all security people forever: never enter your password on a different site

services nowadays: give your bank password to this sketchy third-party data harvesting company to enable payments

@aburka when i first encountered plaid, i was like "oh ok, it must use some sort of an oauth type thing to do an api call to the banks it supports to get some limited info"

was i ever wrong that it actually does a mitm attack on your bank with the actual login info. fucking clown shit

and they don't delete that info either, made the mistake of using it once, then like a year later my bank listed a login from an aws ip. i contacted the aws abuse email and the login was from plaid, no idea what the fuck they were doing tho. immediately changed my password after that

it's unfortunately common to require using these services when getting an apartment now, so that's good info that you can bypass it by failing to log in three times
@jiub nope, banks have not even discovered the technology of app-specific passwords
@aburka yeah i was definitely a bit naive about the quality of bank software lmao
@jiub Even still it blows my mind that mitm-as-a-service is a real segment of the industry and it's accepted by most people
@aburka exactly! i assumed that these banks worth hundreds of billions of dollars wouldn't like their customers giving out their passwords to random companies scraping their site

and i can't blame users for using these services, they're kind of forced to and aren't explained the implications of how it works