‘Let us party tonight’, shouted the leader of Cyberthieves. RBI notification gave them a reason to rejoice.

The Reserve Bank of India came out with a notification on 22nd August 2024 modifying the e-mandate mechanism. Although the modification is a well-intentioned move, it is prone to misuse by cyber criminals. An instrument costing just Rs. 25000 is enough to empty the bank accounts of FASTag users under the modified e-mandate regime.

What is an e-mandate all about? It is your permission to your bank to deduct money from your bank account periodically without asking you again and again. For example, your bank deducts money every month from your account towards your home loan EMI. The permission for payment of a monthly SIP is also an example of an e-mandate. E-mandates are generally given for recurring payments. As per RBI guidelines, banks must inform their customers one day in advance about incoming e-mandated payments. But certain payments are exempt from this requirement. Non-periodic payments, such as RFID FASTag recharges, are one of them.

The Reserve Bank of India has modified some of the rules regarding the RFID FASTag e-mandate. As you know, FASTags are used to make toll payments at toll plazas. These tags work on Radio Frequency Identification (RFID) technology. You generally recharge your FASTag through a bank account or mobile wallet. The RBI has said that the RFID FASTag will be recharged automatically if the balance dips below a certain level. Technically, this level is called the threshold. For example, if the RFID FASTag balance of a mini bus goes below Rs.350, the FASTag will be automatically recharged by debiting the bus owner’s bank account without any notification or consent. There is no cap prescribed on such debits for recharge of the FASTag.

Here lies the cause of the cyberthieves’ revelry. Under the modified auto-debit permission (auto-replenishment) regime, an RFID FASTag recharge can debit your bank account as many times as it desires. This open-ended debit permission is enough to lure cyber criminals. What they need is a passive RFID reader, which costs just Rs. 25000 and has a range of 90 feet. This device is enough to empty your bank account from 90 feet away by reading your RFID FASTag.

The RBI should immediately cap the daily limit of FASTag auto replenishment. This will go a long way in securing the non-periodic e-mandate framework.

Till the capping happens, let cyberthieves party all night.
