Product Authentication With NFC Tags

The trade in counterfeit goods is substantial by any measure and it's growing: Estimated to reach 1.2 Trillion USD in 2018*. It affects almost every product sector including luxury goods, clothing, technology, food and drink, automotive parts and many more.

And it's not just consumer goods and industrial products. The WHO estimates 10% of drugs sold in developing countries are fake and can be linked to 100,000 deaths in Africa alone. While it's very difficult to truly know the scale of problem, it's estimated that counterfeit pharmaceuticals alone are a 200 billion USD business**

Crucially, the problem is not just that finished products are entering the market. There's an increasing problem with counterfeit parts entering the supply chain along the way, risking brand reputation and ultimately user safety on end products.

There's been documented cases of food being tampered - high quality olive oil and wines being diluted and mixed down with cheaper variants between supplier and producer. However, there's a widespread and growing problem including counterfeit car parts, replacement electronic items and even aircraft spares.

Seritag are currently working with a manufacturer that had discovered problems with fake replacement parts being made for domestic boilers. A dangerous potential long term fire, carbon monoxide and electrical risk.

How NFC tags can help solve the counterfeit problem

There's fundamentally two benefits with using NFC tags.

Firstly, tags can be integrated directly into products. This helps because the tags can be added into the supply chain without knowledge which can act as a substantial additional protection. Additionally, it makes the tags difficult to remove and re-use.

Secondly, no special equipment is required to read an NFC tag which means that a large number of nodes along the supply chain can check the validity of the product. This includes the end user who can check the validity of a product, part or item with simply a mobile phone.

This is very difficult to achieve with any other system. While UHF RFID tags can also be used, they require specialist equipment to scan the tags. This can make full end to end monitoring of the supply chain more difficult.

QR codes or similar barcodes don't have the technological barrier that NFC tags have. QR codes need to be visible so they can't be hidden in the same way that an NFC tag can. They are also very easy to copy, providing no barrier at all to copying and replication.

Using NFC tags throughout the supply chain isn't a magic bullet, but it can add a substantial level of security with very little effort.

How to use NFC tags for product authentication

Let's have a look at the options available on using NFC tags for authentication.

Standard NFC Tags : Using encoded data

It's quick and easy to encode data within the standard memory space of an NFC tag. Additionally, each NFC tag can be encoded with unique data so that, for example, each tag can link to a website with additional unique data. That unique data can be used to check if the tags are genuine.

It's a simple method but realistically, as easy as it is to encode data into the standard memory space, it's also very easy to copy it. So what's the benefit of this ? Well, simply it works at three levels.

Firstly, if the tag isn't visible and generally people aren't aware that it's there, then it works on a very simple 'tag is there/tag isn't there' level of security. In short, if there's a product at the end of the line that doesn't have a tag then something isn't right.

Secondly, it does add a small additional layer of protection in that anyone looking to copy the product must go to the additional effort to include an NFC tag. On high end goods this might not provide much of a barrier but on cheaper products such as a t-shirt, then it might just be enough.

Thirdly, for anyone to copy the tag, they would need to have access to the original. If each tag is encoded with a unique data reference, then any copies would simply be multiples of exactly the same ID. While this would create a problem for the original, it would make it obvious that certain ID numbers have been compromised and thus, relatively simple to classify that ID as fake.

Standard NFC Tags : Using the UID of the chip

Every single genuine NFC tag has a UID encoded into it during manufacture. This UID cannot be modified on genuine NFC tags and is globally unique (or unique enough).

This UID can be used to verify the authenticity of the NFC tag. It's relatively simple to do on Android and can now be read on Apple's iPhone using the latest version of their iOS. This doesn't necessarily mean it's useless. If it's used to manage the supply chain then specifying the use of Android phones may not be an issue. If, however, it's used as a mechanism for end users or consumers to authenticate then it's not ideal.

It's not perfect. It's possible to purchase NFC tags from certain sources which allow the UID to be encoded. Which means that the UID from a valid product can be copied to a fake product and the situation ends back with encoding into the standard memory space.

Again, as with encoding into the standard memory space, any copy would need access to an original. And because the UID's are unique, any copies would be multiples of a single UID which would be easy to spot in a supply chain.

In short, Seritag wouldn't consider this as much more than a very basic method of authentication and in many cases no better than encoding into the regular memory space. However, it's an additional level of protection which can easily be used.

Authentication Tags : Advanced protection

We are now into our second generation of NXP's NFC authentication chips. We won't go into full detail on how they work here but in summary, authentication tags create a unique sequence each time they are scanned. This unique code can be checked against a cloud based database to check that the code sequence is correct. This prevents tag cloning because as soon as a code has been used, it becomes invalid and the next would not be known without the original NFC tag.

In short, they offer a substantially increased level of protection over standard NFC tags.

