Blockchain to fight Fraud and Counterfeiting
Dec 07, 2019
This article was originally published on Linkedin
This is the third in the initial series of five articles. The first article provided a high-level setting for the role of blockchain in supply chain. The second one deals with the concept of DID (digital identities) and verifiable claims. Now, we will explore supply chain issues around fraud and counterfeiting, and how blockchain can address some of them.
There are many posts on Fraud and Counterfeiting (F&C) of high value, branded items and luxury goods such as Gucci, Coach, LVMH, Prada and the likes. F&C costs the economy billions of dollars in revenue loss annually and impacts the reputation of the brands themselves. The issue is not just confined to luxury items, but includes a broad range of high value items such as expensive wines, watches, jewelry, drugs and medicines, art and so many more.
According to the FDA, counterfeit medicine is fake medicine. It may be contaminated or possibly contain wrong or inactive ingredients. Unfortunately, counterfeiting drugs and medicines has become a lucrative business. These fraudulent drugs often originate overseas or through internet pharmacies where counterfeiters are able to inject fake antibiotics or medication into the supply chain and sell them to unsuspecting consumers, and this problem is global. Other types of fakes include having the right active ingredient, but wrong dosage, mislabeling expired medicines or near-identical reproduction of the labels affixed to counterfeit medicines. Medicines lose their effectiveness when they go past the expiry date or are not handled in accordance with manufacturer’s specification.
Many supply chain participants, distributors, retailers and customers are very interested in ensuring that the product they supply, or buy is authentic, and that they get the maximum value for their purchase or investment. However, many buyers who do not have the money willingly go with the fakes and fall victim to sellers who intentionally stock knockoffs to cash in on the high margins. These are criminal activities require the use of more sophisticated crime fighting technologies.
Brand manufacturers apply signatures to luxury goods to ensure that the product is authentic. Several websites offer tips on how to recognize a counterfeit by parsing through these signatures. There are a variety of characteristics buyers are advised to look for to authenticate their products such as the zipper style, material, logo size font & placement, embossed stamps, information tags & inserts, provenance marks (such as “Made in the USA”), lining, dust bags and serial numbers. There are similar signatures that apply to clothing and other luxury items.
In the case of drugs, pharmaceutical companies offer guidance on detecting fakes on their websites. The Bayer website has good information on detecting counterfeit drugs.
How are companies preparing to deal with this issue?
Major brand owners are now partnering with technology firms to implement solutions. For example, Microsoft, Consensys and LVMH recently announced a consortium with Aura Ledger. Christie’s is teaming up with blockchain-secured art registry service Artory.
In the case of pharmaceuticals, the Drug Supply Chain Security Act (DSCSA) outlines steps to build an electronic, interoperable system to identify and trace certain prescription drugs as they are distributed in the United States. This is expected to enhance the FDA’s ability to help protect consumers from exposure to drugs that may be counterfeit, stolen, contaminated, or otherwise harmful. T-Systems and Zebra Technologies are using IoT and secure tagging to fight fraud committed in the supply chain processes.
Retailers like eBay and “Legos in my Louis” offer online product authentication services as a value-added service. DHL Resilience360 (a supply chain risk management platform) provides end-to-end supply chain visibility of pharma lifecycle from manufacturing to distribution. Entrupy and Goat are helping consumers identify fakes in high-value branded items using AI/ML, deep learning and computer vision to process millions of pre-stored micro-images about products against user taken ones.
Typical supply chain model
The following diagram shows a generic supply chain flow. A company designs products and then manufactures them by either using their own factories or contract manufacturers. The company operates a supply chain preparing quotes, capturing orders and full-filling them through the chain to meet the needs of their buyers. The intermediate participants in this process include logistics, in-bound and out-bound customs (if cross border), transporters, freight forwarders, warehouses, and distribution centers (both local and remote), among others. Ultimately the product ends up in retail stores and is available to consumers.
Most contract manufacturers are located in Asia where controls are lax and oversight is minimal. It does not take much to steal a few originals and replace them with fakes. It is conceivable that fraud can be committed at several points along the supply chain. Counterfeit products can be swapped for genuine ones or injected at several points in the route.
If this supply chain was moving pharmaceutical products, there is potential for inappropriate handling or exposure to abnormal conditions. Improper handling of goods can result in the damage to the goods, and if such goods are not properly tracked and removed from the chain, could lead to reputation loss and potential lawsuits. Additionally, even if those goods were moved out of the supply chain, fraudsters can move them back into the markets.
Choosing the right Architecture
Several factors determine the choice of the architecture and implementation strategy. An organization can be influenced by various risk factors:
The following graphic shows the choice of technology and architecture stack in relation to cost and effort.
The architecture stack should enable all participants in the network to collaborate, instill trust and transparency into the system and ensure that the consumer connectivity and confidence. As the stack grows, the complexity of the implementation increases and is visible in both cost and effort.
Technology elements that are fundamental and key to help build a robust solution include Tags, AI/ML, Blockchain and IOT. Let us examine each of these.
