
Secure QR codes for anti-counterfeiting, with examples

Anti-counterfeiting on product packaging is already being used in several major industries including lubricants, pharmaceutical, cosmetics, and electronics. Different situations and products merit a different solution and approach. This article reviews several of the most effective, proven options available to companies.

Secure QR codes for anti-counterfeiting are found on products everywhere, as digital printing and smartphone cameras have improved and become more affordable and reliable. The fact that end users reflexively scan QR codes has also contributed to their wide acceptance. This environment has made secure QR codes more scalable and cost-effective than physical security features such as holograms and various taggants. Not all QR codes used for anti-counterfeiting are the same, though – several different solutions for securing QR codes are available, each with different strengths and weaknesses.

This article gathers decades of anti-counterfeit security data to produce an in-depth review of the security features, pros, and cons of using QR codes to detect and protect against counterfeit products and documents.

  1. Overview: Types of QR codes used for anti-counterfeiting
  2. How counterfeiters typically copy packaging and QR codes
  3. Static and dynamic QR code security
  4. Serialized (unique) code security
  5. Secure QR codes security
  6. How to protect against counterfeiters bypassing your QR code
  7. How practical it is for users to scan QR codes for product authentication
  8. How to choose a QR-code-based anti-counterfeiting solution

Overview of common QR code features and utility in anti-counterfeiting

QR codes and security features
Of the above, only 2 types of QR codes have any security feature: serialized QR codes and secure QR codes. Only secure QR codes can enable near-instant verification of a counterfeit product or document. The other types of QR codes above are inherently insecure.

How counterfeiters copy and take advantage of insecure QR codes on packaging

This diagram shows a common example of a counterfeiter successfully copying the packaging, including the QR code, of a product:

A counterfeiter uses a scanner and printer to create a copy of the original product’s QR code for placement on their counterfeit product’s packaging. If the QR code has no security or anti-counterfeiting features, the customer will still be able to scan the code and see product information as if it was a genuine product.

Example of a counterfeit QR code being detected

The same counterfeiting approach shown above is thwarted by a secure QR code, which is resistant to being copied. When an end-user or customer scans it, copied packaging or product labels can be detected as counterfeit instantly.

Counterfeiting method: Copy the secure QR code label directly using a high-resolution scanner and printer

A counterfeiter attempts to scan and print a secure QR code onto the fake product, but the end-user is able to detect the unauthorized duplication with any camera-enabled mobile phone.

Not secure and simple to counterfeit: static, dynamic, and non-unique (aka non-serialized) QR codes on packaging

“Static” and “dynamic” are technical terms for the kind of URL which is embedded in a QR code. These features of QR codes don’t intrinsically provide security, though they can make it slightly easier to monitor and potentially shut down counterfeits.

Basic example of dynamic QR code vs. static QR code

Dynamic and static QR codes are generally non-serialized (not unique); the key difference is that dynamic codes use a redirect URL.

Dynamic QR codes are more common in enterprise use cases due to the ability to “see” all traffic (QR code scans) going through the redirect URL. Another important Dynamic QR code feature for enterprise is the ability to change the destination URL as needed and on demand. This characteristic provides flexibility in managing and updating a QR code after the code has been printed. With static QR codes, you’re stuck with the destination URL used—unless you make advanced DNS changes later to redirect users. That approach with static QR codes can be fraught with problems though, which is why dynamic QR codes are preferred.

As we’ll show in the following detailed examples, neither static nor dynamic codes intrinsically provide any security against counterfeiting.

Checking product authenticity of counterfeit, printed static QR codes

Static QR codes are the most basic of QR codes and also the least secure. These codes are often made using free QR code generator tools found online or using a spreadsheet application like Excel. They include an embedded URL that cannot be changed once the code is printed.

Here is an example static QR code counterfeiting scenario:

Context: A consumer encounters a static QR code which has been copied and re-printed by a counterfeiter. These codes are neither unique nor serialized from one product to the next:

  1. Brand prints static QR codes: A motor oil brand prints the same static QR code on millions of genuine motor oil bottles with a link to the product website.
  2. A counterfeiter makes copies of the motor oil packaging, including the QR code.
  3. A customer buys a counterfeit product and scans the copied QR code.
  4. Customer sees product webpage: The customer is redirected to the same product information website URL as customers who have bought the real product.
  5. Result is no mechanism for checking if the product is genuine: There is no easy way for the motor oil brand to distinguish which users on the product information website came from the “real” product or from the “fake”, and thus no way to alert customers that they’ve obtained a counterfeit product.

In a scenario where a counterfeiter has copied packaging, a document, etc. with a static QR code, the end-user is usually unable to visually distinguish the counterfeit QR code. When the URLs on the counterfeit and real packages are all the same, all things being equal, it would be difficult for the brand owner to confidently distinguish which QR code scans (and thus, hits to the URL) are coming from real products or fake ones. At the very least, this pollutes what would have otherwise been useful consumer usage data.

Pros: None! Standard QR codes have no anti-counterfeiting capabilities.

Cons: Any counterfeiter can copy these static QR codes for use on counterfeit products.

Checking product authenticity with Dynamic QR codes

Dynamic QR codes are codes with an intermediary URL embedded in the QR code. These codes redirect the customer to another URL, usually leading to a web page with product or marketing information.

With dynamic QR codes, the redirect URL can be changed to make the QR code “dynamic” even after it’s printed. Namely, the product information website destination can be changed on the fly to direct users one way or another, for example to a different marketing campaign, as needed.

Here is an example dynamic QR code counterfeiting scenario, assuming the codes are not unique from one product to the next:

  1. Print dynamic QR codes: A motor oil brand prints a dynamic QR code on each batch of hundreds of thousands of products for a total of millions of motor oil bottles (NB: oftentimes, one dynamic code is used on all products, not different ones by batch—this practice offers less security and utility).
  2. A counterfeiter copies a product and packaging, including the dynamic QR code, from one batch of motor oil.
  3. A customer buys a counterfeit product and scans the counterfeit dynamic QR code.
  4. Customer sees product webpage: The counterfeit dynamic QR code redirects the customer to the intended product information website URL, just as would occur with customers that bought the genuine product.
  5. Result is no ability to check if product is genuine: Neither the brand nor the consumer has an easy way to distinguish which site visitors came from the real product and which from the counterfeit. Thus, in the end, there’s no way to know which of the dynamic QR codes (which batch) was counterfeit, and no way to notify customers that they’ve purchased a counterfeit product.

Can you spot the fake?

An original print and a photocopy of the same QR Code. Both contain the same URL https://st4.ch/q/HZO2K23G5xnl redirecting the user to the same content, and it’s virtually impossible for anyone to tell the difference between them with the naked eye.

Note that in the above flow, the brand could have used a different static QR code for each batch as well. Taken together, the above two examples illustrate that static and dynamic QR codes do not provide significantly different levels of protection.

Pros: The brand may eventually get a bit more information on which batch was counterfeit, but otherwise has little recourse.

Cons: A counterfeiter is not particularly dissuaded from copying such a dynamic QR code to use and sell counterfeit products.

Verifying a counterfeit product with serialized (unique) codes on packaging

Serialized QR codes are unique from one product or document to the next. The links embedded in them may be static (point to a URL that can’t be changed once printed) or dynamic (can be changed after the code is printed, through an intermediary, redirect URL).

Here’s an example counterfeiting scenario using dynamic, serialized (unique) QR codes:

  1. Print unique, dynamic QR codes: A motor oil brand puts a unique serial number into a dynamic QR code on every bottle.
  2. A counterfeiter makes copies of the bottle packaging of one product, including the unique, dynamic QR code.
  3. Customers buy counterfeit products and some scan the counterfeit QR code.
  4. Customers scan the QR code and try to authenticate the product. The product is only identified as counterfeit if the code is blacklisted by the brand, which usually happens after thousands of counterfeit products have already been bought and scanned in the wild.
  5. The brand gathers anti-counterfeiting data including the individual motor oil bottle’s unique QR code which has been scanned hundreds of times, in many different locations.
  6. Eventually, the brand identifies a specific QR code which is counterfeit, and using their anti-counterfeiting solution, changes the information displayed to any future scans of this code to, “this is a counterfeit product.” This is called “blacklisting.”
  7. The brand gathers geographic information on the scan location, where the product may have been purchased, and pictures, and otherwise gathers evidence for pursuing legal action against the counterfeiters.

Note: In this example, the QR code is on the outside of the packaging which makes it possible that many scans are done pre-sale. When the QR code is hidden within the packaging, such as under a cap, the likelihood of pre-sales scans is reduced to zero, making duplicate scans even more indicative of a counterfeit.

Serialized QR codes provide data invaluable for anti-counterfeiting efforts

Example of counterfeit product data one can see in an anti-counterfeiting solution using serialized QR codes. The above screenshot is of the Scantrust platform.

The above image shows real-world scan data from a single serialized QR code scanned 234 times by 163 unique scanners. The geographical distribution of the scans gives a good indication that the users scanning the products are distinct. This particular code was flagged as a “suspected counterfeit” well before 234 scans were recorded, but at this point, it’s more or less a certainty that there is a counterfeit problem.

This data can mean the difference between a company having legal options against counterfeiters or having none. What’s most interesting about this real-world example is that the original purpose of serializing QR codes on the brand’s products wasn’t to address a counterfeit problem. They were applied to drive personalized, segmented marketing campaigns, another function for which serialized QR codes are useful. In this case, the brand owner did not at all suspect they had a counterfeit problem!
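The duplicate-scan signal described in this section can be computed from a scan log. The following is an added example, not Scantrust's code or algorithm: it flags a serialized code once it has been scanned by too many distinct devices or across too wide an area, and honours an existing blacklist. The thresholds, field names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from math import radians, sin, cos, asin, sqrt

# Constructed thresholds (assumptions, not values from the article).
MAX_DEVICES = 3        # distinct scanners tolerated for one serialized code
MAX_SPREAD_KM = 500.0  # greatest distance tolerated between any two scans

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(min(1.0, h)))

def assess_scans(events, blacklist=frozenset()):
    """Group scan events by serial number and return {serial: verdict}."""
    by_serial = defaultdict(list)
    for e in events:
        by_serial[e["serial"]].append(e)
    verdicts = {}
    for serial, scans in by_serial.items():
        if serial in blacklist:
            # Already confirmed by the brand: every future scan is a counterfeit.
            verdicts[serial] = "blacklisted"
            continue
        devices = {s["device"] for s in scans}
        points = [(s["lat"], s["lon"]) for s in scans]
        spread = max((haversine_km(p, q) for p in points for q in points), default=0.0)
        if len(devices) > MAX_DEVICES or spread > MAX_SPREAD_KM:
            verdicts[serial] = "suspected_counterfeit"
        else:
            verdicts[serial] = "ok"
    return verdicts

# Constructed sample scan log (hypothetical serials, devices and coordinates).
SAMPLE_EVENTS = [
    {"serial": "A1001", "device": "d1", "lat": 47.37, "lon": 8.54},
    {"serial": "A1001", "device": "d1", "lat": 47.38, "lon": 8.55},    # owner rescans
    {"serial": "B2002", "device": "d2", "lat": 31.23, "lon": 121.47},
    {"serial": "B2002", "device": "d3", "lat": 39.90, "lon": 116.40},
    {"serial": "B2002", "device": "d4", "lat": 23.13, "lon": 113.26},
    {"serial": "B2002", "device": "d5", "lat": 30.57, "lon": 104.07},  # 4 devices, 4 cities
    {"serial": "C3003", "device": "d6", "lat": 48.85, "lon": 2.35},
]

if __name__ == "__main__":
    print(assess_scans(SAMPLE_EVENTS))
```

A code printed on the outside of the packaging needs looser thresholds than one hidden under a cap, because pre-sale scans are expected there.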

Strongest protection: Secure QR codes with an embedded security image

Secure QR Code: A serialized QR code with an embedded security image

A copy detection pattern, also known as a copy-resistant image or embedded security image, is a digital image designed to lose key information when copied and re-printed, thus signaling that it is a copy. It’s just like using a photocopy machine: the copy never looks as good as the version you printed from your inkjet printer.

Using this principle, it’s possible to insert a randomly-generated security image into a portion of the QR code, making it a “secure” QR code that can be authenticated as the original.

Once the secure QR code is copied by a counterfeiter, it loses key information, which makes it possible to detect the code as counterfeit.

When counterfeiters copy secure QR codes, the result is detectable using a simple mobile phone camera.

Here is an example wherein a customer buys a counterfeit product with a Secure QR code (it has a security image embedded in the QR code):

  1. Print or apply secure QR codes. A motor oil brand puts a Secure QR code on every bottle.
  2. A counterfeiter copies the bottle packaging of one product, including the Secure QR code.
  3. Several customers buy counterfeit motor oil products and scan the counterfeit QR code directly.
  4. The customer checks the authenticity by following on-screen instructions in the product authentication web or mobile app.
  5. The anti-counterfeiting solution identifies the Secure QR code as a “lossy” fake.
  6. The customer is notified of the counterfeit and the brand is alerted.
  7. The surrounding QR code is blacklisted so that all future scans of it also result in the customer being informed that it is a counterfeit product.

Why can’t counterfeiters just use their own QR codes to bypass the serialized or secure QR code altogether?

In the following example, a sophisticated counterfeiter attempts to bypass the secure QR code.

Counterfeiting method: Copy the packaging but replace the QR code with one controlled by the counterfeiter

Here, the QR code for anti-counterfeiting is replaced altogether with a QR code created by the counterfeiter and placed on the counterfeit product in an attempt to completely bypass any of the original QR code’s security features.

The counterfeiter is using their own QR code, domain name, and website, and thus controls the full journey of a customer or user who scans the counterfeit product’s QR code. The domain name is often a slightly altered spelling of the brand’s or anti-counterfeiting technology provider’s actual website and is easy to mistake for an official authentication website.

Even in this scenario, using serialized QR codes or a secure QR code in a well-designed anti-counterfeiting program enables the brand owner to use crowdsourcing to detect the counterfeit products in-market. This is because a well-designed anti-counterfeiting program will provide two ways to authenticate:

  1. Users can authenticate by directly scanning a QR code. This can be circumvented by a counterfeiter who completely replaces your serialized or secure QR code with theirs, and sends the user to their own fake website.
  2. Users can authenticate by first visiting a trusted channel for authentication, such as an official web or mobile app or social media account, and then begin the authentication process there.

Let’s flesh these out in more detailed examples:

“Untrusted channel” scenario: User authenticates by directly scanning a QR code made by the counterfeiter (i.e., it’s not a copy of a genuine product’s code). This sophisticated counterfeit is not detected:

The user is scanning the QR code directly, opening them up to being the victim of a sophisticated counterfeiter who uses their own fake QR code and product verification website.

“Trusted channel” scenario: User first visits a trusted channel (official mobile app or website) then scans the QR code within that web or mobile app. The sophisticated counterfeit is detected.

By using the “trusted channel” approach outlined in the second example above in your anti-counterfeiting program, supported by the right anti-counterfeiting analytics and case management platform, you can “crowdsource” counterfeit data collection and detection, and use that information for domain name takedowns and legal action.
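One check a trusted-channel app can run on the URL decoded from a scanned code is sketched below as an added example (not code from Scantrust or any brand). It accepts only an exact official host over HTTPS and labels slightly altered spellings or hosts that embed the official name as look-alikes to report. The host `verify.example-brand.com` and the distance threshold are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical official authentication host (assumption for this example).
OFFICIAL_HOSTS = {"verify.example-brand.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot slightly altered spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_scanned_url(url):
    """Return 'official', 'lookalike' or 'unknown' for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        userinfo = (parts.username or "").lower()
    except ValueError:
        return "unknown"
    # Only an exact host match over HTTPS counts as the brand's own code.
    if host in OFFICIAL_HOSTS:
        return "official" if parts.scheme == "https" else "unknown"
    for official in OFFICIAL_HOSTS:
        # Near-miss spelling of the official host (threshold is an assumption).
        if edit_distance(host, official) <= 2:
            return "lookalike"
        # Official name used as a subdomain prefix or placed before an '@'.
        if official in host or official in userinfo:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for u in ("https://verify.example-brand.com/q/ABC123",
              "https://verify.examp1e-brand.com/q/ABC123",
              "https://shop.unrelated.example/p/1"):
        print(u, "->", classify_scanned_url(u))
```

Both the `lookalike` and `unknown` results are worth recording with the scan location, since they are the crowdsourced evidence the brand uses for domain takedowns and legal action.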

How practical is it for consumers to scan QR codes on packaging to authenticate a product?

As a rule of thumb, between 1% and 20% of products with a QR code are scanned by an end-user, varying widely by market, product category, and the incentive or use case for scanning the code. There are use cases where the scan rate can be higher than 20% – for example, warranty registration or to claim a reward. A successful connected packaging solution rollout requires designing a connected packaging approach that will make it easy for your customers to authenticate your products and understand the benefits of doing so.

How do you choose the right QR code security technology for anti-counterfeiting on products?

Generally, there are a few key considerations when deciding what QR code security level to use.
