QR codes are used just about everywhere, but it wasn’t until they went mainstream in Japan, South Korea, and China before the rest of the world caught on. In those countries, where consumer use of QR codes was pioneered, QR codes became a preview for how these humble codes can become part of the social fabric. It seems no time was wasted in learning from those examples. COVID-19 and measures to control the pandemic have brought new attention to some of the use cases for QR codes. In mainland China, QR codes displayed on mobile device screens are used as an indicator of health status to limit the spread of the virus while allowing healthy citizens to go about their business without restrictions. Similar schemes have been applied in other countries, including Australia. They are also being used more widely for contactless payments and even contactless, automated menu systems as people order take-out at restaurants. They are also picking up steam as a feature on more and more product packaging for easy access to product related websites, for frequently updating supply chain data and visibility, and they are now a tool that protects consumers and brands from counterfeits. The key to using QR codes as a tool for brand protection lies in the normalizing of QR codes as a way to check or monitor authenticity. That’s been a challenge until now though since it’s well understood that it’s very easy to make a copy of a regular, printed QR code that is indistinguishable from the original.

An original print and a photocopy of the same dynamic QR Code. Both contain the same URL https://st4.ch/q/HZO2K23G5xnl redirecting the user to relevant content.

A standard QR code was never meant to be used for anti-counterfeiting purposes but there is so much convenience in that they can store information for leading someone scanning to useful and interesting information. To take advantage of that convenience while satisfying use cases that have a security requirement, QR codes can be modified or upgraded using several methods: 

  1. 1. Using serialized QR codes: statistical counterfeit detection
  2. 2. Adding optical security elements: upgrading with “physical” security
  3. 3. Embedding a secure graphic: using “marking technology” for intrinsic protection against copies

Serialized QR codes

Serialized QR codes are used to convey origin and transit information about products at the unit-level. Governments, product manufacturers, distributors, retailers, and consumers can all receive and update details about a specific product with serialization because each unit has a unique identification. When serialized labels are tied to production batches, tasks like targeted marketing or product recalls, become very easy to do. For example if you want to have 1/3 of your products set to send buyers to a website in Brazilian Portuguese when they are scanned, and the rest to an English language site, it is as simple as updating settings for the serial numbers in each region. Serialized QR codes can also form the basis for triggering counterfeit risk alerts. An unusually high number of scans on any single serialized QR code would indicate that an item has been copied and distributed and perhaps sold illegally. This is how serialized codes offer brand protection, but they could very well help save lives when counterfeit products threaten health as in the pharmaceutical industry.

The image below shows a view from a the reporting dashboard that our clients see as a real-time updating summary of what’s happening with their goods or products that bear serialized QR codes.

a view from the Scantrust business intelligence dashboard
a view from the Scantrust business intelligence dashboard

In this example, the scan data comes from a single serial QR code that was scanned 234 times by 163 unique scanners. Geographical distribution of the scans gives a good indication that the users who scanned the products are distinct. In fact, this code was flagged as “suspected counterfeit” well before 234 scans were recorded but what’s important to keep in mind is that the original purpose in this example wasn’t even anti-counterfeiting. The serializded QR codes were meant to facilitate user engagement – the brand owner didn’t even suspect they had a counterfeit problem, yet they fortunately discovered that they did and then had a chance to take action before the problem got completely out of control. 

This kind of information can mean the difference between a company having limited or no options to being able to trace hone in on where the counterfeits are being produced and a much better idea of when they entered the market. Brand protection teams can monitor this information as it changes in real-time, flag counterfeiters, and use the intelligence to disrupt counterfeiting operations. Using investigators to gather the same kind of details is of course useful, but it is also costly and time consuming and in the end it may not turn up any results at all. It doesn’t have to be that way. Using serialized QR codes we are able to capture useful intelligence even as a byproduct of an application where detecting counterfeits isn’t the priority.

