Fake Anti-Counterfeiting Holograms

We've all seen those anti-counterfeiting holograms: on credit cards, on software, on expensive apparel.

Turns out they're getting easier to counterfeit.

Posted on February 13, 2007 at 1:24 PM • 20 Comments

Comments

Israel TorresFebruary 13, 2007 1:37 PM

It is about time reality caught up with the land of make believe. Who in the world uses holograms as a practical form of caring if something is real or not other than those pushing the product? (...crickets...)

Next...

Israel Torres

Joe PattersonFebruary 13, 2007 2:08 PM

So what would be an effective replacement? Anything that you can see can be easily replicated. I wonder if there's a market for a small rfid reader that uses a challenge-response PKI-like system to verify the authenticity of a tag? People could get one, load up the NFL's CA, and then use it to verify that the team jersey you bought was an officially licensed version. Of course, this adds to the ubiquity of rfid, which I think is generally a bad thing, but it does seem like one of those places where something like it could be useful. The core problem is that you need to have a device that proves knowledge of a secret without divulging that secret. Anything visible will fail that test. You need the ability to do computation on a challenge and output the result. I guess a smart card would work just as well, just use something about the size of the small-form-factor SIM cards. That might even be better. "Just touch your verifier to the contacts, and if the light turns green, it's a real pair of Roberto Cavalli jeans." Somehow, that does have some elegance to it...

Sh@ftFebruary 13, 2007 2:37 PM

The only fake hologram I have seen was one on a bogus American Express travelers check. The quality was amazing in my opinion but then again I have no experience with counterfeiting.

McGavinFebruary 13, 2007 3:47 PM

Is this issue a big concern?

I always thought that holograms served a better purpose as snazzy packaging and branding than as a useful means to detect counterfeiting.

AdamFebruary 13, 2007 3:49 PM

I actually find this surprising. As others will comment, who knows what the hologram is supposed to look like, and why doesn't a cheap any-hologram work?

The threat model must be anti-counterfeiting agents, not the general public. That's a large investment in anti-counterfeiting that's driving the counterfeiters to invest in this technology.

markmFebruary 13, 2007 4:07 PM

One key phrase in that article was "embossed hologram". If the hologram is in bumps or pits on the plastic, just peel it off and use it as a mold. The reproduction won't be perfect, but no one knows what they're supposed to look like well enough to tell the difference.

Of course, the genuine labels are probably made by $0.50 per hour employees in some third-world hellhole. Track down the factory, scout out the employees, and you'll probably find some that can be bribed for amazingly little. All they've got to do is to scrap some labels as defective, and tell you where to dumpster dive...

Bryan FeirFebruary 13, 2007 4:16 PM

From what I recall, the original actual 'anti-counterfeiting' use of holograms was on credit cards, where the hologram would be affected if you tried to shave a couple of digits on a valid card to make it show a different number under a mechanical press. Which is some distance into the category of 'no measures can save you from stupidity if this actually works', anyway...

MikeFebruary 13, 2007 5:10 PM

Heck...why even bother copying them?

For some security demonstrations, I've just used a small scrap of hologram wrapping paper or ribbon. Alot of that stuff looks pretty impressive when laminated and cut right.

All people have to see is the shininess and rainbow effect. Granted, this is only for casual use, but it works in most cases.

landonFebruary 13, 2007 6:16 PM

Not news. I was talking with some financial security folks over beers in 1986 or 1987, soon after credit cards first got holograms, and they mentioned that you could already buy counterfeiting kits.

AnonymousFebruary 13, 2007 7:22 PM

@landon

Slightly harsh language there: "Not news. I was talking with some financial security folks ..." You may have access to such but most of us don't. I am happy that this is being highlighted for the non-experts.

ThomasFebruary 13, 2007 10:36 PM

@landon

Great...

Yet again, a system is known to be faulty, but the flaw is kept a secret and it's used anyway.

Anyone who claims to have been duped will then be dismissed ("No, you can't have your money back because you obviously failed to check the hologram. Everyone knows a forgery can be detected that way!")

RalphFebruary 13, 2007 11:14 PM

This is the best line:

"The hardest part is peeling the original off," says Jeff Allen

So the quality of the end security outcome depends on the glue!

