QR codes are used all over the world, but they were adopted first in East Asia, especially China, Japan, and South Korea. In those countries where wider QR code usage was pioneered, they are already part of the social fabric. The rest of the world is quickly learning from those examples. COVID-19 and measures to control the pandemic have brought new attention to just how useful QR codes can be. That may sound counterintuitive at first, but it shouldn’t be. In mainland China, QR codes displayed on mobile device screens are used as an indicator of health status to limit the spread of the virus while allowing healthy citizens to go about their business without restrictions. Similar schemes have been applied in other countries, including Australia. QR codes are also being used more widely for contactless payments and even contactless, automated menu systems for ordering in restaurants. It’s clear that QR codes have really hit their stride. They are also proving to be very useful when placed on product packaging. QR codes on packaging provide easy access to product-related websites, give businesses supply chain intelligence and visibility, and can even help protect consumers and brands. The key to using QR codes for protecting brands is that QR codes need to be trusted as an indicator for when a product is counterfeit. That’s been a challenge until now though, as it is well understood that a copy of a regular, printed QR code is indistinguishable from an original code.
More demanding QR code use cases require the codes to be modified or upgraded. There are 3 ways that this can be done, making them useful in detecting counterfeits and in doing so, helping put a stop to counterfeiting:
1. Statistical counterfeit detection using serialized QR codes
2. Optical security elements added next to QR codes for more physical security
3. Secure graphic embedding for intrinsic protection against copies
Statistical counterfeit detection with serialized QR codes
Serialized QR codes are used to convey origin and transit information about products at the individual unit-level. Government entities, product manufacturers, distributors, retailers, and consumers can all record and receive details about a specific product more easily because serialization allows for unique identification of products. When serialized labels are tied to production batches, many tasks, like targeted marketing or product recalls, become manageable affairs. As a bonus, serialized QR codes can trigger alerts regarding counterfeits in the market. An unusually high number of scans of any one serial QR copied from a legitimate product would indicate that an item has been copied and distributed or sold into the market. As you might imagine, this could very well help save lives in industries like pharmaceuticals.
The image below shows a view from the Scantrust Business Intelligence Dashboard and reveals what Scantrust clients can see when they have Scantrust serialized QR codes on their goods or product packaging.
The scan data displayed comes from a single serial QR code. The system registered and shows that a single QR code was scanned 234 times by 163 unique scanners. These numbers need to be interpreted by looking at the geographical distribution of scans, or the number of different users who made scans. In fact, the code was flagged as “suspected counterfeit” well before 234 scans were recorded. Keep in mind that the original purpose of implementing the serialized QR codes in this case was user engagement and not at all anti-counterfeiting – the brand owner didn’t at all suspect they had a counterfeit problem, yet they discovered that they did.
The data displayed can mean the difference between a company having limited or no options for finding out where the counterfeits are being produced and when they entered the market. Brand protection teams can monitor this information as it changes in real time, flag counterfeiters, and use the intelligence to disrupt counterfeiting operations. Using investigators to gather similar data is costly and time consuming and may not turn up any results at all. It doesn’t have to be that way. Using serialized QR codes we are able to capture useful data even as a byproduct of an application where detecting counterfeits isn’t the priority.
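The per-serial check described above can be sketched as a streaming detector that raises the flag as soon as one serial's scan pattern stops looking like a single physical unit. This is an added example, not Scantrust's code: the `Scan` fields, the thresholds and the region labels are assumptions, and the sample data is constructed to reuse the 234 scans and 163 scanners mentioned above.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Scan:
    serial: str      # serial number carried by the QR code
    scanner_id: str  # pseudonymous device identifier (assumed field)
    region: str      # coarse scan location (assumed field)

# Assumed alert thresholds for one physical unit; tune per product and market.
MAX_SCANS = 20
MAX_UNIQUE_SCANNERS = 10
MAX_REGIONS = 2

def first_flags(scans):
    """Process scans in arrival order.

    Returns {serial: (scan_count_when_flagged, reason)} so the alert fires
    as soon as a serial crosses a threshold, not after the fact.
    """
    state = defaultdict(lambda: {"n": 0, "scanners": set(), "regions": set()})
    flagged = {}
    for s in scans:
        st = state[s.serial]
        st["n"] += 1
        st["scanners"].add(s.scanner_id)
        st["regions"].add(s.region)
        if s.serial in flagged:
            continue  # keep counting, but report only the first alert
        if len(st["regions"]) > MAX_REGIONS:
            flagged[s.serial] = (st["n"], "geographic spread")
        elif len(st["scanners"]) > MAX_UNIQUE_SCANNERS:
            flagged[s.serial] = (st["n"], "unique scanners")
        elif st["n"] > MAX_SCANS:
            flagged[s.serial] = (st["n"], "scan volume")
    return flagged

def sample_scans():
    """Constructed data: a genuine unit, plus a serial with 234 scans from 163 devices."""
    genuine = [Scan("SN-0001", f"dev-a{i % 2}", "R1") for i in range(4)]
    copied = [Scan("SN-0002", f"dev-b{i % 163}", ["R1", "R2", "R3", "R4"][i // 60])
              for i in range(234)]
    return genuine + copied

if __name__ == "__main__":
    for serial, (n, reason) in first_flags(sample_scans()).items():
        print(f"{serial}: suspected counterfeit after {n} scans ({reason})")
```

With these assumed thresholds the copied serial is flagged at its 11th scan, long before the full 234 are recorded, while the genuine unit is never flagged.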
Statistical bias in product consumption data, for example when conducting mystery shopping and market surveys, is minimized with an approach relying on QR code scans too. With the right system for extracting and visualizing scan data, as well as machine learning algorithms for extracting insights and alerting relevant stakeholders, serialization with an alerting system is more effective than forensic or covert anti-counterfeiting technologies, even though those technologies are designed specifically to make copying difficult. Those security elements cannot be detected easily or at all with the naked eye. Special equipment is required for verification and often specialized staff is needed as well. Serialized QR codes require none of that.
But serialized QR codes are not perfect: unlike QR codes displayed on a digital screen in payment applications or two-factor authentication (2FA), printed and serialized codes are static for the lifetime of the product. This leaves them wide open to copying and being used repeatedly in a way that usually wouldn’t trigger a counterfeit alert immediately. Equally worrying is that as serialization becomes more widely used for anti-counterfeiting efforts, criminals will certainly adapt: it’s only a matter of time. If a counterfeiter captures and uses one hundred different valid QR codes instead of just one code copied 100 times, each counterfeit code is likely to be scanned only a few times as opposed to 100 times. Hacking this isn’t rocket science, it’s just cumbersome. Even if some QR codes are correctly flagged as suspicious at lower scan rates, it will still be difficult for a brand protection team to connect the different flagged codes to the originating counterfeiters. At the individual product and package level, QR code serialization has substantial benefits, yet more robust measures are needed for some applications.
An additional physical security element: optical security
One way to address the vulnerability that regular QR codes have to being copied is to combine them with a physical security element such as a hologram or optically variable ink with colors that change at different viewing angles. Working demonstrations of this approach typically display instructions on the user’s device once a code has been scanned. In this way, the user is told what to expect when evaluating the optical security feature to, hopefully, end up with an accurate verification. More often than not, consumers aren’t familiar with the verification process, so there isn’t much of a way around this. This leaves the responsibility of authentication entirely in the hands of the consumer. That’s not ideal. Providing users with this information is helpful, but it also offers a nicely packaged and detailed blueprint for counterfeiters to defeat the security feature.
An improvement on this is when the user scans the QR code and optical security feature to trigger on-screen prompts that simultaneously direct the user to correctly position their mobile device, speeding up authentication and delivering results on screen. Instructions to manipulate the phone, tilting it for example, would ensure capturing the optical security feature from multiple required angles, verifying the presence of the optical effect like color change depending on the angle, specular reflections for specific angles, etc.
Optical security feature authentication verifies the presence of an optical feature, but it cannot distinguish an original security feature from a copy. The bar can be raised slightly by using a different security feature for every single QR code, but for most projects that isn’t convenient or possible. Simple nail varnish has been enough to produce a sufficiently similar effect and can fool some optical security verification apps. Cost and implementation complexity of optical security features, including scaling to multiple production sites, are also challenges to this approach.
Intrinsic copy protection with secure graphics
A copy detection pattern, or secure graphic, is a digital image, optimally designed to irreversibly lose information when it is printed and copied. Because of this feature, copies always contain less information than original prints. By inserting a randomly generated secure graphic into the digital image of a QR code, it becomes a secured QR code, with intrinsic copy protection.
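The information-loss principle can be illustrated with a toy model, added here as an example and not taken from any vendor's algorithm: each print-and-scan pass is assumed to misread every cell of a random pattern with a fixed probability, so a copy, which passes through that channel twice, matches the digital reference less well than an original print. The cell count, error rate and threshold are assumptions.

```python
import random

def make_pattern(n_cells, rng):
    """Randomly generated digital secure graphic as a flat list of 0/1 cells."""
    return [rng.randint(0, 1) for _ in range(n_cells)]

def print_and_scan(cells, flip_prob, rng):
    """Toy print-scan channel: each cell is misread with probability flip_prob."""
    return [c ^ 1 if rng.random() < flip_prob else c for c in cells]

def similarity(reference, scanned):
    """Fraction of scanned cells that still match the digital reference."""
    return sum(r == s for r, s in zip(reference, scanned)) / len(reference)

def demo(seed=1, n_cells=4096, flip_prob=0.2, threshold=0.74):
    rng = random.Random(seed)
    reference = make_pattern(n_cells, rng)  # known only to the verifier

    # Genuine unit: printed once, then scanned by the verifier (one pass).
    original_scan = print_and_scan(reference, flip_prob, rng)

    # Copy: made from a capture of a printed original (first pass), then
    # reprinted and scanned by the verifier (second pass). The losses add up.
    captured = print_and_scan(reference, flip_prob, rng)
    copy_scan = print_and_scan(captured, flip_prob, rng)

    original_score = similarity(reference, original_scan)
    copy_score = similarity(reference, copy_scan)
    return {
        "original_score": original_score,
        "copy_score": copy_score,
        "original_ok": original_score >= threshold,
        "copy_ok": copy_score >= threshold,
    }

if __name__ == "__main__":
    print(demo())
```

In this model an original scores about 1 - p and a copy about 1 - 2p(1 - p), roughly 0.80 versus 0.68 for p = 0.2, so a threshold between the two separates them.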
This kind of graphical security technology is a mature technology already deployed in several markets and is far more efficient to integrate with packaging than physical security features. Serialization is not a dependency either: you can either use or not use serialization alongside intrinsic copy protection. And it’s scalable – every single unit is protected against copying by the same principle, even if the same QR code is printed billions of times.
When Scantrust introduced secured QR codes seven years ago, it was the only technology with real-time authentication using a smartphone. Other companies followed and there are already other competing technologies on the market, most of them using digital watermarks or unique fingerprints. While these other technologies offer a seemingly similar core functionality, including allowing a user to authenticate a product with a smartphone, the Scantrust solution stands out far and away, particularly in terms of implementation costs. Regardless of which solution you choose for your project, with the current state of QR code technology, there’s no better time than now to consider QR codes as a great first line of defense against counterfeiting.