
Is it, though? I’ve given Plaid the user name and password to my bank account. The same set of credentials that I use to log in, to pay bills, transfer money, etc. Plaid stores this information for future use in some sort of reversible encryption. So now we trust Plaid to keep both their data set of user names and encrypted passwords secure, and also to keep their decryption keys secure. Forget that noise. Like the previous commenter, they’re one breach away from exposing millions of bank account credentials. It doesn’t matter if the Plaid API is read only for the integration side - somebody has MY credentials, and that’s not read only.



Eh, it’s herd security. Hackers with credentials may pick off a few people’s accounts, but the odds of you being hit are low since it’s a hard problem to scale and there are so many targets.


For the 0.3 seconds until they automate emptying accounts...


If all Plaid's customers' accounts were emptied in one go, I suspect banks would reverse those transactions and tell any counterparties that lost money to pound sand.

I believe the cool kids call it a "hard fork", as in, if you are the bank that received the stolen funds and let someone withdraw them, you get forked, hard.


You wouldn’t drain all accounts all at once. Pick a couple accounts to satisfy your needs and drain them. Harder to get caught.



