QR codes versus NFC

For a quite obscured reason to me and perhaps because of some bad QR code experiences, many love to see NFC as the killer of QR code, if not its evolved successor. The fact that Google stopped its support for QR codes in Places and announcements made on Google wallet may have contributed to this general belief.

The story of NFC started early at 2002 and until these days it has not yet been really born. Few years from then were crowned with the title – “The year of NFC”. Some examples are 2008, then 2010 has been mentioned as a critical year for NFC.  Then comes of course 2011 – again the year of NFC and finally 2012 as the year when NFC will break big.

NFC is big business; targeted to enable mobile payments and therefore motivated by the huge potential residing in futuristic mobile payments. As such it needs a whole ecosystem, from special devices to financial institution, operators, secured systems, service providers and more, everybody wants to be involved.
Truth is that mobile payments can be done with QR codes today. SCVNGRand other companies enable payments through QR codes with a click. So what are the differences between using NFC and QR codes? While it may be that QR codes do already what NFC will, is NFC really capable to outperform QR codes?

Predicted usage of NFC

To start off I looked at a list of predicted usage of NFC mentioned in Wikipedia.

File sharing – Tap one NFC device to another to share a contact, photo, song, app or any other content stored in device.
File sharing is available already with QR codes by displaying a QR code on a mobile screen. The Bump application already does this without any need for NFC.

Money transaction – To pay a friend, you could tap the devices and enter the amount of the payment.
This also is supported trough Bump technology. QR codes can do the same thing today – all you need in all cases is support from your bank app.

Mobile gaming – To enter a multiplayer game tap one NFC device to another. You will need of course to do more than this.
Games today can offer an invite friend option that will display a QR code on screen. The person scanning that code will join immediately the game – no need to wait for NFC for this.

Friend contacts – You could touch NFC devices together to Facebook friend each other or share a resume or to “check-in” at a location.
This also can be done today with both Bump technology and QR codes.

E-Commerce – NFC expands E-Commerce opportunities, by both increasing transaction speed and security. A Personal identification number (PIN) is usually only required for payments over a certain amount.

Mobile payment – An NFC device may make a payment like a credit card by touching a payment terminal at checkout or a vending machine when a PIN is entered.
QR codes are already used in vending machines for few years in Japan.

Ticketing -Tap an NFC device to purchase rail, metro, airline, movie, concert, or event tickets. A PIN is required.

Boarding pass- A NFC device may act as a boarding pass, reducing check-in delays and staffing requirements.
2D codes are already used for this exact purpose in Europe today.

Point of Sale – Tap a poster tag to see information, listen to an audio clip, watch a video, or see a movie trailer.
This happens to be the most widely way QR codes are used today, with QR codes you do not have to tap you can do this from distance.

Tour guide – Tap a passive NFC tag for information or an audio or video presentation at a museum, monument, or retail display.
QR code is better – like before…

ID card – An NFC enabled device can also act as an encrypted student, employee, or personal ID card or medical ID card. Same thing can be done with QR codes today.

Keycard – An NFC enabled device may serve as car, house, and office keys.

Rental Car and hotel keys- NFC rental car or hotel room keys may allow fast VIP check-in and reduce staffing requirements.

Evaluation criteria favoring QR codes

Price – NFC is a chip, a piece of hardware, its cost will be $1 and above per unit. QR code cost is the ink price it is printed with. On screens (TV, computers, street screens and mobile screens) his price is zero. Putting an NFC on any product will raise the product price – not so with QR codes.

Testing – In mass production a QR code should be tested once and then many copies will be printed. Print process is a well known mature art – no surprises here. On the other hand NFC is a chip. Duplicating chips is a more complicated process, in mass production each chip will have to be tested for readability. In case of NFC the already high original unit price will go even a little bit higher to cover these testing processes.

Availability – While almost every phone created in the last 5 years has a camera and a QR code reader that can be downloaded for free, the NFC solution requires a new handset. If every new handset today will include NFC it will still take at least 3 years until it can be said that NFC is widely used by public. Today very few phones support it, and every one of them has only a limited and partial NFC functionality.

