A Fast tag fraud is a hot topic in a popular online video that has gone viral. A kid is seen in the footage washing the car’s windscreen while simultaneously using a watch to scan the Fast tag. The viral video first surfaced on the Facebook page BakLol Video. (Hassan, 2022) The video, however, is a fake, which is not conceivable.

Utilizing RFID technology, the National Electronic Toll Collection (NETC) system allows users to make electronic toll payments at any NETC-compatible toll plaza on a roadway without stopping. According to ethical hacker Sunny Nehra who explained how FASTag works on his Twitter, “there is no way that anyone can steal money from a FASTag account like this.”

Banks,  as well as IP, are whitelisted. This indicates that only authorized businesses (licensed toll and parking plazas) can start transactions, and only at designated geolocations (and not just anywhere). A toll plaza ID is also necessary for any transaction to be processed (generated and known to SI, acquirer Bank, and NPCI). “There is no way these transactions may leak because NPCI is connected to member banks through its network.

Notification alerts are yet another built-in security feature. After using FASTag to make a payment, the consumer will receive an SMS with the following information: Toll Name, Transaction Date, Transaction Amount, and Available Balance in his FASTag account. Vehicle owners may also check the toll rates for their toll plazas on the NHAI website.

Paytm also called the video fraudulent and explained: “According to NETC regulations, only authorized merchants who have been onboarded following several rounds of testing are permitted to begin FASTag payments. Paytm FASTag is 100 percent secure. “Finally, Paytm stated.

The National Payments Council of India (NPCI) also clarified on Twitter, saying the video circulating on social media is false and baseless. It said, “NETC FASTag operates only for person-to-merchant (P2M) transactions. No person-to-person (P2P) transactions are facilitated through the NETC FASTag network.” It further explained, “The infrastructure set up between the SI system/concessionaire and the banks are safeguarded by whitelisting only authorized IP addresses and URLs. It also claimed that the Hardware Security Module used in the toll plaza data center/server room secures the hardware cryptographically (HSM).

According to NPCI, each merchant (including toll and parking plazas) onboard receives a unique plaza code, which is only assigned by authorized acquirer banks operating inside the NETC FASTag ecosystem. A unique acquire ID is given to each acquiring bank (AID). At the NPCI end, the bank acquirer ID and plaza code combination are mapped. Their respective acquirer banks and NPCI have recorded every merchant’s (plaza’s) geolocation. As a result, neither financial transactions nor transactions involving open internet access may be started without the enumerated requirements, according to NPCI.


Author – Mr. Shrey Madaan, Research Associate, CyberPeace Foundation

Leave a Reply

About Cyber Peace Corps

Address: B-55 MIG, Ranchi Jharkhand, India
Phone: (+91) 82350 58865
Email[email protected]