A Mumbai man has alleged a major security loophole in the FASTag system after his existing FASTag was deactivated and replaced with a new one, allegedly activated by a transporter’s driver without his consent.
The claim was made by X user Rushil, who said the incident occurred while his car was being transported from Mumbai to Delhi. “FASTag has a MASSIVE security loophole & nobody is talking about it,” he wrote on X.
In his post, Rushil claimed that the transporter’s driver was able to activate a new FASTag linked to the vehicle using his own mobile number and details. “No OTP. No owner authorization. No consent from the actual vehicle owner,” he wrote.
He claimed the driver casually asked whether there was balance in the FASTag before taking the vehicle for transport. The next morning, he received a message from ICICI Bank informing him that a new FASTag had been activated on his vehicle and that his existing FASTag would be deactivated under the “One Vehicle One FASTag” policy. “Within minutes, it was blacklisted/deactivated,” he wrote.
Rushil alleged that after several calls with customer support, he found that the new FASTag had been issued through Airtel Payments Bank. He later checked the Airtel Thanks app and claimed the FASTag had allegedly been registered using the transporter driver’s details.
The user further alleged that despite being the vehicle owner, he could not get the FASTag closed because customer support informed him that only the person who activated it could request deactivation. “The actual vehicle owner has ZERO control over the FASTag – but the person who fraudulently activated it does,” he wrote.
He also criticised the NHAI helpline, alleging there was no emergency block system or fraud-handling mechanism available for such cases. “No owner protection mechanism,” he wrote.
Calling it a “massive security vulnerability,” Rushil urged National Payments Corporation of India (NPCI) and FASTag authorities to make OTP verification mandatory before any FASTag-related changes are approved. “At the very least, mandate OTP verification from the registered vehicle owner before ANY FASTag change is approved,” he wrote.
“Pathetic support, zero accountability, and absolutely no protection for the actual vehicle owner while someone else fraudulently took control of the FASTag,” Rushil concluded.
Airtel, ICICI react
Reacting to the viral post, ICICI Bank said it was looking into the issue.
“Hi, we are concerned to know about this. Request you to DM your contact details. We will connect with you at the earliest to help resolve your concern. For your safety, please remember ICICI Bank will never ask for your password, PAN, Aadhaar, bank details, or OTP through calls, SMS, email, WhatsApp, or social media. Kindly do not share such details publicly or privately,” the bank wrote on X.
Airtel Payments Bank also responded publicly, saying it would investigate the matter on priority.
“Hi, we never intended such an experience for you. We apologize for the inconvenience. To investigate further, request you to share your contact details along with your vehicle number via DM. Please be assured that we will resolve your concerns on priority,” the company wrote.