There is a lesson in there.

supersnailFebruary 14, 2007 7:23 AM

There is no 100% follproof anti counterfieting system.

The trick is to make so difficult and expensive that only a few specialist groups have the resources and capabilities to execute the counterfeit. You can then rely on good old fashoined detective work to track down the small volumes of actual counterfeits.

The model here is money. All currencies that are actually worth anything are regularly counterfeited. Most central banks (though not the US who seem happy with the vast volume of fake dollars) still invest a lot of money in anti-counterfeit measure such as, wierd paper, intricate printing, never drying ink, ultraviolet ink, holes , holograms , microsopic images to help prevent counterfeits. All of these technoligies can be and have been defeated but the difficulty involved keeps the number of forgeries low enough to be traced with some old fashoined leg work.

Much the same applies to credit cards. You could in theory produce an unforgable credit card but it would be too expensive ( would you really want to pay $2000 dollars every time your card is renewed?) so you add just enough measures to make ot hard to do. In practical terms physical forgery is not a big problem as most transactions are authorised electronicly, where the big weaknesses in the system exist.

winterFebruary 14, 2007 7:52 AM

from the Denmark National Bank Quarterly Review 2004:

"Other countries, notably Australia, have introduced polymer banknotes. One advantage of polymer banknotes is that it is more difficult and more expensive for laymen to produce good copies. The security features of polymer banknotes differ from the security features of paper banknotes in some respects. A frequently used security feature is a see-through window, often with a motif that may vary with the denomination. Like paper banknotes, polymer banknotes may have copper print, microprinted text and fluorescent colours whereas well-known security features such as a watermark and a hidden security thread are more difficult to incorporate in polymer banknotes than in paper banknotes. Instead, the polymer banknotes have a so-called shadow image, resembling a watermark, which is made by giving the banknote different degrees of transparency. The number of counterfeit Australian banknotes in circulation dropped after the introduction of polymer banknotes. Thus, the incidence of counterfeiting in Australia was at the same level as in Denmark in 2003"

link: http://www.nationalbanken.dk/C1256BE9004F6416/side/Monetary_Review_2004_3_Quarter/$file/kap04.html

That's not to say that counterfeiting doesn't happen in Australia, it's just really hard to do.

jFebruary 14, 2007 12:54 PM

Ralph:"So the quality of the end security outcome depends on the glue! There is a lesson in there."

Darn straight. One of the best defenses against physical attack for devices that have key material memory chips as part of their hardware, for instance, is to fill the enclosure containing those chips with epoxy.

C GomezFebruary 15, 2007 1:48 PM

Personally, I think the hologram has become all but a worthless figurehead of security. Who even looks for them? Who even looks if you have a Visa or Mastercard?

The magnetic strip is probably the most effective deterrent, and I say this knowing full well that such strip is trivial to read. The reason is that most people just don't care that it's easy to read, and don't bother to make counterfeit cards.

Those that do don't incur personal liability against me. Should someone figure out how to counterfeit my account, I will simply contest the charges (as I have in the past), and the credit card issuer is stuck.

This is one of the cases where Bruce has been proven right that shifting the liability to the issuer has forced them to crack down as much as is profitably feasible to prevent it. The rest of the fraud they must feel they can live with, and their choice affects me very little.

markmFebruary 15, 2007 4:40 PM

As for counterfeiting money: security measures in the bills only matter if the store clerks actually look for them. Some years ago, there was a story in the news of some clerk accepting a bill with a picture of Bill Clinton in a large denomination that has never existed ($300?). Think how easy it would be to pass a color copy of a real bill past her!

Ashwani KumarOctober 3, 2008 10:41 AM

Once I had got the hologram master made for one of my customers got damaged accidently. I tried to remake the same hologram master again. Inspite of many attempts I couldnt. Please contact me if anyone can make a hologram same as the original hologram.

Clive RobinsonOctober 4, 2008 5:23 AM

@ Ashwani Kumar,

"hologram is an authentication tool. If anyone says that holograms are not secure, its wrong."

No a hologram unless it is an intrinsic part of the device is a "security token" all it authenticates is itself nothing more.

