[wheelguy]

With the Fastags linked with bank accounts, all the payments directly get deducted from the linked account balance.

Quote:

NEW DELHI: Fraudsters have found a new way to cheat citizens with the launch of FASTag in the country. The scamster are trying to siphon money from the bank accounts of gullible citizens through UPI on the pretext of helping people to register and get their FASTag working.

The first incident of this scam was officially reported recently when a man from Bengaluru lost Rs 50,000 to scamsters. He got a fake call from a so-called customer service executive of Axis Bank who had sent him an online form to fill-in to get his FASTag wallet running after he complained that the wallet was not working.

The scamsters cleverly managed to get the UPI PIN from the victim by fooling him about the online registration process.

“The caller sent me a link through SMS which said, ‘Axis Bank — FASTag form’ and asked me to provide a few details in order to activate my FASTag wallet. In the form, I provided details like my full name, registered mobile number and Unified Payment Interface (UPI) PIN." he said.

He also said, "I thought the application itself served as a point of recharge. I typed the PIN and submitted it. Subsequently, I was told that the helpdesk had generated a one-time pass (OTP) which was sent to my phone. The caller told me to send the OTP to a different number and I did accordingly."

• Readers are recommended that under no circumstances they should reveal any PIN or password to anyone or enter it in any random form for any purpose. The registration of FASTag doesn’t require you to submit any password or online banking details at all. As FASTag service is new, scamsters are trying all means to cheat citizens.

• There are only two ways one can activate their Fastags-- either through self-activation using MyFastag app or by visiting the nearest bank branch. The FASTag registration cannot happen by talking to some bank employee over the phone. In case, you happen to receive any such calls, immediately disconnect and then visit the bank branch yourself to check if there is any issue.

• As Fastags are usually linked with bank accounts, all the payments directly get deducted from the linked account balance. Users also have the option to create a NHAI Prepaid wallet, recharge it and connect it with the Fastag for payments.Also, you can also recharge your Fastag using UPI via MyFastag app.

Source: ET Auto

[gkveda]

First of all, I do not believe "Linking the Bank account to Fast Tag account for direct deduction from the bank account"

How can we give the complete control of limitless debit from our bank account to a third party?

In my view, we should just charge the card just before travel with 100-200 Rupees extra as and when required, by knowing the approximate toll expense. Else, we never know when and where hackers would start pulling the money from our account.

I may be a bit more conservative here, but it is always profitable and safer to be conservative like this.

[RedTerrano]

The caller told me to send the OTP to a different number and I did accordingly.

Seriously? Over the years, I have had official communication from all the banks, asking me not to do this very thing. If I remember correctly, even the OTP SMS contains the message.

[adi.mariner]

I maintain only the bare minimum amount required in my bank account linked to UPI because I am still not sure about the security. The salary accounts are separate and the debit cards are locked away. I guess Paytm Fast Tag has the toll deducted from the Wallet instead of the bank account. The Fast Tag system still has glitches to overcome till it becomes a truly seamless and user friendly experience. Meanwhile we have to be careful from scamsters like these.

[THE_DRIFTER]

Now, this is the most common way in which these fraudsters manage to fool people.

Citizens should never ever share these important details with anyone. First thing stated by bank employees is to never give OTP to anyone and as described by another BHP-ian OTP message itself says " DO NOT SHARE THIS OTP WITH ANYONE "

[nibedk]

I am still more conservative. Though I use PayTm to make payments using mobile but it is not linked to my bank accounts. I do not use any other payments app if they do not have the option of recharging using credit cards.

Call me old fashioned but I would rather be safe than be sorry. I have not faced issues yet as most merchants accept PayTm payments through linked mobile numbers. In few cases where they don't I use cash or credit card. But such cases are extremely rare

Only downside is one has to keep tab on credit card expenses.

[GTO]

A fool and his money parted, is all that I can say.

On a related note, my Fastag is linked to a prepaid wallet (Axis Bank). There is NO WAY I'm linking a Fastag to my bank account. Heck, I don't even keep a debit card in this country full of scams & frauds. Just credit cards for me; if someone has to steal my card number from a swiping machine (example), they better be stealing the issuing bank's money, not mine.

[RedTerrano]

Quote:

Originally Posted by GTO

Heck, I don't even keep a debit card in this country full of scams & frauds. Just credit cards for me;

IMO a debit card is more safer than a credit card (agree on the part about bank's money though)
Every debit card transaction has to have a PIN/OTP.

My family has 2 FasTags. HDFC and Kotak. Both these banks use the wallet system.
Unbelievably, only AXIS (from what I could gather after a quick google search) is offering the linking + auto debit facility.

