{"id":1620,"date":"2022-08-02T22:19:33","date_gmt":"2022-08-02T21:19:33","guid":{"rendered":"https:\/\/cms.scantrust.com\/?p=1620"},"modified":"2024-12-30T15:59:43","modified_gmt":"2024-12-30T15:59:43","slug":"secure-qr-code-anti-counterfeiting-solutions","status":"publish","type":"post","link":"https:\/\/cms.scantrust.com\/secure-qr-code-anti-counterfeiting-solutions\/","title":{"rendered":"Secure QR codes for anti-counterfeiting, with examples"},"content":{"rendered":"

Secure QR codes for anti-counterfeiting are now found on products everywhere, as digital printing and smartphone cameras have improved and become more affordable and reliable. The fact that end users reflexively scan QR codes has also contributed to their wide acceptance. This environment has made secure QR codes more scalable and cost-effective than physical security features such as holograms and various taggants. Not all QR codes used for anti-counterfeiting are the same, though: several different solutions for securing QR codes are available, each with different strengths and weaknesses.

This article gathers decades of anti-counterfeit security data to produce an in-depth review of the security features, pros, and cons of using QR codes to detect and protect against counterfeit products and documents.
1. Overview: Types of QR codes used for anti-counterfeiting
2. How counterfeiters typically copy packaging and QR codes
3. Static and dynamic QR code security
4. Serialized (unique) code security
5. Secure QR codes security
6. How to protect against counterfeiters bypassing your QR code
7. How practical it is for users to scan QR codes for product authentication
8. How to choose a QR-code-based anti-counterfeiting solution

Overview of common QR code features and utility in anti-counterfeiting

Figure: Of the above, only 2 types of QR codes have any security feature: serialized QR codes and secure QR codes. Only secure QR codes can enable near-instant verification of a counterfeit product or document. The other types of QR codes above are inherently insecure.

Case study: How Rémy Cointreau uses Secure QR codes

How counterfeiters copy and take advantage of insecure QR codes on packaging

This diagram shows a common example of a counterfeiter successfully copying the packaging, including the QR code, of a product:

Figure: A counterfeiter uses a scanner and printer to create a copy of the original product’s QR code for placement on their counterfeit product’s packaging. If the QR code has no security or anti-counterfeiting features, the customer will still be able to scan the code and see product information as if it were a genuine product.

Example of a counterfeit QR code being detected

The same counterfeiting approach shown above is thwarted by a secure QR code that is resistant to being copied. When an end user or customer scans it, copied packaging or product labels can be detected as counterfeit instantly.

Counterfeiting method: Copy the secure QR code label directly using a high-resolution scanner and printer

Figure: A counterfeiter attempts to scan and print a secure QR code onto the fake product, but the end user is able to detect the unauthorized duplication with any camera-enabled mobile phone.

Not secure and simple to counterfeit: static, dynamic, and non-unique (aka non-serialized) QR codes on packaging

“Static” and “dynamic” are technical terms for the kind of URL which is embedded in a QR code. These features of QR codes don’t intrinsically provide security, though they can make it slightly easier to monitor and potentially shut down counterfeits.

Basic example of dynamic QR code vs. static QR code

Figure: Dynamic and static QR codes are generally non-serialized (not unique); the key difference is that dynamic codes use a redirect URL.

Dynamic QR codes are more common in enterprise use cases due to the ability to “see” all traffic (QR code scans) going through the redirect URL. Another important dynamic QR code feature for enterprises is the ability to change the destination URL as needed and on demand. This characteristic provides flexibility in managing and updating a QR code after the code has been printed. With static QR codes, you’re stuck with the destination URL used, unless you make advanced DNS changes later to redirect users. That approach with static QR codes can be fraught with problems, though, which is why dynamic QR codes are preferred.

As we’ll show in the following detailed example, neither static nor dynamic codes intrinsically provide any security against counterfeiting.

Checking product authenticity of counterfeit, printed static QR codes

Static QR codes are the most basic of QR codes and also the least secure. These codes are often made using free QR code generator tools found online or using a spreadsheet application like Excel. They include an embedded URL that cannot be changed once the code is printed.

Here is an example static QR code counterfeiting scenario:

Context: A consumer encounters a static QR code which has been copied and re-printed by a counterfeiter. These codes are not unique or serialized from one product to the next:

1. Prints static QR codes: A motor oil brand prints the same static QR code on millions of genuine motor oil bottles with a link to the product website.
2. Counterfeiter makes copies of the motor oil packaging, including the QR code.
3. A customer buys a counterfeit product and scans the copied QR code.
4. Customer sees product webpage: The customer is redirected to the same product information website URL as customers who have bought the real product.
5. Result is no mechanism for checking if the product is genuine: There is no easy way for the motor oil brand to distinguish which users on the product information website came from the “real” product or from the “fake”, and thus, no way to alert customers that they’ve obtained a counterfeit product.

In a scenario where a counterfeiter has copied packaging, a document, etc. with a static QR code, the end user is usually unable to visually distinguish the counterfeit QR code. When the URLs on the counterfeit and real packages are all the same, the brand owner cannot confidently distinguish which QR code scans (and thus, hits to the URL) are coming from real products and which from fake ones. At the very least, this pollutes what would have otherwise been useful consumer usage data.

Pros: None! Standard QR codes have no anti-counterfeiting capabilities.

Cons: Any counterfeiter can copy these static QR codes for use on counterfeit products.

Checking product authenticity with Dynamic QR codes

Dynamic QR codes are codes with an intermediary URL embedded in the QR code. These codes redirect the customer to another URL, usually leading to a web page with product or marketing information.

Figure: With dynamic QR codes, the redirect URL can be changed to make the QR code “dynamic” even after it’s printed. Namely, the product information website destination can be changed on the fly to direct users one way or another, for example to a different marketing campaign, as needed.

Here is an example dynamic QR code counterfeiting scenario, assuming the codes are not unique from one product to the next:
1. Print dynamic QR codes: A motor oil brand prints a dynamic QR code on each batch of hundreds of thousands of products for a total of millions of motor oil bottles (NB: oftentimes, one dynamic code is used on all products, not different ones by batch; this practice offers less security and utility).
2. A counterfeiter copies a product and packaging, including the dynamic QR code, from one batch of motor oil.
3. A customer buys a counterfeit product and scans the counterfeit dynamic QR code.
4. Customer sees product webpage: The counterfeit dynamic QR code redirects the customer to the intended product information website URL, just as would occur with customers that bought the genuine product.
5. Result is no ability to check if product is genuine: Neither the brand nor the consumer has an easy way to distinguish which site visitors came from the real product and which from the counterfeit. Thus there’s no way to know which of the dynamic QR codes (which batch) was counterfeit. Finally, there’s no way to notify customers that they’ve purchased a counterfeit product.

Can you spot the fake?

Figure: An original print and a photocopy of the same QR code. Both contain the same URL https://st4.ch/q/HZO2K23G5xnl redirecting the user to the same content, and it’s virtually impossible for anyone to tell the difference between them with the naked eye.

Note that in the above flow, the brand could have used a different static QR code for each batch as well. Taken together, the above two examples illustrate that static and dynamic QR codes do not provide significantly different levels of protection.

Pros: The brand may eventually get a bit more information on which batch was counterfeit, but otherwise has little recourse.

Cons: A counterfeiter is not particularly dissuaded from copying such a dynamic QR code to use and sell counterfeit products.

Verifying a counterfeit product with serialized (unique) codes on packaging

Serialized QR codes are unique from one product or document to the next. The links embedded in them may be static (point to a URL that can’t be changed once printed) or dynamic (can be changed after the code is printed, through an intermediary, redirect URL).

Here’s an example counterfeiting scenario using dynamic, serialized (unique) QR codes:
1. Print unique, dynamic QR codes: A motor oil brand puts a unique serial number into a dynamic QR code on every bottle.
2. A counterfeiter makes copies of the bottle packaging of one product, including the unique, dynamic QR code.
3. Customers buy counterfeit products and some scan the counterfeit QR code.
4. Customers scan the QR code and try to authenticate the product. The product is only identified as counterfeit if the code is blacklisted by the brand, which usually happens after thousands of counterfeit products have already been bought and scanned in the wild.
5. The brand gathers anti-counterfeiting data, including the individual motor oil bottle’s unique QR code which has been scanned hundreds of times, in many different locations.
6. Eventually, the brand identifies a specific QR code which is counterfeit, and using their anti-counterfeiting solution, changes the information displayed to any future scans of this code to “this is a counterfeit product.” This is called “blacklisting.”
7. The brand gathers geographic information on the scan location, where the product may have been purchased, and pictures, and otherwise gathers evidence for pursuing legal action against the counterfeiters.

Note: In this example, the QR code is on the outside of the packaging, which makes it possible that many scans are done pre-sale. When the QR code is hidden within the packaging, such as under a cap, the likelihood of pre-sale scans is reduced to zero, making duplicate scans even more indicative of a counterfeit.
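The serialized-code workflow above (count scans per unique code, flag a code scanned too often or in too many places, then blacklist it) can be sketched as follows. This is an added example, not Scantrust's code: the thresholds, the automatic blacklisting step, and the sample scan events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical thresholds; the article does not give concrete numbers.
MAX_SCANS = 3    # scans of one serial before it looks suspicious
MAX_CITIES = 2   # distinct scan locations before it looks suspicious

WARNING = "this is a counterfeit product"
PRODUCT_PAGE = "product information page"


def replay(scans, max_scans=MAX_SCANS, max_cities=MAX_CITIES):
    """Process (serial, city) scan events in order, as a redirect server would.

    Returns (responses, blacklist): what each scanner was shown, and the
    serials blacklisted once their scan pattern crossed a threshold.
    """
    counts = defaultdict(int)
    cities = defaultdict(set)
    blacklist = set()
    responses = []
    for serial, city in scans:
        counts[serial] += 1
        cities[serial].add(city)
        if counts[serial] > max_scans or len(cities[serial]) > max_cities:
            blacklist.add(serial)
        responses.append(WARNING if serial in blacklist else PRODUCT_PAGE)
    return responses, blacklist


def missed_before_blacklisting(scans, responses, serial):
    """Count scans of `serial` that were still shown the product page."""
    return sum(1 for (s, _), r in zip(scans, responses)
               if s == serial and r == PRODUCT_PAGE)


# Constructed sample data: "A100" and "C300" are genuine bottles scanned once;
# "B200" was copied onto many counterfeit bottles sold in several cities.
SAMPLE_SCANS = [
    ("A100", "Lyon"),
    ("B200", "Lyon"),
    ("B200", "Hanoi"),
    ("B200", "Lagos"),
    ("B200", "Lagos"),
    ("C300", "Hanoi"),
]

if __name__ == "__main__":
    responses, blacklist = replay(SAMPLE_SCANS)
    print(sorted(blacklist), missed_before_blacklisting(SAMPLE_SCANS, responses, "B200"))
```

The scans counted by `missed_before_blacklisting` are the detection gap the scenario describes: every scan of a copied code before the threshold trips is shown the normal product page.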
