Mumbai man says FASTag was hijacked mid-transit, calls 'massive loophole' in viral post

A Mumbai man has alleged a major security lapse in the FASTag system after his existing FASTag was allegedly deactivated and replaced with a new one without his consent while his car was being transported from Mumbai to Delhi.

The allegation was made by user X Rushil whose post has now gone viral on social media. In the post, he claimed that the transporter driver was allegedly able to activate another FASTag linked to his vehicle using a different mobile number and personal details without any consent from the registered owner.

“FASTag has a MASSIVE security hole and no one is talking about it,” Rushil wrote on X.

The vehicle was being transported from Mumbai to Delhi

According to Rushil, the incident took place when his vehicle was traveling between Mumbai and Delhi through a shuttle service.

Read also | Salman Khan clarifies after fans express concern over his ‘lonely’ post at 60

He claimed that before taking the car for transport, the driver casually asked him if there was sufficient balance in the FASTag account. However, the following morning, he reportedly received a message from ICICI Bank that a new FASTag had been activated for the vehicle.

Rushil said the message further informed him that his existing FASTag would be deactivated based on the “One Vehicle One FASTag” policy.

“Within minutes he was blacklisted/deactivated,” he wrote.

“No Owner Permission, No Consent”

In his viral post, Rushil claimed that the new FASTag was activated without any OTP verification or approval from the registered owner of the vehicle.

“No OTP. No owner authorization. No consent from the actual owner of the vehicle,” he wrote.

He further claimed that after contacting the customer support several times, he found that the newly activated FASTag was allegedly issued through Airtel Payments Bank.

Rushil later checked the Airtel Thanks app and claimed that the FASTag appeared to have been registered using the transporter driver’s details.

“Vehicle owner has zero control”

The Mumbai resident also claimed that despite being the owner of the vehicle, he was unable to deactivate the FASTag.

According to him, customer support informed him that only a person who has activated FASTag can request its closure.

“The actual owner of the vehicle has ZERO control over FASTag – but the person who fraudulently activated it does,” he wrote.

Read also | Back to WFH? India Inc responds to Modi’s call for fuel savings

Rushil also criticized the National Highways Authority of India (NHAI) helpline, claiming that there was no emergency blocking system or fraud resolution mechanism in place for such situations.

“No owner protection mechanism,” he wrote.

It requires OTP based authentication

Rushil described the incident as a “massive security vulnerability” and called on the National Payments Corporation of India (NPCI) and FASTag authorities to make OTP verification mandatory before any changes related to FASTag accounts are approved.

“At least mandate OTP verification from the registered owner of the vehicle before approving ANY FASTag change,” he wrote.

He further criticized the support system associated with the service.

“Poor support, zero accountability and absolutely no protection for the actual vehicle owner while someone else fraudulently took control of FASTag,” added Rushil.

Read also | Salman Khan makes surprising revelation about his career: ‘Never read a script’

Reaction of ICICI Bank and Airtel Payments Bank

After the viral post, both ICICI Bank and Airtel Payments Bank publicly responded to X and said the matter was being investigated.

Responding to the complaint, ICICI Bank wrote, “Hello, we are aware of this concern. Request you to DM your contact details. We will get in touch with you first to help resolve your issue. For your security, please note that ICICI Bank will never ask for your password, PAN, Aadhaar, bank details or OTP through calls, SMS, email, WhatsApp or share such details publicly or on social media.”

Airtel Payments Bank also responded to the allegations and assured users that the issue will be investigated on priority.

“Hello, this experience was never intended for you. We apologize for the inconvenience. To investigate this further, please share your contact details along with your vehicle number via DM. We assure you that we will address your concerns as a matter of priority,” the company wrote.

The incident sparked an online debate about FASTag security protocols and whether additional owner verification measures are needed to prevent unauthorized changes to vehicle-linked accounts.