QR Codes, or Quick Response codes, are sophisticated 2D symbologies that let people interact with physical objects using a QR Code enabled mobile device or scanner. The QR Code was invented in 1994 by a Japanese automotive company as a better solution for parts identification than the common barcode. QR Codes usually carry a locator, identifier, or tracker that points to a website or application.
QR Code based authentication systems are now becoming the norm for consumer products. Digital marketers, desperate for a consumer’s contact information, put them on everything in the hope that the buyer will scan the code and connect with them, potentially giving up a valuable email address for future marketing. Giving up that contact information is the additional price the consumer pays to verify that a product is authentic. Our experience has shown that a brand will happily compromise on the security of the authentication system to make it easier for the consumer to give up their email address.
These authentication systems use a QR Code that is printed on the packaging or etched on the product, allowing a consumer to scan the code with a mobile device and receive information about the product in their hand, including its authenticity. What we are going to talk about here is the bus-sized hole in these authentication solutions and what can be done to protect consumers from not only fake products, but also fake authentication systems.
In 2011 Kaspersky Labs reported the discovery of the first malicious QR Code, on a Russian web site [1]. It was presented as a way to download an instant messenger app. The app would send messages to a premium subscriber service, and the cybercriminals could collect between $5 and $10 per message. This kind of fraud has only become more widespread in the years since. Just search “QR Code scam” on YouTube to see examples of how scammers switch the QR Codes on rideshare bicycles to steal people’s money [2].
What’s clear from this is that consumers can’t tell the difference between a real and a counterfeit QR Code. In reality they’re not supposed to; the QR Code was never designed to fight that kind of fraud.
Eighty-four percent of people surveyed by security firm MobileIron last September reported that they had scanned a QR code before, but 71% of those polled said they couldn’t distinguish between legitimate and malicious codes. Who knows how the other 29% thought they could tell which codes were malicious; even the US Army is now issuing warnings about scanning them [4].
I’ll take a minute to differentiate between the closed systems and open systems that scan or read QR Codes. A good example of a closed system is one that requires a special app or restricted access to validate the information in the QR Code. This could be a system in a hospital or airport where the user scanning the QR Code has privileged access to the authentication data. Contrast that with any QR Code you’ll find on a consumer product like ketchup or shampoo. These QR Codes are designed to be scanned by anyone with a mobile device or scanner that reads QR Code data. The latter has no security or privileged access controlling who can read or act on the data. This open QR Code solution is the one most commonly used by consumer authentication systems, because of its ease of use and the low friction for the consumer to engage with the brand.
Let’s dispel a myth at this point. Counterfeiters do not copy the QR Codes from a brand’s products; at least, no counterfeiter who knows what he is doing does, because they don’t need to. It is far easier and more efficient for them to create their own QR Codes using one of the many print or laser applications that support QR Code printing. By creating their own codes they can add any information they want that mimics the brand’s own, and send the user to any website they choose, including a copy of the brand’s own authentication site.
The proliferation of print and laser software capable of printing QR Codes has meant that any commercial printing company can claim to have a product or packaging anti-counterfeit solution, including anyone printing counterfeit packaging.
I’m sure you’re wondering what all this actually means for consumer authentication, and how counterfeiters still scam consumers with fake products when there is a QR Code on the box to tell them whether the product is real or fake. Here are the steps by which a fake authentication solution is put together in an open application for consumer products.
We know counterfeiters already make great copies of a brand’s packaging. Once they have the packaging layout they can get the printer to implement their own QR Code, which carries its own serialization data and points to the counterfeiter’s own website.
The second step is to get a copy of an authentication message from the brand’s own authentication website and implement a fake authentication message in response to scanning the counterfeit QR Code. Now any QR Code that takes the user to the fake website will respond that the product is Authentic. This is really simple to do, even for entry-level software developers.
When the consumer finds the product in the store, they pick it up and see a QR Code. If they’re one of the 0.001% inclined to scan a QR Code, and oblivious to the dangers, they get a message on the device that the product is genuine and happily complete the purchase.
But you say, “my authentication solution has a QR Code that asks the user to download our special app, and is a closed solution!” The response to that is “so what”. If the fake version of the QR Code responds immediately with an “Authentic” message when the user scans it with their camera, why would they go searching for a special app to download? The item has already been declared genuine, right? The brand loses out twice in that case. Firstly, they don’t get the sale of a genuine product, and secondly, they don’t get the highly converted email address that the authentication solution provider promised them. The consumer loses out because they have actually been tricked into authenticating a fake product, and they are lucky if they don’t have personal information stolen or lose money through a digital payment.
It doesn’t matter if your QR Code authentication solution has copy detection either, as that only works if the consumer downloads the enabled app. If the fake QR Code responds with an authentic message, the consumer will never get to the special app anyway.
As you can see, the proliferation of QR Code based authentication solutions has actually given counterfeiters a wonderful way to authenticate their fake products. Consumers have been trained to trust QR Code solutions by brands and label printers with little consideration for the long-term security of their products. By using the QR Code for authentication, the brands have actually made the problem worse for themselves than if they had done nothing.
You may think that this is all theoretical and couldn’t happen in the real world, but you’d be wrong. This is exactly what happened to AMD with their high-end Ryzen processors, which had a QR Code on the box and another QR Code on the product heatsink. PCMag.com reported on this in 2017 [3]. The counterfeiters simply scanned the QR Code from the heatsink of the genuine processor, printed their own version onto the heatsink of a cheap Intel chip with the same physical format, and put the Intel chip back in the original box. The chip didn’t work, but the QR Code said it was authentic. The genuine Ryzen chip was then sold to cryptocurrency mining companies, so in this case the counterfeiters made double the money: first on selling the fake Intel chip and second on selling the genuine item.
How do we overcome this weakness in the current authentication systems? Unfortunately there is no easy way that I can see. Consumers have been trained to scan a QR Code whenever they see one; they’re used on restaurant menus and access systems, and people are even proposing them for COVID passports. Don’t get me wrong, I don’t hate the QR Code, it has endless use cases that are perfect for it. I just think that label and packaging buyers have been misled for far too long by printing companies claiming that a QR Code is suitable as a product authentication tool.
There is going to be the need for a massive education program to help the brands transition their clients to a more robust and secure authentication mechanism that overcomes the issues discussed today. Having a proprietary solution or a closed system that requires the user to download an app or access a web portal is really the price to pay for secure authentication. I would even recommend that whatever app download is necessary be requested of the user without using a QR Code to initiate it. Telling the user to go to a specific URL would be much more secure and harder to defeat than just scanning the QR Code.
Without that, there is no way to protect the consumer and the brand from fake authentication solutions that are using QR Codes as the authentication mechanism.
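As an added illustration (not code from the article or from iTRACE), this is the kind of payload check a closed-system app can run before it ever shows an “Authentic” result: the decoded QR content must be an https URL on the brand’s exact verification host carrying a well-formed serial, and everything else is treated as unverified. The brand host, serial format and sample payloads are constructed placeholders; the check does nothing for the open case the article describes, where a camera app simply opens whatever URL the counterfeiter printed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Placeholders for illustration only: a hypothetical brand verification host
# and serial format. A real closed app would ship these inside the signed app.
TRUSTED_HOSTS = {"verify.brand-example.com"}
SERIAL_RE = re.compile(r"[A-Z0-9]{12}")

def classify_qr_payload(payload: str) -> tuple[str, str]:
    """Return (verdict, reason); only 'trusted' payloads may proceed to a
    server-side serial lookup, and nothing else may ever show 'Authentic'."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "untrusted", "payload is not a parseable URL"
    if parts.scheme != "https":
        return "untrusted", f"scheme {parts.scheme!r} is not https"
    # .hostname is lowercased and excludes userinfo and port, so a payload such
    # as 'https://verify.brand-example.com@evil-example.net/' resolves to the
    # attacker host and fails the exact-match test below.
    host = parts.hostname
    if not host or not host.isascii():
        return "untrusted", "missing or non-ASCII (possible look-alike) host"
    if host not in TRUSTED_HOSTS:
        # Exact match also rejects 'verify.brand-example.com.evil-example.net'.
        return "untrusted", f"host {host!r} is not the brand's verification host"
    if parts.username is not None or parts.password is not None:
        return "untrusted", "URL carries userinfo"
    serial = parse_qs(parts.query).get("s", [""])[0]
    if not SERIAL_RE.fullmatch(serial):
        return "untrusted", "serial missing or malformed"
    return "trusted", f"serial {serial} may now be looked up server-side"

# Constructed sample payloads: one genuine, four modelled on the fake-site
# pattern the article describes (none of these hosts is real).
SAMPLE_PAYLOADS = {
    "genuine": "https://verify.brand-example.com/check?s=ABCDEF123456",
    "lookalike_subdomain": "https://verify.brand-example.com.evil-example.net/check?s=ABCDEF123456",
    "userinfo_trick": "https://verify.brand-example.com@evil-example.net/check?s=ABCDEF123456",
    "plain_http": "http://verify.brand-example.com/check?s=ABCDEF123456",
    "free_text": "This product is 100% Authentic - scan complete",
}

def classify_samples() -> dict[str, str]:
    """Map each sample name to its verdict."""
    return {name: classify_qr_payload(p)[0] for name, p in SAMPLE_PAYLOADS.items()}
```

Only the genuine sample is classified as trusted; the other four, including the URL that merely starts with the brand’s host name, are rejected before any message is shown.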
It’s easy to go online and find warnings from nearly every cybersecurity firm, including Kaspersky Labs, MobileIron and McAfee, about the dangers of scanning QR Codes, but near impossible to find a digital marketer or authentication solution provider who will help a brand or consumer understand those dangers. Until that changes the counterfeiters will continue to win, and we will continue to highlight why a proprietary authentication solution like iTRACE 2DMI® can overcome these issues.
Founder and CEO iTRACE Technologies, Inc.