Security Printing and Imaging : investigate

A Consideration of Processes

StevenSimske — Mon, 25 Aug 2008 06:53:00 GMT

Recent blogs have focused on how deterrent technologies can be used to support the ecosystem required to provide strong brand protection and anti-counterfeiting. That ecosystem involves the PRACTICE mnemonic:

P is for Plan, R is for Research, A is for Activate, C is for Collecting data, T is for Training, I is for Investigate, C is for Convict, E is for Evolve.

This form of PRACTICE outlines an end-to-end process for initiating and supporting an anti-fraud program. Each of these—from Plan to Evolve—involves by itself multiple processes as well. Today’s blog focuses on two quite different types of processes, each focused on the “Investigate” portion of PRACTICE.

The “Investigate” portion includes the continual accumulation of data on the counterfeiting of your product. One means to do this uses security variable data printing, or SVDP. This is the use of multiple variable deterrents to draw out the “style” of the counterfeiter. That is, SVDP regions can be used as “bait” or “decoy” deterrents—not to force the counterfeiters to “replicate” the data in the printed region, but instead to force the counterfeiter, through trying to replicate the appearance of the printed region, to identify himself. This is because complex printed regions cannot be scanned and re-printed without modification. How a counterfeiter will try to reproduce such a complicated region—the choice of color, intensity, spatial frequency, contrast and other transforms the counterfeiter uses—provide a signature for the counterfeiter’s style. This process is an example of an a priori process, in which the data to be collected is designed and deployed.

Another means to continually accumulate data on the counterfeiting of your product is to perform a posteriori analysis of the product, and compare the analysis results to those expected of legitimate product. As a non-printing example, John Jasper, head of Molecular Isotope Technologies (MIT), writes, “Process patents are mechanisms by which to protect and extend the patent-protected lives of pharmaceutical products. They are typically supported by the analysis of reaction impurities, trace metals, etc. Natural stable isotopes present a novel source of information recording evidence of the process manufacturing history – particularly, the synthetic pathway – used to produce pharmaceutical and other chemical materials…[Our] work in the area of product authentication showed that every batch of pharmaceutical materials had a highly-specific ‘isotopic fingerprint,’ allowing individual batches of materials to be tracked and counterfeit batches to be identified.” In other words, MIT’s process for analyzing the reagents in a pharmaceutical are precise enough to disambiguate between the authentic and the counterfeit processes involved in production.

Image forensics, not surprisingly, can also be used in an a posteriori manner. The process is, on the surface, similar to the a priori approach: printed regions are analyzed for their characteristics, and different regions classified and clustered to help identify the number and size of the counterfeiters in your supply chain. The difference is that, using such an approach, a suitably difficult-to-reproduce printed area must be identified without the benefit of SVDP. So, a word of advice: if you want to identify counterfeiters, don’t make it easy on them—use SVDP or at minimum a few regions of difficult-to-reproduce printing (natural images, designs such as guilloches, etc.). Otherwise, you’re simply making their job easier, and that’s one process that makes no sense.

-Steve

How to pay counterfeiters to steal your business

StevenSimske — Wed, 11 Jun 2008 03:02:00 GMT

Guido De Terenza here to complete my guest stint on this blog. And, again, here to thank those manufacturers out there who not only aren't stopping counterfeiting, but they're paying me to counterfeit their products. Let's call this blog Counterfeit Math 101 and find out how many times the cost of the product you're losing.

First off, a big hand to those of you out there who can answer this question: Is counterfeiting and the loss of present and future sales ever factored into the justification to offshore jobs?

The answer: no.

From software, to integrated circuits, to HP inkjet cartridges, to your product. If you make money off it, it's being counterfeited. And sometimes, you're asking, even paying, the counterfeiters. Ever heard of OEM? ODM? Original Equipment Manufacturer? Original Design Manufacturer? That's when you outsource your product manufacturing or even its design to some company, preferably thousands of miles away from the employees you're using to train them--all to save on cost and stay competitive.

Maybe this works sometimes, but in my experience in organized crime, it is simply a braindead, next-2-quarters strategy. Guess what those OEM/ODM folks do? They work assiduously for you, 9 to 5, producing your products. Then they work a second and third shift, still producing the exact same products, but putting them into channels you had no idea (or intention) of ever going into...don't believe me? Why don't you scour the internet, and find out who's selling your product. Now try to trace them back to your sales force/sales channels. Good luck.

If you want to manufacture overseas, hey, be my guest. I like the flat earth. It helps me globalize my money laundering, I mean, business operations. But if I were a brand owner, I'd make sure those overseas folks were vested in my company. If they're not, they're bound to spoof your company.

Loss of profits due to counterfeiting? Let me count the ways...

1. Loss of sale (counterfeit replaces your legitimate brand sale)

2. Loss of retailer recommendation (retailer won't recommend your product because she knows you'll find a cheaper price somewhere else, and so direct you to your [less counterfeited] competitor)

3. Loss of customer referral (customer either gets an inferior product, or gets a legitimate product through a non-legitimate channel, and so can't register the product, get product support, etc.)