Accessibility – QR codes can be scanned from a big distance (relating to QR code size). NFC on the other hand needs less than 10 centimeters and work best by touching the chip with your phone. So high posters will not contain NFC chips and contacting an item outside from inside your car will not be an option for NFC.

Vulnerability – QR code can sustain until 30% damage while any damage done to the NFC chip will disable it.

Density of codes/chips– For QR code aiming the camera to the correct code makes clear which code was decoded. With NFC chips one near the other there is no way to tell which of the chips is being read.

Richer media – QR codes can appear on TV, newspapers, printed paper, magazines, envelopes and daily products. NFC cannot use some of these media while using it on other (like magazines and daily products) will have a negative impact on price.

Metallic surfaces – No problem for QR codes while NFC may be affected.

Evaluation criteria favoring NFC

Bad lightening – Work under any lightning condition. QR code may perform bad at dark and may need flash for reading.

Curved surfaces – Work on curved surfaces while QR code cannot stand too much bending.

Eye contact – NFC do not need capturing an item into camera screen like QR code, meaning that less eye contact is needed when using NFC.

Resemblance points

Both technologies need to open an app for making the reading.
The camera cannot be always open because of battery drain and the NFC chip cannot be always active for the same reason – battery drain and of course to avoid unexpected/unwanted reading.

Visibility – NFC senses your presence blindly – with the cost of being really close, while QR codes are all about visibility – their appearance is all their essence. Since sight is our main interface with reality some visualization will be needed to guide us to where the NFC chip is hidden. No space will be really saved by NFC chips on ads.

Where NFC really shines

Whenever you must pass in a specific location in order to pay a fix price NFC is a perfect choice. The subway environment for example is a perfect example where all you have to do for paying is put your phone on a special spot on the gate while passing through.

Passing boards are also a good example for using NFC although in many places 2D code readers are used in a similar manner when all the user has to do is to put a ticket with a code on a scanning device while passing a gate.

In ATM machines or money loading points for your mobile wallet, when fast identification is needed NFC is a good choice. Just put your phone on a spot and you will be both identified and charged – although you will still need to provide some additional info for final identification.

Since NFC chips sense other NFC chips only by proximity, it might be an excellent way to communicate between devices. For example your phone will automatically talk to your computer when they meet. Similarly your phone may be updated when close to any NFC fixed contact point connected to the Internet.

Final thoughts

Looks like technology did not freeze all the many years we waited for NFC. Most of its usage is already available in cheaper and simpler ways. No doubt there will be specific scene where NFC will be faster and friendlier to use. On the other hand in many other situations it will be much less suitable than current alternatives.

We are still waiting to see when NFC will be fully operative and whether it will be a major market force as (even after all these years) still expected.

Posted in error correction, print QR code, QR code and NFC, QR code file sharing, QR code scanning distance, Transactions with QR codes | Tagged , , , , , | Leave a comment

Encrypted QR Codes

QR codes can be considered as encrypted messages; after all no human eye is able to decode it. We need an extension -in a form of a mobile device – to read them.
What about encrypted QR codes for mobile devices? What if a QR code is there in public but nobody except a group of people (municipality workers for example) can decode it with their phones? Is it possible? Who may need encrypted QR codes and how hard is it to crack the encryption method?

Truth is that encrypted QR codes exist already. Few readers provide it as a gimmick – QR Droid on Android and QuickMark on the web are few examples. The encryption system in these QR codes is relatively easy to break since the QR code itself is readable, you can see the encrypted message and the encryption key is relatively short in contrast to what is suggested in this post.

Who may need encrypted QR codes?

One of the first applications that come to mind is to use encrypted QR codes on passports, driver license and other identification or even loyalty cards. Assume that every citizen will have a hidden Id residing in a secured governmental database. This hidden Id points in the database to an overt Id printed on the passport together with a name and other details. The QR code encrypts a URL and the hidden Id. An inspector scanning the QR code will get from the secured database all data linked with the hidden Id including name, birth date address and more. All the inspector has to do is compare the received data to that on the passport. With today technology even the image that should be on the passport can be sent for comparison.

