The Sorry State of Fintech Privacy: Visa Wants to Buy Plaid, and with it, Bank Transaction Data for Millions of People. DOJ Sues

Plaid asks for your bank credentials, logs into your account, and obtains your banking data, such as balances, assets, transaction history, and debt. Visa wants to buy it all.

By Bennett CyphersElectronic Frontier Foundation:

Visa, the credit card network, is trying to buy financial technology company Plaid for $5.3 billion. The merger is bad for a number of reasons. First and foremost, it would allow a giant company with a controlling market share and a history of anticompetitive practices to snap up its fast-growing competition in the market for payment apps. But Plaid is more than a potential disruptor, it’s also sitting on a massive amount of financial data acquired through questionable means. By buying Plaid, Visa is buying all of its data. And Plaid’s users—even those protected by California’s new privacy law—can’t do anything about it.

Since mergers and acquisitions often fall outside the purview of privacy laws, only a pointed intervention by government authorities can stop the sale. Thankfully, this month, the US Department of Justice filed a lawsuit to do just that. This merger is about more than just competition in the financial technology (fintech) space; it’s about the exploitation of sensitive data from hundreds of millions of people. Courts should stop the merger to protect both competition and privacy.

Visa’s Monopolistic Hedge

The Department of Justice lawsuit outlines a very simple motive for the acquisition. Visa, it says, already controls around 70% of the digital debit card payment market, from which it earned approximately $2 billion last year. (Mastercard, at 25% market share, is Visa’s only significant competitor.) Thanks to network effects with merchants and consumers, plus exclusivity clauses in its agreements with banks, Visa is comfortably insulated from threats by traditional competitors. But apps like Venmo have started—just barely—to eat away at the digital transaction market. And Plaid sits at the center of that new wave, providing the infrastructure that Venmo and hundreds of other apps use to send money around the world.

According to the DoJ, a Visa executive predicted that Plaid would undercut its debit card processing business eventually, and that buying Plaid would be an “insurance policy” to protect Visa’s dominant market share. The lawsuit alleges that Plaid already had plans to leverage its relationships with banks and consumers to launch a new debit service. Seen through this lens, the acquisition is a simple preemptive strike against an emerging threat in one of Visa’s core markets. Challenging the purchase of a smaller company by a giant one, under the theory that the purchase eliminates future competition rather than creating a monopoly in the short term, is a strong step for the DoJ, and one we hope to see repeated in technology markets.

But users’ interest in the Visa-Plaid merger should extend beyond fears of market concentration. Both companies are deeply involved in the collection and monetization of personal data. And as the DoJ’s lawsuit underscores, “Acquiring Plaid would also give Visa access to Plaid’s enormous trove of consumer data, including real-time sensitive information about merchants and Visa’s rivals.”

Plaid, Yodlee, and the sorry state of fintech privacy

Plaid is what’s known as a “data aggregator” in the fintech space. It provides the infrastructure that connects banks to financial apps like Venmo and Coinbase, and its customers are usually apps that need programmatic access to a bank account.

It works like this: first, an app developer installs code from Plaid. When a user downloads the app, Plaid asks the user for their bank credentials, then logs in on their behalf. Plaid then has access to all the information the bank would normally share with the user, including balances, assets, transaction history, and debt. It collects data from the bank and passes it along to the app developer. From then on, the app can use Plaid’s services to initiate electronic transfers to and from the bank account, or to collect new information about the user’s activity.

In a shadowy industry, Plaid has tried to cultivate a reputation as the “trustworthy” data aggregator. Envestnet/Yodlee, a direct competitor, has long sold consumer behavior data to marketers and hedge funds. The company claims the data are “anonymous,” but reporters have discovered that that’s not always the case. And Finicity, another financial data aggregator, uses its access to moonlight as a credit reporting agency. A glance at data broker listings shows a thriving marketplace for individually-identified transactions data, with dozens of sellers and untold numbers of buyers. But Plaid is adamant that it doesn’t sell or monetize user data beyond its core business proposition. Until recently, Plaid has often been mentioned alongside Yodlee in order to contrast the two companies’ approaches, when it’s been mentioned at all.