4. Return (customer returns the counterfeit product)

5. Loss of channel (you can't enter channels that already think they're selling your product)

6. Loss of future sales to the customer (customer will move to a product they're more confident is legit)

7. Loss of brand value through perceived inferior quality (word gets out...ever heard of a blog?)

You can see that for inferior counterfeits, you pay several times over. But the same is true for high quality counterfeits. You lose so many ways. So, if counterfeiting really is 7-10% of world trade, your cost could be 30-40% of your margin due to all these factors above.

Would you turn down the opportunity to increase your margin by a third? Apparently so, and that is why I am in business.

Well, I'd like to say more, but I've got a counterfeiting business to run. So, I'll leave this blog back in Steve's hands. Till then, thanks for paying me to steal your brand.

--Guido

PRACTICE Good Anti-Counterfeiting Techniques

StevenSimske — Mon, 12 May 2008 04:35:00 GMT

In the previous blog, I remarked that the approaches to counter counterfeiting depend on the relative mix of addressable and unaddressable counterfeiting occurring in the supply chain. If the counterfeiting is not addressable, then the brand must continue to message the unique qualities offered by their product so that people will want the authentic—and not the counterfeit—product. If a brand owner cannot address the counterfeiting, then the brand owner must provide a product provably superior to the customer. With “unaddressable” counterfeiting, perhaps paradoxically, the brand owner must struggle with the customer, and not with the counterfeiter.

If the counterfeiting is addressable, on the other hand, then the brand owner is in a direct struggle with the counterfeiter. And to fight the counterfeiter, a single weapon is rarely sufficient. To deter a counterfeiter takes PRACTICE. And this blog addresses how PRACTICE (Plan, Research, Activate, Collect, Train, Investigate, Convict and Evolve) leads to a multifaceted ecosystem of tactics to prevent, detect and react to counterfeiting.

So, a version of an old joke to start. Patient: “Doc, are you comfortable with your diagnosis?” Doctor: “Ma’am, I’ve been practicing medicine for 40 years.” Patient: “Well, I’d like a second opinion from someone doesn’t need any more practice, and actually knows what he’s doing.”

However, any physician worth her salt invests in CME, or continuing medical education. Life is practice. Practice doesn’t make perfect, but it can always improve on the imperfect that is the now. And PRACTICE is the acronym I’ll use for the crucial eight elements in an effective anti-counterfeiting ecosystem.

So, let’s take a look, one element at a time.

P is for Plan. The Plan is paramount, because it anticipates the overall strategy—including the research to be performed. The plan must consider the set of deterrents to be used. Will they be overt, covert, and/or forensic? Who will collect data on them to perform track and trace, inspect, authenticate or forensically analyze? When and how will these deterrents will be researched? When and how will the extent of current and future counterfeiting threat to the product be researched? The plan includes the activation of the ecosystem—the nerve-racking moment when the first products belonging to the security ecosystem roll down the production line—and the data collection roll-out. The plan includes the training: how customers, retailers, inspectors and possibly forensic analysts are educated about the deterrents. How will investigation and potential legal action—based on evidence collection and prosecution—be supported? And, finally, how will the system evolve? That’s right, we must plan for change.

R is for Research. Research includes how you pick your deterrents. Do you pick ones that are easy for the counterfeiter to spoof? If so, they should cost you nothing. Do you pick one that’s hard and/or expensive for the counterfeiter to reproduce? If so, good, but you need to research how easy it is to use for your would-be counterfeiters. Research also includes understanding the counterfeiting threat to your supply chain. If you think it is small, you’d better look hard. It’s much easier to show it is a large problem than a small problem—sorry, that’s just the nature of statistics. You need hundreds of samples from any relevant section of your market to be sure the problem actually is small.

A is for Activate. After your research plan is completed, the system must be turned on. This is a huge step—maybe more accurately a “step function”—but the bump of activation can be smoothed by starting small. A 2D barcode is one way to collect information on where your products are going, but some companies start even smaller. Think of the soda pop folks who print numbers under the caps on their 20-ounce plastic bottles. They’re not doing this so you can win a free can of pop—they’re doing it to see where the unique numbers are going, and validate their supply chain. Their “activation” is a matter of setting up a website and asking people to web/dial in the numbers under their caps. No—this doesn’t give true track and trace, and certainly not authentication, but it does help them collect data (see next step!) useful in assessing just how big a problem they have on their hands.

Activation in full-fledged, label-based security printing and imaging means having the deterrents integrated into the digital front end of the printing. It means having all of the inspection and authentication algorithms, devices and reporting systems fully tested, qualified and in place for the long run. And, it means integrating the data with your existing manufacturing, distribution and reporting registries.

The first C is for Collect. Collecting data is not just about reading the 2D barcodes and other printed features on the label, packaging or document. A lot of data must be collected beforehand, as part of the research. One way to get this kind of data is described in the previous paragraph. However, data must be collected on an ongoing basis to determine the extent, location and nature of the counterfeiting threats. To determine the extent, one must research all channels for sales—from supermarket to information superhighway. What percentage of the product in each channel is counterfeit? How many counterfeiters are there? Do the counterfeiters work together? This data is crucial for later investigation and legal reaction to counterfeiting.