Why encrypted QR codes? The authorities might not want anyone (including the inspectors) to know how are the hidden IDs like. The reason for not revealing the content of the QR codes is to minimize the chance that hackers may find how they were generated and create new Id’s.

Other areas for encrypted QR codes may be banking, hospitals, health care services and enterprise data on merchandise that should be read only by workers – not intended for general public.

Why encryption works so good with QR codes?

QR codes are composed from 3 different chunks of data. One chunk is the structural data which consists from the finder patterns, guide patterns, timelines and format info, such mask and error correction used in current QR code. Another chunk of data is the original data encoded in the QR code while the third chunk of data is the Reed-Solomon data which is derived from the original data and serves for correcting errors that may be found in the QR code or as a result of the decoding procedure.

If you happen to encrypt the original data and/or the error correction data, the QR code will simply not decode. This will happen because the original data and error correction data will not match, resulting in too many errors. All readers will fail to decode the QR code and you won’t have any clue to what is in it. This is very different from conventional encryption methods, where the encrypted data is visible.

Here is an example of an encrypted QR code. You can try reading it and see that nothing happens.

In order to see what the encrypted data looks like, you will need special software that will ignore the inconsistencies with the error correction data chunk. In that case you are totally helpless against purposeful errors that may be planted in original data region which normally would resolve by the Reed-Solomon error correction mechanism. With a false encrypted data you have a very small chance if at all to find the real message hidden behind.

Money transactions example

Assume that a banking app permits you to make transactions from your account in the following way. You type in the app the sum of money you want to pay and a QR code containing the transaction Id, current time, current location and the sum of money is displayed on your mobile screen. The first person that scans this code through his banking mobile app will have the sum of money transferred into his account. This will happen after the bank will check that such a transaction ID is indeed pending and was issued in a range of say two minutes from decoding time. Note that the transaction ID is never displayed to any user and the data transfer itself take place under a secured protocol such as TLS. The user will get a text message asking him to confirm the transaction, together with the sum of money and the identity of the transaction target.

Obviously if the QR code is not encrypted, the transaction ID generator may be emulated and false QR codes may be generated concurrently with real ones generated by the bank, ending with some transactions going to the wrong accounts. No doubt that a bank will want these kind of QR codes to be encrypted so that no reader will be able to see the transactions IDs.

The security level of such a system is very high although simple encryption systems may be involved. The amount of errors deliberately hidden in the message and their random locations will turn that system to be extremely hard to break.

How to encrypt QR codes

All ways described here will use symmetrical keys, meaning that the same key used for encryption is the key used for decryption. The length of the encryption key may be at the length of both the original and error correction data. This key can be composed from a sentence or a series of non meaningful characters, and encryption is done by performing a bitwise XOR operation on both data chunks using this sequence. Redo the same operation on the encrypted message and you will get back the original message.

Now after encryption, choose a number of random locations in data (no more than half of the permitted errors by the error correction level) and change the bytes in these locations randomly.
After decrypting the message with a knowledgeable reader (that knows the secret key), the Reed-Solomon algorithm will correct the wrongly decrypted codewords and the correct message will be formed.

For a version 2 QR code that contains 44 codewords a key of length 44*8=352 bits is equivalent to a number with 106 digits. For comparison, SSL keys with 128 digits are considered to be unbreakable today. A version 3 QR code with 70 codewords may use a key of 70 bytes equivalent to a number with 168 digits.

A harder encryption is achieved by making some errors in random places like before, this time before encryption. After that shuffling the bits of both original and error correction data in a certain order and applying to this a symmetrical key, just like before. To decrypt this you will first need to apply the symmetrical key, after that reshuffle the bits to their original position, then apply the Reed-Solomon algorithm to correct the planted errors in the message.

