Schneier on Security
A blog covering security and security technology.
October 6, 2010
Putting Unique Codes on Objects to Detect Counterfeiting
This will help some.
At least two rival systems plan to put unique codes on packages containing antimalarials and other medications. Buyers will be able to text the code to a phone number on the package and get an immediate reply of "NO" or "OK," with the drug's name, expiration date, and other information.
To defeat the system, the counterfeiter has to copy the codes. If the stores selling to customers are in on the scam, it can be the same code on every fake package. If not, there have to be enough different codes that the store doesn't notice duplicates. Presumably, numbers that are known to have been copied are added to the database, so the counterfeiters need to keep updating their codes. And presumably the codes are cryptographically hard to predict, so the only way to keep updating them is to copy them from legitimate products.
Another attack would be to intercept the verification system. A man-in-the-middle attack against the phone number or the website would be difficult, but presumably the verification information would be on the object itself. It would be easy to swap in a fake phone number that would verify anything.
It'll be interesting to see how the counterfeiters get around this security measure.
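As an added example (not part of this post or of the verification systems it describes), the following Python models the scheme the post reasons about: package codes derived with a keyed HMAC so that seen codes give no help in predicting unseen ones, a lookup database behind the text-in number, a query counter that stops trusting a code once it has been checked more than a threshold number of times, and a revocation list for codes known to have been copied. The key, the threshold, the 12-character code length and the package details are all constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed issuer key for this demo only; in practice it never leaves the code issuer.
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"


def derive_code(lot: str, serial: int, key: bytes = ISSUER_KEY) -> str:
    """Derive a 12-hex-character package code from a keyed HMAC over (lot, serial).

    Because the code is a keyed hash, observing any number of legitimate codes
    does not let a counterfeiter predict the next one; without the key, the
    only way to obtain valid codes is to copy them from real packages.
    """
    msg = f"{lot}:{serial}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12].upper()


class VerificationService:
    """Minimal model of the text-in check: lookup, query counting, revocation."""

    def __init__(self, threshold: int = 3):
        self.codes = {}                   # code -> package details
        self.queries = defaultdict(int)   # code -> number of times it was checked
        self.revoked = set()              # codes known to have been copied
        self.threshold = threshold        # checks allowed before a code is distrusted

    def register(self, lot: str, serial: int, name: str, expiry: str) -> str:
        """Issue a code for one package and record what it belongs to."""
        code = derive_code(lot, serial)
        self.codes[code] = {"name": name, "lot": lot, "expiry": expiry}
        return code

    def revoke(self, code: str) -> None:
        """Add a code that is known to have been duplicated onto fake packages."""
        self.revoked.add(code.strip().upper())

    def check(self, code: str) -> dict:
        """Answer a query with NO, or OK plus the package details and query count."""
        code = code.strip().upper()
        if code not in self.codes or code in self.revoked:
            return {"status": "NO"}
        self.queries[code] += 1
        n = self.queries[code]
        reply = {"queries": n, **self.codes[code]}
        if n > self.threshold:
            # The same code has been checked too often: treat it as copied.
            reply["status"] = "NO"
            return reply
        reply["status"] = "OK"
        return reply


def demo() -> list:
    """Register one package, check it four times, then try a guessed code."""
    svc = VerificationService(threshold=3)
    code = svc.register("LOT-2010-42", 1, "artesunate 50 mg", "2012-06")
    results = [svc.check(code)["status"] for _ in range(4)]   # OK, OK, OK, NO
    results.append(svc.check("0123456789AB")["status"])        # guessed code: NO
    return results


if __name__ == "__main__":
    print(demo())
```

The query counter is the weak spot the post hints at: a counterfeiter who copies one genuine code onto many packages causes that code to be queried repeatedly, which is exactly what the threshold catches, but the same counter also lets anyone who merely reads a genuine code burn it by querying it a few times, so a deployment has to weigh the threshold against that nuisance.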
Posted on October 6, 2010 at 6:59 AM
Why not add tracking numbers as QR codes, enabling people with camera phones to photograph them and get some info on them right away -- by presenting them as a URL to the manufacturer website.
Pretty easy: buy a box on the grey market, duplicate the box and fill it with counterfeits and then sell them all back onto the grey market? If there was no grey market there would be no room for counterfeiting in the first place.
But if the code is actually the result of encoding six characteristics of random patterns of materials with unique optical signatures, the degree of difficulty rises dramatically (consider a series of "n" random patterns that are machine readable).
Maybe if the response said "This code is genuine and has been queried n times." So if I'm told I'm the tenth person to query the code, it's probably been copied.
Or, switch the response to not-genuine after, say, the third query for a code.
Both would require that the code be too long to stumble upon, to stop people artificially adding to the query count by guessing codes.
Presumably the code is unique to each package, or at least that's my understanding of the phrase "His company wrote software that generates the codes and checks them against a database stored in computers run by HP."
This would mean that each time a code is texted in, it's instantly invalidated - so a counterfeiter would not gain by printing dozens of identical numbers.
Of course, that assumes the code generation method doesn't leak - or that they don't just print a fake SMS number on the box too (as Bruce suggested).
Maybe once it's live, a big publicity drive to tell everyone to text their code to 'HEALTHY' would over-ride that, as people wouldn't need a number from the package.
You could just encrypt the lot number with a unique bottle ID and print it on the bottle. Use that as the verification code. Would not require much more work than just printing the lot number and exp date.
The IDs would then be unique and could only be used once. So counterfeiting would not be profitable through duplication.
That also assumes that people care if it's counterfeit. If it is say, real drugs made by companies that aren't paying patent royalties, the end users may not care about the royalties not being paid.
Nokia has been doing this on "genuine" Nokia batteries. I really don't think anyone cares. As long as it works... generic brands are generally cheaper, not worse.
"This would mean that each time a code is texted in, it's instantly invalidated"
Bad idea; the first person to check the code might not be the person that decides to buy it. And with this scheme the second person to check the code would think it's counterfeit.
I wonder, however, how many counterfeit drugs are sold through illicit channels to begin with. This plan is great if everyone in the supply chain is invested in keeping the supply chain pure, but when a spammer closes the deal on some black-market viagra, are they really going to care?
It's not about buying generic brands that also work; this aims at the problem of counterfeit medicine, which is pretty bad in some areas of Africa, where there are 30%+ fake medications.
See also http://mpedigree.net
«Buyers will be able to text the code to a phone number on the package and get an immediate reply of "no" or "ok"»
But if the phone number is on the package, I can change it to a phone number controlled by me and reply "ok" for the codes I create... Or not?
This is also assuming the people who are buying the counterfeit copy even care. The prescription dependent masses are really only concerned about getting their next low cost drug. Those who are "Doctor Shopping" are only marginally concerned about the source of the drug and would be unlikely to bring attention to themselves.
This feels more like the store check out line policy "get a gift if you don't get a receipt" that uses the end customer to help police employees. There is little benefit to the customer directly and it creates more risk to the employee trying to defraud the business.
If the verification phone number to call is also on the box, then the counterfeiter could provide a different number under his or her control. The counterfeiter could OK their products and give a negative response for valid products. Unless the consumer took the time to obtain the valid phone number by other means, the consumer would not be able to distinguish a counterfeit from the real product.
Exactly... A counterfeit box will have a counterfeit phone number that always returns OK (or invalidating legit products like you suggest). Stupid system unless you can get customers to validate the number out of band somehow.
I came here to make Ben's point, but he got here first. It's the same hack as you see in spam emails all the time: "click here to visit our website and verify your account info".
One problem with this hack is it makes the counterfeiter traceable: ordinarily you could throw some pills in a box and sell it to your buddy who works at an Indian pharmaceutical wholesaler and nobody would know the difference. But now you have to have a 1-800 phone number with your billing address tied to it. Still doable, but more risky.
I don't know much about the counterfeit drug market, but are they trying to protect consumer from purchase or consumption? If it was consumption, couldn't they put the code inside the container? Say, under the tamper resistant lid? Purchase is a different story.
One point: there is an assumption that customers will actually bother to phone/text etc. Let us assume it's going to be about 10 times the ad response rate, or 1% of customers.
If it is this low a counterfeiter can use genuine codes with little worry as the probability of getting a hit is going to be 1% of 1%. Now as we know nearly all systems have glitches and problems thus have an error rate. If the number of hits is less than the system error rate...
If people are going to start relying on this system, what about the obvious denial of service attack? It's almost like people are trying to implement easily attacked pseudo-security systems for the explicit purpose of making terrifying the population easier.
It could also be as simple as a check sum mod 11. That would be incredibly easy to implement, allow the producers to talk about 'security', but not really cost them anything.
What? Too cynical?
It doesn't take a grey market. It just takes a system in which a criminal can swap out the legitimate item (a drug, a microprocessor, a $20 bill) for a fake and can derive some kind of benefit from that.
If I were in charge of this, rather than saddle the customer with figuring out whether their drugs were legit or not, I'd set up an RFID driven system where everything was scanned into and out of each distribution node. That data would go into a system with a nice thick layer of secure hash algorithm driven time stamping and audit trails. If the same bottle of pills shows up in two different places at the same time then alarms go off.
It wouldn't stop counterfeiting at the top or the bottom, but at the top it’s hard for individuals to profit directly and at the bottom it’s hard to make the effort of producing a convincing fake profitable.
Of course - at the bottom here, you could probably claim *anything* that looked 'mediciny' was the drug. When questioned about its being in the wrong kind of container, just make up a good story about how you had to switch it to get it out of the greedy corporation's hands...
#5 by Mark Hood - "Maybe once it's live, a big publicity drive to tell everyone to text their code to 'HEALTHY' would over-ride that, as people wouldn't need a number from the package." would certainly help...
If the customer is the one who is supposed to text in the number to validate it, they might get a better response rate if you get a prize for turning in an invalid package. Even if it's just a dozen free valid packages as the prize.
Remember, when attacking or defending against counterfeiting, this has to work in low-income situations.
I'm with MyCat, but instead of receiving a prize for turning in an invalid package, make it more American... for every 10 packages you validate, you get 1 free or something.
I'd also cover the codes in that grey stuff they use on prepaid cards to keep the honest people honest.
...Or change the number on the package.
Everyone has pointed out that you can change the number.
Haven't seen anyone suggest that counterfeits get added further up the supply chain so the package is still legit but some percentage of the contents are not -- intercept the delivery system. That was a big part of the problem I worked on several years ago with SecureChain.
The supply chain was weak in defending the transportation and storage used en route to market. Ships, trucks, containers, etc. were often scarcely protected in comparison to asset value. Millions of boxes with contents worth an incredible amount of money, for example, might be stored for days guarded only by a camera and a dog, or a solitary guard with no fence.
A dial-up option sounds like a way to give a customer a feeling of security -- but no real guarantees about contents without a way to test.
> ...get a prize for turning in an invalid package. Even if it's just a dozen free valid packages as the prize.
It's a pity no one has implemented such a policy for fake USD bills! :-)
This is no different from financial institutions showing you a badge to prove you're on a legitimate site. It only works if the consumer--out of band--knows to look for it in the first place.
The counterfeit copies won't have the numbers.
The scenarios above only come into play if the consumers (including doctors) are informed about the numbers and remember to look for them.
@Vlad: If they did then counterfeiting would be even more profitable.
"Where'd you get this bill?"
"I don't know -- I noticed it looked a little odd when I was going through my wallet. Where's my reward?"
How do you text a barcode? If you only text the numbers then the system is also prone to DOS when invalidating already texted codes.
Meantime, big-pharma has reaped your mobile number, has you in-database as a customer, and will spam you later. And sell your details too.
Realize that this system is expected to be implemented in Africa, where the likelihood of counterfeited drugs (and other items) is higher than it is in other parts of the world. Add to that, the likelihood of those African citizens to be cell phone owners. Further, are they as vigilant as people in the western hemisphere?
This idea is stupid, because it completely misses how the market for counterfeit drugs works. Counterfeit medicine is actually just the same as the original, and usually manufactured up to the standard of modern science. The thing that's counterfeited is the brand name and patent restrictions. People buying so-called counterfeit medicine actually know this. They know they get the right stuff for less, because they don't pay for brand and patents.
Having a number to call and find out that yup, what you bought on the black market for a fraction of the original costs actually is what you thought it is won't change that market even a bit.
This idea is a stupidly broken system. Why would I waste time texting when I could just type it in online much more securely in an https session?
The phone number of the package can't really be trusted anyway.
It's much more secure to google up the company and check it on their site.
Sure, the internet or their site could be hacked, but it's still harder for the bad guys than just printing the packaging differently, and the company can do spot checks for that when counterfeit material is found.
I was under the impression that the code on the box is hidden under a scratch off panel, like a lottery ticket.
So the order is...
1.) Consumer purchases item.
2.) While in store, consumer scratches off panel, reveals code, texts it in.
3.) If it comes back good, consumer leaves with item, if it's bad, consumer gives item back to store for refund.
If you are trying to circumvent this measure by changing the phone number on the packaging, then why not take the simpler route: Remove the whole message.
No unique code, no phone number to call. How's the consumer to know that there was ever supposed to be anything on this brand?
Unless the system was mandatory and ubiquitous for all drugs then it has zero chance of success.
> Why would I waste time texting when I could just type it in online much more securely in an https session?
Because text messaging is low bandwidth and much more widely available in developing countries.
Using https essentially presumes three things -- you have a computer, electricity, and either a POTS line to dial out or a broadband connection.
SMS messaging simply works better in the targeted developing nations.
As to whether the whole scheme would work, I don't know. But the medium is appropriate.
"Counterfeit medicine is actually just the same as the original, and usually manufactured up to the standard of modern science."
My experience is quite different. I live in a country where nearly every pharmaceutical drug is OTC, but the supply chain to the local pharmacy is uncontrolled. If what you need is an effective antibiotic, and what you got was a placebo, sugar pills, or paracetamol, then the intervention might not have the desired effects:
"For example, in Cambodia in 1999, counterfeit antimalarial drugs were responsible for the deaths of at least 30 people. A 2001 survey in Southeast Asia showed that among 104 tablets presented as the antimalarial drug artesunate, 38% did not contain any artesunate."
So as it turns out I'm quite interested in any mechanisms that might show whether the drugs I have in hand are legit, and highly motivated to use any techniques there are.
There is actually a security and masking de-crypto component to this as well. Malaria, like several febrile diseases, is often identified in particular by its strength and phase of variations of fevers. Counterfeit drugs may be:
a - unlicensed replicates of working drugs at lower cost
b - total sham and fake drugs
c - alternate or adulterated drug [cocktails], producing their own unique interactive profiles of fever behaviour while presenting false drug identities
d - or whatever substance, toxic, allergenic, pharmaceutical grade, or not, happens to be look-alike and handy at the time of manufacture.
Since most drug counterfeiters ARE drug dealers, levels of concern for users' welfare are remarkably low. In avenging cultures, honest medical practitioners are also actually victims of this practice when their patients are. I have seen it.
It is interesting to be reported in an economic review, because this adds another valuation dynamic to the monetization of phone minutes as a trading currency in this economic area.
Why not print the code on the inside of the cap and use a seal? Like those soda bottle lotteries many years ago?
Oooh, maybe because you wouldn't want to find out the status AFTER you took the medicine...
As fast as mobile phones are developing . . . . encrypt the phone number and the code in a 2D barcode on the package, scan it with the camera in the phone, and have the app in the phone send the SMS message to a number that the user can't even know.
Perhaps pharmaceuticals should start treating a consignment of drugs like a parcel tracking code. Require each supplier along the chain to scan the code on the box / pallet before redistribution.
By the end of the line there should be a very clear trail of evidence showing where the consignment came from, which supplies it passed through and if there isn't a clear trail at least it narrows down where potential frauds / counterfeiting may have happened.
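The two supply-chain suggestions above (scanning every item into and out of each distribution node with a hash-chained, time-stamped audit trail that raises an alarm when the same bottle shows up in two places at once, and treating a consignment like a parcel tracking code) can be shown together in one piece of code. This is an added example, not code from any commenter or from any real tracking product; the scan events, node names, timestamps and the JSON-over-SHA-256 entry format are all constructed for it.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ScanEvent:
    item_id: str     # serial of the box or pallet being tracked
    node: str        # distribution node doing the scan
    direction: str   # "in" (received) or "out" (shipped or sold)
    ts: int          # scan time, seconds since epoch (constructed values below)


def _entry_hash(ev: ScanEvent, prev_hash: str) -> str:
    """Hash one event together with the hash of the entry before it."""
    payload = json.dumps([ev.item_id, ev.node, ev.direction, ev.ts, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class ScanLedger:
    """Append-only log in which each entry commits to the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries: List[Tuple[ScanEvent, str, str]] = []  # (event, prev_hash, hash)

    def append(self, ev: ScanEvent) -> str:
        prev = self.entries[-1][2] if self.entries else self.GENESIS
        h = _entry_hash(ev, prev)
        self.entries.append((ev, prev, h))
        return h

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, dropped or reordered entry breaks the chain."""
        prev = self.GENESIS
        for ev, stored_prev, h in self.entries:
            if stored_prev != prev or _entry_hash(ev, prev) != h:
                return False
            prev = h
        return True

    def custody_intervals(self, item_id: str) -> List[Tuple[str, int, Optional[int]]]:
        """Pair each node's in/out scans into (node, t_in, t_out); open custody has t_out None."""
        open_since = {}
        intervals = []
        for ev, _, _ in self.entries:
            if ev.item_id != item_id:
                continue
            if ev.direction == "in":
                open_since[ev.node] = ev.ts
            elif ev.direction == "out" and ev.node in open_since:
                intervals.append((ev.node, open_since.pop(ev.node), ev.ts))
        intervals.extend((node, t_in, None) for node, t_in in open_since.items())
        return intervals


def find_conflicts(ledger: ScanLedger, item_id: str):
    """Return pairs of custody intervals at different nodes that overlap in time.

    One physical item cannot be held at two places at once, so an overlap means
    its identifier has been cloned somewhere along the chain.
    """
    ivs = ledger.custody_intervals(item_id)
    conflicts = []
    for i in range(len(ivs)):
        for j in range(i + 1, len(ivs)):
            a, b = ivs[i], ivs[j]
            if a[0] == b[0]:
                continue
            a_end = a[2] if a[2] is not None else float("inf")
            b_end = b[2] if b[2] is not None else float("inf")
            if a[1] < b_end and b[1] < a_end:
                conflicts.append((a, b))
    return conflicts


def build_sample_ledger() -> ScanLedger:
    """Constructed scan history: one genuine pallet plus a clone of its ID at another pharmacy."""
    ledger = ScanLedger()
    for ev in [
        ScanEvent("PALLET-0001", "factory", "in", 100),
        ScanEvent("PALLET-0001", "factory", "out", 200),
        ScanEvent("PALLET-0001", "wholesaler", "in", 300),
        ScanEvent("PALLET-0001", "pharmacy-B", "in", 350),   # clone appears here
        ScanEvent("PALLET-0001", "pharmacy-B", "out", 380),
        ScanEvent("PALLET-0001", "wholesaler", "out", 400),
        ScanEvent("PALLET-0001", "pharmacy-A", "in", 500),
    ]:
        ledger.append(ev)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify_chain())
    for a, b in find_conflicts(ledger, "PALLET-0001"):
        print("conflict:", a, "vs", b)
```

The hash chain only proves that the log has not been altered after the fact; it does not stop a node from scanning falsely in the first place, which is why the overlap check matters: a cloned pallet ID betrays itself as soon as two honest nodes both report holding it.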
Yet another case where security techniques spoof Mission: Impossible.
Does this really matter, for medicines? I suppose customers for meds only care that it works, not at all that it's "original", right?
Nokia had (has?) this for batteries: There is a hologram that has an object with sides and dots on the sides. Presumably, trying to require high quality duplication.
More interestingly, the battery has a scratch-off bit of the hologram, with a unique serial number under it. You go to Nokia's web site, and it informs you if you're the first person to scratch off that serial number.
You can sell a counterfeit battery used, but not new. Assuming people check it.
As another reader suggested, you should scratch it off in the store before leaving.
Now I'm wondering, how dense is the keyspace, and could a large battery counterfeiter produce a DDOS work to "invalidate" a significant number of valid codes? They could try to have their system feed back valid codes to them, perhaps, but merely invalidating enough to generate *publicity* would be sufficient to cause distrust in the system.
Wouldn't this work to verify votes? When you go to the poll, you get a receipt with a long number on it. At some time in the future but before counting closes, you verify that your vote has been recorded correctly. If it hasn't, you complain and force the electorate to locate the ticket and correct the vote on the computers.
Guido: The problem in places like Africa isn't patent or trademark violations, it's pills that contain no drug at all, or not the drug it's sold as. That's criminality that kills people.
Of course, the most fakes are sold where it's very unlikely the customer can make an international phone call to check it out - assuming the customer can even read the label in the first place, and that the counterfeiter was stupid enough to leave the correct phone number on it. (Which is possible; the counterfeiter also probably didn't get much past kindergarten, and so may not have realized what he was copying.) As for seeing the correct phone number in a TV ad... First you've got to have power to run the TV, and then you've got to save up about a year's income to buy the TV. And make some more money to buy the drugs. So only the top 1% or so can benefit from this directly.
And then, when one of the elite does spot a counterfeit, do they call the cops? Or suspect that the cops are involved, so it's better to quietly trash the crap and try to buy somewhere else?
> Wouldn't this work to verify votes? When you go to the poll, you get a receipt with a long number on it. At some time in the future but before counting closes, you verify that your vote has been recorded correctly. If it hasn't, you complain and force the electorate to locate the ticket and correct the vote on the computers.
Because what will happen is either:
a) You'll be beaten up because you didn't vote the way you were told to;
b) You'll be put under social pressure by your wife / husband / etc who didn't like the way you voted and checked;
c) It makes the Democrat's use of street money really freaking efficient when they can verify the vote electronically before handing you the cash.
In other words it inextricably undermines the principle of the Australian ballot -- a secure, secret vote.
Of course those thugs who support card check would probably endorse it wholeheartedly.
Applied DNA Sciences (OTCBB: APDN) - Just signed an 8.7 million dollar deal with a luxury brand for botanical DNA authentication services to protect against counterfeiting.
Using plant DNA to code an object, document or ink is a perfect anti-counterfeiting measure. Not only does it ensure 100% authenticity but it can be embedded right in the materials to prevent any tampering. I am sure we will see many other companies and government agencies start to use this method to combat counterfeiting of all forms.
Here's my idea:
Every item has a unique serial number, and it's printed (or maybe burned in) on it in a way that makes it hard to alter.
It should be something like a 2D barcode such as Qr codes, and the serial code should be listed below it in text too.
You have a few big databases of these serial numbers that some big companies and organizations might run. These have open APIs.
Your phone has a Qr code reader. The Qr codes on the items should also list which databases it's in, and the phone would have a list of trusted databases. If it's in one of these, the phone contacts the database over an encrypted connection and asks about details.
The user then gets a bunch of details about the item, possibly including instructions for how to verify other authenticity markers (like "holographic stamps").
This requires a phone with 2D barcode reading capability, ability to run an application that can take the info from the barcode and contact a database with it, internet connection and encryption support.
Most people in the world will have access to this "very soonish" (probably +50% worldwide by the end of this decade).
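The design just sketched (a QR payload naming the databases an item is registered in, and a phone that only talks to databases on its own trusted list) is the mitigation for the point raised several times above, that a verification number printed on the package can be swapped for one the counterfeiter controls. The following Python is an added example of the phone-side logic, not code from the commenter or from any real app; the `key=value;` payload format, the `db=` and `url=` field names, the serial format and the registry names and URLs are all assumptions constructed for it.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed: the list of verification databases the phone app ships with.
# Names and URLs are placeholders; nothing here refers to a real service.
TRUSTED_DATABASES: Dict[str, str] = {
    "example-pharma-registry": "https://verify.pharma-registry.example/check",
    "example-health-ngo": "https://lookup.health-ngo.example/item",
}

SERIAL_RE = re.compile(r"^[A-Z0-9]{8,32}$")


class InvalidPayload(ValueError):
    """Raised when the scanned text is not a well-formed item payload."""


def parse_payload(text: str) -> dict:
    """Parse an assumed 'key=value;key=value' QR payload into a dict.

    Recognised keys: serial (required), db (comma-separated database names).
    Any other key, such as a printed url, is kept for display but never acted on.
    """
    fields = {}
    for part in text.strip().split(";"):
        if not part:
            continue
        if "=" not in part:
            raise InvalidPayload(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    serial = fields.get("serial", "").upper()
    if not SERIAL_RE.match(serial):
        raise InvalidPayload("serial missing or not 8-32 alphanumerics")
    fields["serial"] = serial
    fields["db"] = [d.strip() for d in fields.get("db", "").split(",") if d.strip()]
    return fields


def choose_verifier(payload: dict,
                    trusted: Dict[str, str] = TRUSTED_DATABASES) -> Optional[Tuple[str, str]]:
    """Pick the first database named on the item that the phone already trusts.

    The endpoint always comes from the phone's own list. A url= field (or a
    phone number) printed on the package is ignored: the package is the thing
    being checked, so it cannot be allowed to choose who checks it.
    """
    for name in payload["db"]:
        if name in trusted:
            return name, trusted[name]
    return None


def plan_check(text: str, trusted: Dict[str, str] = TRUSTED_DATABASES) -> dict:
    """Return the request the app would send, or UNVERIFIABLE if no trusted database is listed."""
    payload = parse_payload(text)
    chosen = choose_verifier(payload, trusted)
    if chosen is None:
        return {"status": "UNVERIFIABLE", "serial": payload["serial"], "listed": payload["db"]}
    name, endpoint = chosen
    return {"status": "QUERY", "serial": payload["serial"], "database": name, "endpoint": endpoint}


if __name__ == "__main__":
    # Constructed payload for a package that advertises a verifier of its own choosing.
    print(plan_check("serial=ABCD12345678;db=example-pharma-registry;"
                     "url=https://not-the-registry.example/ok"))
```

An item that names only databases the phone has never heard of comes back UNVERIFIABLE rather than being checked against whatever the package suggests, which is the behaviour that makes the printed-number swap pointless; the remaining exposure is the trusted list itself, which has to reach the phone through the app update channel and not through anything printed on a package.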