Any good security practices?

FicoMike0
Established Contributor

I read a thread about a potential security breach attempt and wonder what ideas we can collect from the mythic brain trust.  A few things I do are:

  1. I use a dedicated email for bank, credit union and brokerage contact. E.g. Ficomiko@protonmail.com. Picked protonmail since their reason for existing is security. I never give that address to anyone else for any reason. I don't even use it with myfico, creditkarma, etc.
  2. I not only use a strong password for each account, I use a hard-to-guess username, including letters, numbers and special characters, when that's supported. E.g. Fast&99racecar!.

Anyone else have some ideas to contribute?

Message 1 of 18
17 REPLIES
Horseshoez
Senior Contributor

Re: Any good security practices?


@FicoMike0 wrote:

I read a thread about a potential security breach attempt and wonder what ideas we can collect from the mythic brain trust.  A few things I do are:

  1. I use a dedicated email for bank, credit union and brokerage contact. E.g. Ficomiko@protonmail.com. Picked protonmail since their reason for existing is security. I never give that address to anyone else for any reason. I don't even use it with myfico, creditkarma, etc.
  2. I not only use a strong password for each account, I use a hard-to-guess username, including letters, numbers and special characters, when that's supported. E.g. Fast&99racecar!.

Anyone else have some ideas to contribute?


My thoughts are as follows:

  • Always enable 2FA where you can, and if a financial institution doesn't have that option, I'd be looking for a different one.
  • I avoid email services like Proton because many sites block them because a high (and I mean REALLY HIGH) percentage of users are scammers, hackers, and ne'er-do-wells.
I categorically refuse to do AZEO!
Message 2 of 18
Anonymalous
Valued Contributor

Re: Any good security practices?

Your email should be your most secure account, followed by financials. That's because email can be used to unlock other accounts.

If a site still follows bad practices and asks you to enter security questions, lie. Don't tell them the first street you lived in, the city where you got married, or any of that. Too much of that can be culled from public sources. Instead, make something up.

Never, ever, under any circumstances, use a service that uses Plaid.

Message 3 of 18
FicoMike0
Established Contributor

Re: Any good security practices?

I like the one about making up security questions, I do that. If they ask my mother's maiden name, it's not even a name, it's a color.

I've never had a problem with protonmail.

What's the problem with Plaid? I have used it.

Message 4 of 18
Anonymalous
Valued Contributor

Re: Any good security practices?


@FicoMike0 wrote:

What's the problem with Plaid? I have used it.

The #1 security rule is don't share your password. Plaid violates that by requiring your userid/password to sign in as you, and as a result has full access to everything.

Message 5 of 18
FicoMike0
Established Contributor

Re: Any good security practices?

Good point. I'll go back to routing and account numbers.

Message 6 of 18

Re: Any good security practices?

Great point, I didn't think of this. Now that I've Plaided a lot of stuff, is there a way to become safe again? If I change my credentials, am I good?

I assume that this may apply to other instant verification thingies as well. I had always (naively) assumed that Plaid didn't retain your credentials and maybe never even saw them, just got some digested version. Quick google suggests that I was wrong about that.

Message 7 of 18
Anonymalous
Valued Contributor

Re: Any good security practices?


@TyrannicalDuncery3 wrote:

Great point, I didn't think of this. Now that I've Plaided a lot of stuff, is there a way to become safe again? If I change my credentials, am I good?

I assume that this may apply to other instant verification thingies as well. I had always (naively) assumed that Plaid didn't retain your credentials and maybe never even saw them, just got some digested version. Quick google suggests that I was wrong about that.


There are two issues, security and privacy. If you change your credentials and don't let Plaid know, you've taken care of the first. Privacy is a bit trickier, because while they claim to be good custodians, there are reports they basically scrape everything they can from your account. They do supposedly have a portal where you can delete the information they have on you, though like all good companies that treat you as a product not a customer, they may have shared it with the ecosystem of information trackers. There isn't a lot you can do about that.

Message 8 of 18

Re: Any good security practices?

Thanks @Anonymalous! Makes sense. I assume the deletion is a lost cause. I'll try that portal once I've "de-Plaided" everything.

You said "If you change your credentials and don't let Plaid know." Is there anything special that you think I need to do in order to not let Plaid know?

Or is it sufficient to just not explicitly type anything else into Plaid? Is it okay if it's still linked in Plaid when I change the credentials?

Seems like yes but IDK. :)

Message 9 of 18
Anonymalous
Valued Contributor

Re: Any good security practices?

Changing the password for each linked institution may be sufficient, but I left it a little vague because I don't know if Plaid is doing anything tricky behind the scenes like automatically updating passwords once an account is linked. Googling suggests it's possible to revoke access to specific accounts within the Plaid portal, so it's probably a good idea to do that, and then change passwords after.

Message 10 of 18