Now, in the wake of the Visa announcement, two new lawsuits (Cottle et al v. Plaid Inc and Evans v. Plaid Inc) claim that Plaid has exploited users all along. Chief among the accusations is that Plaid’s interface misleads users into sharing their bank passwords with the company, a practice that plaintiffs allege runs afoul of California’s anti-phishing law. The lawsuits also claim that Plaid collected much more data than was necessary, deceived users about what it was doing, and made money by selling that data back to the apps which used it.

EFF is not involved in either lawsuit against Visa/Plaid, nor are we taking any position on the validity of the legal claims. We’re not privy to any information that hasn’t been reported publicly. But many of the facts presented by the lawsuits are relatively straightforward, and can be verified with Plaid’s own documentation. For example, at the time of writing, still hosts example sign-in flow with Plaid. Plaid does not dispute that it collects users’ real bank credentials in order to log in on their behalf. You can see for yourself what that looks like: the interface puts the bank’s logo front and center, and looks for all the world like a secure OAuth page. Try to think about whether, seeing this for the first time, you’d really understand who’s getting what information.

Who’s getting your credentials? Not just Citi.

Many users might not realize the scope of the data that Plaid receives. Plaid’s Transactions API gives both Plaid and app developers access to a user’s entire transaction and balance history, including a geolocation and category for each purchase made. Plaid’s other APIs grant access to users’ liabilities, including credit card debt and student loans; their investments, including individual stocks and bonds; and identity information, including name, address, email, and phone number.

A screenshot from Plaid’s demo. What, exactly, does “link” mean?

For some products, Plaid’s demo will throw up a dialog box asking users to “Allow” the app to access certain kinds of data. (It doesn’t explain that Plaid will have access as well.) When we tested it, access to the “transactions,” “auth,” “identity,” and “investments” products didn’t trigger any prompts beyond the default “X uses Plaid to link to your bank” screen. It’s unclear how users are supposed to know what information an app will actually get, much less what they’ll do with it. And once a user enters their password, the data starts flowing.

Users can view the data they’re sharing through Plaid, and revoke access, after creating an account at This tool, which was apparently introduced in mid-2018 (after GDPR went into effect in Europe), is useful—for users who know where to look. But nothing in the standard “sign in with Plaid” flow directs users to the tool, or even lets them know it exists.

On the whole, it’s clear that Plaid was using questionable design practices to “nudge” people into sharing sensitive information.

What’s in it for Visa?

Whatever Plaid has been doing with its data until now, things are about to change.

Plaid is a hot fintech startup, but Visa thinks it can squeeze more out of Plaid than the company is making on its own. Visa is paying approximately 50 times Plaid’s annual revenue to acquire the company—a “very steep” sum by traditional metrics.

A huge part of Plaid’s value is its data. Like a canal on a major trade route, it sits at a key point between users and their banks, observing and directing flows of personal information both into and out of the financial system. Plaid currently makes money by charging apps for access to its system, like levying tariffs on those who pass through its port. But Visa is positioned to do much more.

For one, Visa already runs a targeted-advertising wing using customer transaction data, and thus has a straightforward way to monetize Plaid’s data stream. Visa aggregates transaction data from its own customers to create “audiences” based on their behavior, which it sells to marketers. It offers over two hundred pre-configured categories of users, including “recently engaged,” “international traveler – Mexico,” and “likely to have recently shifted spend from gasoline to public transportation services.” It also lets clients create custom audiences based on what people bought, where they bought it, and how much they spent.


Plaid’s wealth of transaction, liability, and identity information is good for more than selling ads. It can also be used to build financial profiles for credit underwriting, an obviously attractive application for credit-card magnate Visa, and to perform “identity matching” and other useful services for advertisers and lenders. Documents uncovered by the DoJ show that Visa is well aware of the value in Plaid’s data.


Illustration by a Visa executive of Plaid’s untapped potential, included in Department of Justice filings. The executive “analogized Plaid to an island ‘volcano’ whose current capabilities are just ‘the tip showing above the water’ and warned that ‘what lies beneath, though, is a massive opportunity – one that threatens Visa.’” Note “identity matching,” “credit decisioning,” and “advertising and marketing”—all data-based businesses.