Source

[KrisTvpm]

Quote:

Originally Posted by wheelguy

With the Fastags linked with bank accounts, all the payments directly get deducted from the linked account balance. <SNIP>
[*]As Fastags are usually linked with bank accounts, all the payments directly get deducted from the linked account balance

It's sad that despite the awareness created by financial institutions, general knowledge imparted through online media etc., still people fall prey to such fraudsters/social engineering. Ofcourse not discounting the mass of not-so-tech-savvy people who might be the gullible victims in such cases.

Btw, seconding @gkveda's point: Guess the last bullet point needn't be mandatory, it's not necessary to link fastag to any bank account - at best it might be an option provided by some banks/providers. I've been operating my ICICI fastag through inbuilt wallet for the last couple of years and it's been working perfectly. I just load the wallet with approx necessary amount + a buffer before the journey and I'm good.

[saisree]

I read this story sometime back and was appalled after learning that, the person who is cheated is a Cyber Security Expert himself. When these scamsters are able to cheat a security expert and think about the common man. High time government runs an educative videos / announcements on how the Fastags work and how they have to be recharged.

FASTag fraud: Cybersecurity expert from Bengaluru shares PIN ..


80's kids might remember the Puliraja campaign for educating the mass on AIDS. It worked well. We need such campaings to educate our people.

[Newpunter]

Quote:

Originally Posted by RedTerrano

The caller told me to send the OTP to a different number and I did accordingly.

Seriously? Over the years, I have had official communication from all the banks, asking me not to do this very thing. If I remember correctly, even the OTP SMS contains the message.

I had recently posted in a different thread about a similar scam with Amazon returns. The problem with the UPI PIN change OTP is that the SMS is just a bunch of random characters and does not mention that this SMS contains the code to change your UPI pin. There is no way a normal customer would realize that they are forwarding an SMS that would let the scamsters change your UPI pin.
Since I was aware that this was a scam, I talked to him and tried to find out the scamsters' modus operandi. But it would not be right to blame a layman for the bad design of the UPI process.

[saisree]

Quote:

Originally Posted by Newpunter

The problem with the UPI PIN change OTP is that the SMS is just a bunch of random characters and does not mention that this SMS contains the code to change your UPI pin.

Guess, this random characters is for activating the UPI registration/activation and linking your bank account with your UPI provider like GPay,PhonePe, BHIM etc., Change of UPI pin is done generally by entering your debit card no and the expiry data.

[gungax]

Quote:

Originally Posted by GTO

On a related note, my Fastag is linked to a prepaid wallet (Axis Bank). There is NO WAY I'm linking a Fastag to my bank account. Heck, I don't even keep a debit card in this country full of scams & frauds. Just credit cards for me; if someone has to steal my card number from a swiping machine (example), they better be stealing the issuing bank's money, not mine.

Exactly as GTO has said, doorway to your bank accounts should be strictly kept closed.

I don’t use UPI and Debit cards are used only at ATMs. I Strictly use credit cards which I have insured.

My FastTag from Axis bank in 2017 came with its own pre-paid wallet. How is it linked to the bank account? Even my parents FastTag is linked to my Paytm prepaid wallet only.

Banks should educate users on good practices for cashless transactions.

[binand]

This incident is not particularly indicting Fastag; just that Fastag was used as a vector in a social engineering attack. This and several other similar incidents all point to one thing - this whole "OTP for 2FA" system is broken beyond redemption.

A while back I switched to TOTP for my Google Account and over several years, for all services that I use which support it. But even TOTP systems suffer from the same vulnerability as SMS-delivered OTPs; the saving grace being their relatively shorter lifetime (1 min max vs 5 mins or more for SMS OTPs). Last year I invested in a Yubikey for services that support it - Google, Microsoft & Dropbox for now. It is at least 2FA as it is meant to be. I just hope our banks and service providers all mandate it (HSBC had an RSA SecurID based 2FA way back in early oughties. No other bank that I know of even introduced it as an option).

[vishwasvr]

I'd linked my Paytm wallet to 3 FASTag for 3 of our cars just over a month ago and I've been charged 90 bucks twice (FASTag linked to my Polo GT TSI) from a certain 'Guduru' toll ( I don't even know where that is) and I am sure as hell I haven't even gone out of Bangalore in my Polo!

I simply emptied my wallet to prevent further damage.

Paytm's support system doesn't help either. Tried raising a complaint but to no avail.

Planning to get FASTag from ICICI as a bunch of my friends said they've not faced any hassles!