Two factors make this encryption method very hard to break. One is the long encryption key (in the length of original and EC data). The other lies within the fact that the Reed-Solomon data is encrypted with a different set of bits than those used on the data. Many wrong keys may create new ‘decrypted’ error correction data that will agree with the wrongly ‘decrypted’ original data within a permitted number of errors. In this way millions of possible original data streams will be generated without any indication to tell who the original is.

I am quite sure that other variations for encrypting QR codes exist and will be suggested and used in time to come. For example the QR code above was created by choosing a rectangle in the QR code and simply inverting its content.

Encrypted QR codes surely have a place and functionality in our society, the only question is where and when they will first appear in daily usage.

Posted in encrypted QR code, error correction, health care and Qr codes, QR code authentication, QR code identity card, QR code license driver, QR code on passports, Secured QR codes, Transactions with QR codes | Tagged , , , , , , | 5 Comments

QR Codes Viruses – Should We Panic?

In the last days an alert of a QR code virus was spread in the Internet. Twitter was full of warnings regarding the QR code virus, including tweets suggesting that this will kill QR codes. Various links covered the issue from Mashable – here  to other sites such as this. Almost all reports mention Kaspersky labs that provide antivirus software and reported the bug.

What are these malicious QR codes and can we protect ourselves from them? Should we panic and stop scanning these codes? And the most interesting questions of all – Is there such a thing as a QR code virus?

Why such an alert creates panic?

QR codes are not readable by humans. When you scan a QR code using your mobile phone you are in a sense helpless – in the hand of technology.
The code you are scanning has nothing in its appearance that can tell you whether it is safe or not. Moreover you even do not know where it will take you. That’s why QR codes are so great – they enable you to do relatively complicated things with just a click. Many times QR codes are clicked just out of curiosity only because you know that nothing bad will happen. But what happens when you take this assumption out?
What happens if by simply clicking it you have suddenly ruined your phone, or being robbed?

Well one thing is sure nothing bad will happen to you from simply clicking or decoding a QR code. QR codes may at worst take you to a web site and from there the situation is completely under your control, otherwise surfing the web would have been a dangerous thing to do – we all know this is not the situation.

QR codes cannot be viruses!

A virus must be a part of an executable – meaning a part of an app that runs on your mobile device. QR codes have no executable data encoded in, and even if they contained machines instructions for some devices – no QR code reader is capable of executing them. So one thing must be stated clear – QR codes cannot be viruses.
At the worst case they can point to a URL that will suggest you to download an app that if you choose to download it – you may (only on certain platforms) download a malware.

The problem lies in downloading the app, not the QR code itself.
You still have all the control in the world to decide whether to download the app or not.

Nobody suggests stop using apps because some apps may contain viruses that will harm you, instead some people suggest stopping using QR codes because they might point to such apps. Let’s face it, claiming this has the same logic as claiming that advertisement should not be used just because ads may suggest you to download apps containing viruses.

In most platforms it is safe to download apps, while in other platforms you will be given warnings during the app installation regarding what the app intends to do. You can in any point decide not to download the app if something looks suspicious to you.

So let’s see first how the mentioned virus operates, which platforms are safe and what can we done in the currently unsafe environments. It appears that we can protect ourselves when using these platforms with few simple steps.

How the virus operates?

A virus must be a part of an executable – meaning hiding in an app that will execute on your mobile device. The specific virus mentioned steals money from you by sending SMS to premium rate numbers behind the scenes, charging you 6$ for the each SMS. Note that this was effective only in Russia and doing such a thing in the U.S for example is much more difficult since setting up such numbers in the U.S is not a simple procedure as it happens to be in Russia.

Moreover the virus can operate only on Android devices through a security hole in the Android platform. This security hole does not exist on iPhone devices so iPhone users can continue QRing without worry. It also does not exist on Symbian and other platforms as well.

The reason it does not exist on the iPhone platform is that Apple checks every app for all kinds of security threats before confirming it to the app store, so that you cannot download an app that will contain viruses including sending SMS without your knowledge. Similar procedures exist in other platform too.

I assume that I am loosing now the interest of iPhone and other non Android users, the rest of the post is naturally focusing on the Android platform – where the problem was found.