Through Plaid, Visa is about to acquire transaction data from millions of users of its competitors: banks, other credit and debit cards, and fintech apps. As TechCrunch has reported, “Buying Plaid is insurance against disruption for Visa, and also a way to know who to buy.” The DoJ went deeper into the data grab’s anticompetitive effects: “With this insight into which fintechs are more likely to develop competitive alternative payments methods, Visa could take steps to partner with, buy out, or otherwise disadvantage these up-and coming competitors,” positioning Visa to “insulate itself from competition.”

The Data-Sale Loophole

The California Privacy Rights Act, which amends the California Consumer Privacy Act (CCPA), was passed by California voters in early November. It’s the strongest law of its kind in the U.S., and it gives people a general right to opt out of the sale of their data. In addition, the Gramm-Leach-Bliley Act (GLBA), a federal law regulating financial institutions, allows Americans to tell financial institutions not to share their personal financial information. Since the CPRA exempts businesses which are already subject to GLBA, it’s not clear which of the two governs Plaid. But neither law restricts the transfer of data during a merger or acquisition. Plaid’s own privacy policy claims, loudly and clearly, that “We do not sell or rent personal information that we collect.” But elsewhere in the same section, Plaid admits it may share data “in connection with a change in ownership or control of all or a part of our business (such as a merger, acquisition, reorganization, or bankruptcy).” In other words, the data was always for sale under one condition: you had to buy everything.

That’s what Visa is doing. It’s acquiring everything Plaid has ever collected and—more importantly—access to data flows from everyone who uses a Plaid-connected app. It can monetize the data in ways Plaid never could. And the move completely side-steps restrictions on old-fashioned data sales.

Stop the Merger

It’s easy to draw parallels from the Visa/Plaid deal to other recent mergers. Some, like Facebook buying Instagram or Google buying YouTube, gave large companies footholds in new or emerging markets. Others, like Facebook’s purchase of Onavo, gave them data they could use to surveil both users and competitors. Still others, like Google’s acquisitions of Doubleclick and Fitbit, gave them abundant new inflows of personal information that they could fold into their existing databases. Visa’s acquisition of Plaid does all three.

The DoJ’s lawsuit argues that the acquisition would “unlawfully maintain Visa’s monopoly” and “unlawfully extend [Visa’s] advantage” in the U.S. online debit market, violating both the Clayton and Sherman antitrust acts. The courts should block Visa from buying up a nascent competitor and torrents of questionably-acquired data in one move.

Beyond this specific case, Congress should take a hard look at the trend of data-grab mergers taking place across the industry. New privacy laws often regulate the sharing or sale of data across company boundaries. That’s great as far as it goes—but it’s completely sidestepped by mergers and acquisitions. Visa, Google, and Facebook don’t need to buy water by the bucket, they can just buy the well. Moreover, analysts predict that this deal, if allowed to go through, could set off a spree of other fintech acquisitions. It may have already begun: just months after Visa announced its intention to buy Plaid, Mastercard (Visa’s rival in the debit duopoly) began the process of acquiring Plaid competitor Finicity. It’s long past time for better merger review and meaningful, enforceable restrictions on how companies can use our personal information. By Bennett CyphersElectronic Frontier Foundation

Internet of Things at Home: Ring sends the surveillance data of its own customers to third parties, including Facebook. Read... Ring Doorbell App Packed with Third-Party Trackers to Surveil its Own Customers

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.

  46 comments for “The Sorry State of Fintech Privacy: Visa Wants to Buy Plaid, and with it, Bank Transaction Data for Millions of People. DOJ Sues

  1. Mr Wake Up says:

    Plaid = you been played!

    Ring – there should be a big warning label on all devices sold. Warning we are spying on you!

    Home Depot had a giant display of we spy on you devices. I explained to my children what those devices are intended for and people looked at me like I was nutso. So sad the state we are in and how clueless the average citizen is.

