Paying for car without forking over my online banking creds?

Changing your credentials won't remove Plaid's access to your account if your bank supports OAuth. As I've already said, in that case they never see them in the first place. You would have to go into your settings on your banking site and find the authorization for Plaid and revoke it. That will invalidate their keys for access. How this is done, how easy it is to find, and even the terminology they use will vary by bank unfortunately.
I was indeed remiss not to add that detail. At Schwab I can set to reject all OFX, as I do now. Some banks make that easy, usually in something called ‘security center’ or something similar. I still will change the password too.
I was also remiss not to mention disabling OFX, of which Plaid is a member. Account aggregators almost all use OFX also, which I do not employ.



I should add that enabling Plaid at Tesla enables Tesla to make other charges than the purchase one authorizes in accordance with the ‘Tesla policy’. Protesting a debit can be lengthy (as in the cases where Tesla charged a purchase twice).

To be sure, the same risk happens with the credit card used for Supercharger and Tesla store. In those cases you can protest the charge through your credit card issuer. The card issuer gives immediate credit after the protest, holding the charges in a suspense account until resolution. That is much less onerous than is fighting to get back money from a merchant directly (e.g. Tesla). Almost all automatic debit to credit cards or bank accounts uses OFX. Many, but not all, banks make protesting an automatic debit possible. Few follow the same process they are forced to use with bank cards, including both credit and debit, as long as the cards are issued under Visa, MasterCard, Discover (MasterCard process) or American Express. That is why autopay for cards presents less cash flow risk than does OFX (e.g. Plaid) with bank deposit accounts.

Most of this applies throughout the EU, and many other countries. The credit card procedures apply identically worldwide for all global brands, including ChinaUnionPay and JCB. The descriptions do vary country by country.
 
For what it's worth, my caution is because I work in information security in the financial industry. I spent a good chunk of five years working on wire payment security.

Giving account and routing numbers to a SA is vastly less risky than giving financial institution login details to a 3rd party -- whether it's some sexy venture-funded darling like Plaid or, um, other people who might ask for your account name and password, like, say, Joey Knuckles' House Of Cards -- for several reasons.
  1. An account and routing number pick out a single account at an institution. Adding an account that's used only for transfers of this type is of extremely low cost -- often free. For example, if you're a Chase customer, they'll give you a second checking account (they call it a "Liquid" account) with no checks, just for the asking. You can use it as a holding place for money that's being transferred in or out and have full confidence that anyone who's got those account details can never touch any other funds you have there.
  2. Procedures for reversing mistaken, fraudulent, or otherwise improper ACH and wire transfers are well established, well understood, and high-confidence. If an SA uses your routing and account numbers to steal your money, it's likely they'll be caught (even if they're savvy enough to send it to a casino in the Philippines) but it's almost certain you'll get it back whether they end up in jail or not.
  3. Giving your account name and password for an institution to a 3rd party has none of these properties. Your account name and password can be used to do almost anything to any account you have at that institution. Heck, they can even be used to change your contact details so that if fraud is flagged, you don't learn about it for days or weeks. Once you hand over that login name and password the sky's the limit. You can't limit it to an account that has a zero balance except when you expect to be buying a car; in fact, you can't even block off access to CDs, retirement accounts or other assets so that whoever or whatever has that password can't touch them. It's practically like handing them a power of attorney: they are you. And procedures for reversing mistaken, fraudulent, or improper transactions made with your account name and password? I should be a little circumspect in what I say here but I will suggest at least that if you knew how this was likely to go if you had to try it, you would not be happy about it.
  4. Seriously, read Plaid's user agreement and, if you really want something to think about, your financial institution's user agreement and in particular what it says about your obligation to keep your credentials secret and what happens to their obligations to you if you don't. And then if you're still totally pleased to go telling people your password because they got a bunch of Menlo Park venture money, do a little reading about who's likely to prevail in arbitration if you do get into a dispute about it.
And if all that leaves you fine and dandy? Go for it.

Me, if what I'm hearing here is that if I show up at the delivery with a cashier's check it's still fine, my concerns just shift to being sure I know whom to have it made out to...
You do realize that almost everything you said is made null and void with two factor authentication, of which Plaid works with… right? Like someone else explained… Plaid is just grabbing account numbers.. of which you get to choose which account (after Plaid logs in) Tesla ultimately gets the numbers for and once that is accomplished the entire connection is dropped. Even if your user, pass, and 2FA token were stored (even temporarily) at Plaid and somehow retrieved… no one, not even Plaid, could manage to use your log in information to do a thing a second time.

Pay using Plaid, let it do its thing and if it sets up a “relationship” between Tesla and your institution you can always log in to your institution after the deed is done and delete the relationship. There’s no way to recreate it without Plaid authenticating again, which would require another 2FA token.
 
What if you pp

What if you open a checking account specifically for making the Tesla final payment; transfer money into the checking account and use Plaid to process the payment? After payment has been made you would close the checking account. The Plaid terms of service seemed to imply that you are giving Plaid access to all accounts linked to the primary account used for payment. Plaid states that they freely use all of your transaction history information on all accounts linked to the primary account for marketing purposes. Sounds sketchy but is there any risk if you just close the account after making the final payment? Also you would change your online banking credentials password and invalidate Plaid's access keys after payment has been made.

Instead of all these Plaid security concerns you could just bring a cashier's check from a major financial institution when accepting delivery of the Tesla vehicle. (That's what I did. I dug in my heels when Tesla pressured me to use Plaid. I explained I had been the victim of ACH debit fraud (true) and I was not comfortable using Plaid.) Even using touchless home delivery on a Sunday Tesla allowed me to include my final payment in the form of a cashier's check with my signed paperwork and send Tesla the final payment with the other documents via FedEx the following Tuesday (Monday was a holiday.)
For your checking account idea, maybe. If it was with a bank you had no other accounts at, sure, but that would require you to get an account, usually you have to be a client for 90 days+ for large transactions to be approved though. If you got a new account at your existing bank, then you might be giving Plaid access to all of your accounts anyway. Recently I've seen US Bank start asking you which specific accounts you're giving access to (and only one per request from something like Plaid). But I don't know how widespread that is.

Ultimately, if you don't want to use Plaid, a cashier's check is your best bet. I don't think most people should worry about using Plaid, but I don't see any reason you should be forced to.
 
What do they require of you to pay this way? Just a routing number and Acct number?
Actually it was simple, I just paid for mine yesterday. The default option is Plaid, but scrolling in the MVPA in your documents for your new car, shows the procedure for making a conventional wire transfer. For most banks wire process you must use a payee address. The Tesla form does not show theirs so I used the Wells Fargo address for Tesla’s account. You show in notes your RN and name, Tesla even shows those in the MVPA instructions.

I made my wire yesterday afternoon. This morning my Tesla account shows the payment complete, they sent an email advising of the status change.

Much ado about nothing. We absolutely do not need to use Plaid!

Based on other reports I thought they had changed the policy. They have not, just made Plaid the default option.
 
You clearly don't understand how OAUTH works.
I'm used to OAUTH having me log in to an account I own on the actual site (bank for instance) then proceeding to grant access to certain information being requested by the 3rd party (Plaid in this case) on my account. With Tesla, they are asking me to plug in my credentials into an iframe owned by Plaid, which is different from the flow I was describing.
 
I'm in the IT / Software industry, and I was not at all comfortable entering my bank credentials for payment. Instead Tesla said I could use a cashier's check at delivery. I dropped the check off at my local Tesla shop early for good measure since it's next to my bank. This felt *much* safer.

If you do decide to pay using a service that requires your bank credentials then I strongly recommend first changing the password to a password completely different from any others you use until the transaction is done, and then after delivery immediately changing it again (to something completely different, again). And frankly if you have the option I'd make sure there is not a lot of money (other than your car payment) in any account accessible by those credentials while the third party has access. ... or just pay with a cashier's check. :)

FWIW ...
 
I am still more than a month from receiving a VIN, but have been looking ahead on the payment mode. It seems a cashier's check would be the safest option in my case. However, it would take some 10 days for me to order a cashier's check and have it sent to my address. Does the amount due change from what it shows after you make the booking? I have attached my current statement in my booking. Can I safely assume that this is what the amount will be?
 

The estimated final cost should be accurate but if you are getting new license plates with your purchase of the Tesla Model Y there may be an additional DMV fee for the new plates. You can check the final amount due at delivery a few days before your scheduled delivery.
 
Same process when you link a bank account to an app to trade stocks.

Not something to worry about. I did what bcompton32 mentioned about password changes after everything was completed.
I think once the link is established between your account and Plaid, even if you change your password Plaid will continue to have access to your accounts under that log in name. I wish Tesla would cancel the account with Plaid as soon as you have made the payment.
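
Added example, not part of the thread and not any bank's or Plaid's code: a toy Python model of the two access paths the posts above argue about, a shared login versus an OAuth-style grant. `ToyBank`, the account names and the passwords are all constructed, and the model follows the behaviour described in the thread, where a password change leaves an existing grant in place and only revoking the authorization at the bank removes it.

```python
import hmac
import secrets

class ToyBank:
    """Constructed stand-in for a bank; not any real bank's or Plaid's API."""
    def __init__(self, password, accounts):
        self._password = password
        self._accounts = dict(accounts)   # account id -> balance
        self._grants = {}                 # token -> (client, allowed account ids)

    def _check(self, password):
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            raise PermissionError("bad credentials")

    def login_read(self, password):
        # Shared-credential path: whoever holds the password sees every account.
        self._check(password)
        return dict(self._accounts)

    def change_password(self, old, new):
        self._check(old)
        self._password = new

    def authorize(self, password, client, account_ids):
        # OAuth-style path: the customer logs in at the bank and picks accounts;
        # the client only ever receives an opaque token.
        self._check(password)
        token = secrets.token_urlsafe(16)
        self._grants[token] = (client, frozenset(account_ids))
        return token

    def token_read(self, token):
        if token not in self._grants:
            raise PermissionError("grant revoked or unknown")
        allowed = self._grants[token][1]
        return {a: b for a, b in self._accounts.items() if a in allowed}

    def revoke(self, client):
        # What the customer does from the bank's own settings page.
        self._grants = {t: g for t, g in self._grants.items() if g[0] != client}

def permitted(call, *args):
    try:
        call(*args)
        return True
    except PermissionError:
        return False

def run_scenario():
    bank = ToyBank("pw-1", {"checking": 500, "savings": 90000, "ira": 250000})
    token = bank.authorize("pw-1", "aggregator", ["checking"])
    out = {"password_sees": sorted(bank.login_read("pw-1")),
           "token_sees": sorted(bank.token_read(token))}
    bank.change_password("pw-1", "pw-2")
    out["old_password_works"] = permitted(bank.login_read, "pw-1")
    out["token_after_pw_change"] = permitted(bank.token_read, token)
    bank.revoke("aggregator")
    out["token_after_revoke"] = permitted(bank.token_read, token)
    return out
```

`run_scenario()` returns the outcome of each step, so the effect of the password change and of the revocation can be compared side by side.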
 
Can't you pay cash?
As per Tesla's web site only the below 3 methods are allowed:

Payment and Fees

What are the accepted methods of payment?
Before driving off with your new Tesla, we require that the balance be paid in full, either personally or by way of guarantee from a financing institution.

Confirm your method of payment with your Tesla representative prior to Delivery Day. In some states, payment must be received before delivery and cannot be accepted at time of pick-up.

Final payment is accepted via:

  • Electronic check (direct debit) in your Tesla Account
  • Wire transfer
  • Certified check at time of pick-up, with your Reference Number (RN) and name in the memo line
Note: Only credit cards are accepted for the initial order fee.
 
I was researching about Plaid and read this on Wikipedia:

******
The company has faced controversy for scraping user data, impersonating bank login screens, and not properly disclosing the privacy risks associated with the service.[31] TD Bank filed a lawsuit against Plaid in 2020 accusing the company of trying to "dupe" its users.[32]

In 2021, Plaid settled a $58 million class action lawsuit over claims that it passed on personal banking data to third party firms without user consent. The settlement encompasses five separate lawsuits combined as one. Each claims that Plaid used consumers’ banking login credentials to gather and distribute detailed financial data without prior consent.[33]

Plaid has "exploited its position as middleman," the plaintiffs alleged. Approximately 98 million people are affected by the settlement. Claimants will be given the option to receive the settlement money automatically through payment platforms such as PayPal and Venmo. If all 98 million people were to file a claim, each would receive just 60 cents.
 
I am still more than a month from receiving a VIN, but have been looking ahead on the payment mode. It seems a cashier's check would be the safest option in my case. However, it would take some 10 days for me to order a cashier's check and have it sent to my address. Does the amount due change from what it shows after you make the booking? I have attached my current statement in my booking. Can I safely assume that this is what the amount will be?
I'm curious as to why it takes so long to get a cashier's check - are you using an online bank? If you have access to a Sales Advisor, I'd reach out to him/her to determine if all of the fees are included. I actually got a refund of about $14 for DMV fees that were overpaid.
 
I bank with Capital 1, which has no branches in Minnesota. The bank sends cashier checks for free once you enter the name of the beneficiary and address. They take 7 days to do it. My account is linked to a small regional bank with branches at grocery stores etc. One option would be to get a cashier's check done. My Schwab account gives me access to wire transfer. I might go that route. I am extremely reluctant to give Plaid access to log in and password details. The log in gives access to all accounts within the login, not just one account. Whereas pulling an electronic check does not require login details to be given to DMV etc. So I have no idea why Tesla goes with a company that wants to use your login details unlike DMV, utilities just pull the money without having to login to my account. Do you see a disconnect here between Tesla/Plaid and every other business including your county property tax authorities and IRS and more who just pull or deposit money.
 
Yes, there was no way I was giving anyone access to my login credentials. I'm not sure why they decided to go this route. I did a bank check as well for my balance.
 
There is a way to do an ACH through the app which our SA told me about which I successfully executed. If you go through the Plaid process until you get to the point of choosing a bank from a list, rather than choosing a bank (even if yours is there), type manual into the search function and hit the exit button that shows up at the bottom of the page. From there you can manually enter the routing number and account number and send a regular ACH. The app accepted the payment and zeroed out our balance due when I executed this procedure. It was a lot easier than stopping at a bank and felt a lot more secure than giving out our login info to all our bank accounts.
 
Same process when you link a bank account to an app to trade stocks.

Not something to worry about. I did what bcompton32 mentioned about password changes after everything was completed.
Yes, but one does give them login name and password like Tesla does through Plaid. An ACH is authorization to deduct amount. But Plaid gets access to all previous and current transactions and more, which is none of their damn business.