In a public service announcement, the National Payments Corporation of India (NPCI) has debunked “baseless and false videos” making rounds on social media, stating that one should be cautious while driving on highways as those pretending to clean the glass of cars can defraud the owner by wiping off the FASTag.
According to NPCI, no transactions can be executed through open internet connectivity. Several layers of security protocols are placed to ensure the end-to-end safe processing of transactions, it said. Here we explain why no one can steal money from your FASTags.
FASTag uses RFID
FASTag uses Radio Frequency Identification (RFID) technology to communicate with a scanner installed at toll plazas. Once the car crosses the toll plaza the requisite toll amount is automatically deducted from a bank account or a prepaid wallet linked to the FASTag.
Vehicles have to drive through the toll, and if the tag is linked to a prepaid account like a wallet or a debit/credit card, then owners need to recharge/top up the tag. If it is linked to a savings account, then the money will get deducted automatically after the balance goes below a pre-defined threshold. Once a vehicle crosses the toll, the owner gets an SMS alert on the deduction. The alert is like money getting debited from accounts or wallets.
Operates on P2M
FASTag can only be used for person-to-merchant (P2M) transactions, which means that no person-to-person (P2P) transactions are allowed. “An individual cannot receive the money in the NETC FASTag ecosystem from fraudulent transactions,” NCPI said in a statement.
Security
NPCI clarified that only authorised System Integrators (SI), which are authorised on behalf of concessionaires are allowed to make and initiate payment transactions at toll plazas. The infrastructure deployed between the SI system, concessionaire and banks is secured by whitelisting only permitted IP addresses and URLs.
The hardware installed at the Toll Plaza server room is cryptographically secured through Hardware Security Module (HSM). This ensures that no third person can interact with the system, and the transaction is carried out between the two parties.
Every API call needs to pass through a secure Firewall. Every time the Bank connects with NPCI through API connectivity, the data is encrypted with a secure 256 SHA ECC algorithm and locked with a Hexadecimal Private Key. Only NPCI possessing the corresponding Public key will be able to access the information by decryption.
Unique Plaza code
Every merchant (toll and parking plazas) boarded by NPCI is allotted a unique Plaza code. This is onboarded only by authorised acquirer Banks active on the FASTag ecosystem.
Every acquirer Bank is provided with a unique Acquire ID (AID). The combination of the Plaza code and Bank Acquirer ID is mapped at the NPCI end. This makes it impossible for anyone to get registered on the platform.