    Maybe someone should call there local politicians hahaha

    • Joe Saba says:

      WHY IS VISA/MC so EXPENSIVE TO SMALL BUSINESS(all businesses)?????

      seems to me these banksters(and VISA/MC/AMEX/DISCOVER) as they ‘franchise’ them thru their BANKER CABAL

      I hate EU but I agree 1000% with their rules – each TRANSACTION whether $1 or $1,000,000 costs same to PROCESS thru network

      .35 cents seems more than GENEROUS per transactions

      • Nacho Libre says:

        >> “each TRANSACTION whether $1 or $1,000,000 costs same to PROCESS thru network”


        If EFF had brains it would file a class action lawsuit for this 2.9% price fixing.

    • Morty Mc Mort says:

      Scott Mc Nealy? – Sun Microsystems.. 1999
      Privacy is Dead… you don’t have any..
      Get Over It..

      That battle is long over.. this issue is moving on..
      The Genie is long out of the Bottle..
      I still say – Reverse the Script.. Transparent Block Chain Enablement of total personal and financial tracking for all public servants, and groups that receive and spend Taxpayer money…
      It is a start..
      They spy on us..
      We Monitor Them…

  2. 2banana says:

    It is getting harder and harder to pay by cash/check, use no social media and to stay below the radar.

  3. lenert says:

    Meh – small taats at just over one percent of Visa’s market cap. It’ll go through no big deal.

    • Tony22 says:

      Whatever you do Brer Rabbit, don’t try and clean a Ring lens spying on your property with rough sandpaper.

  4. Zantetsu says:

    Is it possible to have a discussion about whether or not there is any personal risk associated with having transaction information shared? And whether or not the value of services provided by virtue of sharing that data is worth that “risk”?

    Or will I just get shouted down by the tin foil hat wearers?

    On the likely naive hope that I won’t get shouted down, let me say that I generally don’t care much about my “private data” being shared in this way. If someone can utilize that data to provide me with better service, then by all means, have at it. Keeping private data like that private has no particular value to me, and I’d rather have the services that someone can leverage off of it.

    First principle: if I make an electronic transaction, I have already given up on keeping that transaction “private”. I engaged a third party to be explicitly involved in that transaction and so I’d be foolish to think that somehow I can keep the details completely private forever. If I want truly private transactions, I’ll pay in cash in a shady corner of a back alley while wearing sunglasses.

    Second principle: my private data will be used by an algorithm that treats everyone fairly equally; it will be run through some service to try to sell me something or find out something about me to help someone else sell me something. It’s not going to be used to ‘pick on me’, to expose my transactions to the world to shame me or for some other silly reason. Large corporations don’t find griefing customers to be a valid business model, so I would not expect to be griefed by a business that had my data.

    Third principle: my private data will not be released to the public, it will only be used within narrowly defined purposes for legitimate business reasons. I am pretty sure there are laws ensuring this is true, and I trust them. Businesses won’t engage in shady practices because they’d be sued under those laws.

    So I feel pretty confident that my private data is ‘safe’ even when used by corporations for the purposes that this article discusses. The privacy of that data is of no real value to me since as I established above, meaningful privacy is basically guaranteed anyway. The use of my private data for ‘business purposes’ is, in my eyes, just a way for me to get free value out of that data that I otherwise would not get.

    What kind of value would I get? Here are some examples I can think off of the top of my head:

    – More efficient and better targeted advertising so that I don’t have to see as much garbage advertising.
    – Lower costs of products as the companies that sell them can reduce the price of products by whatever amount they were able to monetize my data for.
    – Unique features of services that can only be offered if my “private transactional data” is used (for example nice graphs showing me transaction history).

    Now the tinfoil hatters will come along and simply state that all data should be kept private in every way possible “because we’re paranoid”. OK, be paranoid, then. But I don’t find that kind of paranoia particularly compelling.

    If you want to show me why sharing this kind of private data is bad, give me some examples of things that have specifically happened to individuals as a result of this data being used in corporate settings like that discussed in the article. Be sure to include the frequency of occurrence so that we can legitimately discuss whether a 0.0001% chance of something bad happening is worth worrying about.

    • buddhahacker says:

      This is the attitude of most people. A lack of understanding of the risk and trinkets for rewards. Once your data is out you can’t pull it back.

      I did a deep dive for client last year and was able to find out what they bought, where they lived and where their daughters lived. Who they worked for and how much they made. I was also able to get some idea around a medical condition via sales transactions and was able to predict when they would take their next vacation and where. I was also able to find media that they thought they never shared along with several fake social media IDs that they frequently used. All of this in less than 2 hours of my time.