The difference and the obvious failing of "security tokens" is,

If I steal a real of the holograms you or others produce and attach them to my counterfit goods then the token authenticats it's self and will pass all tests it is subjected to. The goods however are just as fake as ever they where.

The next issue with security tokens is cost of production. The manufacturer of the goods they wish to put the token on for reasons of cost effectivness is not going to want to spend more than a fraction of a percent of the retail price less infact than on the throw away shipping packageing.

So the token has to be cheap to mass produce which indicates the process involved is going to be available to others likewise the materials that go to make the tokens. Therefore to a sophisticated counterfitting organisation the only obstical is the design and hidden features of the token.

And this is where the security tokens purpose splits into two different functions,

1, The design should be such that it is recognisable to the unassisted human as being the "genuine item".

2, The hidden features are their so that an aided detective can check if the token is possibly genuine or good counterfit copy.

From the counterfitters perspective they allready know the limitations of the technology and finding out the other hidden features is usually just a matter of making a sales enquiry.

Therefore hidden features are just security by obscurity and doomed to fail.

Therefore the only sensible option is that used by those who produce curency tokens (ie print money) to include a unique identifier with each token that is self authenticating by a hidden key. The obvious one is a serial number that contains a cryptographic checksum. Unfortunatly this is very difficult to do with numbers that are short enough to be read on a reasonable sized token.

The less obviouse approach is a serial number that when subjected to a mathmatical transform produces a small binary number, the bits of which are used to turn on and off other hidden features.

But in reality this is the limit of the abilities of the "off line" use of low cost printed security tokens such as holograms, they have reached their evolutionary dead end and have been out evolved by technology.

They do have a limited lifetime left as online tokens (think mobile phone top up cards, print at home tickets etc) the serial number is made up of a (semi) secure pattern, which is stored in an online database. The first person to use the number gets the service, subsiquent attempts are blocked.

All of this evolutionary behaviour has been played out by Microsoft and other large vendors and in all cases low cost off line tokens end up being circumvented by counterfiters and thus rendered usless from the revenue protection point of view.

The cost of running the online tokens is bourn by the product manufacturer and as Microsoft has found it is both expensive and unreliable and has significant issues down the line.

Which effectivly brings the industry back to "dongles" which are tokens that the prodct needs inplace to work.

Unfortunatly these are expensive to produce, and counterfiters find ways around them such as replacing the checking code in the product with a deliberatly weakened version then providing their own counterfit tokens.

After a little thought you get to realise that in mass produced items security tokens only function to give consumer confidence not effective revenue protection.

Which is why the online product model is so seductive to intelectual property (IP) owners.

However the thing to be protected has to be "active" not "passive" IP. A passive IP system like a film or song can always be recorded no matter what watermarking is included. An active IP system like a wordprocessor however is a more difficult prospect but ultimatly is counterfitable, however the effort involved would be more profitably used to develop a compeating product.

With passive IP the next step in the process is to stop people copying the original which is what DRM is all about but as has been shown it fails in the offline mode and is only partialy succesfull in the online mode.

The next stage is watermarking and tracing back to the counterfitters. Unfortunatly this is not going to work for passive IP due to redundancy and the human brains ability to work around noise.

Tracing back watermarked systems is very expensive when done by humans so automated processess are used these unfortunatly don't work very well as a binary file is just a collection of bits and changing just a few (content dithering) or all of them (encryption) will defeat the automatic systems.

Eventualy the IP holders will realise that they are in an arms race they can not win but quite a few will go down in flames fueled by the highly volatile snake oil token / watermark / DRM vendors will be happy to foist off on them...

The solution to the issue of revenue protection is "online" only systems of "active" IP of high complexity. We are starting to see this with things like Second Life and multiuser online games.

For "pasive" IP online systems will give a limited revenue protection but probably the cost is not justiffied (think of what Sky has gone through and still failed).

The obvious answer is just to accept that it is a buyers market and you cannot "hog tie" it into a premium price controled market. But this requires new less profitable business models but it is the way the market is going to go.

As for security tokens such as holograms they will still carry on but only on tangable goods. Either as "off line" for customer confidence in mass market items or "online" audit trail serial numbers for high value items such as drugs or spares for aircraft. But in the latter case they will increasingly be replaced by active devices such as RFiDs...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..