Venmo is using a service that intercepts your banking credentials

One of my friends recently purchased a piano keyboard from me, and sent me the money via Venmo. I’ve had a Venmo account for a while, but have never received payment before.

Venmo uses a third party service called Plaid, which enables you to validate your bank account and send money through it.

The popup dialog appeared to be from Chase:

It looked fishy to me, so I inspected the source. The reset password points to chase, but the form itself does not. I looked at the network request and confirmed that username and password are being sent directly to Plaid, not your bank:

When I provided incorrect credentials, Chrome displayed a data breach error suggesting I change my password:

I am definitely not ok with a service that tries to dupe me into thinking I’m signing into my bank and intercepts my username and password.

You probably shouldn’t be either.