    • 2banana says:

      China has backlisted 14+ million of its own citizens from the analysis of the exact data you just described.

      The have been deemed “untrustworthy.”

      They cannot buy plane or airline tickets, they are excluded from decent jobs, they cannot get car/house loans, their children cannot attend the better schools and they cannot even rent most hotel rooms.

      They even get their photo posted on “Deadbeat Map” for all to see.

      Yep – totally worth it for more “efficient” advertisements.

      • OutsideTheBox says:

        Not only China….

        Next time you apply for a job….guess what HR does ?

    • Tony22 says:

      –” More efficient and better targeted advertising so that I don’t have to see as much garbage advertising.”
      Use Firefox and an adblocker, you will not see any ads. Send Wolf some money to make up for it.

      –”Lower costs of products as the companies that sell them can reduce the price of products by whatever amount they were able to monetize my data for.” And if you live in a high income state or zip code, your prices will be higher than normal.

      –” Unique features of services that can only be offered if my “private transactional data” is used (for example nice graphs showing me transaction history).”For those with no pen and paper.

    • andy says:


      Why don’t you share your private data here if you’re so confident. Put your data where your mouth is.

      Let’s start with basics – full name, address, Social Security. I will wait..

      • Zantetsu says:

        Hi Andy, if you have a company bound by the rules, laws, and business practices that I mentioned above, let me know. I’ll share with that company.

        • Kurtismayfield says:

          What are the consequences if a company breaks those rules? A fine that is paid as “cost of business”.

          The rules mean nothing when there is more profit in it to break them. Call me when someone in a corporation actually gets jail time for breaking Ng those rules.

        • Sierra7 says:

          “…. if you have a company bound by the rules, laws, and business practices that I mentioned above, let me know.”
          Er, as an example of “trust” in “companies” I give you the history of the last economic crash, ’08-’09!
          In this case you have public (mostly) companies gathering all that personal information and since so many of those same companies collude with the “National Security State” in the long run some of that info will certainly be used against you. That is the role of the NSC. Tin foil hat or not.
          “Personal” is just that….personal.
          I would prefer that whenever my personal information is used in the business world that I be paid for that use. You would see much of this mischief be slowed or stopped.
          We allow our personal information to be traded like baseball cards with no monetary advantage to ourselves whatsoever.
          If we are to be used as a commodity then “pay me”.
          “Tin foil hatters, indeed!”

    • Thomas Roberts says:


      Just because the bad things haven’t started yet, doesn’t mean it’s acceptable. The big way this data will harrm the public is that if companies know every single aspect of your life and can use it against you, they will eventuality figure out targeted ads that actually work on most people. They will swing every election and democracy is done. They will use every feeling you ever had in an emotionally manipultive way. And even if you take every step to avoid them spying and tricking you, most won’t, and you’ll live under the boots they lick.

      There is absolutely no need for the immense data collection that goes on and there is no benefits for the average jo, only harm that results from it. It can be as simple as reduced competition resulting in higher prices and less choices, but, there will be much worse consequences. There are quite a few negative situations i can think of, off the top of my head, but, they are complicated to explain. There are endless possibilities, all bad.

      • Thomas Roberts says:

        In good countries targeted advertising would, eventually, face enough resistance to prevent them from going too far, but, they still will cause problems, unless banned completely. The real use case of “Big Data” is targeted advertising. There are other nefarious uses as well of course.

    • Wolf Richter says:


      I understand that’s what you think, and that’s great. But you need to read the article to figure out what actually is happening here. This will disabuse you of some of your concepts.

    • mars says:

      Z, no foil hat here…..

      A few years a go I worked on a project as an independent contractor for an aggregator

      The client was a health insurance underwriter wanting to match up the last four digits of credit cards used in specific zip codes for purchases of alcohol and tobacco

      I bet back then they cross referenced purchase transaction data with Cc premium payments for a moral hazard vector for premium for coverage selection or cancellation.

      Yeah, it’s all good. Dream on.