In the Android Market Google does not check your app before putting them in Market, apps are in Market without any inspector checking them prior to publishing, that includes apps with viruses.
The situation however is far from being hopeless, Android platform still provides you with permission warnings when you are downloading and installing every application with or without malware.

When downloading an APK (which stands for Android Package – which is actually an app) you are presented with a set of permission warnings. These warnings tell you the kind of things that the application may do. Especially you should get a warning when it will use delicate system functions. Let’s look at some of the warnings that should trigger a red light for you.

Dangerous Permission alerts – Android only

BRICK – This means that the application you are about to install has the capability to disable your device. Very dangerous threats do not download any app with this threat unless you know what you are doing.

CALL_PHONE – Allows the apps to perform a phone call without using the regular dialer user interface. Again some applications are expected to do this and there is no problem in using well knows apps that may be doing this for example a result of a user clicking a number on the screen.

PROCESS_OUTGOING_CALLS – Allows the application to monitor modify or even abort outgoing calls. Again this may be the target of some applications. Look if you expect the app you are downloading to do this.

REBOOT – The app has the ability to reboot your device. Do not download games with this permission alert.

SEND_SMS – Allows the application to send SMS. This is the loophole that the virus mentioned used. Please note that this permission alert must have been presented to the user during the installation of the game. Do not download apps that are not supposed to be able to send SMS with this alert.

WRITE_SMS – Allows the application to write SMS messages. Games for example are not supposed to do this.

USE_SIP – Allows using Session Initiation Protocol for controlling communication sessions such as voice over IP and video transmission. Do not download applications that have no connection to this activity if they have this permission alert.

For a full list of all permission alerts for Android apps look at the following link

Can these viruses be stopped?

First thing to remember is that QR code in itself cannot be a virus; at worst it can just point to a URL suggesting you to download an app with a virus.
Second thing is that viruses will be always relevant to specific platforms where security holes may be found.

First steps for stopping such viruses can be performed immediately. For example the virus mentioned in last days has been removed from the Android Market by Google and therefore does not exist anymore. The QR codes containing the link will take you a page stating that the application has been removed from Market.

I am also confident that Google will close this security hole so no other Apps will be capable of doing this specific trick in the future.
It is possible however for Android users to download applications outside the Market. Here is a link to a site that explains how to download such applications http://www.androidapk.net/?p=12 – as you can see you will get few warnings during the process on your screen. The danger was and still lurks in downloading apps.

You can also download the Anti Virus from Kaspersky labs for Android device (or other antivirus software)– it costs few dollars, this may give you a more secure feeling.

The bottom line is that the real problem is in apps and in platforms that will allow apps to do bad things to us. This for sure will not kill the concept and usage of apps. Every security hole detected will make using apps in our phones safer.

It surely has nothing to do with QR codes since they are neither apps nor executables, and simply clicking them is still a completely safe process.

Posted in Qr code usage, QR code virus, QR codes, QR codes potential, QR codes readers, QR codes SMS, Secured QR codes | Tagged , , , , , , , | 1 Comment

QR Codes for Authentication –Real Life Example

Few days after writing about using QR codes for authenticating consumer products, I came upon a real company that uses QR codes for this exact purpose. The company is called its-true and appears to be located in Germany. Here is a video explaining their system.
The company claims having some patents pending for the technology or system. It is really great that companies are starting to use QR codes for other purposes than advertising campaigns, and I am confident that more companies will join. In this post I would like to try to analyze their suggested solution, looking for pro and cons and whether things could have been done better.


It’s-True solution

The suggested solution needs two codes to be printed on every product. One code is exposed to public eyes; it is a Data Matrix code containing a series of numbers (twenty in the provided video) while the other code – hidden under a sticker is a QR code.
The shop owner is supposed to scan the exposed Data Matrix when merchandise arrives, causing all items in the store to be marked at database as valid items for sale. When a user buys the product the sticker is peeled and the QR code is scanned. A check is done to assure the item is for sale and then the item is removed from sales list and the user gets its validity proof.

