Making the Right Choice: Security and NFC/RFID Tags

Jun 22nd 2016 Tony Rosati

Depending on the application, NFC/RFID tags may or may not require some level of security. If you were only interested in tracking assets, a simple serial number would do. However, if you were issuing chip and PIN credit cards or e-passports, then a much higher level of security is necessary to protect that credential and provide proof.

Higher security comes at a higher cost.

Three Levels of Security — All with Pros and Cons

There are three levels of security for NFC tags (or HF RFID Tags). Each level comes with its issues and security threats at the system level.

Level 1: Plain Memory Tag with Password Protection

A unique ID is encoded at the factory and can’t be changed. Passwords offer secure data access if desired.

Benefit: Very low cost.

Weakness: Password management is possible but would be a monumental task. Imagine deploying a system with thousands of tags and passwords. Every UID would have a unique password. A database breach would compromise all the tags.

Level 2: Plain Memory Tag Using the Signature RTD 2.0

The content of the tag is signed using public key cryptography similar to code signing. Once signed, no one can tamper with the message in any way and the signer can be verified. Tag hardware attributes can also be included in the signature to make tag cloning very difficult.


Benefits:

  • The message cannot be modified
  • Protection against copying the message to a different tag if the hardware is signed
  • The signer can be identified for a verifiable chain of custody
  • Key management is simple

A public NFC root is stored on the NFC-enabled device (say, in an app or a certificate store). It does not need to be protected because it is signed. Your web browser has hundreds of roots for signature verification. Signature verification can be an offline process, with no need to be connected to a cloud service. This solution is also cost effective because you can use plain memory tags.

Weakness: The whole tag (NDEF, hardware attributes and signature record) can be copied and emulated. This is more difficult than emulating just a UID. There may also be less incentive to copy given the message cannot be changed.
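The Level 2 checks described above, as an added example (not TrustPoint's code and not the Signature RTD 2.0 record encoding): an ECDSA signature over the tag UID plus the message, verified offline with only the public key. The UIDs, URL, byte layout and function names are constructed for illustration.

```javascript
// Added example: Level 2 signing with hardware binding (simplified layout,
// not the NFC Forum Signature RTD 2.0 record encoding).
const crypto = require('crypto');

// Constructed signer key pair; in practice the private key stays with the
// issuer and the public key chains to a root stored on the phone.
const signer = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Bytes covered by the signature: length-prefixed UID followed by the message.
function signedBytes(uidHex, ndefText) {
  const uid = Buffer.from(uidHex, 'hex');
  return Buffer.concat([Buffer.from([uid.length]), uid, Buffer.from(ndefText, 'utf8')]);
}

// Issuer side: sign the message together with the tag's factory UID.
function issueTag(uidHex, ndefText, privateKey) {
  const signature = crypto.sign('sha256', signedBytes(uidHex, ndefText), privateKey);
  return { uidHex, ndefText, signature };
}

// Reader side: offline check using only the public key and what the tag reports.
function verifyTag(tag, publicKey) {
  return crypto.verify('sha256', signedBytes(tag.uidHex, tag.ndefText), publicKey, tag.signature);
}

function demoSignedTag() {
  const genuine = issueTag('04a1b2c3d4e5f6', 'https://example.com/item/1', signer.privateKey);
  const edited = { ...genuine, ndefText: 'https://example.com/item/2' };
  // Same records copied onto a blank tag, which reports its own factory UID.
  const copied = { ...genuine, uidHex: '04ffeeddccbbaa' };
  // A device that presents the original UID along with the records.
  const emulated = { ...genuine };
  return {
    genuine: verifyTag(genuine, signer.publicKey),
    edited: verifyTag(edited, signer.publicKey),
    copied: verifyTag(copied, signer.publicKey),
    emulated: verifyTag(emulated, signer.publicKey),
  };
}

console.log(demoSignedTag());
```

The `emulated` case passing is the weakness stated above: a static signature proves where the data came from, not that the chip presenting it is the original.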

Level 3: NFC Tags with Additional Crypto

While the crypto algorithms may be standard, the key management is not. These tags are used in closed loop systems for ticketing or payments where companies deploy their own keying infrastructure. There are two types of security chips for this application:

Symmetric Key:

Most crypto based tags fall into this camp. They use a standard block cypher like AES or Grain. Think of it as a lock with one key to lock and unlock data (i.e. symmetric key).

Benefit: Considered very secure and fast. Also, uncovering the tag's secret key would be extremely difficult, if not impossible, without destroying the tag. In other words, cloning the tag is very hard.

Weakness: The main weakness is key management. The reader (or server in the sky) must hold the tag keys or a master key from which they are derived, and that secret could be compromised if not protected (unlike a public key certificate). This is especially an issue for readers. Master keys could be stored in the cloud, but now tag verification must take place online.

Asymmetric Key (or public key):

Like the Signature RTD 2.0, but the crypto engine is on the tag and its private key is protected. Think of it as a two-key system: one key can only lock (the public key) and the other key can only unlock (the private key).

Benefit: This approach is very secure and key management is very simple, as with the Signature RTD 2.0. The verifier does not need to protect a secret key as in the symmetric case. Verification can be done offline. Chip and PIN credit/debit cards use this type of cryptography.

Weakness: Transaction speeds can be 10 times slower than with symmetric key. For example, if AES takes 50 ms for the authentication protocol, the asymmetric case may take 500 ms. Asymmetric cryptography requires more horsepower than symmetric key cryptography.
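An added example (not from the original post or any vendor's protocol) of the two Level 3 authentication styles, showing what each verifier has to store. HMAC-SHA256 stands in for the tag's AES-based primitives, and the UID, keys and function names are constructed.

```javascript
// Added example: Level 3 challenge-response, symmetric vs. asymmetric.
// HMAC-SHA256 stands in for the tag's AES-based primitives (assumption).
const crypto = require('crypto');

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// Symmetric tag: its key is derived from the master key and the tag UID.
function makeSymmetricTag(masterKey, uidHex) {
  const tagKey = hmac(masterKey, Buffer.from(uidHex, 'hex'));
  return { uidHex, respond: (challenge) => hmac(tagKey, challenge) };
}

// The verifier must hold the master key to re-derive the tag key.
function verifySymmetric(tag, masterKey) {
  const challenge = crypto.randomBytes(16); // fresh per transaction
  const expected = hmac(hmac(masterKey, Buffer.from(tag.uidHex, 'hex')), challenge);
  const got = tag.respond(challenge);
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Asymmetric tag: the private key never leaves the chip.
function makeAsymmetricTag() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { publicKey, respond: (challenge) => crypto.sign('sha256', challenge, privateKey) };
}

// The verifier holds only the public key (in practice taken from a certificate).
function verifyAsymmetric(tag, publicKey) {
  const challenge = crypto.randomBytes(16);
  return crypto.verify('sha256', challenge, publicKey, tag.respond(challenge));
}

function demoChallengeResponse() {
  const master = crypto.randomBytes(32); // constructed master key
  const symTag = makeSymmetricTag(master, '04a1b2c3d4e5f6');
  const asymTag = makeAsymmetricTag();
  // Copies that can only repeat one recorded response, not compute a new one.
  const recordedMac = symTag.respond(crypto.randomBytes(16));
  const recordedSig = asymTag.respond(crypto.randomBytes(16));
  const replaySym = { uidHex: symTag.uidHex, respond: () => recordedMac };
  const replayAsym = { respond: () => recordedSig };
  return {
    symmetricGenuine: verifySymmetric(symTag, master),
    symmetricReplay: verifySymmetric(replaySym, master),
    asymmetricGenuine: verifyAsymmetric(asymTag, asymTag.publicKey),
    asymmetricReplay: verifyAsymmetric(replayAsym, asymTag.publicKey),
  };
}
console.log(demoChallengeResponse());
```

Both replayed responses fail because each verification uses a fresh challenge; the difference is that `verifySymmetric` needs the master key while `verifyAsymmetric` needs only public data.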


The Bottom Line

Increasing the security level increases cost. The application must drive the security requirements. It’s also worth noting that you can combine security levels. Closed loop systems where tags are re-used can afford higher security. Open loop systems where tags are used in a limited fashion and thrown away are much more sensitive to cost.

Here are a few example use cases driving different security requirements.

Level 1 — Low Security:

  • Inventory tracking

Level 2 — Medium Security:

  • Event tickets
  • Tracking high volume sensitive items (i.e. medical equipment, drugs, books)
  • Industrial assets requiring maintenance & software updates
  • Authentic components especially where chain of custody is important

Level 3 — High Security:

  • Credit/debit cards
  • Passports
  • Multi-use tickets
  • Identification cards
  • Key fobs

Talk to TrustPoint today about the right level of security for your specific needs.

Petition to Support NFC on iPhone

Apr 7th 2016 Tony Rosati

NFC is a great technology. It allows us to easily access and share information. Its functionality is perfect for our smartphone-connected world. At TrustPoint, we use it to help brands fight counterfeiting and allow consumers to know they're buying authentic products.

NFC has the potential to provide smartphone users with all the information they need with a simple tap. There is one significant barrier — a lack of functionality on Apple iPhones. While NFC is available on the iPhone and is used for Apple Pay, it is not available for any other use.

We want to see Apple make this safe and secure technology available for all its users. We're supporting a petition to get Apple's attention.

Help us encourage Apple to join the NFC movement. Take a moment to sign the petition today!

Counterfeit Wines, A Multi Billion Dollar Problem

Feb 11th 2016 Tony Rosati
Is your favourite wine real or counterfeit?

Counterfeit wines made headlines in the world of rare wine collecting with two fascinating stories.

The first story is the New Yorker's “The Jefferson Bottles” about American tycoon Bill Koch who purchased four 1787 Lafitte owned by Thomas Jefferson for $500,000 at auction and later discovered they were fake.

The other story is Vanity Fair's “A Vintage Crime” about a flamboyant collector, Rudy Kurniawan, who made more than $130 million in sales of high profile counterfeit wines according to the FBI.

This is not only a problem for high-end wine collectors.

Wine Spectator notes that mid-tier counterfeit wine and spirits are now appearing on the market. Wine fraud is increasing globally, especially as the demand for “small production, age worthy” wines grows.

Counterfeiting Growing Along with Our Love of Wine

The Wine Spectator recently reported that the counterfeit wine market in China is a “sizeable underground industry”. The problem is not isolated to China. In 2016, Italian authorities seized 9,000 bottles of fake MOËT. In 2014, they seized 30,000 bottles of counterfeit Brunello, Chianti Classico, and Sagrantino di Montefalco. There are many other examples.

The world drank 2.64 billion cases of wine in 2013 and it's expected to reach 2.73 billion cases by 2018 (London-based research firm IWSR). How big is the counterfeit problem? It's hard to estimate but according to some unofficial wine industry estimates, it's in the order of 20% of all international trade.

Counterfeit wine negatively impacts legitimate industry players. It reduces the sales and market share of legitimate producers and dilutes their brand.

Authenticating the Real Deal

Wine authenticators traditionally employ many subjective techniques to judge authenticity: the quality of the glass bottle, the length of the cork, the writing on the label and cork, purchase history, etc. This can help, but it’s not foolproof.

In the world of cryptography, when we want to authenticate a device or user, we employ digital signatures. They cannot be spoofed. They are used in every aspect of modern communications including mobile phones, mobile apps, Internet ecommerce, web browsing, and electronic payments.

Near Field Communications (NFC) brings digital signatures to physical objects such as wine in a standard way. NFC tags (similar to Radio Frequency Identification, or RFID, tags) are low cost, paper-thin labels that can be attached to anything and do not need batteries.

Any NFC enabled smartphone can read the label and verify the signature on the tag thereby establishing its authenticity including identifying the signer (such as the winemaker). Any information can be included in the signature such as a link to the winemaker.

Blackseal from TrustPoint Innovation is a platform that manages the lifecycle of digital signatures on NFC tags. Contact us today to learn more about securing the authenticity of your brand.

Should Consumers Care About Counterfeit Goods?

Oct 7th 2015 Tony Rosati

We know manufacturers care about counterfeits. High quality counterfeits compete directly with the genuine article, leading to lost sales. Low quality counterfeits damage the brand. Manufacturers employ investigators to shut down illegal operations, they train customs officials to recognize fakes, and they also employ software tools to seek out illegal online distribution and issue takedown notices. According to Google's Transparency Report, there have been dramatic increases in the number of alleged copyright infringements. The number of “URLs requested to be removed” from search per week has doubled in one year from approximately 6 million to 12 million. These takedown notices are clearly not all about counterfeits, but they do demonstrate a growing online concern over copyright infringement.

Understanding the Consumer's Mindset

There is a demographic of consumers who will buy counterfeits for whatever reason but most want the genuine article. Counterfeiters know this and are evolving. They produce high quality fakes (“Super fakes”) that target legitimate consumers online with domains that look like the real manufacturer or authorized distributor.

Manufacturers encourage consumers to buy direct or from an authorized distributor but that's increasingly hard to do online. Consumers looking for a good deal can easily be deceived. If the consumer was deceived into believing the item was genuine and later discovers it was fake (i.e. through a failure or return) there is a loss of goodwill and they may never purchase that brand again.

Consumers should care! Counterfeiters are increasingly duping them. Consumers want to buy (and potentially re-sell) the genuine product but have no way to check if the product is authentic. This is especially true for high value items and collectibles.

Product Authenticity Requires Strong Locks That Can Be Verified By Anyone

The best locks for electronic verification use cryptography or mathematical codes that can't be copied or broken. They are used by our financial systems and military alike. Counterfeiters cannot duplicate them.

There is an elegant, easy to use cryptographic lock in the form of Near Field Communication (NFC) tags. NFC tags are like their cousins, RFID tags, which have been used in product supply chains for years. The difference is the consumer can read the NFC tag with their smart phones, since the phone has NFC built in — similar to Bluetooth and Wi-Fi. It's the same technology used to enable Apple Pay and Google Pay.

Consumers simply tap the NFC tag with their smart phone to verify the product. In addition, the NFC tag can be used by manufacturers as an advertising platform. The NFC tag can hold a URL that can be re-directed to any promotion, anytime.

Does a Consumer Verification Model Help Manufacturers?

YES! Manufacturers have limited investigative resources to tackle the counterfeit problem. Customs officials have a limited impact because they must be trained to look for brand specific design marks and trademarks. With the ability to verify a product positively with a smart phone, consumers can't be duped by super fakes when they want to buy the genuine article.

Are Intermediaries in Supply Chains Legally Responsible for Counterfeit Goods?

Sep 30th 2015 Tony Rosati
Trust in the Supply Chain

Intermediaries refer to all parties in the supply chain. They include raw material suppliers, manufacturers, distributors, shipping companies, transport operators, payment processors and retailers. Retailers include both brick and mortar and ecommerce web sites. An Intermediary can also be a landlord who rents space to any party in the supply chain.

Intermediaries are clearly vital to the manufacture and delivery of goods. They are also vulnerable to criminal activities and counterfeiters exploit them.

Many people think of recent high profile cases related to copying digital content. P2P file sharing services Kazaa, Mininova and the Pirate Bay were all found liable for authorizing copyright infringements and were directly liable for unauthorized communication to the public.

According to the 2015 BASCAP study on the “Roles and Responsibilities of Intermediaries”, laws are different in every country/jurisdiction, however, in general “the law condemns parties who have actual or constructive knowledge of infringement and play some sort of causal or participatory role. Key factors that the courts consider, in addition to knowledge, are: 1) failure to exercise control or take steps to prevent continuing infringement; 2) the receipt of revenues derived specifically from the infringing activity; and 3) specific steps taken to promote or encourage infringement.”

The bottom line is that intermediaries are legally responsible for counterfeit activity and there is plenty of precedent to prove it. Below are examples of liability directed at intermediaries from the BASCAP study. Blackseal allows investigators, intermediaries and consumers alike to test the authenticity of a product.

Ecommerce Websites

“In Tiffany (NJ) Inc. v. eBay Inc., the court found that generalized knowledge that trademark infringement was occurring was not sufficient for action, but willful blindness could be a cause for action.”

“In Chloe SAS v. Sawabeth Info Svcs. Co., the court found that the web platform TradeKey fell on the wrong side of the line in its complicity with the transactions occurring on its site.”

“In Gucci America, Inc. v., following a default judgment in favor of Gucci, Chloé and Alfred Dunhill against defendants claimed to be distributing counterfeit handbags and wallets. The court ordered third-party financial institutions to liquidate all of the assets they held for the defendants, and to give those assets to the claimants. Over $500,000 was recovered.”


“In Louis Vuitton Malletier, S.A. v. Akanoc Solutions, Inc., trademark and copyright infringement was occurring on websites hosted by the ISP. At trial, the jury found the hosting ISP liable and awarded Louis Vuitton $10.8 million in damages.”

Payment Processors

“In Gucci America, Inc. v. Frontline Processing Corp., the court found that intermediaries could be liable for (contributory) trademark infringement under a number of circumstances.”


“Europe — In a ruling in interim proceedings against China Shipping, the Summary Judge of the Rotterdam District, confirmed that article 6 and 11 of regulation 1383/2003 does not give the carrier the right to claim payment by the rights holder of the demurrage costs.”

Shopping Mall

“In April 2011, the Brazilian Superior Court of Justice found the 25 de Março Shopping Mall in Sao Paulo liable for reselling counterfeit products. It imposed a daily penalty of R$50,000 (about $30,000 USD) if the Mall did not stop marketing and selling counterfeit items from Nike, Louis Vuitton, and Oakley, who had sued for damages. The Court ordered the payment of moral damages to these companies.”


“China — In July 2011, the Beijing Higher People's Court issued decisions that clarified the duty of care for the Silk Street Market and other landlords. It affirmed the 2010 rulings of the lower courts, which had specified the landlord's duty to take reasonable measures in dealing with infringers. It also found that failure to do so could make the landlord jointly liable.”


“In Gucci America, Inc., et al. v. Curveal Fashion, the magistrate ordered the New York office of the United Overseas Bank to produce relevant account documents after obtaining information showing [the defendant's] transfer of $900,000 into accounts at UOB Malaysia. UOB refused to comply with the subpoena, and the district court held UOB in contempt of court, awarded Plaintiffs attorneys' fees, and imposed a fine of $10,000 per day for each future day of noncompliance. The two parties settled the case with a $250,000 payment from UOB.”

Customs Broker

“In the US, in Coach Inc. et al v. Celco Customs Services Co. and Shen Huei Feng Wang, a jury found a customs broker liable for $8 million for contributory trademark infringement.”