      • Kurtismayfield says:

        Yep, and all this data will be used against you.. legal or not. The best part is that you will never know it happened

    • w says:

      Ever hear if the darkweb???The more data you have accessible online to whomever-dr.,insurance co.s,social security,I.r.s.,visa,employment/labor dept.,amazon,emails,the more vulnerable to identity theft you are.I guarantee you will care then.Recent Known hacks:many hospitals,d.o.d.,V.A.,yahoo,Equifax,IL. Dept. Of Unemployment-2x,several medical insurance co.s

      • OutsideTheBox says:


        Ever hear of Death ?

        Ya know that experience at the end of life.

        Why don’t we get all worked up about that next ?

    • Outwest says:

      I don’t necessarily disagree with many of your points but you didn’t address what I think was the thrust of this article….the consolidation of control of what you describe above into the hands of a few.

    • joe2 says:

      I feel sorry for you and want to help, but I am not going to rebut you point by point. I just wish they had not gotten my telephone number so I would not get the 20 messages and 5 robo calls a day that I get. And I have to cancel at least one card every 6 months due to fraud.

      • joe2 says:

        Wolf, I saw what you did there in editing my comment. I know you are trying to keep a lid on politics and focus on finance, but do you really believe there can be a lid anymore? The old world of gentile facades is gone. Let the truth out and let people prepare. If Biden is president, the style of government has been chosen and socialism always requires scapegoats to blame and punish. This is the way of socialism when we see crony capitalism merged into totalitarianism.
        Look back at the Wolf of 2005 and honestly tell me you see this as normal and we are not on the brink of vaccine cards, social credit scores and censorship, re-education, and centrally monitored and metered digital currency.
        Thee are no financial markets to analyze, why bother?

  5. andy says:

    $5.3 Billion is chump change.
    Tesla is being added to SP500 index funds at close to $0.6 Trillion.

    Fin industry is indexing bag holders. And that’s all you need to know about indexing.

  6. Lisa_Hooker says:

    Thanks Zantetsu. We need all the optimists we can find. Justified or not. Life would be a bummer if everyone was paranoid.

    • 2banana says:

      There is a huge difference in being paranoid and just wanting to be left alone in privacy.

      It’s not a new problem or argument.

      “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

      • OutsideTheBox says:

        Yeah…..great bit of law there.

        Trouble is……only applies to government.

        It is no impediment whatsoever to the private sector.

        • joe2 says:

          And even for the government it does not apply at borders, which are now defined with a 100 mile width inside the US.

  7. WES says:

    Privacy is the “oh, look there is a squirrel” distraction from the actions of those intent on eliminating future competition.

    No competition means higher prices.

    • Cas127 says:

      The bigger question is how Visa’s 75% mkt share in a 2 or 3 player mkt has managed to survive antitrust for decades and many, many administrations.

      The original pitch to retailers and banks (“Deal only with us, otherwise you’ll need dozens of special terminals!”) seems long obsolete, so I’m guessing it is only ancient legal agreements that keep Visa’s monopoly intact, against a bazillion potential internet competitors.

      I would be interested in hearing a quick summary of the court cases that support those long standing exclusivity agreements and how they’ve survived antitrust.

    • w says:

      Exactly!!What happened to so-called freemarket capitalism?I do not think it Ever existed.Too many monopolies=higher costs,less innovation,and less legal recourse as the two Gigantors give you the consumer/peasant two choices:use our services/products and relinquish All rights to an individual/classaction lawsuit(forced arbitration at locale and time of company choosing) or do without said product/service!! :-)

  8. Anthony A. says:

    Yeah thanks Zantetsu, I feel the same way.

    My “data” is everywhere anyway. Since Equifax gave it all out, the bag is open. And, in case I never buy another thing with a CC, the U.S. government has every tax record I filed, my earnings, who I worked for, how many kids I had, where I live, the color of my skin, what church I go to, and probably the color of my underwear.

    One thing I won’t do though is sign on to one of these aggregators like Personal Capital where you have to give out user names and passwords to financial accounts to use their software.

  9. DR DOOM says:

    Regulatory agencies are all captured by the corporate/security military complex. Fergettaboutit.