The QR code contains a phone number and a series of another 20 digits to be sent to this phone number as an SMS message. I assume the user will get back an SMS with the authentication verdict.
The consumer is supposed to download a special application for reading the codes. Using the special app will end by a confirmation screen with validity of the product info – no SMS will be used here. Here is a picture of the labels from their video


Advantages of the system

1. One click authentication – you will have to use the It’s True app for this.

2. The code is hidden to public eyes. It is hidden under a sticker, making it harder to steal it for duplication.

3. The usage of 20 digits randomly generated and marked in a database is also a very good point since it rules out the possibility to try guessing random numbers and hoping that some of them will work.

4. A solution is provided for simple readers as well – using a regular QR code reader can do the job (through SMS).

5. Good for the brand – consumer phone number may be available. As a result of scanning the QR code an SMS is sent to the solution provider or the brand with the digits encoded for authentication. This may imply a direct channel between the brand and consumer since the consumer phone number is transmitted as part of the SMS.


Place for improvements in the system

1. The weakest point I find in this system is the SMS message for regular readers. All a pirate needs to do is to create a parallel system with similar looking stickers, only that his QR codes send the SMS to his number. Subsequently all his merchandise will be proved to be original. People will automatically assume to use their reader on these codes and users have no way to check the originality of the phone number in the code. If a URL was used users will be able to check the URL in the browser to see whether it belongs to the brand domain.

2. No strong connection between the two codes. The fact that both codes are on the same sticker has no real value, since these two codes are not checked together. Since there is no real match between the Data Matrix and the QR code in the moment of authentication, it is enough for a pirate to steal only the QR codes by taking pictures of them (after peeling the sticker) or even scanning them with any reader without sending the SMS.

3. No location info. When sending an SMS the location is missing, this leaves you actually with one series of number, only one factor to decide whether the code is original. A forged product with a duplicated QR code can be sold in another store.

4. SMS costs money and provides the consumer number to the brand. The cost could have been saved if a URL was used. Not sure that all consumer likes the idea that their phone number will be available to all kinds of brands.

5. A special app is needed to be downloaded for scanning the codes. It is a bad idea to download an app for every brand or every authentication company. The special software should be available only to the brand people, since they should be the only one with the license to remove an item from the store pool.

6. The fact that the store has to scan the Data Matrix of every product to prepare it for sale is a burden.


Final words

It may be of course that the whole suggested system was wrongly interpreted. Trying to find a more elaborate explanation through the pending patents yields no results for me.
In any case I think that the point analyzed here shed some light on possible problems in possible implementations. It is not late for IT’S TRUE Company or any other service provider to improve his system, and undoubtedly such steps of improvements are inevitable here since authenticity using barcodes is still in its infancy.
I downloaded the app, and it looks that when using it no SMS is sent, instead the app contacts the database and provides you with the needed validation.

Still expecting that people will download apps for every brand or authentication service provider is naive. Regular readers should do the job; people will not go around with dozens of authentication apps on their phones.

If anyone knows about other solutions or projects in this subject, I will be happy to hear. Every suggested solution can teach us how to reach to a real effective response to brand piracy.

Posted in Authentication, Brand piracy, Data Matrix, hidden QR codes, Marketers and QR codes, QR code authentication, QR codes, QR codes potential, QR codes SMS, Tracking QR codes | Tagged , , , , , , , | Leave a comment

Fighting Brand Piracy Using QR Codes

Forgery of goods and using known brand names for fake products is a growing phenomenon. Actually the subject of brand piracy is practically present in almost every area of daily life. It includes consumer goods like fashion, food, beverages, industrial parts for cars, aircraft and other machines and even medications.

In 2008 the International Chamber of Commerce argued that counterfeiting accounts for around 5% to 7% of world trade. In the same year the World Customs Organization estimated trade in ‘fakes’ as US$512 billion.
The total loss from the counterfeit goods industry, faced by countries around the world is $600 Billion, with the United States facing the most economic impact. (See http://en.wikipedia.org/wiki/Counterfeit)

It is true that in some cases people want to buy fake products for their lower price, but it is still important that customers will be able to validate the authenticity of the product they pay for (whether fake or not).
While many companies lose a lot of money from this phenomenon it may be that with today technology there are means to fight it. I would like in this post to consider the relevance of QR codes for fighting brand piracy.

