Working at Laava has exposed us to counterfeit vectors of all types. This Blog Post is the first of many where we will be highlighting counterfeit methods and ways our technology can help mitigate some risk. No solution will ever be 100% poof against counterfeit, but the methods and solutions used by brands can be improved to establish a higher barrier to counterfeiters.

Laava works at its core by attacking counterfeit at scale, that said we will now delve into the world of coping NFC, UHF, RFID. All of these types of radio based methods can be overcome, and we will discuss the most basic fundamentals.

Like most most security breach methods typically counterfeit starts somewhere in the supply chain, either at the shipment providers or warehouses at the destination country. Sometimes a specific partner may be responsible. Information is key to identifying weakness in the supply chain. In the world of codes which have readers and writers available readily, coping a electronic code is fundamentally not much more difficult than a physical code (QR). Part of the journey starts with better serialisation and information compartmentalisation. Inevitably counterfeiters will copy the codes in RFID or other electronic codes, and they can do so easily.

If you eat a meal with meat you have a 50% chance of getting the meat you paid for, Australia beef is substituted not just for other beef but often other animals. If you go to a bar or restaurant you have a 30% chance of buying counterfeit alcohol. For the longest time, Brands have suffered at the hands of counterfeit and employed a variety of anti counterfeit measures to stop them. Many of these are of the forensic variety and don’t allow normal consumers the ability to check a product.

Which electronic solutions are good to stop counterfeit.

NFC, RFID, UHF. All these electronic codes can be copied or overwritten.  Because often the information is sequential or similar and unencrypted with strong cryptographic methods, these codes are vulnerable in almost all cases. With some good practices these are good but more often than not the supply chain doesn’t allow mass writing and reading and tracking of unique codes, often codes are just information about the product and a number which is sequential.

The kit above can be used to read, write and crack these codes. The kit above can be purchased for $100 USD and provides enough hardware to get started cracking cards. Multiple vendors can supply these kits, many suppliers of anti counterfeit systems use these RFID, NFC and UHF systems, the reality is the cracking methods are known and overtime better cracking systems will become available.

‍

‍

‍

‍

Hotels and many other identity cards use use even simpler systems in some cases. This technology is basically the same for all solutions and in the past vendors and users of the technology used obfuscation to hide the way this works or the way keys work.

‍

‍

‍

‍

The Chameleon Kit above can be used to gain access to hotels, copy a card, use this card or use this card to see if you can break in.

The truth is that there is no one size fits all solution to anti counterfeit, but its layers of security that make the difference. Transport protocol codes will always be vulnerable, and over time the triviality of breaking them will become apparent. This is because fundementally the encrypted data is exposed and easy to read. Even if you have specific frequencies and wavelengths because of the standards these are all detectable. Rolling systems are required or one time read systems, even these there are problems. Good security is a key per person issued a card, but these keys once one is known can be broken usually.

Armed with that knowledge here is our simple sales pitch

Why not an optical solution, rather than transmitting a set of encrypted bits, use a smart finger print combined with multi factor to allow access or authority. These chips paired with our smart finger prints provide a stronger authority which is less easy to crack as only the chip can be brute forced.  

‍

How does Laava Smart Finger Print provide better protection?

1. As the only way to send data to a Laava Api is via an image, this minimises the brute force approach.
2. No information is returned when an image is not matched, this means that as there is no sequential finger prints, no vector is available to incrementally force the system. Only the finger prints in the system are matched, and only those finger prints.
3. Its incredibly obvious, we see every scan that is transmitted over the system so multiple images of fake finger prints will present alerts to our team.
4. Algorithm is different for each client. What works for one does not work for another, and these data sets are seperate so the chance of finding a match is dramatically reduced.
5. Other anti counterfeit methods are available and Laava is a great low cost solution, there is probably no solution which is lower cost.

Read more about cracking techniques.

https://smartlockpicking.com/slides/Confidence_A_2018_Practical_Guide_To_Hacking_RFID_NFC.pdf

‍