Statistical bias can be minimized with serialized QR codes too. When gathering product consumption data, such as in mystery shopping and market surveys, an approach relying on QR code scans is the way to go. A system that extracts and visualizes scan data combined with machine learning algorithms for extracting insights and alerting relevant stakeholders is proven to be more effective.

But serialized QR codes are not perfect: unlike QR codes displayed on a digital screen in payment applications or two-factor authentication (2FA), printed and serialized codes are static for the lifetime of the product. This leaves them wide open to copying and being used repeatedly in a way that usually wouldn’t trigger a counterfeit alert immediately. Equally worrying is that as serialization becomes more widely used for anti-counterfeiting efforts, criminals will certainly adapt: it’s only a matter of time. If a counterfeiter captures and uses one hundred different valid QR codes instead of just one code copied 100 times, each counterfeit code is likely to be scanned only a few times as opposed to 100 times. Hacking this isn’t rocket science, it’s just a cumbersome speed bump. Even if some QR codes are correctly flagged as suspicious at lower scan rates, the brand protection team gets much closer to connecting the different flagged codes to the originating counterfeiters but they don’t just get an address and a phone number. At the individual product and package level, QR code serialization has substantial benefits, but still more robust measures are needed for some applications. Fortunately, those are available.

An additional physical security element: optical security

QR codes can also be combined with a physical security element like a hologram or optically variable ink. You may have seen optically variable ink: they colors in the designs will change at different viewing angles such that replicating the same effect becomes yet another challenge for counterfeiters. Working demonstrations of this approach typically display instructions on the user’s device once a code has been scanned. In this way, the user is told what to expect when evaluating the optical security feature, hopefully ending up with an accurate verification of the graphic. Consumers typically aren’t going to be familiar with this verification process, so there isn’t much of a way around this. The responsibility of authentication lies in the hands of the consumer though and that’s not ideal. Providing users with instructions is helpful information, but it also offers a nicely packaged and detailed blueprint for counterfeiters to copy and defeat the security feature. That’s not great.

Variable ink security features can be verified by physically turning the image

To improve the burden on users trying to authenticate these kinds of optical features with a mobile phone, there is an opportunity to trigger on-screen prompts directing the user to correctly position their mobile device, in other words to tilt it this way or that or to move away from shadows.  There’s still a problem here though. Optical security feature authentication can verify the presence of an optical feature, but it can’t distinguish an original security feature from a copy. The bar can be raised slightly by using a different security feature for every single QR code, but that’s usually going to be out of scope for most anti-counterfeiting efforts. What’s worse is that simple nail varnish has been enough to fool some optical security verification applications. Cost and implementation complexity of these features, including scaling to multiple production sites, are also challenges. With that in mind, some other copy protection is likely needed.

Anti-counterfeiting with secure graphics

irreversible information loss in a Scantrust developed secure graphic

Copy detection patterns, or secure graphics, are digital images optimally designed to irreversibly lose information when they are copied and printed. Copies always contain less information than original prints. By inserting a randomly generated secure graphic into the digital image of a QR code, it becomes a secured QR code that takes advantage of this basic but impressive copy protection.

inserting a secure graphic into a QR code creates intrinsic copy protection

This is a mature technology already deployed in many industries and markets and it is growing because it is far more efficient to integrate with packaging than physical security features, like holograms. Serialization is not a dependency either: you can add it or not. It’s also very scalable – every single unit is protected against copy by the same principle, even if the same QR code is literally printed billions of times.

When secured QR codes were introduced years ago, it was the only technology designed with the goal to be authenticated in real-time with a smartphone and without any specialized equipment. Today there are already several competing technologies, most of them using digital watermarks or unique fingerprints. These appear to offer a seemingly similar core functionality, yet Scantrust secured QR codes stand, particularly in terms of implementation costs. Regardless of which solution you choose for your business anti-counterfeit and brand protection initiatives, now is the time to consider secured QR codes as an economical and effective defense against counterfeiting.