privacy.com, plaid, and your bank. Is your info really safe?


brookbphx

New member
Mar 13, 2021
So listening to the Security Now podcast, I hear the ads for "Privacy.com" a way of generating custom credit card numbers that can have monetary limits, time limits, and vendor limits to allow its users to safely control payments made via credit cards. The concept is great. I used to use it with MBNA and Bank of America before they discontinued the service.

So I was excited to sign up, but wanted to better understand the technology. Here's a very high level gist of what I understand:

Privacy.com and other financial tech services, such as Venmo, use a company called 'plaid' to act as a third party intermediary between privacy.com and your bank. They provide direct access to your checking account for payments and transfers. Privacy.com, venmo, and others, do not handle your bank account usernames and passwords. Instead plaid handles the intermediary work - somewhat like a proxy. Between privacy.com (or Venmo) and plaid, special tokens are used that are NOT your banking credentials. So you don't have to worry about giving privacy.com or venmo your bank login credentials. But between plaid and your bank, there's a different story.

Apparently there are different options for providing banking credentials to plaid to set things up: 1) Your banking username and password, 2) routing codes, 3) debit card numbers. I believe the most flexible method is #1. But wow, that seems awfully risky giving this company your bank credentials. Once they have them, it seems that they effectively have full access to your bank account.

So doing a bit of google research, I found an article on this, that asks the question: does Plaid store your bank Usernames and Passwords so that it can use them in plain text format to access your account? See https://security.stackexchange.com/...-user-s-banking-login-information-safe-to-use . The original author and plenty of commenters to that article all seem to have different opinions, but nobody actually seems to know the answer. Rather than repeat everything said there, please read it.

So this seems like the perfect kind of article for Steve and/or like-minded security researchers to investigate and report on. This is a good place for us security folks to discuss it. And it would really be great if Steve would reach out and figure out just how safe use of the 'plaid' middleman service for financial tools like privacy.com and Venmo is. Since privacy.com is an advertiser on Security Now, a segment about 'Privacy.com' and 'plaid' on Security Now could be like a really in-depth advertisement for them (assuming the answer to the 'is it safe' question turns out to be 'yes').

Does anyone know if plaid stores your actual banking usernames and passwords, or do they have some other kind of secure API between themselves and the bank, and they never see your passwords?
 

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
Does anyone know if plaid stores your actual banking usernames and passwords, or do they have some other kind of secure API between themselves and the bank, and they never see your passwords?
There is an integration question here. Logically, for the most seamless sign-up process, you wouldn't give Plaid the credentials, you'd give them to Privacy, the service you're signing up for, and they would process them, on your behalf, through Plaid. That would really make me uncomfortable though. So the next logical thing would be to go to Plaid and give them the credentials and something from Privacy (a client code or something) and they would make the interconnection for you.

The most secure option would be to go direct to your bank, with a code from Plaid, that would allow Plaid the necessary access to your bank account. Then you would go to Plaid with a code from Privacy and that would allow Plaid to make the necessary connection(s). The benefit with that approach is that you now have more control. You could break the connection at your bank, at Plaid or at Privacy.

In any case, I'm not sure it really matters about the credentials because the bank is all about transactions anyway. If there is any connection, the transaction can be attempted, and it's up to the bank to authorize it or not. Since Plaid has a business to run, they certainly don't want to jeopardize the willingness of the banks to trust it and do business with it. Based on that assumption, they're unlikely to do anything strange as a company... but I suppose there is always the risk of a rogue employee. Since they should be aware of their own risk profile, I can't imagine they'd allow any single employee the access that would be necessary. It would be good to know for sure what precautions they've taken... I wonder what they say in their various terms of service and privacy documents?
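The three-hop arrangement described in the post above (bank, then aggregator, then app, each link revocable by the user), modeled as an added example that is not part of any post in this thread and does not represent how Plaid, Privacy.com or any bank actually works. The `Party` class, the scope names and the token format are hypothetical.

```python
import secrets

class Party:
    """A hop in the chain. Issues scoped, revocable tokens; never sees a password."""
    def __init__(self, name, upstream=None, upstream_token=None):
        self.name = name
        self.upstream = upstream              # who we call to move money (None = the bank)
        self.upstream_token = upstream_token  # the only secret we hold for that call
        self.grants = {}                      # token we issued -> scopes it allows

    def grant(self, scopes):
        token = secrets.token_urlsafe(16)
        self.grants[token] = frozenset(scopes)
        return token

    def revoke(self, token):
        self.grants.pop(token, None)

    def authorize(self, token, scope):
        if scope not in self.grants.get(token, frozenset()):
            return False                      # unknown, revoked, or out-of-scope token
        if self.upstream is None:
            return True                       # the bank makes the final decision
        return self.upstream.authorize(self.upstream_token, scope)

def build_chain():
    bank = Party("bank")
    t_bank = bank.grant({"debit"})            # user approves the aggregator at the bank
    aggregator = Party("aggregator", bank, t_bank)
    t_agg = aggregator.grant({"debit"})       # user links the app at the aggregator
    app = Party("app", aggregator, t_agg)
    t_app = app.grant({"debit"})              # app-side handle for the linked account
    return [(bank, t_bank), (aggregator, t_agg), (app, t_app)]

def revocation_results():
    """Revoke at each hop in turn and report whether the app can still debit."""
    results = {}
    app, t_app = build_chain()[-1]
    results["before"] = app.authorize(t_app, "debit")
    results["out_of_scope"] = app.authorize(t_app, "read_statements")
    for index in range(3):
        chain = build_chain()                 # fresh chain for each experiment
        party, token = chain[index]
        party.revoke(token)
        app, t_app = chain[-1]
        results["revoked_at_" + party.name] = app.authorize(t_app, "debit")
    return results

if __name__ == "__main__":
    print(revocation_results())
```

In this model each party holds only the token issued by the hop directly upstream, so revoking at any one of the three places stops the debit, and a token granted for `debit` cannot be used to read statements.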
 

Lob

What could possibly go wrong?
Nov 7, 2020
Home - Open Bank Project

I think what you want is to permission services from within your secure environment to others without password sharing. To do this is nuts and comes at a grave risk.

This will allow you to add accounts and view your portfolio beyond your primary banking partner and allow you to manage and revoke permissions between the institutions. Yourself. And with need-to-have permissions.

Does this sound useful?
 

FlyingPenguin

Member
Sep 26, 2020
I started using Privacy.com about a year ago (free option). I was NOT comfortable with giving them direct access to my checking account via login credentials so I opted for using the debit card I have attached to that account. I don't use the debit card for anything else (I used credit cards for all purchases) so I figure I can easily reset that debit card if something goes south.

Overall I do like the service. It gives me a lot more control over who I give REAL credit card numbers to. About a year ago I went through a spate where I had to change my Amex card number 7 times in a month because it was getting compromised somewhere.

I have several Privacy 'cards' setup for retailers I do regular business with, and I also often make use of the one-time use cards, particularly when ordering from an unfamiliar retailer that I don't expect to do business with again.

Now all that said, I would much prefer if my bank's credit card company had this feature, but sadly they don't. Amex has virtual cards, but it's for business accounts and meant to be issued to employees.
 

brookbphx

New member
Mar 13, 2021
For some reason, when I tried using my debit card, privacy.com rejected it. And as I said, I was uncomfortable using Plaid and providing bank login credentials. I contacted privacy.com's support, and they said that if I was having a hard time with the debit card, they could enable access via the routing and account number (numbers at the bottom of a check). So they enabled that and I was able to sign up with that. So if your debit card doesn't work and you're not willing to give up your username and password, you can contact support and ask for access via Account and Routing Number. And then try not to keep too much money in that account in case something goes wrong . . .
 

dg1261

Member
Oct 22, 2020
I've always found Leo's ads for privacy.com a bit bemusing. Two of my credit cards provide free virtual numbers that do the same thing. I've been using their virtual numbers for about 10 years and I guess I just assumed everyone was familiar with them, so I just don't understand the fascination with privacy.com.

A decade ago there were several credit card companies offering them, but many eventually discontinued the service. Yet, CitiCard and Capital One still offer the feature, and I use both on a regular basis.

One notable difference is privacy.com acts as a debit card, while CitiCard and Capital One work as credit cards -- which means they have the same protection advantages as credit cards. They even work seamlessly for refunds, where the third-party vendor credits payment back to the virtual number.

The feature operates differently between the two, though, which is why I use both. Citi virtual numbers have a one-month expiration date so are appropriate for one-off purchases, while Cap-One numbers have a 5-yr expiration so are better for recurring use -- such as Amazon or your monthly phone bill. (I just took a look, and I have 74 virtual cards at Cap-One.)

Citi numbers can be generated from your online web account, and the number copy/pasted into the third-party website you're paying. Cap-One requires you to install a browser extension, which generates a virtual number when you get to the payment page of the third-party website. (FTR, Cap-One numbers can be locked afterward so they can be effectively used for one-off purchases too, but it's just an extra step.)

I can say I have never used my real credit card numbers anywhere online in the past decade (other than the card provider's own site). If a website gets breached, I sleep easy knowing nobody got my real card number, and any number they might have gotten is useless for use anywhere else. That won't protect me from a Target or Home Depot style of POS hack, so it's not perfect, but virtual numbers are still protection from the lion's share of breaches.
 

miquelfire

I like red!
Sep 26, 2020
www.miquelfire.red
The main reason Privacy.com is popular is because most credit card companies don't offer the virtual credit cards. I really wish this was a standard so Privacy.com didn't have a reason to exist in the first place.
 

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
The other side of Privacy, unrelated to its name, is that because it withdraws from your bank account, there is no possibility of credit issues or financing/interest charges. This would be a boon for people with no credit, like those who just graduated from high school or university, say.
 

QualityCleverTech

New member
May 3, 2021
There was an independent audit of Plaid's actual data retention vs its privacy statement claims done by Michael Bazzell recently that breaks the issue down nicely. I believe it was number 210 of his podcast, listening to it again now and will update this if mistaken.

hxxps://inteltechniques.com/podcast.html

Would love to see Security Now bringing this issue to a larger audience, excellent suggestion brookbphx!

Update: I was mistaken and it's not the 'Privacy Security & OSINT' podcast number 210 after all, will go over the ones I've listened to recently and repost when I pin the episode down... Not meaning to spam for a non Security Now podcast, just a resource germane to the question and as with grc one of the public voices I have enough trust for to recommend. No compensation or even awareness of the plug from either seems appropriate to say so... there's that.
 