The downside to using authentication NFC tags is that they can be more complicated to use and they cost more than standard tags. However, the price will gradually reduce and software services such as our Ixkio tag management platform will gradually reduce the technical barrier to using them.

Authentication Software : Off the shelf solutions

With the market for counterfeit goods being as large as it is, it's not surprising that a number of companies are releasing NFC and QR code based software within this space.

Seritag are already working with a large number of these companies and more are talking to us every week. We expect to see market specific solutions starting to appear and some great companies and options becoming mainstream.

The downside for most of these systems is generally that they lock the brand and product into using the technology. Once a tag is in a product, particularly a luxury product, it will be there for a long time.

For the lifetime of that product, for the NFC tag to function, the software will need to be working. That means that it will need to be paid for but importantly it will also mean that the company will need to survive. In any start-up market, there will be some companies that don't make it.

Therefore, Seritag would suggest that any counterfeit software options need to be carefully considered to make sure that embedded NFC tags will always work.

The scan flow - why it's important

Let's have a look at the scan flow of the NFC tag scan as it makes a substantial difference to the overall level of security of the system. For this discussion, we will assume that the tag is visible and anyone within and outside the supply chain might scan it. If the tag is hidden and only used within the supply chain, then many of these issues don't apply.

To make it simple, the issue is that while an NFC tag with secure data might link through to a secure service - what happens if the entire system is fake. In other words, what if the tag and what the tag links to is all completely fake.

Consider this possibility. An NFC tag is placed into a product and the NFC tag is scanned without an App. The tag, while secure, will link through to a website which will indicate that the tag is secure. The user, never having used this system before, assumes that this message is authentic and is happy. But what if the tag is fake and the landing page is fake - the user will not know the difference.

The only way around this problem is that the tag must be scanned with an App. Clearly, it must be an App that is also genuine but let's assume for the moment that it is. Because the tag is scanned from an authorised App and then the App can make sure that the check is correct and therefore secure the chain.

This means that to secure the system, the brand must use a third party App or build authentication (or access to an authentication system via an API) into their own App.

Much of the discussion at this level balances between two arguments. On one hand, how important is the 'frictionless' NFC tag scan (a tag scan that doesn't require an App or a specific App) and on the other hand, how important is the security. In reality, at the consumer level, how crucial is it that such a high level of authentication is required.

As mentioned, this generally isn't a problem when the tags are used within a known supply chain. In these cases, the user scanning the tag is likely to know or expect a certain page and therefore even with frictionless (app free) scanning, it's not typically an issue.

How to integrate NFC tags into products

So, how are tags integrated into products ?

Generally, there's three general ways to do this. Let's have a look at each of them.

Integrated tags

Essentially, the NFC tags are fully integrated into the product. In the case of a pair of shoes, the tag might be in the liner. On a product, it might be behind a plastic moulding. The key element is that the tags are added during the manufacturing process. They are fully integrated.

Additional hang tag

In this instance, the tags are added to additional swing tags, epoxy hang tags, PVC cards or similar items which are either attached or provided with the product. For example, a luxury watch might include an authentication card within the presentation box.

External tags

In this instance, the NFC tags are applied to the outside of the products. This can be an easy and flexible solution if, for example, the tags are added to food packaging or similar where integration or additional hang tags might be problematic.

Combining authentication with tamper detection

In addition to NFC authentication, there's also the option now of using tamper detection tags. While they both can be used to act as a protection mechanism, they are different in their function.

Tamper detection tags work in one of two ways. Either the tag is completely destroyed when an attempt is made to remove it - the NFC tag will not scan and will no longer work. An increasingly common alternative is a new generation of tamper tags which detect the tamper but continue to work.

The new tamper tags work because the data on the tag is automatically changed when a tamper is detected. The data change will typically be a variable within a URL which can then be checked either using a frictionless scan (no specific App) or using an App.

The important point is that this is quite different than authentication tags. Tamper tags work in the same way as normal tags and their security is simply to detect tampering. There's no inbuilt function to check that the tag itself is genuine in any more than using a unique URL or using the UID as described above.

However, this situation is changing as well. NXP recently launched a new NFC tag, the NTAG424 TT which combines authentication and tamper features together. It's not the only chip and there are others on the way.

Additional benefits

In itself, preventing counterfeit goods, protecting the consumer and adding brand protection is more than enough reason to add authentication tags to products. However, there's often additional benefits as well.

Consider a tag embedded into a luxury item without authentication. Some information supplied with the item might ask the user to scan the tag for promotional offers or to register the product. The user might, but it's not perhaps an unusual request and therefore perhaps not a particularly powerful call to action.

Now consider that the user is asked to scan the NFC tag to check that the product is authentic. The performance is likely to be substantially higher.

The result of this is an increased user interaction which in turn can improve brand loyalty and customer interaction.

*Global Brand Counterfeiting Report 2018, Research and Markets **PricewaterhouseCoopers, June 2011