203]
Plaid hasn't been hacked,
data hasn't been leaked.
[206]
And even if it had been,
[208]
banks have security measures
in place to stop a thief
[211]
from using any stolen logins
[213]
they might somehow obtain.
[214]
So strictly speaking, yes,
[217]
Plaid is safe to use and convenient.
[219]
I mean, goodness, that's
what makes this service
[221]
so popular is just how convenient it is.
[225]
But this recently settled lawsuit
[226]
highlights some of the biggest problems.
[229]
Let me show you what I mean.
[230]
Let's say that I want to connect my bank
[232]
to a funding source for privacy.com,
[234]
which is the company I use
[235]
to create disposable virtual credit cards.
[238]
As I go through the connection process,
[240]
you'll see exactly what kind
of data is being requested.
[243]
They will need my
account number and names,
[245]
which is understandable.
[247]
And they even need to
know my account balance
[249]
to make sure that I have
enough money in my account
[250]
for any transactions
I'm trying to complete.
[253]
In this case, it kind of makes sense
[254]
because privacy.com is
making payments on my behalf,
[257]
and they wanna make sure
[258]
that I have enough money in my account,
[260]
but honestly that's
between me and my bank.
[261]
That's what overdraft is
for, you know what I mean?
[263]
But here's where it gets tricky.
[265]
They also want my bank
[266]
to give them personally
identifiable information,
[269]
including my full name,
my physical address,
[272]
email address, and even
my phone number, why?
[276]
And it's not even like I have an option
[277]
to choose which data I give them,
[279]
which if either Plaid or
privacy.com are watching this,
[282]
that would be my biggest request.
[284]
I want you to differentiate
between which data
[286]
is absolutely necessary for you to have,
[288]
and that which is optional,
[289]
and then give me a choice
[291]
for which optional data I provide.
[293]
Anyway, do you see the issues here?
[295]
Within the settlement of the lawsuit,
[297]
Plaid admitted no wrongdoing,
[298]
but they did agree to
delete some of the data
[300]
they already collected on you
[302]
to minimize what they
collect in the future,
[304]
and to give us more control going forward.
[307]
Now, part of this control,
at least from what they say,
[309]
comes from creating an
account directly with Plaid.
[313]
So now they're a B2B company
[315]
that's trying to give me as the end user,
[317]
the option to create my own account.
[319]
It just doesn't really make
sense, but that's what I did.
[321]
I went ahead and did it.
[322]
It took me about 10 minutes
to get it all set up.
[324]
And before you go and run and do the same,
[326]
let me just tell you now
[327]
it doesn't give me any extra control.
[330]
Sure, I can look in and see
what data's being shared
[332]
with an app like Coinbase, for example,
[335]
but I can't actually control anything.
[337]
The only control I have is
to simply disconnect my app,
[340]
thereby severing the connection
[341]
between Coinbase and my bank,
[343]
which I could have done directly
within Coinbase, anyway.
[346]
In other words, when
you're dealing with Plaid,
[349]
it's an all or nothing game.
[351]
You either give them all your data,
[353]
and allow them to hand
over as much information
[355]
as the app you wanna connect requests,
[357]
or you don't use Plaid at all.
[359]
You don't really get to choose.
[361]
So hopefully at this point,
you're thinking to yourself,
[363]
"I'm not sure I'm willing to trust Plaid
[365]
"with all this data,
[366]
"especially since they
seem to have admitted
[368]
"to collecting too much of it in the past.
[371]
"So what are my options?"
[372]
Well, I'm glad you asked.
[373]
(gentle music)
[375]
Let's continue with
Coinbase as an example here.
[378]
Let's say that I'm logged
into my Coinbase account,
[380]
and I'm trying to connect
a funding source to the app
[382]
so that I can add money
and invest in crypto.
[385]
As you can see here, it tells me that
[387]
of the various options available,
[389]
connecting my bank account
directly is the fastest.
[391]
And it honestly is the cheapest option.
[394]
You'll notice that the
first thing that opens up
[396]
is a Plaid connection request.
[398]
What I've found is that in most cases,
[400]
when you exit out of this request,
[402]
you'll be offered the option
[403]
to manually link your bank account.
[405]
In this case, you give them
[406]
only your routing,
account number, and name,
[409]
which is much less information
[411]
than what Plaid retrieves
and provides them.
[412]
It's basically the same as
[413]
if I'd given them a voided check.
[416]
You know what a check is, right?
[417]
It's that paper thing you
used to sign, never mind.
[420]
Going back to privacy.com.
[422]
The process is very similar,
[424]
instead of using the Plaid service,
[426]
which is what would happen
if I click that button here.
[428]
I have the option to connect
my debit card instead.
[431]
Now, obviously this carries its own risks,
[433]
but at least I'm able
to control my data more.
[436]
Here's the reality,
Plaid equals convenience.
[440]
No Plaid equals inconvenience.
[444]
It's as simple as that.
[445]
Some apps such as the budgeting apps
[447]
won't automatically pull your transactions
[449]
unless you're using Plaid.
[451]
Other investing apps, I've noticed,
[452]
won't allow for instant
funding unless I use Plaid.
[455]
Otherwise I'm forced to
wait for a couple of days
[457]
for my money to appear in the account.
[459]
As with pretty much
anything related to privacy,
[462]
it comes down to a decision
that you need to make
[464]
between privacy and convenience,
[466]
and that delicate balance between the two.
[469]
I can't make that decision for you.
[470]
And I won't judge you if you decide
[472]
that you wanna keep using Plaid.
[474]
In the end for a company like Plaid
[476]
that is valued at an
estimated $13 billion,
[479]
as of their latest round
of funding in 2021,
[482]
this $58 million settlement is laughable.
[486]
They get off the hook
for any legal liability,
[488]
and we, as consumers
might get a few dollars
[491]
if you wanna make a
claim on the settlement.
[492]
I'll put a link in the below,
[494]
but it literally might
only be a few dollars.
[497]
The only other people who
gain here are the lawyers
[499]
who have billed hundreds
of thousands of dollars
[501]
in legal fees during this whole lawsuit.
[504]
Meanwhile we, the consumers,
are still left wondering
[507]
how we're supposed to protect our data
[509]
while still using all of
these great finance apps?
[512]
There is no easy solution,
as I've explained here.
[514]
But it all starts with
you being aware of how,
[518]
and with whom you're sharing your data.
[520]
That more than anything,
[522]
is what I hope you've
learned from me today.
[524]
Hey, if you've enjoyed this explanation,
[525]
please consider subscribing
to "All Things Secured,"
[527]
and then make sure you watch
[529]
the latest online in security
privacy video right here.
[532]
Go ahead and click right now.