Password managers can help you identify when you’re on the site you want, or might be somewhere you do not intend. By comparing the url of the site you’re on, to the urls saved in the password manager, the password manager can indirectly alert you to a suspicious situation.

Here’s an example. In the Robinhood app (which registers on iOS as Robinhood.com), you are prompted for a Wells Fargo account and password.

This sure looks a lot like Wells Fargo, but the password manager (Dashlane) tells you it detected that you’re actually entering this information on Robinhood.com.

If you ever find yourself in a situation where your password manager credentials don’t match or don’t autocomplete on a site where you expect they should, it should set off all sorts of alarms in your head.

This is not the login page for the site you think you’re on.

So then why does Robinhood make it seem like you are entering your information on Well Fargo?

In this case, the app is not trying to steal your bank information (or so they say), instead, it’s trying to help you log in quickly, so you can get back to using the app as soon as possible.

Robinhood, like many other financial apps, uses a service called Plaid (owned by Visa) to sign in to your bank accounts. Plaid touts itself as “The easiest way for users to connect their financial accounts to an app”. Incidentally it’s also the easiest way to condition people to fall for phishing schemes.

“Secure and private”, or “encrypted transfers and no access by Robinhood”, boils down to you trusting Plaid with your financial account information.

Is using Plaid any worse than sending your bank account and routing numbers? Well, at least you can change your password easily enough after giving your old one to Plaid. Changing a bank account is a bit more cumbersome.

Just be aware, the same tricks Plaid is using to make you think you’re logging into your bank can be used by more nefarious actors. And if you’re not using a password manager to help you recognize these tricks, you just might fall for one.

Stay safe. Wash your hands. Wear a mask. And use a password manager 🧼

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: