Apr 15

How safe are QR scan codes?

Product counterfeiting is a major problem for high-end and sought-after fashion brands of clothing and accessories. Anyone who has visited New York City has probably seen sizeable shops selling "Gucci" bags for next to nothing. Everything on these handbags looks right; only the material and/or the workmanship turns out to be inferior. A real Gucci bag is very expensive, so a $50 Gucci handbag in New York may look like a steal of a bargain, and it is, because it is a fake. That is a loss both for Gucci and for the customer who wants to own the genuine accessory.

Sometimes the matter goes beyond what a brand-name item looks like and extends to how the item functions. Returning to our ubiquitous Gucci clones, it can be very difficult to tell them apart from the real thing. Look at this photo (courtesy

(The sophistication of the cloning process for fashion items is such that it is often virtually impossible to tell the real Gucci Dionysus bag from the fake one. Incidentally, the fake is the one on the left.)

Because the cloning process is as good as it is, the counterfeit item cheats the real Gucci company out of business no matter what price the fake is offered for. To make a sale of the fake look like the sale of a real bag, the seller can offer it at a "discount" while in fact marking the fake up significantly. Either way, Gucci loses.

Several methods of brand product authentication have therefore appeared on the market. One of them makes use of QR codes. When QR first appeared it seemed like a miracle technology, and in some ways it is. One thing QR cannot do, however, is provide reliable authentication. We will examine why.

What is a QR Code?

Most of us have seen, or even used, QR codes by now. The code can be scanned by a smartphone or any other device equipped to read such codes. A sample QR code is shown here:

If you have a QR-scanning app on your smartphone, you can find out what this code contains. It points to this website: (a great site for all your recording needs, by the way!)

QR stands for Quick Response. A QR code stores its data in one of four standardized encoding modes (numeric, alphanumeric, byte/binary, and kanji), with extensions available, and its two-dimensional layout packs far more data into a small area than a one-dimensional barcode can. It is also scalable: only the size of the code's elements relative to one another matters, so the same code can be displayed on a huge screen or printed on a small clothing tag and read just as easily. What the code holds is simply a short string of data, frequently a URL.

It might seem that such a sophisticated coding system, unreadable by eye but readable by any phone, and able to carry a wide range of data, would make a great means of authentication. The code we have here for Little Spot Productions encodes exactly one thing: the address of that site.

But how would the customer know that?

What if we built an imitation website and used a QR code to direct the customer to the fake site? Or consider Gucci again. If the bag carries a QR code, the code can be copied simply by photographing a real Gucci bag. A QR code is just a printed pattern with no tie to the physical item it sits on, so this kind of fakery is very easy. The cheapest way to counterfeit the code is to copy a real one and reproduce it (perhaps photographing the codes of several different Gucci bags) across the fake product line. The customer scans it and is taken to the genuine Gucci site, where the authentic product information may dupe him or her even further into believing that the great deal is for the real product.

It is therefore possible to take a customer "down the rabbit hole" a very long way with QR technology.

In summary, QR lacks several features that would make it a solid anti-counterfeiting technology:

  1. Codes are arbitrarily easy to create; just look on the Internet. The one we presented was generated on a web site just for this article.
  2. A code's real destination is hidden from the end user until it is scanned.
  3. An authentic code is effortless to duplicate. Imagine taking a valid code for Apple, printing labels with it, and attaching them to the boxes of fake phones. A customer scanning such a box is taken to the REAL Apple site, which gives no indication that the item inside the box is fake.
    Wikipedia notes further risks, with more technical precision:
  4. The only context in which common QR codes can carry executable data is the URL data type. These URLs may host JavaScript code, which can be used to exploit vulnerabilities in applications on the host system, such as the reader, the web browser or the image viewer, since a reader will typically send the data to the application associated with the data type used by the QR code.
  5. In the case of no software exploits, malicious QR codes combined with a permissive reader can still put a computer’s contents and user’s privacy at risk. This practice is known as “attagging”, a portmanteau of “attack tagging”.[68] They are easily created and can be affixed over legitimate QR codes.[69] On a smartphone, the reader’s permissions may allow use of the camera, full Internet access, read/write contact data, GPS, read browser history, read/write local storage, and global system changes.[70][71][72]
  6. Risks include linking to dangerous web sites with browser exploits, enabling the microphone/camera/GPS, and then streaming those feeds to a remote server, analysis of sensitive data (passwords, files, contacts, transactions),[73] and sending email/SMS/IM messages or DDOS packets as part of a botnet, corrupting privacy settings, stealing identity,[74] and even containing malicious logic themselves such as JavaScript[75] or a virus.[76][77] These actions could occur in the background while the user is only seeing the reader opening a seemingly harmless web page.[78] In Russia, a malicious QR code caused phones that scanned it to send premium texts at a fee of US$6 each.[68]
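The list above is what a reader app should act on before it opens anything. The following is an added example written for this article, not code from the page, from Verisium, or from any QR reader app: it classifies a decoded payload string, which is what a reader holds after the camera step. The brand hostname brand.example, the finding messages, and every sample payload are constructed assumptions.

```python
"""Triage a decoded QR payload before a reader acts on it.

Added example for this article; not code from the page, from Verisium or
from any QR reader. brand.example and the sample payloads are constructed.
"""
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit

# Assumption: the only host the brand serves its verification page from.
TRUSTED_VERIFY_HOSTS = {"brand.example"}

# Schemes a permissive reader hands to another app (SMS, dialer, script
# host): the route by which a code sends premium texts or runs JavaScript.
HANDOFF_SCHEMES = {"javascript", "sms", "smsto", "mms", "tel", "mailto", "data", "intent"}

# Query keys that would mark a per-item code rather than a brand-wide one.
ITEM_KEYS = ("id", "serial", "tag")

NOT_URL = "not a URL: cannot be looked up, anyone can print it"
NO_ITEM_ID = "no per-item identifier: code is static and trivially copied"


def triage(payload: str) -> list[str]:
    """Return findings for one decoded payload, most severe first.

    An empty list means an https URL on the brand's own host that carries a
    per-item identifier. That does not make the item genuine; it only means
    the payload is worth looking up in the brand's records.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if not scheme:
        # Bare text such as a serial number: nothing to open, nothing to check.
        return [NOT_URL]
    if scheme in HANDOFF_SCHEMES:
        # Stop here: opening it would act, not merely display a page.
        return [f"scheme {scheme!r} is handed to another app: do not open"]

    findings = []
    if scheme != "https":
        findings.append(f"scheme {scheme!r} is not https: page can be intercepted or spoofed")

    host = (parts.hostname or "").lower()
    if host not in TRUSTED_VERIFY_HOSTS:
        # Lookalike or unrelated host: the "hidden real address" case above.
        findings.append(f"host {host!r} is not the brand's verification host")

    if not any(k in parse_qs(parts.query) for k in ITEM_KEYS):
        # A code pointing at a brand home page is identical on every item, so
        # one photo of a genuine code "verifies" an entire fake product line.
        findings.append(NO_ITEM_ID)
    return findings


if __name__ == "__main__":
    # Constructed payloads: a per-item code, a photographed brand-wide code,
    # a lookalike host over plain http, and a premium-SMS code.
    for p in ("https://brand.example/verify?id=GG-0001",
              "https://brand.example/",
              "http://brand-example.net/verify?id=GG-0001",
              "sms:+15550100?body=YES"):
        print(p, "->", triage(p) or ["ok to look up"])
```

The order of the checks is deliberate: a hand-off scheme is rejected outright because opening it performs an action rather than showing a page, while the host and identifier findings are only useful once the payload is known to be an ordinary web URL. Note that a clean result still proves nothing about the bag; it only says the code carries something a brand could look up.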

In other words, that $300 Gucci Dionysus handbag may not only be a fake: scanning the QR code on it can hand personal information from your own device to the counterfeiter, with all manner of consequences for your financial and personal life.

Because there is no way to ensure that the data in a QR code is actually tied to the brand manufacturer, or to the individual item it is printed on, this technology alone cannot be used for product authentication.

What is needed to give bullet-proof authentication?

The notion of an immutable ledger becomes extremely relevant here. Each instance of a brand's product must be distinctly known: authentication data must be present on the physical product itself in some form, and a matching distinct record must exist in the manufacturer's product database. We want strict 1:1 correspondence, and the database must be immutable, meaning that once an item has been added, its record can be neither altered nor duplicated.

A blockchain provides both of these functions. It is an immutable, append-only ledger: data added to it remains in the chain permanently, so the unique product ID is preserved.

The fact that blockchains are decentralized adds a much stronger protection. There is no single location where the data is stored; every node holds a copy of the same ledger, so an attacker cannot simply alter one database but would have to make the same change stick across enough of the network's nodes for it to be accepted as the agreed copy.

That number of nodes grows large quickly, and the combination of recomputing the chain of hashes that follows the altered record and pushing that change to all those nodes becomes prohibitively expensive in both resources and time. While it may be theoretically possible to forge an item's ID record in the blockchain, it would take more computing power, and hence more equipment, than any counterfeiter could conceivably afford and still stay in business.

In the world of computer technology we know that nothing is impossible to fake. But with blockchain technology we can make any attempt to do so arbitrarily difficult, so much so that a counterfeiter might find it more profitable simply to develop honest, competitive products than to fake someone else's.

Verisium offers bullet-proof product authentication and supplemental services through its blockchain, supplemented by NFC tags embedded in client products. Each NFC tag carries unique product authentication data, and that data is looked up in the Verisium blockchain by scanning the tag with a smartphone. Because each NFC ID is unique and the blockchain holds records only for authentic items, a scan of a tag whose ID is not in the blockchain simply returns a "not genuine" result.
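A toy version of the registry the paragraphs above describe, added for this article. It is not Verisium's code and not a distributed blockchain: a single in-memory, hash-chained, append-only ledger with one record per tag ID. The tag IDs and product descriptions are constructed. It shows the two properties the text asks for: the 1:1 rule refuses a second record for a known ID and an unknown ID returns "not genuine", and changing any earlier record breaks every hash after it, which is the work an attacker would have to redo on the network's nodes.

```python
"""Toy append-only, hash-chained product registry.

Added example for this article; not Verisium's code and not a blockchain
(single process, no consensus). Tag IDs and products below are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


class ProductLedger:
    def __init__(self):
        # Each entry: index, tag_id, product, prev (hash of previous entry), hash
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash the entry's content plus the link to its predecessor; the
        # entry's own hash field is excluded because it is what we compute.
        body = {k: entry[k] for k in ("index", "tag_id", "product", "prev")}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def register(self, tag_id, product):
        """Append one record for one physical item; refuse a duplicate ID."""
        if any(e["tag_id"] == tag_id for e in self.entries):
            raise ValueError(f"tag {tag_id} already registered (1:1 rule)")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"index": len(self.entries), "tag_id": tag_id,
                 "product": product, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify_tag(self, tag_id):
        """What a scanning app would show: the product record, or 'not genuine'."""
        for e in self.entries:
            if e["tag_id"] == tag_id:
                return e["product"]
        return "not genuine"

    def audit(self):
        """Recompute the chain; return the index of the first bad entry, or None."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return e["index"]
            prev = e["hash"]
        return None


if __name__ == "__main__":
    ledger = ProductLedger()
    ledger.register("04A1B2C3D4E5F6", "Dionysus bag, lot 2019-07")  # constructed
    ledger.register("04F6E5D4C3B2A1", "Dionysus bag, lot 2019-07")  # constructed
    print(ledger.verify_tag("04A1B2C3D4E5F6"))   # the product record
    print(ledger.verify_tag("04DEADBEEF0000"))   # not genuine
    print(ledger.audit())                         # None: chain intact
    # Tampering with record 0 is detected at record 0 by its own hash...
    ledger.entries[0]["product"] = "counterfeit relabelled as genuine"
    print(ledger.audit())                         # 0
    # ...and re-hashing record 0 only moves the break to record 1, whose
    # stored prev no longer matches: every later hash must be redone too.
    ledger.entries[0]["hash"] = ProductLedger._digest(ledger.entries[0])
    print(ledger.audit())                         # 1
```

A lookup of this kind answers only whether an ID is present in the ledger and which record it belongs to. Keeping the data on the tag itself from being read out and reproduced is a property of the NFC hardware and of the tag's own protocol, which this example does not model; what the ledger contributes is the 1:1 record and the tamper evidence.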

In this way a superior method of product authentication is created, together with resources for maintaining and increasing customer engagement after the point of sale. With Verisium a product is followed through its entire life cycle and truly becomes a "Smart Product", opening up aftermarket opportunities for both the brand and the end customer.

For more information, contact us at