Other data is also collected on an ongoing basis—inspection, authentication and forensic information on the quality of the printed deterrents. I will talk about specifics of these data in a later blog.

T is for Train. Training, or educating, the actors in the product’s supply chain, is tied to the ecosystem planning described above. If you are relying on your end customers to validate—inspect and report anomalies, authenticate, whatever—the product, then you have to provide reliable and easy—preferably really easy—steps for them to follow. If you trust your retailers and want them to authenticate, the training can be a little—but only a little—more involved. If you are relying on paid inspectors, the training can be more complicated, but in general they will still need to be able to validate the products with relatively simple, cheap and portable devices.

The training plan approach is similar to the one you must take for auditing and compliance with most government bodies—for example, NASA and the FDA. The most important consideration is to have a process in place and to then follow it. If you don’t follow the process, your data won’t link together, you won’t pass an audit, and you won’t have reliable estimates on the extent of the counterfeiting. Additionally, abandoning a process just because counterfeiting is occurring causes confusion for those who wish to legitimately validate your product. Counterfeiters love confusion, it helps them in their (non-legitimate) supply chain. There are better ways to address future counterfeiting, and I’ll talk about the “innate moving target” shortly.

I is for Investigate. A lot of brand managers fail to understand that in order to investigate, you typically need an additional type of data to the data you use for track and trace, authentication or inspection. Investigations depend on the investigation plan—how data is collected, retained, analyzed and acted upon. Dynamic research is required. If you start to see sporadic counterfeiting in a new area, for example, it is often the case that these counterfeits originate in another, already “counterfeit-established”, region. Investigation is necessary to test for the link(s). And just investigating the “publicly known” security features may not be enough. Instead, additional features of the product—up to forensic analysis of the printing and/or product ingredients—may need to be analyzed to uncover the counterfeit supply chain. I’ll talk about the collection of salient investigative data in more detail in a later blog.

The second C is for Convict. How do we get a conviction? Well, first of all, you can’t convict anyone if what they’re doing isn’t illegal. So, brand owners who are not working with government (e.g. FDA) and other compliance bodies (e.g. GS1) are encouraging the counterfeiting of their products. If you’re in organized crime and are still resorting to the old ways—gambling, prostitution, weapons, drugs—you’re a fool. Counterfeiting is easier, more rewarding (higher margin!) and less risky. And, brand owners, stay with me here: counterfeiters already know this. So, help stiffen the penalties for counterfeiting, smuggling, product diversion, and other forms of fraud—security is about detection and reaction even more than prevention. Without an onerous reaction, there simply is no deterrence. Even if your deterrents cannot be beaten. With no reaction and unbeatable deterrents, all you do is force the bad guys to resort to old-fashioned insider jobs. Bribery, extortion, blackmail, eavesdropping, collateral theft—they have a lot of options. And they’re creative, so this list is just a sample. To get a conviction, you will need the laws in place.

Additionally, to get a conviction, you need an auditing, compliance and data integrity plan. In many countries, even the counterfeiters are presumed innocent until proven guilty. Make sure your data is credible, auditable, and usable. If it’s not, it’s not data, it’s just wasted storage space.

Finally, E is for Evolve. “They” say people don’t like change. Then, another “they” say that people do like change, and that to be human is to change. “They” are both correct. We like change, when we see it coming. In anti-counterfeiting, we see it coming when we design our security system to be an innate moving target. That is, the system is designed for change, benefits from change, and anticipates the need for change. However, these changes do not cause a system reset, a brand protection blue-screen, a full stop. They simply require the existing system to change its settings. Maybe the counterfeiters have to fully reboot, but that’s OK. Remember the rule, any system that makes the counterfeiters spend more than the brand owner is a deterring system. Any system that doesn’t needs to be changed. I’ll cover this topic more fully in future blogs, including the next.

For now, let’s put PRACTICE into practice. In a healthy anti-fraud ecosystem, all elements of PRACTICE are working together, deployed together and designed to detect counterfeiting as fast as possible. The world’s hardest-to-reproduce deterrents are often compromised precisely because they are the hardest to figure out by someone wanting to validate, too. The difficulty of reproduction is frequently associated with size, features or effects that are also hard to educate people on. An example when the product relies on uneducated consumers to check product validity is the “variable hologram”. Customers are used to looking at holograms for some striking visual effect, but they have no idea the effect should be different from one package to the next—let alone how. The deterrent used, therefore, must match the training given to the would-be validators. And the only way there is an appropriate “impedance match” between the deterrents and how they are successfully used in the ecosystem is if the planning occurs first, the research second, and the activation third. As with all successful security approaches, security printing will only work if it is built from the ground up.

In my next blog, we talk about one enabling technology that helps make PRACTICE possible. It is dynamic data content. And, in printing, dynamic data content is driven by variable data printing, or VDP. See you then!

-Steve