  10. William Smith says:

    Am I wrong here, but don’t bank T&Cs prohibit disclosure of login credentials to other parties? I would NEVER EVER disclose any passwords or login details for any financial institution account. If money “goes missing” then they can say that it was my fault and therefore be absolved of any responsibility to refund said funds. I even go so far as to have a dedicated Linux laptop which is only used for banking. Every possible password (BIOS, HDD etc) is enabled. Data is always encrypted and the system is always updated. Phones and “apps” are just too insecure to trust for banking! Convenience comes at much too high a price as indicated in the article.

    • Panamabob says:

      My thought is never use a credit or debit card unless necessary or just it’s too convenient, gasoline for example. I pull a thousand or two from my account each month and pay with cash for most things and use online payment when I can. I think that the least data given is the way to go in the World we live in today.

  11. Anonymous says:


    I recommend that you should sign up for Zelle at your bank with your gmail account from you iPhone, so that all your transactions are monetized by both Apple and Google.

    What have you got to lose.

  12. Sriram Natarajan says:

    Great take of the issue. But what about MasterCard’s acquisition of Finicity? Isn’t it the same as Visa acquiring Plaid? Why is the DoJ silent on that acquisition?

    • Wolf Richter says:

      Yes, at this point, the DOJ should block ALL fintech acquisitions by anyone and let these companies fight it out in the market place. That’s what is really needed to shake up the duopoly and the other entrenched players.

  13. Tom Pfotzer says:


    While you have the admirable capacity to say things which will likely earn some resistance, I think you are glossing over some very strategic long-term vulnerabilities which you appear to be welcoming into your castle, like the fabled Trojan Horse.

    Acquiescing to the capture, permanent storage, and possibly malignant targeting of your mind, persona, and volition is a risky proposition.

    That malignant targeting is the natural consequence of handing over data about your conversations, relationships, purchases, investments, assets, reading material…all the things which constitute the outward behavioral expression of your innermost thoughts and will. It renders you a manipulable device; you become what you’re behaviorally shaped to be.

    Facebook and Google are as big as they are because they’ve learned how to harvest and monetize and manipulate that data to a degree unprecedented in human history.

    Our entire society is taking a big risk by handing them (anyone) this power. We’ve recently seen a great deal of politicization of key government institutions, like the Dept of Justice (esp. FBI lately, and J. Edgar Hoover in the past), the NSA (Clapper, for ex), and the CIA (Brennan, for ex). The very people we most trust with extremely sensitive information – and great power – have betrayed the public trust.

    The EU is trying to rein this snoop-culture in. Europe, especially Eastern Europe, has had some really bad times with “oversight” and psychological manipulation in general. That’s one reason they’re a bit more cautious than we are at the moment. They are more aware of what can happen.

    Humans are only “human” because of their free will – their volition. Freely giving away the information required to manipulate oneself seems unwise to me.

    Your position seems to be “I’m powerless to stop it, so I give up. And, I get cool ads”.

    • OutsideTheBox says:

      I suppose there are weak minded folks who are ” manipulated” by ads.

      Just remember what an adman said ( still true )…..” We know half of all advertising works……We just don’t know which half “

    • OutsideTheBox says:

      Malignant targeting would also involve data that is incriminating in some way but is also completely fabricated.

      See…’s the thing….even if one totally controls data and personal info….it’s futile.
      Fake data/info can be created to implicate anyone.If someone really wants to get you they will.

  14. Questa Nota says:

    Goliath, or Leviathan, take your pick.
    Recall how you may have thought about privacy only a short decade or two ago.
    If you aren’t pissed off, you should be.
    Write your Congressional delegates.
    Remind them of why they were elected, and who they, at least in theory, serve.

  15. Mad Dog says:

    The big banks are in all the credit card hacking that is going on. I’ve been hacked 5 times in this past year and have set up multiple layers of security. All have failed. BOA is the worst of the worst. I called the number on the back of the AAA BOA card to inquire about redeaming my reward points and the call got routed to a scam artist in the Middle East or Nigeria who could barely could speak English and he tried without luck to get my other credit cards and withdraw funds from them. They claimed they were BOA customer service representatives.

    I went to the BOA bank in my area and talked to a bank Rep about this incident and they could care less.

Comments are closed.