Paying for car without forking over my online banking creds?

I have delivery of a Y scheduled for the 30th. My Tesla account is now nagging me to complete payment.

Unfortunately, it appears the only way payment is accepted is by "Plaid", which tries to reassure me with some generic fluff about FULLY ENCRYPTED COMMUNICATIONS then expects me to fork over my login credentials for my bank's web site.

No thank you. Not handing those to some 3rd party intermediary (no, I wouldn't give them directly to Tesla either). Certainly not signing up to some click-through agreement dramatically limiting my options for recovery if they lose or misuse those credentials, either. What a ridiculous expectation just to pay for a car.

Is it still possible to pay Tesla by wire transfer? That's what I did when I bought my S 5 years ago. How would I even ask? I haven't talked to a human being about this purchase since the day I test drove, and when I call the local showroom/service center, I don't get anyone on the phone...
 
There are plenty of ways I'd be willing to pay, including cash on the barrelhead (since Tesla will not accept cash, I ask that nobody here follow me around on the 30th and mug me to "get the cash" -- I won't have it) but any method that requires me to give my bank account login information to a 3rd party is just not one of them.

I mean, seriously, it's not even like I could just give them access to one of my accounts -- if I give them login access, they (or anyone else who gets the password, which must be retrievably stored in Plaid's systems or their service could not work) can do anything I could do at that institution. Hell, they could dump out my retirement funds and tell me to take it to arbitration or get lost (nice user agreement there, by the way).

It's obnoxious to even suggest people fork over their bank login info in return for the privilege of buying a car. But how exactly do I even ask Tesla to accept payment some other way? Even more obnoxious is that the site doesn't tell me.
 
Read your MVPA. It clearly states that you can pay by check or wire transfer. ACH is simply the most convenient method. While Tesla prefers you to pay in advance you can also pay at pickup with a cashier’s check. This will avoid the potential headache of seeking a refund if you reject the car at delivery.

I paid for an S with a personal check years ago, I would be surprised if that policy has changed. It's not like Tesla will be unable to find the car if the check bounces.
 
While I absolutely applaud the caution of those in this thread (it is absolutely warranted), Plaid is a well-known player in the financial industry these days. It's used for connecting your account to all sorts of things. Venmo, Mint, Stripe, just to name a few. It allows them to pull in your account numbers and routing numbers safely and securely from any bank Plaid has agreements with, which is most of the banks in the US today. They can then set up your ACH transfer reliably with less chance of failure because you mistyped a number. Having said that, I'm quite sure your SA can set up the same manually, but it will take longer and have the risk of failing to go through because the account number or routing number is mistyped. Giving those numbers to your SA is not less dangerous than having a service like Plaid pull them. The SA could just as easily take them and set up an ACH transfer to her offshore account in the Caymans as to Tesla. Plaid at least takes that risk out because no human has to ever see your account info.
 
I paid for my Model Y in June via a cashier's check. Tesla will strongly encourage you to make payment via ACH (Plaid must be something new.) I told each of the Tesla Delivery Advisors who texted me or called me that I would be paying via a bank cashier's check. I was a victim of ACH debit fraud in 2019, no way I wanted to go through it again especially with COVID-19 protocols in place.

A few days before your scheduled delivery obtain an updated payoff amount so you can draw that amount from your bank account. The bank will ask for the business address of the payee (Tesla), I gave the cashier the address of my local Tesla Service Center and they were satisfied. The only downside of paying via a cashier's check is you have to go to the bank, follow COVID-19 distancing protocol so there was about a 30 minute wait in line at my bank before I could speak with a teller.

Depending on your state's laws you may have to send payment to Tesla in advance of taking delivery. I scheduled contactless home delivery on a Sunday. All of the required paperwork was inside the vehicle. I signed the forms and included my cashier's check in the pre-addressed FedEx envelope that Tesla provided. I placed the FedEx envelope in the drop box at a local FedEx/Kinko's store on Monday.
 
Giving those numbers to your SA is not less dangerous than having a service like Plaid pull them. The SA could just as easily take them and set up an ACH transfer to her offshore account in the Caymans as to Tesla. Plaid at least takes that risk out because no human has to ever see your account info.

For what it's worth, my caution is because I work in information security in the financial industry. I spent a good chunk of five years working on wire payment security.

Giving account and routing numbers to a SA is vastly less risky than giving financial institution login details to a 3rd party -- whether it's some sexy venture-funded darling like Plaid or, um, other people who might ask for your account name and password, like, say, Joey Knuckles' House Of Cards -- for several reasons.
  1. An account and routing number pick out a single account at an institution. Adding an account that's used only for transfers of this type is of extremely low cost -- often free. For example, if you're a Chase customer, they'll give you a second checking account (they call it a "Liquid" account) with no checks, just for the asking. You can use it as a holding place for money that's being transferred in or out and have full confidence that anyone who's got those account details can never touch any other funds you have there.
  2. Procedures for reversing mistaken, fraudulent, or otherwise improper ACH and wire transfers are well established, well understood, and high-confidence. If an SA uses your routing and account numbers to steal your money, it's likely they'll be caught (even if they're savvy enough to send it to a casino in the Philippines) but it's almost certain you'll get it back whether they end up in jail or not.
  3. Giving your account name and password for an institution to a 3rd party has none of these properties. Your account name and password can be used to do almost anything to any account you have at that institution. Heck, they can even be used to change your contact details so that if fraud is flagged, you don't learn about it for days or weeks. Once you hand over that login name and password the sky's the limit. You can't limit it to an account that has a zero balance except when you expect to be buying a car; in fact, you can't even block off access to CDs, retirement accounts or other assets so that whoever or whatever has that password can't touch them. It's practically like handing them a power of attorney: they are you. And procedures for reversing mistaken, fraudulent, or improper transactions made with your account name and password? I should be a little circumspect in what I say here but I will suggest at least that if you knew how this was likely to go if you had to try it, you would not be happy about it.
  4. Seriously, read Plaid's user agreement and, if you really want something to think about, your financial institution's user agreement and in particular what it says about your obligation to keep your credentials secret and what happens to their obligations to you if you don't. And then if you're still totally pleased to go telling people your password because they got a bunch of Menlo Park venture money, do a little reading about who's likely to prevail in arbitration if you do get into a dispute about it.
And if all that leaves you fine and dandy? Go for it.

Me, if what I'm hearing here is that if I show up at the delivery with a cashier's check it's still fine, my concerns just shift to being sure I know whom to have it made out to...
 
I would only add that in the event of your checking or savings account being invaded by ACH debit fraud the bank will probably immediately refund your money while they research this as a bank fraud case. The problem that remains is the only way to prevent further fraud against the account is to close the account. (That is correct, you have to close the affected account and open a new account.) Any direct deposit transactions, payroll etc. have to be discontinued on the old account and started up using the new account. This can literally take weeks if not months to work through, get straightened out.
 
For what it's worth, my caution is because I work in information security in the financial industry
That explains our difference here. I work in software development, not in the financial industry but in one with just as stringent security requirements. While you InfoSec guys and I are on the same side, we tend to draw very different conclusions from the same data. I can see a hundred ways to do what Plaid does in a totally safe manner, and there is no reason that your credentials ever need actually be "given to them" even though it appears that you're doing that from the UI end of things. I also know all the ways they could totally screw it up and make it extremely dangerous.

As a developer I tend to assume that my fellow developers have done things the right way, and as an InfoSec guy you tend to assume the opposite.

Having said that, you're making one assumption here that is false. Or at least, sometimes false. Typing your bank username and password into something using Plaid is not the same as giving it out to someone, sometimes. Their "Link" backend may handle the authentication, in which case yes, you're giving them your login, but many banks are now requiring OAuth. In that case you're redirected to your bank's login page to login, Plaid never sees the login. Plaid initiates a request for an OAuth token to securely access your account, you authorize it by logging into your bank and approving the request, your bank sends a token. Your login details are never compromised.

Now, what they can do with that token will vary by bank but I'm still not worried. All the usual banking protections still apply to any transaction.
 
That explains our difference here. I work in software development, not in the financial industry but in one with just as stringent security requirements. While you InfoSec guys and I are on the same side, we tend to draw very different conclusions from the same data.

Nice try. I've written my million lines of code in my lifetime, declared myself "done", and surprise myself by continuing to write many thousands, sometimes tens of thousands, of lines of code a year without meaning to. I am not an empty InfoSec stuffed shirt. I didn't sit around and make fancy security pronouncements about wire payment systems; I wrote the code. I refuse to hire idiots with CISSPs; in fact, for many years a CISSP on a resume was an instant trip from my candidate-resume pile to my recycle bin. Enough said?

I can see a hundred ways to do what Plaid does in a totally safe manner, and there is no reason that your credentials ever need actually be "given to them" even though it appears that you're doing that from the UI end of things.

I am unfortunately limited in what I can say here, but -- if you haven't actually used Plaid: when a vendor like Tesla prompts you to register with Plaid and they in turn prompt you to pick your institution from a list, enter your username and password, and hit "Submit": those data go to Plaid. It is not the case, for example, that they go to your financial institution which then functions as some sort of pseudo-standard IdP and then hands Plaid a token that can only be used for certain things. Plaid has your username and password and you are 100% reliant on their goodwill and competence to determine that those are only used for what you expected or intended. Don't believe me? Fire up developer mode on your browser and look for yourself; I believe you when you suggest you're competent to so do.

As a developer I tend to assume that my fellow developers have done things the right way, and as an InfoSec guy you tend to assume the opposite.
I'm sorry you seem to have worked with awful security people. Your assertion about my thoughts and beliefs is wrong.
Plaid initiates a request for an OAuth token to securely access your account, you authorize it by logging into your bank and approving the request, your bank sends a token. Your login details are never compromised.
Again I'm limited in what I can say here. The flow invoked by the Tesla website can be easily examined using developer mode in your browser of choice. See for yourself.
All the usual banking protections still apply to any transaction.
Do you actually know what those are? Because I have some reason to, and I don't think it's as simple or as happy for the customer as you seem to think. Read the agreements you're clicking-through to use your bank web site and to even see the list of institutions presented by Plaid and... well, if you're a thoughtful person, your point of view may change, is probably all I should say about that.
 
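The two flows the posters above disagree about (password typed into an intermediary's form versus an OAuth-style redirect to the bank's own login page) can be told apart from a HAR file exported from the browser's developer tools. The following is an added example, not part of any post in the thread: it lists which host receives a request body containing a password-like field. The `.example` hostnames, paths and request bodies are constructed, and matching on field names is an assumption that will miss bodies that are encrypted or use unusual names.

```javascript
// Added example (not from the thread). Hosts and bodies below are constructed.
const CREDENTIAL_FIELD = /^(pass(word|wd)?|pwd|pin|secret)$/i;

// Field names carried in a HAR request body (form params, urlencoded, or JSON).
function bodyFieldNames(postData) {
  if (!postData) return [];
  if (Array.isArray(postData.params) && postData.params.length > 0) {
    return postData.params.map((p) => p.name);
  }
  const text = postData.text || "";
  if ((postData.mimeType || "").toLowerCase().includes("json")) {
    const names = [];
    const walk = (v) => {
      if (v === null || typeof v !== "object") return;
      for (const [key, child] of Object.entries(v)) { names.push(key); walk(child); }
    };
    try { walk(JSON.parse(text)); } catch { return []; } // body was not valid JSON
    return names;
  }
  return [...new URLSearchParams(text).keys()];
}

// For every POST whose body carries a credential field, report the receiving
// host and whether it is the bank's domain (or a subdomain of it).
function credentialDestinations(har, bankDomains) {
  const findings = [];
  for (const { request } of har.log.entries) {
    if (request.method !== "POST") continue;
    const fields = bodyFieldNames(request.postData).filter((n) => CREDENTIAL_FIELD.test(n));
    if (fields.length === 0) continue;
    const host = new URL(request.url).hostname;
    const toBank = bankDomains.some((d) => host === d || host.endsWith("." + d));
    findings.push({ host, fields, toBank });
  }
  return findings;
}

// Constructed captures: (1) password typed into the intermediary's own form,
// (2) OAuth-style redirect where only the bank's host sees the password.
const post = (url, mimeType, text) => ({ request: { method: "POST", url, postData: { mimeType, text } } });
const sharedCredentialHar = { log: { entries: [
  post("https://link.aggregator.example/session", "application/json",
    JSON.stringify({ institution: "bank_1", credentials: { username: "u", password: "p" } })),
] } };
const oauthRedirectHar = { log: { entries: [
  post("https://login.bank.example/signin", "application/x-www-form-urlencoded", "username=u&password=p"),
  post("https://link.aggregator.example/callback", "application/json", JSON.stringify({ code: "abc", state: "xyz" })),
] } };
console.log(credentialDestinations(sharedCredentialHar, ["bank.example"]),
  credentialDestinations(oauthRedirectHar, ["bank.example"]));
```

A HAR export contains the typed password and session cookies in clear text, so capture it with a throwaway value where possible and delete the file afterwards.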
Duh. I took the advice to "look at my MVPA" but, clearly, not carefully enough. At the bottom right of the last page, one will find... wire instructions.

And to get told this by a human being, it turns out you just have to navigate the 3-level menus of your delivery center's infuriating voicemail monstrosity the right way, which I hadn't been doing. So it all works out fine.
 
I was reluctant to pay via Plaid too. There was no push back when I paid with a cashier's check. They'll take your money any way you want to give it to them... lol

Tesla will indeed take your money any way you want to give it to them. I have found that, in any transaction, the power transfers from the buyer to the seller at the exact same moment that the money transfers from the buyer to the seller. They know there will be no problem with the serviceability of your money. Before you give it to them, wouldn't you like to know the product is as it should be and, if there is any problem, you have a remedy from them in writing? I know I would.
 