Comment by Arrowmaster

2 hours ago

Yesterday I was renewing my vehicle registration through my US state's website. They offered a range of payment options embedded on the site. The direct bank account option had the lowest fee, but when I tried it I was immediately scared of the security. They used a 3rd-party bank account transfer provider that asked me what bank I used and looked like it was going to prompt me for my login info before it errored out and I moved on.

Why can't the US have sane banking standards instead of this mess where you have to agree to a new 3rd-party TOS and EULA for every purchase you want to make?

What you see is glue, or patchwork, to make things work somehow with the existing state of things. Strictly speaking, a lot of banks do not offer API support, and yet these third-party tools are able to orchestrate a flow which is nothing less than a man-in-the-middle attack.

The change, if it happens at all, across the board to streamline things, can only come from a government mandate. The industry is always going to go for finding some low-cost option to achieve the target. The private players are always going to optimize for short-term gains.

When using a government website, you were intimidated by the security posture of... Plaid? (Genuine question, maybe this was some other provider but Plaid's aggregator tool is the most common place I see this pop up in real life for ACH)

  • I personally have _no idea_ what the security posture of plaid is. I know they're a startup and made a bit of noise a few years ago, but if I was trying to buy something and a third party app popped up saying, "hey give me total access to withdraw directly from your bank account for a sec", why on earth would I say yes to that?

    It also seems to go against common security advice. "Never log into your bank account if redirected by a website you sort of, but don't really, trust, except sometimes it's alright and it's up to you to tell the difference" is a terrible way to secure banking.

  • If any site asks me for my bank login credentials, I run far away and start checking if I've made any security mistakes. So far PayPal is the only set of credentials I'll enter after a redirect.