Plaid paid people $500 for their employer payroll logins (vice.com)

https://www.eff.org/cases/facebook-v-power-ventures
While it is bad and unethical to encourage sharing credentials, I really hope we don't continue to criminalize intermediary services that act on the user's behalf. Users should be able to use whatever products and services they want. If you don't want consumers to use third party tools then either improve your own tools or implement better security.
On the bright side it sounds like in the Power Ventures case they did a few other things to sort of 'impersonate' Facebook in order to encourage users to use their product. So maybe things haven't escalated too far yet... the outcome of this & Plaid will certainly be interesting.
Financial institutions should all be required to provide APIs with various permissions so consumers can connect whatever 3rd party tools they want. Coinbase has a good API where you can specify read-only access to whichever accounts and wallets you want.
Look up PSD2. Exactly that is required in the EU.
And it's a net-negative for everyone not using any such service. The UX for my online banking has gone down significantly. Banks now require a lot of additional 2FA authorizations for various actions, even when you are already authenticated.
Not just EU. Also Australia, Brazil, Japan, Saudi Arabia, Mexico, Singapore, Hong Kong, India. Canada is rumoured to have this soon as well.
Many banking apps won't even run on a rooted phone 'for my own safety', yet not so long ago the same banks allowed aggregation services that store my login credentials to have access to my accounts?
The difference is liability. If something happens due to the bank's app, the bank is liable. If you give your account credentials to some third party and something happens, that's not the bank's problem.
Seems a bit counter-intuitive to brand Plaid's behavior as unethical and then argue that users should have agency to share their own passwords.
At a meta-level, using unethical as a qualifier seems like an attempt to bolster an argument without having to provide a logical argument. I think most discussions are cleaner without broaching the thorny topic of ethics. Such discussions usually devolve into ideological battles, which by HN guidelines, "trample curiosity".
The difference IMO is that Plaid is often used for e.g. tenant applications, where the person requiring the use of Plaid and the person forced to disclose credentials are not the same. That's bad.
If I choose to give my credentials to e.g. Mint to aggregate information for my own benefit, that's good because it was entirely my choice.
As I wrote the word 'unethical' I knew it was sort of the wrong choice. At best it is unclear and lacks substance. The logical argument explicitly phrased would have been:
> Plaid's behavior works against the social norms that the majority of the tech community supports; in this case it deviates from the norm of keeping login information private.
But actually after re-reading the article, everything seems perfectly fine. The number of participants was only 12 who were all related in some fashion to Plaid employees & everything was pretty well disclosed. So the updated logical argument would be:
> Plaid's actions were limited in scope such that it had little chance of undermining norms regarding account login security. The purpose behind their actions was to increase the interoperability of their software and other software which is seen as a legitimate and net-positive goal in the software community.
> At a meta-level, using unethical as a qualifier seems like an attempt to bolster an argument without having to provide a logical argument.
It seemed like more of a disclaimer to avoid such ideological battles and deliver a nuanced view. "I agree the practice is shady, but..."
On the consumer side I can’t imagine ever giving my bank credentials to Plaid or any other company. Super unnerving that this is even a thing, it’s like the number one rule of passwords.
I agree.
I really wanted to use mint, but couldn't bring myself to give away my bank password.
I resorted to writing my own tooling using puppeteer running on my machine to automatically login to my bank accounts and download the CSV exports of my transaction data for each bank. I then normalize that transaction data, and import the data into Lunch Money.
It was a pretty big hassle to write and get working reliably (ish), but I'm super happy now that it's done. Every 2-3 weeks I run the script, and 5 minutes later all of my transactions are available in Lunch Money. I have the peace of mind of knowing that I'm not exposing my banking credentials to random third parties.
I've been doing this for a couple years, just with Selenium rather than Puppeteer. Banks are generally okay, and they don't change their websites that often which is nice. A couple banks force phone 2FA and deliberately hide the "email confirmation" option which makes full automation difficult. Also nag screens, Selenium unreliability, etc.
Some companies like Azure use a different account name every time they bill me. I ended up having to regex the credit card transactions for that. Others have something completely nonsensical like "BS 03-6743-2266" (<- this was iTunes), or use a 3rd party processor that puts their own name in the transaction.
The real issue for me is getting itemized purchases to do categorization on. Stuff like restaurants are okay since everything is food, so I can just categorize the whole transaction. Amazon banned me and forced me to change my password while trying to grab my purchase history (and only my purchase history!). I was trying to grab it from email receipts but then I realized they don't send receipts for Subscribe & Save purchases (!).
I'd kill for something better, but for now it's this or manually enter every transaction or give up on financial responsibility.
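The normalization and regex categorization the two commenters above describe, as an added example in Python that is not either commenter's code. The two CSV layouts, the merchant patterns (a varying Azure suffix, an opaque "BS 03-6743-2266"-style processor label) and the category names are constructed for illustration; real bank exports differ, and the scraping/login step is deliberately left out.

```python
"""Normalize CSV exports from several banks into one record shape and
categorize transactions with merchant regexes.

Added example, not code from the thread's commenters.  The two CSV
layouts, the merchant patterns and the category names are constructed
for illustration; real bank exports differ."""
from __future__ import annotations
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, datetime
from decimal import Decimal

# Constructed sample exports: each bank uses its own column names, date
# format and sign convention.
BANK_A_CSV = """Date,Description,Amount
2021-03-02,MSFT*AZURE 0182A-3F,-12.40
2021-03-03,BS 03-6743-2266,-9.99
2021-03-05,PAYROLL DEPOSIT,2500.00
"""
BANK_B_CSV = """Posted,Payee,Debit,Credit
03/04/2021,MSFT*AZURE 77B1-9,3.10,
03/06/2021,CHIPOTLE 0412,14.25,
03/07/2021,REFUND ACME,,20.00
"""

@dataclass(frozen=True)
class Txn:
    posted: date
    description: str
    amount: Decimal   # negative = money out
    source: str

def parse_bank_a(text: str) -> list[Txn]:
    """Bank A: ISO dates, one signed Amount column."""
    rows = csv.DictReader(io.StringIO(text))
    return [Txn(datetime.strptime(r["Date"], "%Y-%m-%d").date(),
                r["Description"].strip(), Decimal(r["Amount"]), "bank_a")
            for r in rows]

def parse_bank_b(text: str) -> list[Txn]:
    """Bank B: US dates, separate Debit/Credit columns that may be empty."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        debit = Decimal(r["Debit"]) if r["Debit"] else Decimal(0)
        credit = Decimal(r["Credit"]) if r["Credit"] else Decimal(0)
        out.append(Txn(datetime.strptime(r["Posted"], "%m/%d/%Y").date(),
                       r["Payee"].strip(), credit - debit, "bank_b"))
    return out

# Merchant rules: a regex over the description plus the category it maps to.
# Order matters; the first match wins.
RULES = [
    (re.compile(r"^MSFT\*AZURE\b", re.I), "Cloud hosting"),  # suffix varies per bill
    (re.compile(r"^BS \d{2}-\d{4}-\d{4}$"), "iTunes"),        # opaque processor label
    (re.compile(r"CHIPOTLE", re.I), "Restaurants"),
    (re.compile(r"PAYROLL", re.I), "Income"),
]

def categorize(txn: Txn) -> str:
    for pattern, category in RULES:
        if pattern.search(txn.description):
            return category
    return "Uncategorized"

def normalize_all(exports: dict[str, str]) -> list[Txn]:
    """Parse every export with its bank's parser and merge into one timeline."""
    parsers = {"bank_a": parse_bank_a, "bank_b": parse_bank_b}
    txns = [t for name, text in exports.items() for t in parsers[name](text)]
    return sorted(txns, key=lambda t: (t.posted, t.source))

def totals_by_category(txns: list[Txn]) -> dict[str, Decimal]:
    totals: dict[str, Decimal] = {}
    for t in txns:
        c = categorize(t)
        totals[c] = totals.get(c, Decimal(0)) + t.amount
    return totals

if __name__ == "__main__":
    all_txns = normalize_all({"bank_a": BANK_A_CSV, "bank_b": BANK_B_CSV})
    for t in all_txns:
        print(t.posted, f"{t.amount:>9}", categorize(t), "<-", t.description)
    print(totals_by_category(all_txns))
```

Unmatched descriptions fall into "Uncategorized" rather than being guessed, so a new merchant label surfaces for review instead of silently landing in the wrong bucket.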
Yep, I haven't been able to get to full automation either.
I integrate with 1pw, so I don't have to enter my credentials which is nice.
I handle all the 2FA through cli prompts, so as a user you basically need to stick around as it's running because you might get a 2FA prompt as it logs in to banks.
The worst for me has been irregular marketing or other reminder popups from some banks. The kind of thing where they put some interstitial page up once per month or so after you sign in and want you to respond in some way.
You're doing this for personal or business expenses?
I'm curious to check this out, do you have a GitHub repo/account?
Personal, and no repo at the moment. The code is a huge mess, from scattered multiple generations of wrappers around Selenium's "click this element" functionality to custom accounting code to bit-rotted parsers for old receipt email formats, etc. My thinking was largely "as long as I have the data I can make the code better later" and that later has yet to come. I don't have any passwords in the code at least but I think I do have email address whitelists/blacklists for email management stuff and lists of merchants for credit card transaction categorization...
I'll see if I can maybe make a repo by the next time there's a thread about how customer hostile banks are.
Did you release the sources for this by any chance?
I have been playing with the idea of doing something like this for a long time. But it seems like a huge job and I haven't been able to motivate myself towards it yet.
My bank even supports showing a lot of those spending stats as in Lunch Money, but it is entirely on their end and I'm not in control of it at all. I can look at the graphs and numbers in the app but I can't export or store it in any way.
I haven't released it. I've considered it, and it's written in a way that others could use it, but I know if it gained significant popularity it would be a really high value target to compromise. I don't have the time to dedicate to the vigilance necessary to defend that kind of a target.
If you're interested, I'd be happy to share the source with you as a starting point
Sure, if you don't mind that would be great! My email is my hn username @noodfive.com
Thanks!
I need to jump through a few hoops to send it, since GitHub won't let me add a user with read access to a private repository, but I'll send that over tonight.
Some banks now offer proper APIs, allowing Mint to redirect you to their OAuth flow-equivalent. So it's slowly improving.
I actually think the opposite is happening. Yes, a few are adding OAuth flow-equivalent, but even more are adding 2-factor and other security measures that prevent a third party.
Maybe Plaid has enough clout to prevent it, but other services have dropped functionality for more and more accounts over the past 2-3 years in my experience.
IIRC, OpenBanking in the UK requires a re-auth every 90 days with the 2FA. I think that's a very reasonable balance, and means services don't have perpetual access.
Oh, I'd be ecstatic if that's how it worked. Instead, I have to go through 2FA every time I want to update with some providers. Others say "Apologies, we're working with the provider to restore support" and have stopped working for years. Others I can transfer money but can no longer see the balance.
On rare occasion I see banks that have a revocable token. I can't remember the exact linking process, but presumably they don't get my credentials, I can specify read-only access and specify specific accounts, it needs periodic renewal, and from the bank end I can see who I gave permission to and revoke access from there. This doesn't seem common and I'm not sure if all the clients support those banks (or if it's a limited "in-group").
None of this is especially novel. It's just the incentives and efforts aren't there.
It's frankly annoying. I wish they enforced a notification by some means instead (X still has access unless you do Y), at least for services that only need read-only access.
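The grant model the last few comments describe (no password handed over, read-only scope, specific accounts only, a 90-day lifetime after which the user must re-authorise, and a bank-side list where the user can see and revoke each grant), as an added example in Python. This is not any bank's, Plaid's or Open Banking's implementation; the class and method names, the HMAC-tagged token format and the sample account ids are constructed for illustration, and only the 90-day lifetime comes from the thread.

```python
"""Consent-token model of the kind the thread describes: a third party gets
a read-only, account-scoped, time-limited, revocable grant instead of the
user's password.  Added example; not any bank's, Plaid's or Open Banking's
implementation.  Names, token format and sample data are constructed; the
90-day lifetime is the figure quoted in the thread."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CONSENT_LIFETIME = timedelta(days=90)   # re-auth required after this

@dataclass
class Grant:
    grant_id: str
    client: str                 # the third-party service the user authorised
    accounts: frozenset[str]    # account ids the grant may touch
    scopes: frozenset[str]      # e.g. {"balances:read", "transactions:read"}
    issued: datetime
    expires: datetime
    revoked: bool = False

class ConsentStore:
    """Bank-side record of grants; the user sees and revokes them here."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._grants: dict[str, Grant] = {}

    def issue(self, client: str, accounts, scopes, now: datetime) -> str:
        gid = secrets.token_urlsafe(16)
        self._grants[gid] = Grant(gid, client, frozenset(accounts),
                                  frozenset(scopes), now, now + CONSENT_LIFETIME)
        # Token the client holds: grant id plus a MAC, so a forged or
        # tampered id is rejected before any lookup happens.
        tag = hmac.new(self._secret, gid.encode(), hashlib.sha256).hexdigest()
        return f"{gid}.{tag}"

    def _lookup(self, token: str, now: datetime) -> Grant | None:
        gid, _, tag = token.partition(".")
        expected = hmac.new(self._secret, gid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        g = self._grants.get(gid)
        if g is None or g.revoked or now >= g.expires:
            return None
        return g

    def authorize(self, token: str, account: str, scope: str, now: datetime) -> bool:
        """True only if the token is valid, unexpired, unrevoked, and covers
        both the requested account and the requested scope."""
        g = self._lookup(token, now)
        return g is not None and account in g.accounts and scope in g.scopes

    def list_grants(self):
        """What the user sees in their banking UI: who has access to what."""
        return [(g.grant_id, g.client, sorted(g.accounts), sorted(g.scopes),
                 g.expires, g.revoked) for g in self._grants.values()]

    def revoke(self, grant_id: str) -> None:
        self._grants[grant_id].revoked = True

def demo() -> dict[str, bool]:
    """Walk through the checks with constructed data; returns each outcome."""
    now = datetime(2021, 3, 1, tzinfo=timezone.utc)
    store = ConsentStore(secret=b"constructed-demo-secret")
    tok = store.issue("budget-app", ["chq-001"],
                      ["balances:read", "transactions:read"], now)
    results = {
        "read_balance_ok": store.authorize(tok, "chq-001", "balances:read", now),
        "other_account":   store.authorize(tok, "sav-002", "balances:read", now),
        "write_scope":     store.authorize(tok, "chq-001", "payments:write", now),
        "forged_tag":      store.authorize(tok.split(".")[0] + ".deadbeef",
                                           "chq-001", "balances:read", now),
        "after_90_days":   store.authorize(tok, "chq-001", "balances:read",
                                           now + timedelta(days=90)),
    }
    store.revoke(store.list_grants()[0][0])      # user clicks "revoke" at the bank
    results["after_revoke"] = store.authorize(tok, "chq-001", "balances:read", now)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'allowed' if ok else 'denied'}")
```

The point of the design is that every denial happens at the bank, with the user's password never leaving the bank's own login page; a real deployment would issue the grant through an OAuth-style redirect and persist the store, which this sketch omits.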
Yep, but unfortunately it's only a small handful of the banks. And it tends to be the larger national banks that offer proper APIs, and I tend to avoid banking with those.
I'd really like to see Open Banking API laws passed in the US to require banks to offer this kind of API.
When your company uses Carta you'll be forced to use Plaid under time pressure to exercise your stock options. Companies need to stop enabling Plaid because they are too lazy to implement their own payment systems.
Ugh, this is how POLi Payments works in Australia, used by some businesses here and there and mostly by airlines. To do payments there, you literally give them your internet banking username and password, and they impersonate you to transfer money out of your account into the seller’s account. There are multiple bald-faced lies in their marketing (such as calling it a proxy like Opera Mini, and stating that they do not capture usernames or passwords, which… uh, hello, maybe you don’t store them, but you absolutely capture them).
I learned that this actually was what they were doing three years ago, and promptly complained to them, and was politely ignored (“Security is very important at POLi”… “Although it does not look like your traditional internet banking screen, the POLi interface is just as secure (if not more so)”…).
I’m baffled that the banks haven’t shut POLi down since it’s fundamentally predicated on ToS breaches, this man-in-the-middle attack and training users to do catastrophically stupid things, even including undermining 2FA (“give us your username and password; oh, looks like you have 2FA enabled, give us that token too?”). I complained to my bank (NAB) at the same time, and they said of using POLi Payments that “NAB does not suggest this course of action as this will be a breach of security” and that I should talk to POLi instead, as they “are unable to put a full block on this service as customers can still authorise transactions themselves at their own risk however NAB has advised in the terms and conditions of a breach this may cause”. In other words, they’re just covering their ears and ignoring it. Yet I’m sure they could block POLi without much difficulty if they actually wanted to, since all requests will be coming from POLi servers and are sure to be easily detectable (even their usage pattern would be trivial to detect). So why don’t they want to kill off this security menace?
Perhaps the worst part of it all is that Australia Post purchased POLi Payments some years back, thereby legitimising this abomination that should be terminated with prejudice.
Seriously, how do you end up with such a major player in the payments space being predicated around lies and evasion, terms-of-service violations and security malpractice? (And they even got exempted by ASIC from holding a financial services license.)
Another silly thing about it these days is that half the reason for the MitM attack (rapid confirmation that the transaction has taken place) is no longer needed, because almost all banks in Australia now support rapid transfers and linking email addresses to bank accounts, so they could just say “transfer the money to sales@example.com.au with description 12345” and reconcile it within a minute at least as an alternative to the MitM attack.
That's terrible. I've never used it though, as an Australian. The name does sound vaguely familiar though. Are there any businesses that actually require you to use it? I've never seen one.
I usually pay for airlines with my credit card, now they aren't allowed to charge as large fees as they used to. Before that, I'd used BPay instead (which I still use for a lot of bills).
I don’t think I’ve ever seen POLi presented as the only option, but it’s commonly the only fee-free option (BPay isn’t always offered). For myself, as soon as I learned what POLi was (because it asked for my bank username and password) I decided I hate it enough to pay a few extra dollars of credit card fees.
Agreed. The name sounds vaguely familiar but I haven't come across it either. They actually have an interactive demo [0]. It feels super sketchy and wrong being asked for the bank login.
> On the consumer side I can’t imagine ever giving my bank credentials to Plaid or any other company. Super unnerving that this is even a thing, it’s like the number one rule of passwords.
Yeah, and it's also the number two and three rules with bank passwords.
I sold Bitcoin for the first time a few months ago on Coinbase. Their only bank integration is via Plaid, and I did a double-take and noped the fuck out of that right away. It boggles my mind that's even a thing. Luckily I was able to get my money out via Paypal instead without too much hassle.
> I can’t imagine ever giving my bank credentials to Plaid or any other company
It's another tax on the poor, same as advertising. No service targeting sophisticated, wealthy people would use this. But if you have someone desperate for liquidity, of course they'll hand you the keys to their kingdom.
Plaid is used a lot of places, including services mostly for the wealthy. For example, a previous startup I worked at used Carta to manage employee stock options.
The default mechanism to transfer cash into Carta to exercise your options was with Plaid.
Now to be fair, you also had the option to use check routing numbers to perform the transfer. But I have to imagine that most people use Plaid without a second thought.
So this sounds like Plaid wanted to learn how to interface with the client-facing web interface of these payroll systems. So it paid people who have their own payroll on the system for access to that individual's login to study the user interface in order to develop a system that can interoperate with it. This sounds... not so bad?
I think the biggest issue is that they were paying employees for login credentials to sensitive systems. Imagine you’re an IT manager and you find out that an employee is giving the company’s* usernames and passwords - to a 3rd party at their own discretion. I think this is a HUGE deal. Unless the employees had explicit permission from the employer (the article strongly insinuates they did not), I don’t see how this is anything besides a giant mess.
*if you log into a company system, with a company provided username and password, those credentials belong to the company
I got the impression it was the employee side of the app. As in me logging into ADP so they can figure out how to scrape ADP
Yes, but I'm sure most employment contracts say something to the effect of "you will not grant unauthorized access to company property or systems."
And the fact that the employee was paid, shows that the interest was in the employee's favor, not the businesses. (conflict of interest)
It's the same as if a salesperson said "I'll give you $500 to help me get into your office building, and navigate me to the payroll department's desk. I just wanna understand the layout for a meeting I want to have in a few weeks."
They say their lawyers approved it, so I assume they verified they were getting credentials from higher ups who had the authorization and not just rank and file employees.
>Plaid told Motherboard 12 people participated in the test and that it was vetted by the company's legal counsel. Plaid added that participants' login credentials have since been deleted and that the test was only open to friends and family of existing Plaid employees.
This sentence is loosely worded. Plaid's lawyers may have approved it, but did the lawyers of the company systems that were accessed approve it?
I cannot imagine the companies I've worked for allowing a non-partner 3rd party to pay me, an individual, for access to company systems, let alone approving it even if I wasn't getting paid...
Additionally, as a Senior Manager in my org, I could not accept a payment like this as it's a conflict of interest. It's even more egregious if Plaid "got approval from a higher up for $500".
I thought duping customers [0] to think they were entering their credentials at their bank website while they were giving them to Plaid was bad. But this is some next level malice. How are they still in business?
[0] https://www.ctvnews.ca/business/td-bank-files-lawsuit-agains...
They got me with that one once, the frame looked exactly like my bank's login and I thoughtlessly assumed it was some kind of federated authentication handoff. This is apparently enough of a problem that my bank is flagging them as likely fraud.
Seems like this is going to wind up in court sooner rather than later.
I don't understand how this hasn't resulted in criminal charges when they went after Aaron Swartz for so much less...
If you trick someone into giving you their credentials and use them, how is that not the textbook definition of unauthorized access?
I bet many banks have similar language prohibiting sharing logins, so you could make the argument that the core business of Plaid could be considered hacking under CFAA. I hope that the legitimate use of tools to do things on the Internet will be normalized before this argument is tried in court.
It's a matter of having regulators require interoperability as Europe did with PSD2 [1]. Plaid is a hack due to legacy financial institutions not being required to provide these interfaces by regulatory bodies.
[1] Revised Directive on Payment Services (PSD2): https://en.wikipedia.org/wiki/Payment_Services_Directive#Rev...
Yodlee (used by Mint and likely others) has been around for over a decade, and AFAIK nothing happened to them.
The fact that Plaid even exists, and that their core business will probably continue to thrive for another decade makes me almost certain that the US will lose its stranglehold on innovation soon.
In the US, I have to pass through so many rent seekers to move some digits over (Plaid, Stripe, and Visa/MasterCard). Meanwhile Europe has PSD2 now and China AliPay/WeChat Pay. Even India, which in the past 3 months has unfortunately proven dysfunctional has UPI, which is orders of magnitude better than what we have.
When has the US recently passed legislation or standards that fosters innovation? (this is a serious good faith question - there seems to be a lot of govt grants for stuff like basic research, but a whiff of money churns out stuff like repealing net neutrality).
Hell even here in Canada we have the Interac system, which from what little I know of the US banking system, is consistently 10+ years ahead of the game. I've had "Chip & PIN" on my cards since at least 2008, and distinctly remember getting my first "tap" card in ~2011 or so. I genuinely couldn't tell you the last time I inserted my card into a machine because anything under $100 (>99% of my in-store purchases) can be tapped for, and >99% of businesses support tap (looking at you, Walmart and Pilot/Flying J. Get with the times!). From what I understand tap is still barely on the docket at a lot of the US banks.
The big kicker for me is Interac e-Transfers, where you simply log into your banking and can email (or text) money to anyone in the country - they click the link in the email/SMS they receive, log into their bank account, and choose where the money is deposited. We've had this system in place since at least 2014? Hell I pay my rent and buy weed just by sending e-transfers, they're treated the same as cash and happen instantly. It reminds me of something that happened recently, I stumbled into a conversation with some of my American friends trying to figure out how the one person was going to pay the other >1000 miles apart; it was absolute lunacy listening to them decide between PayPal, Cash App, Venmo, etc., trying to figure out who had the lowest fees for both parties, factoring in the time it takes for the transaction to happen and transferring to/from their bank account if necessary. It's insane to me how the banking system underlying the world's largest economy is so far behind the times.
I think you're painting a rosy picture of the Interac system.
It's not instant. Transfers can be delayed for hours in some cases.
It has ridiculously low limits that cannot be raised.
Until recently it had a cumbersome question and answer system with strange character limits for each.
Virtually no businesses use it. You can buy weed (illegally) using it because they can't use credit card processing.
A revamp to the Interac system is in the works which looks similar to the UK faster payments. A frankly much better system.
https://www.theglobeandmail.com/business/article-interac-cho...
Interac E-Transfers are great, except that I wish they didn't train people to click a link from their email and type in their bank password. Sure, it redirects to a login page on your own bank's web site, but how does a non-technical user know it's not a phishing lookalike?
Really, the existing autodeposit feature would be perfect if it let you log in to your online banking and confirm pending transactions before autodepositing them. For that matter it would be nice if the email gave me a string I could paste into my online banking to get to the existing confirmation page.
It's all much better than having to link your bank account to some third party or give away your credentials though.
I suggested to a big bank back in 2011 that they should have an iPhone app that sends a push notification to alert me to debit or point-of-sale transactions so I could approve them as they happened, and they only recently did so. But in their defense, security can be cumbersome and hardware-integrated tokens like Apple Pay are just as good and simpler to explain, assuming we can get rid of legacy plastic at some date in the future.
Similarly, we won't be able to get rid of email but if clicking a link in an email opened an app instead of a webpage, it would be a lot harder for phishing websites to pretend to be my bank. (Assuming I'm expecting a mobile app, of course. A second line of defense is that my password manager might not prompt me to fill in the password because the URL doesn't match. But even that's not foolproof.) Even better would be if Interac E-Transfer itself was an app I could sign up for, then it could send me a push notification and I could skip my inbox entirely for these sort of transactions.
Of course, the only reason I trust apps more than websites is that I went to download them previously, rather than clicking a link that just showed up in my inbox. To that end, Gmail and other email providers have immense power if they created a design which could highlight emails from senders I've seen before as "trusted" and those from unknown senders as unknown.
Things get more gray-area though when the system itself fails: You can request money from anyone using Interac E-Transfers, and that means spammers could hijack a bank account and request money from friends and relatives you've recently sent e-transfers to, for example. Those emails would then appear as "trusted" and there's not much you can do to stop that, it's the cost of making money transfer "easy".
Yeah, the technical security in all these systems is a bit half-hearted†. However, in my opinion the key is to legislate that the banks (who built or in some cases purchased said half-hearted system) eat the cost of that. Maybe they're comfortable with say $10M p.a. of fraud in the system; if they really can't build a safer one for less than $10M you can see they'd have a point.
The problem comes when banks are able to argue that their half-hearted security means they aren't liable to pay for the consequences. Consumers need protecting against that.
† In the UK we have a lot of 3-D Secure, developed by Arcot. But of course the average consumer has no idea who "Arcot" are, and so no reason why they should distinguish an arcot.com site (legitimate, you're supposed to give them credentials if necessary to authenticate you) versus say badguy.example (a hypothetical phishing fraud). Both of them can show you branded imagery from your bank, both have a padlock, both claim they're keeping you safe. How should an ordinary person know?
I was under the impression that chip and pin is more common in the UK and Canada because fraud is more of an issue, so the cost benefit works out in favor of it.
Even now you never have to pin in the US.
I think it's more common in Europe because the first industrial producer of chip cards was created in France (Gemplus, now Gemalto). In France, payment cards are "dual network": any card is either Visa OR Mastercard AND also "CB". "CB" is a payment network managed by the "GIE Carte Bancaire" owned by all French banks.
CB dealt with Gemplus to add chips to all new cards emitted since 1992 so we had them for a long time. I don't know how it spread over Europe, but as we had the industrial capacity to provide chip cards to everyone and a free market, I think it was easy to sell that to lots of European banks. CHIP+PIN is a really great deal for banks: it's cheap, and the responsibility for all payments made with the PIN is on the card owner and they are really hard (or impossible) to dispute.
In the US, interchange fees are an order of magnitude more than in the EU, where they are capped. So there is a lot more fraud the system can silently swallow before anyone has to consider upsetting customers and vendors with PINs.
I thought it was the US that was still considered a hot bed for card fraud.
I've been to stores in the US where they just swipe your magstrip and hand you back the card. No signature, no pin, they don't even look at it, so you can basically clone cards like it's still 1985.
This is consistent with how my UK bank treats any transaction occurring in the US: usually it's an instant card block and a polite phone call from them to check that it was actually me.
That just sounds like basic geo-fencing. I'm sure the opposite applies too.
Sounds like the other response about transaction fees is on the right track.
In the UK it's most likely because of EU regulations. I've never had anything but chip and pin in the EU, got my first card ~2006.
Chip and PIN was rolled-out in the UK in late 2003
Interac e-transfer seem fraught with scams and fraud. There were a few Reddit threads on how to protect transfers from being intercepted.
Walmart added tap during the pandemic, as people did not want to touch the console to enter their pin. It's a welcome change.
It boggles my mind how far behind the payments curve the US is. If you go to India or Indonesia you can pay a guy cooking street food at the side of the road by scanning a QR code but in New York you still have people paying for sandwiches in Pret a Manger using a cheque.
Unbelievable, I can't remember when I last saw a cheque in the UK.
Don’t believe everything you read online, especially when the parent commenter is clearly not even American based on their spelling. I live in the US and have only used a “check” a couple of times in the past 5 years.
And almost nobody would ever use one at a retail store or restaurant or food truck, if anything they’re only used for sending large sums of money to small businesses who want to avoid the 3% card processing fee. It’s still bad that this fee is so high on our primary payment rails, but it’s not as ridiculous as people in this thread are making it sound.
I didn't just read it online - this is based on my experience as a UK citizen who used to live and work in Manhattan a lot up to 2 years ago (think: not permanently but enough in any given year to have to pay Federal and NY state income tax). More than once I saw people do this to buy sandwiches in the financial district and near to Madison Square Park, and I've even seen people pay for groceries by cheque and get cash back the way that people used to before ATMs existed. I can dimly remember my parents doing this maybe 40 years ago but have certainly never done it myself. I was also for some time the unhappy owner of an extremely small number of shares and the company insisted on sending me my dividend (less than $5) every quarter by cheque.
When I opened my US bank account they asked me how many cheques I wanted "to get started". I said none. Like why would I ever use one for anything? I don't use a quill pen either.
It is literally not believable. I live in New York and have absolutely never seen anyone pay for sandwiches by check. Maybe, maybe if they were paying for a catering order of 50 sandwiches. But even then they'd probably be using a corporate credit card.
I got my first ever checkbook when I moved to the UK in 2000 and marveled at how quaint and old fashioned it seemed - in Norway my parents had them in the 1980s, but they'd been phased out by the time I got my first adult bank account in the 90s.
I still have a UK checkbook, but haven't written a cheque in a decade.
I kind of feel like China has already passed us. The US defines "innovation" as patents but in reality innovation is so much more than that. The US feels like it's slowly grinding to a halt, and when I see how China is growing, I think we're already behind. I have been shopping for machine tools, and the stuff in China isn't just cheap knock offs anymore. It's good enough for them to use in country to build bullet trains and passenger jets. Of course they do import machinery from elsewhere too, but I just get the sense that they are moving very fast. If they'd passed us on daily innovation, we wouldn't exactly know it. It's hard to quantify.
By the way I blame patents for this. Patents are a legal blockade on third party innovation. But that's how progress is made! Everyone copies everyone. You see something and you make a better version. Patents gum up the works and drive things to a standstill. They don't have this problem in China. Some people think investment won't happen without IP restrictions, but I think it will, just differently. There's no more unicorns and whales, but there's a lot more fish.
More like implementation inertia: most other countries have leapfrogged from their primitive systems directly to the latest and greatest, while in the US they are still making do with decades-old technology.
At best, being able to build things that are built elsewhere would indicate parity. Further, for passenger jets, the C919 is far from being 100% domestically built (e.g., the engine comes from an American/French venture).
I'm hopeful we'll see all countries converge onto a similar pace of innovation and progress. Large countries/regions (as a simple proxy for population and access to raw resources) will hopefully reach this parity sooner than later. At that point, I also hope that 1 country/ideology will never be able to pull far ahead of another - short of some fluke breakthrough that can be kept secret.
Well to be clear, I am responding specifically to the phrase "makes me almost certain that the US will lose its stranglehold on innovation soon."
Imagine two nations. A wealthy nation that used to innovate but has completely stopped innovation. It could continue to make advanced things using existing infrastructure and people, but could not improve beyond its current state. (This is the extreme, for illustration).
Then imagine a larger poorer nation that is rapidly advancing. Even before the poorer nation has surpassed the other in technological capabilities, it would be producing more total innovation per year. Growing requires lots of innovation. Stagnating... not so much.
So I am suggesting that the rate of innovation could be slowing in the US, and the rate of innovation could be higher in China. Even if absolute output is more advanced in the US, which would be a different metric. But the rate of innovation is important for projecting where each nation will be in the future, and I do believe intellectual property restrictions slow the rate of innovation.
I think the problem with forcing financial companies to develop interoperable systems is that the rules governing the standards are often set by the regulator, who really doesn't have any skin in the game.
If you take UPI, for instance, it's a fairly robust standard that has been developed by a non-governmental body that has been ruined by the regulator insisting that banks charge 0 transaction fees even for individuals that do a large number of transactions. This is because the regulator believes even a small fee will hamper adoption. This results in a relatively high failure rate because banks refuse to invest in servers and technologies that can handle the huge volume of transactions.
I am happy that technological standards are largely untouched by the government.
Most of the time government standards are based on "advice" from industry so it ends up as regulatory capture. A case of forcing fees to zero sounds less bad than usual.
Payments in the US are more of a minor nuisance than a serious problem. And the rise of companies like Stripe, Shopify, Plaid, and PayPal before them seem to be doing a fine job filling the gaps. I'm sure eventually we'll get better low-level payment rails, but I don't think it would actually affect the day-to-day life of the average American much, if at all, which is why it hasn't happened yet.
If anything is going to kill the US it will be something like the collapse of fair elections or the huge ballooning healthcare and education costs, not the payment rails.
I feel like this is just a more general trend of US legislators deadlocked so hard that it provides rent seekers the opportunity to step in and entrench themselves. I would argue that healthcare - which you mentioned - is another prime example of this.
If you think about it, the payments system is a 2+% sales tax! Levied by private corporations! I don't even have an alternative since by contract with Visa/MC stores can't provide a lower price for paying cash.
> I don't even have an alternative since by contract with Visa/MC stores can't provide a lower price for paying cash.
This hasn't been true for over a decade. Cash discounts are allowed by the Durbin amendment.
See: https://www.law.cornell.edu/uscode/text/15/1693o-2 (b)(2)(A)
Ahh thanks for the correction. This seems like it's still pretty consumer unfriendly though - you still have to advertise the card price in store and then you can take a discount at the register, as opposed to advertising a cash price and then adding a card charge.
There are a lot of small businesses around me that are cash only under $10/15 dollars. Given human psychology around advertised prices (i.e. most people don't think about opportunity cost), I'm not surprised cash discounts aren't common.
This is a problem that can only be solved by regulated open banking (i.e. the regulator enforcing that banks/FIs build APIs following one standard). Until the US has regulated open banking, users will be sharing bank credentials in plain text and providers will be screen-scraping bank accounts.
There are lots of good examples of regulated open banking. Europe has PSD2. Australia has the Consumer Data Right Act. Several other countries are now implementing open banking legislation: Brazil, Japan, Saudi Arabia, Mexico, Singapore, Hong Kong, India.
It would be great to see the US on that list some day.
Australia’s open banking initiative is well captured by the big 4 banks. Good luck getting any access to it.
Having an act, and being able to use it in any useful manner, are two very different things.
Operation Warp Speed
PSD2 seems like a total disaster to me.
From my understanding, banks are required to provide an API. Not a specific one - any API. Which means each bank has a different one and you need yet another rent seeker that aggregates those APIs.
That's on top of requiring specific, often outdated security mechanisms, so now every time I want to pay something with a credit card I have to do extra authentication, >1 GB of my phone's memory is filled just with bank auth apps (again, each bank has their own).
> you need yet another rent seeker that aggregates those APIs.
If anyone can implement such an aggregator, market competition should drive the cost of that close to zero soon enough.
And indeed it is. Nordigen's product for example is free; they make money on upselling an optional product on top.
Since the aggregator will process sensitive data, you need a lot of audits etc.
If you'd like to use the API to access your own account using open source software, good luck (unless you find an aggregator that is certified and allows you to access your own account through them).
> Not a specific one - any API
Defining this is a job for industry bodies and suchlike, as is keeping it current. Lest we forget jokes like the 2020 Brexit agreement containing references to Netscape Navigator 4.0
Having a rule that banks need to agree on one and then implement it would be fine. What is not fine is allowing each bank to come up with their own, especially as banks have no interest in making usage of their API easy.
"Even India, which in the past 3 months has unfortunately proven dysfunctional"
What exactly does this mean? Other countries did not have a coronavirus wave?
Indian here.
> what exactly does this mean?
That our response to the current wave has been tragic.
> Other countries did not have a coronavirus wave?
Yes they did. However, we had the opportunity to learn from the tragic things that happened elsewhere and could have done stuff to prevent it/soften the blow but we didn't. The problem is not that we "allowed" another wave to happen, but that we allowed people to die due to a lack of oxygen and ICU beds.
When did we get unlimited resources? Should we stop everything else and put everything into oxygen and beds? These kinds of things can only be reacted to, not prepared for in surplus beforehand, because for a developing country like India resources are never enough.
Crypto innovation is mostly coming from the US, which is in the process of replacing the financial system.
It's hard to differentiate Plaid's behaviour in getting user account details from that used by Amazon refund scams [1].
Their motive may be different, but their actions just help make this sort of behaviour on the vulnerable (i.e. the non-technically/security-literate) easier to repeat by the more unscrupulous.
But people are fine with giving Plaid their bank credentials for some reason.
> this was part of a pilot program to build "consumer-permissioned tools that make it easier for consumers to securely share their information digitally."
What a useless statement. That could mean anything.
Probably why my employer's payroll system is only available internally / via a VPN.