A distributed ledger technology that enables organizations to participate and execute transactions in a decentralized environment, where data is stored in an immutable ledger. The blockchain provides native support for transparency and privacy, and enforces trust through a consensus protocol. Blockchains are classified as permissioned, public and fit for purpose. The two most popular technologies in the market today are Hyperledger, for permissioned blockchain solutions, and Ethereum for public & private crypto driven solutions. Within the Hyperledger family, Indy is a “Fit for Purpose” blockchain to manage individual or corporate identities. The choice of blockchain technology is dependent upon the use case and the capabilities that the platform must provide natively.
Tags and Tagging Technologies
A tag is a label attached to a product containing or providing information. A tag can be electronic or printed and usually read using scanners, mobile applications or electronic detection systems. The most common tags used are bar-codes and QR-codes, but there are other tagging technologies available today.
RFID or Radio Frequency IDentification
RFID Tags have been around for a long time and have two parts: an IC (integrated circuit ) for storing and processing information, and an antenna for retrieving and transmitting data. RFID technology uses readers to bounce off signals on the RFID tag and read information stored within the tag.
Each product can have a unique ID, such as an Electronic Product Code (EPC), and be read without being in line of sight of the reader. This allows the chip to be embedded into an asset. In terms of security, RFID tags use one of many ways such as challenge-response authentication ( CRA ) and “shielding” to prevent information from being hacked.
NFC or Near Field Communication
NFC tags are small integrated circuits, either square or circular, designed to store information that can be retrieved by NFC-enabled devices like smartphones and tablets. NFC tags derive their origin from RFIDs in that they are passive devices and do not require native power supply to drive them.
NFC tags can store wide ranges of information, from product identification, short lines of text, web address or contact details. NFC tags can be secured so that once data has been written, it cannot be tampered. NXP manufactures a range of tags with features like authentication, memory protection, encryption and tamper detection. When combined with IoT devices, these new tags can enable smart sensors.
Special Purpose Security Tags
Copy or Tamper proof tags are companies like Scan Trust, Veritrace, Verinetics and Zortag. These tags have some additional digital information that prohibit the tag from being copied. Zortag uses a combo of a 2 dimensional and 3 dimensional print that renders the label impossible to duplicate.
Temperature and light sensitive tags can be applied to pharmaceutical products and provide data on how the product was exposed during the supply chain process. The temperature sensitive ink changes colors based on exposure to light and heat. It is possible to calibrate the effectiveness of the drug based on the color changes of the label.
Micro-Tagging using edible chemical additives, such as highly purified silica and optical signature encoding are available from companies like True Tags.
AI/ML – Artificial Intelligence and Machine Learning
AI/ML holds tremendous promise and provides new capabilities to tackle traditional problems. In fact, machine learning, artificial intelligence and deep learning have been compared to the Russian Doll, where the smallest piece fits into the next higher piece and so on. RPA or robotic process automation is a key part of ML. RPAs help automate common repetitive workflows, and in addition to speeding up the process, they bring efficiency and discipline in the execution of business rules.
Millions of shipments are received into the country every day. It is impossible to open and check every package for illicit drugs, counterfeit items and prohibited shipments. Machine learning can be used to teach the system such that pattern matching algorithms that can identify shipments that should be opened by creating knowledge graphs using data such as point of origin, shipper, handler(s), handling unit(s), carrier, originating country, manufacturer, factory(s) etc.
IOT or Internet of Things devices
The ubiquity of the internet and new innovations in sensor technology make IOT devices an integral part of any supply chain solution. These devices can be discrete or composite and can measure a range of attributes such as temperature, acceleration, exposure to light, altitude, force, velocity, GPS co-ordinates, vibration to name a few. Technology firms have been able to pack a lot of sensors into a small form factor.
Temperature sensors measure changes in temperature against a set threshold and is very useful in drugs and pharmaceuticals logistics.
Photosensitive sensors can be used to check if a packed box was opened during transit, thus notifying the seller or the consumer that a package in transit was opened.
GPS Sensors help in tracking package handling deviations from a prescribed path during the movement of the shipment, thus highlighting potential fraud. A Geo-Fence can be defined around prescribed routes and designated areas and smart logic can calculate diversions.
Vibration, Tilt, Altitude, Pressure, Force and Velocity sensors can provide data on elements such as packaging, transport, handling and delivery
IoT devices are now available to operate in Narrow bands (NB). This allows operations with low power consumption, minimal hardware, leverage wide area networks and existing infrastructure, and NB signals can penetrate concrete walls. This makes them cheap and easily deploy-able. The graphic from Postscapes and Harbor Research presents a visual of the IOT landscape.
Tamper Proofing the Asset
All assets, be it a luxury bag, a $1000 bottle of wine or an expensive retro-viral drug, carry identities such as a serial number. A few concepts can be combined to evaluate if an asset can be genuinely protected from fraud. Any approach must be able to address the following concerns.
- Discriminability: An inspector with minimal training should be able to identify the genuineness of the asset
- Inimitability: Counterfeiters should not able to create something similar
- Self-Destructiveness: The protection element must guarantee that any attempt to remove and place it on another package will result in its irreversible destruction
The key elements are key to defining a solution include secure tags, DID (digital identity), asset token and verifiable claims. Any tagging solution should be physically and digitally verifiable.
