The popular financial aggregator uses a surprisingly clumsy method of connecting to your bank accounts.
If you've used a personal finance app or needed to connect your bank accounts to a third-party application, you've probably come across Plaid. Plaid and similar services called aggregators are the glue that enables most modern personal finance and budgeting apps. About once a day, Plaid pulls data from your connected bank accounts.
When you use Plaid to connect a bank account to a third-party service, there are two methods Plaid may use, depending on the bank. If the bank and Plaid have an arrangement that allows direct access to the bank's data, you'll authorize Plaid to access your data by logging into your bank directly. This method is secure, as Plaid never sees your bank username and password.
Unfortunately, the world of banking is messy. Most banks do not allow direct access. In these cases, connecting your bank account involves giving Plaid your username and password. Plaid stores your credentials in an encrypted format, so it can periodically log into your bank account on your behalf and scrape financial data.
In cases where Plaid and your bank have a data access agreement, Plaid is reasonably safe. The fintech company did settle a $58 million class action lawsuit in 2022 related to harvesting and selling user data, so from a privacy perspective, Plaid doesn't receive high scores.
However, in cases where Plaid requires you to give them your bank username and password, Plaid is not safe. The company will say otherwise, touting all sorts of certifications and security audits. Plaid certainly goes to great lengths to keep your bank credentials secure, but the reality is that it's one data breach away from an unmitigated disaster.
When you log into your bank, the password you enter is hashed. Hashing is a one-way process that takes some text and outputs a scrambled, nonsensical, deterministic string. This hashed password is useless if it falls into the wrong hands because there is no way to go in reverse, as long as you've chosen a password that isn't easily guessable. Your bank compares the hash of what you entered with the stored hash of your actual password, and logs you in if they match.
Plaid can't hash your bank passwords because it needs to use those passwords to log into your bank accounts. So instead, Plaid encrypts your bank credentials using state-of-the-art technology. The key difference between encryption and hashing is that encryption is reversible. Given an encrypted password and the correct encryption key, the plaintext password can be retrieved no matter the encryption technology used.
Somewhere on Plaid's systems are your bank passwords, and somewhere else are the encryption keys necessary to decode those passwords. The two must come together for Plaid to log into your bank account. If that doesn't scare you, it should.
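To make the hashing-versus-encryption distinction concrete, here is an added example (constructed for this post, not code from Plaid or any bank). The bank side stores only a salted scrypt hash and verifies by recomputing it; the aggregator side has to store the credential reversibly, so ciphertext plus key yields the password again. The XOR keystream used for the reversible half is a stand-in chosen so the block runs with only the standard library; a real system would use an authenticated cipher such as AES-GCM, and the point about key-plus-ciphertext recovery holds regardless.

```python
import hashlib
import hmac
import os
import secrets

# --- Bank side: the password exists only as a salted, one-way hash ---
def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, scrypt digest). Nothing stored here recovers `password`."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def verify_password(attempt: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash of the attempt and compare in constant time."""
    digest = hashlib.scrypt(attempt.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(digest, stored)

# --- Aggregator side: the password must be stored reversibly to be replayed ---
# Constructed stand-in for a real authenticated cipher: SHAKE-256 keystream XOR.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(length)

def encrypt_credential(key: bytes, password: str) -> tuple[bytes, bytes]:
    """Return (nonce, ciphertext). Ciphertext alone is unreadable."""
    nonce = os.urandom(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce, ct

def decrypt_credential(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    """With the right key the original bytes come back; with a wrong key, garbage."""
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def demo(password: str = "correct horse battery staple") -> dict:
    """Run both storage models on one password and report what each can do."""
    salt, h = hash_password(password)
    key, wrong_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce, ct = encrypt_credential(key, password)
    return {
        "bank_verifies_correct": verify_password(password, salt, h),
        "bank_rejects_wrong": verify_password("hunter2", salt, h),
        "ciphertext_differs_from_plaintext": ct != password.encode(),
        "recovered_with_key": decrypt_credential(key, nonce, ct) == password.encode(),
        "recovered_with_wrong_key": decrypt_credential(wrong_key, nonce, ct) == password.encode(),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The hashed record lets the bank answer only "is this the right password?", while the encrypted record, once paired with its key, hands back the password itself.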
Fancy security credentials don't stop resourceful hackers. Okta, an enterprise identity management platform, was hacked last year. Microsoft, a multi-trillion-dollar cybersecurity leader, bungled its way to allowing Chinese hackers access to U.S. government emails. No company's cybersecurity is airtight.
If you want to use a personal finance or budgeting app to track your spending and stay on top of your finances, most of the options available use Plaid or another equally insecure aggregator. Latwy is different. Instead of connecting to your bank accounts, Latwy uses AI to parse purchase and withdrawal information from alert emails sent directly from your bank. This enables real-time notifications through Discord, Slack, Telegram, or email, complete with helpful charts showing spending patterns and trends.
Latwy works with any bank that sends transaction alert emails. This is a standard feature that most banks support, and it's usually easy to set up. The Latwy quickstart goes over how it all works. When you're ready to give it a try, Latwy offers a free 30-day trial with no credit card required.