06 Jun QR codes and anti-counterfeiting: the false sense of consumer security and why NFC is the most appealing alternative
Search the Internet for QR codes and authentication or counterfeiting keywords and you will get plenty of results, whether links to solution providers selling anti-counterfeiting solutions based on QR codes or announcements from brands having adopted QR codes to protect their products. Actually, “protecting their products” rather than “protecting their customers” may very well be the key element to understand and evaluate.
QR codes are widely adopted primarily because they are extremely cheap, and because of their visual aspect they give the feeling of something cryptic, hence secure. The production cost of a single code is basically zero, which may be one reason brands keep on adopting it even today. The problem being that the reproduction cost of such a code is also zero. When using 2D codes based on standards (ISO/IEC 18004), anyone can create the exact same codes and associate them with fake or counterfeited products, or generate codes that follow the exact same content logic as yours. The replicated or fake code can lead the consumer to a fake website, or just replay real identities leading to the original company systems. The way “anti-counterfeiting” detection works, seen from the brand or its service provider’s side, is by detecting when the same identities (identifiers coded in the QR code) are replayed multiple times within suspicious time periods or geographic areas. This behavior would trigger an alert showing that there is a high probability your product or its identity has been counterfeited. However, it must be very clear that the consumer is not protected at all: it will take several identity replays until, as a brand, you realize something is wrong, which means there are always a number of your consumers buying a counterfeited good, thinking it was genuine because of its QR code, who will get a very bad product experience if not even a lethal one. The solidity of the detection system is one where the solution providers don’t want to openly discuss about their detection algorithm to not make the counterfeiters’ life easier. This is called “security by obscurity” which following Wikipedia’s definition is a security system that “may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, then attackers will be unlikely to find them”. In other words, this may very well be called wishful thinking.
Based on this situation, other solution providers do offer proprietary solutions for QR codes. Instead of creating codes based on such standard as ISO/IEC 18004, their codes rely on proprietary coding and generation algorithms. The claim is that only them can generate these specific codes, hence your products are protected. The fact remains these codes are visual, and thereby can be replicated. Two similar products could be sitting next to each other on your favorite shop’s shelves, one being genuine and one being counterfeited. It will always take 2 scans (real and fake product) to detect something is wrong. The protection again relies on the back-end servers’ ability to detect that a specific identity is being replayed under suspicious conditions which creates again the undesirable situation where at least one of your consumers will eventually get in touch with a counterfeited product. Would that consumer have a large social community and influence and complain about the terrible experience he had with your (counterfeited) product and you’ll be spending days trying to restore your reputation. Finally, the issue with proprietary solutions is that they are… proprietary. Assuming millions of your products have been stamped with these proprietary QR codes, and the service provider closes business or files for bankruptcy, what are you going to do?
Product authentication and anti-counterfeiting needs to be based:
- on open standards, which will ease transitions in case of service providers’ business failures, avoid vendor lockups and facilitate wider market adoption
- on a security by “open design”, meaning the security does not rely on it being secret and hidden, but instead designed from the ground up to be secure and based on code and methods that are in front of enough people, relying on the efforts of the masses to find and close any security vulnerabilities. All of the most popular open source applications use this method, from WordPress to Linux, and it has been extremely successful
- on protecting customers and consumers at an individual level, preventing even one single product identity replay scenario
- on the most minimal need for customer or consumer education
Now, let us take a look at NFC technology as an alternative solution for product authentication and anti-counterfeiting based on these 4 elements.
- Open standards: NFC is completely standardised under ISO14443 and ISO15693. All NFC-enabled smartphones are compatible with ISO14443. That was 275 million phones in 2013, and more than 1.2 billion by 2018
- Security by open design: many NFC chip manufacturers offer chips with several level of security including symmetric and asymmetric encryption, based on well-known documented encryption algorithms such as 3DES, AES128, GRAIN128, RSA, ECC, … The security protocols are very well documented. Their security lies in the strength of their keys, not in hiding the protocol. Similarly, backend systems managing the keys, identities and content shall be based on standard technologies
- Protecting customers at individual level: encryption coprocessors embedded into NFC chips allow to unilaterally authenticate chips at an individual level. Several of these chips are even certified by external bodies (ANSI, …) and carry certifications (EAL4+, EAL5+, …) making them perfectly suitable for financial transaction and military usage. These are the chips you find into passport, contactless credit cards and contactless transportation tickets. Cryptographic coprocessors on NFC chips makes it nearly impossible for counterfeiters to replicate authentication certificates, or if possible it would be at such a financial cost that the advantages of counterfeiting are lost. It needs to be understood however that NFC chips that are simply password protected can be replicated with reasonable technical and financial efforts that may support the case for counterfeiters.
- Customer education: NFC is extremely simple to use for consumers. Without any application installed, by reading the NFC tag their smartphone can be redirected to a website that explains the product they have in hand is secured by NFC technology, deliver a first set of (marketing) information to the consumer, and invite him to download the appropriate mobile application by simply clicking a link leading to the appropriate app store. The mobile application is then used for authenticating the product based on its digital certificates. This is, at most, a 2 step process as a whole, where the first step doesn’t require any consumer understanding that a specific logo – such as a proprietary QR code – is implemented for which he’ll need to know what application needs to be downloaded. With the whole payment industry moving to NFC enabled smartphones (Apple Pay, Samsung Pay, Google Pay, Huawei Pay, Orange Cash, etc), the consumer education on NFC itself as a technology is accelerated at a tremendous pace.
There are further advantages for using secure NFC over 2D codes:
- Tampering detection: several NFC chips today offer, thru a dedicated detection circuit, the ability to detect whether a product has been opened or not (like a bottle or a package). Thereby, not only does the consumer know his product is genuine (chip authentication), but on top he knows whether the product has been tampered with as well. When it comes to brands deploying the technology on their product, with such opening detection capability they can make the difference between a prospect (such as someone scanning a product in a shop to get more information) and a real customer (who has acquired the product and opened it). Which leads us to the next point:
- Consumer engagement and gray market detection: as we have now understood, secure NFC chips can be used to authenticate a product, however on some markets, typically western ones, we feel like counterfeiting is not really our problem. NFC gives the possibility to enrich the product experience by associating additional value such as product information, usage guidance (think about guidance on cosmetic or pharma products or food pairing for wines and spirits), but seen the chip is secured brands can get into something more personal or of exclusive value, such as participation to consumer communities, VIP privilege clubs, reward programs and contests. As consumers scan, products can be geolocalized thru the mobile application and potential gray market situation detected and reported to the brands while at the same time consumers get into a more personal and rewarding relation with their products, helping increasing sales and, by searching to replicate their digital experience, strengthens your anti-counterfeiting and anti-gray market solution.
With secure NFC, everybody wins. The brands, but indefinitely more important: the consumers as well.