The Secure Tag, depending on the technology selected by the company can be the asset ID tag or mapped to the Asset Serial Number. Secure Tags can be generated by the factory or purchased in bulk from a Tag Supplier like Zortag. The factory purchases the secure tags in advance and then assigns them to serialized assets that come out of the production floor. They could assign it by either receiving a bulk file of the Tag Numbers and using the application to do the assignment, or they could use a scanner to scan the Secure Tag and the Product Bar Code to establish the assignment.
A secure tag can be generated using a function by the factory as shown in the example below.
asset_tag = function (signature attributes, tag generation pattern, cryptographic algorithm)
Signature attributes can include a host of elements such as serial number, factory id, manufacturing date, tag supplier etc. The pattern can define how the attributes are processed or the algorithm is applied and the algorithm indicates the crypto processing approach to be used for generating this label. The resulting tag can be printed as a QR code, Bar code, Data Matrix Label, NFC encoded tag or any other form.
The Proof of Ownership is a generated tag that is like the secure tag generation process. It combines various attributes surrounding the sale and embeds certain secrets that the consumer provides.
The DID (discussed in my previous post) can support Proof of Authenticity. Tags can be associated with a DID so that each asset has a unique global self-sovereign identity pointing to verifiable credentials. Verifiable credentials originate from various sources including manufacturers, authenticators, certifying documents etc. One of the verifiable credentials could be a pointer to the certificate of ownership.
Additionally, an asset could be linked to a Digital Token such as a compatible ERC 721 to enable trading and ownership tracking..
A solution could use one or all of the elements depending on the nature of the asset. For assets with short life, a smart tag with a token may be enough. For long living assets, such as fine art, expensive artifacts and luxury goods, a combo may work best. By tying the physical to cryptographically linked assets together, we can have digital and physical protection.
A Systems Architecture View
The following diagram shows an architectural view for a solution. We will not delve deep into each element, but describe them at a high level. The core solution must support two types of use cases.
- The Supply Chain Track & Trace (may be extended to support Provenance)
- Product Authentication and Tag Verification
In this architecture, there are three environments:
The Blockchain Environment
The blockchain environment can be a single environment or multiple environments. A permissioned blockchain such as Hyperledger (Fabric, Sawtooth or Iroha) manages all the smart contracts associated with the actual supply chain transactions. These contracts support transactions such as recording and querying products, assigning secure tags to the assets, recording product & product profile signatures, supply chain scans, emitting smart events based on IoT data, and verifying and/or authenticating tags.
In addition, the same permissioned blockchain or an interface with a public chain like Sovrin or uPort could assign DIDs and manage the verifiable credentials supporting the asset. The advantage of DIDs are that they are universally resolvable.
One could optionally tokenize the asset and leverage an ERC 721 supporting platform ,such as Ethereum. Interoperability between the three chains at a business level is very important consideration.
Security is a very important aspect and the blockchain provides the necessary identity and access management for the millions of IOT devices that support the supply chain, secures the data and intelligence that the AI/ML systems generate, and provides role-based access control for all the participants and personas in the ecosystem.
The API Environment
This environment provides a number of APIs as seen in the diagram. The three areas of interest are:
- The Supply Chain APIs to support various personas to validate the movement and handling of products from origin to destination
- Associate smart tags to products, and enable various stake holders to authenticate the tags
- Enable end consumer to protect their asset through digital certificates that are tamper resistant and copy proof
The solution is technology agnostic, providing an environment where multiple scan & tag technologies can coexist with APIs to connect with various external technology clients.
The Client Environment
This is the layer that links all the interfaces into the solution. Most clients that deal with tagging, scanning and authentication are end-user apps that run on mobile devices, desktops or other devices such as scanners. The apps themselves may be many to support the workflow for individual personas – for example a consumer app, a retail POS app and a Supply Chain App.
No solution is complete without integration into enterprise applications. In addition, the architecture should support integration into various third-party technologies for scanning, authenticating and payments.
Lastly, the system supports a variety of IOT devices that keep their senses open during the supply chain process.
The Client Environment
This is the layer that provides all the interfaces into the solution. Most clients that deal with tagging, scanning and authentication are end-user apps that run on mobile devices, desktops or other devices such as scanners. There may be many apps to support the workflow for individual personas – for example a consumer app, a retail POS app and a Supply Chain App.
No solution is complete without integration into enterprise applications. In addition, the architecture supports integration into various third-party technologies for scanning, authenticating and payments.
Lastly, the system supports a variety of IOT devices that keep their senses open during the supply chain process.
The participants in this network include the Company, Factory, Logistics Operator, Transporter, Tag Supplier, Retailer and Consumer. At a high level, the system should support the following use cases by persona
There are other elements of the architecture such as the assets, transactions, registries, access controls, integrations and contracts that are not discussed here.
Anti-Fraud and Anti-Counterfeiting can be solved using a combination of various technologies such as Blockchain, Self-sovereign Identity, AI/ML and IOT. The main aspects of the solution fall into track & trace, asset identity management and verifiable credentials.