web: when it comes to paying, backward USA! backward USA!

Someone asked me to donate to the Center for Youth Wellness, a worthy cause. Give Lively, a free fundraising system, organizes the donations at https://secure.givelively.org/donate/center-for-youth-wellness/friends-name . The donation page’s “Suggested donation method” is “Donate by bank account” because “We get more from your donation when you pay via your bank account.”  The web page draws my bank’s logo and asks me to enter my bank username and password, but I am not on my bank’s web site.

WTF? y’all have got to be kidding me!

What’s actually happening is a third[*] company called plaid.com (never heard of ’em, some tech bro fintech startup), actually displays the form, technically within an <IFRAME> in GiveLively’s page. I don’t care what security promises plaid.com makes, they are completely insane if they think asking for my bank username and password on their (nested) web site is acceptable. Basic web security: never ever enter your username and password for one web site on another web site. If the browser’s location field doesn’t display yourbankname.com with a padlock icon, don’t do it! But much the same way every company says don’t trust links in our name that go to other web sites, until they send you a survey or ad that links to crappyThirdPartyMarketingCompany.com and hope you ignore their own advice, somehow it’s OK to fake customers out because it’s for a worthy cause.

It’s nobody’s fault, though Plaid sure has some chutzpah. Neither the worthy charity nor I want PayPal and some credit card company delaying funds and skimming off money from my charitable donation. Give Lively doesn’t have the in-house expertise to organize a bank transfer so they hand it off to Plaid. Plaid undoubtedly got frustrated trying to organize bank transfer with every stodgy bank under the sun, so they decided to present like my bank, ask for my login, and then order a low-cost Electronic Funds Transfer by impersonating  me.

But what makes no sense is why can’t I give my bank the same transfer instructions, the ones Plaid wants to make by impersonating me? Well, if I could then there’s less need for Plaid to be working away in the background. In every other developed country, you just log in to your bank and tell it to give money to any person or organization and It Just Works without any third parties or handing out your credit card details to strangers. I’m not sure why the USA makes it so complicated, to no one’s benefit but middlemen. There’s PayPal’s Venmo (big fees) and more banks are supporting Zelle but it feels that the USA is a decade behind.

Obviously I’m not the only person freaked out by this, see e.g. this Hacker News thread. To its credit Plaid has an open bug tracker on GitHub in which issue 68 is this “privacy/security concerns.” Huffington Post has an entire article about whom you should trust with your banking sign-on. That article says “[Plaid is] a system used by most personal finance apps, like Venmo, Robinhood and Acorns. Plaid, in turn, is trusted by a long list of banks and credit unions.” GiveLively responded on Twitter “Plaid is a secure & trusted industry-leading service that allows donations via bank account. Your bank is on the Plaid platform—like most US-based banks—because it trusts Plaid.” But I don’t see any indication on my bank’s site that it actually trusts Plaid. I just have to hope that if my bank didn’t trust Plaid (or more likely stopped trusting Plaid), it would revoke whatever API authorization it gave Plaid so transfers would fail. And again, a company using a third party that uses my credentials to ask my bank to do some transaction for me is completely back-assward . It only works this way because everyone involved is too ^%$#@! lazy to do the right thing which is: I go to my bank, authenticate myself, and tell my bank to give someone money using the bank details they gave me.

One other thing: Give Lively/Plaid’s interface defaults to making a monthly donation. If you don’t pay attention Plaid will be taking money out of your account forever even if that wasn’t your intent. Because you are not in the driver’s seat, the organization wanting your money is, and their temptation is overwhelming to tweak the system to maximize the amount you donate, including defaulting to monthly giving.

[*] Update: I was wrong, there’s a fourth company. Give Lively uses Stripe, Stripe takes 0.8%, Stripe uses Plaid. Crazy.

This entry was posted in web. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.