Mumbai man says FASTag was hijacked mid-transit, flags ‘masssive loophole’ in viral post

A Mumbai man has alleged a major security flaw in the FASTag system after his existing FASTag was allegedly deactivated and replaced with a new one without his consent while his car was being transported from Mumbai to Delhi.

The allegation was made by X user Rushil, whose post has now gone viral on social media. In the post, he claimed that a transporter’s driver was allegedly able to activate another FASTag linked to his vehicle using a different mobile number and personal details, without any approval from the registered owner.

“FASTag has a MASSIVE security loophole & nobody is talking about it,” Rushil wrote on X.

He claimed that before taking the car for transport, the driver casually asked him whether there was enough balance in the FASTag account. However, the following morning, he allegedly received a message from ICICI Bank stating that a new FASTag had been activated for the vehicle.

Rushil said the message further informed him that his existing FASTag would be deactivated under the “One Vehicle One FASTag” policy.

“Within minutes, it was blacklisted/deactivated,” he wrote.

“No OTP. No owner authorization. No consent from the actual vehicle owner,” he wrote.

He further claimed that after contacting customer support several times, he discovered that the newly activated FASTag had allegedly been issued through Airtel Payments Bank.

Rushil later checked the Airtel Thanks application and claimed that the FASTag appeared to have been registered using the transporter driver’s details.

According to him, customer support informed him that only the individual who activated the FASTag could request its closure.

“The actual vehicle owner has ZERO control over the FASTag - but the person who fraudulently activated it does,” he wrote.

Rushil also criticised the National Highways Authority of India (NHAI) helpline, alleging that there was no emergency blocking system or fraud-resolution mechanism available for such situations.

“No owner protection mechanism,” he wrote.

“At the very least, mandate OTP verification from the registered vehicle owner before ANY FASTag change is approved,” he wrote.

He further criticised the support system linked to the service.

“Pathetic support, zero accountability, and absolutely no protection for the actual vehicle owner while someone else fraudulently took control of the FASTag,” Rushil added.

Responding to the complaint, ICICI Bank wrote, “Hi, we are concerned to know about this. Request you to DM your contact details. We will connect with you at the earliest to help resolve your concern. For your safety, please remember ICICI Bank will never ask for your password, PAN, Aadhaar, bank details, or OTP through calls, SMS, email, WhatsApp, or social media. Kindly do not share such details publicly or privately.”

Airtel Payments Bank also reacted to the allegations and assured the user that the issue would be investigated on priority.

“Hi, we never intended such an experience for you. We apologize for the inconvenience. To investigate further, request you to share your contact details along with your vehicle number via DM. Please be assured that we will resolve your concerns on priority,” the company wrote.

The incident has sparked discussion online around FASTag security protocols and whether additional owner verification measures are needed to prevent unauthorised changes to vehicle-linked accounts.