Four kinds of stores

Consumer products are presented to us in various kind of stores.
1- Exclusive brand stores. In this case there is a list of stores that are the only stores permitted to sell brand merchandise. These stores may have a wide geographical presence but still their list is well known and brand products can be bought only from there.
2- product is delivered through many non-branded stores and the brand itself does not have any idea where the product may be sold.
3- Direct distribution when buying online products directly from the brand. This option is relatively safe since you know you are buying from the real brand.
4 -Buying online from a reseller (not directly from the brand). In that case you have no idea regarding the authenticity of the product you are going to buy, unless the reseller is well trusted.

Why QR codes?

Mobile phones armed with camera are available to most consumers when making purchases today. This is true whether it happens in malls, in flea markets or even when buying online from a computer or mobile device on the go.
QR codes on the other hand are very easy to interact with having a phone. That means that with a right QR codes system a potential buyer will be able to get a quick answer regarding product authenticity.

QR codes have another important attribute; they can contain a vast number of digits in a relatively small area. A version 2 QR code can contain 77 digits in a Low EC and 34 digits in a High EC. In a mixed mode (where both letters and digits are used) a version 2 QR code (Low EC) can contain for example 16 alphanumeric characters -for a web site, and additional 44 digits for a unique serial number. Let’s take for a moment only 30 digits for serial number. This means that a company can produce randomly 1 Billion different serial numbers with the probability of less than 1 out of 1 Billion Billions to guess one number from the series at random. This is a much lower chance than winning any lottery, and if you have this chance than congratulations you are able to fake one item of the series, you can send only one fake copy.

A QR code with a dummy website and 35 digits serial number

How it works?

For the first case where only branded stores can sell the products, a QR code of the brand and location info will do the work. The QR code can be on a membership club card or simply in the user phone – taken from the brand site for example. In that case the user in the shop simply scans the code from his card and gets a confirmation from the brand that the store he is in is a legal one. Location can be sent using GPS or Wi-Fi connection Id or any other way (like triangulation or IP).
Additionally the items may be tagged with QR codes as suggested for the stores from the second kind, where product may be purchased from non-branded stores.

When QR codes will be used on non- branded store, we will put a different QR code on each product. Let’s assume that we are encoding until 20 letters for URL and 30 digits for serial number. We will take shirts for example and we are going to put a unique QR code on an internal label of every shirt. The QR code contains a URL to the company site and a series of 30 digits generated randomly by a computer program and kept on a database. To check authenticity the user scans the QR code and is taken to the company site with a description of the product and a statement regarding the legacy of the code and whether it is still available for buying. When scanning the code, the location of the scanned item (using for example GPS/Wi-Fi connection id or other means) is send to the URL with the code data.
When a person purchases such an item, the cashier scans the code with its special software (with a phone, iPod touch or any other handheld scanner) and removes the item from the pool. At this point the user scans again the QR code to assure that it has been deleted (meaning that the merchant uses the authentic software of the brand).

For shops of the fourth type – buying online from a reseller, check the code when getting the product. After confirming the code, the company site might ask you for your details, reseller details and keep contact with you if you wish so. In that case it will remove the code from the items for sale list (check for this also later). In case there is no code or the code takes you to a false website or even scanning the code still tells you it is for sell – cancel the deal.

I believe that brands will allow you to type the serial number into a form on their website and tell you whether the code is authentic. Although typing all these numbers it is not a pleasant experience, it may be worthwhile for expensive items where quality is important.

To check out the robustness of the suggested system we must look into possible scenarios that pirates may try, in order to overcome the suggested system. Let’s see some of them.

Strategy 1- Steal the codes

In this scenario a pirate agent enters the store and takes pictures of all labels on the shirts. Assuming he is a real professional and he is not being caught, he handles the photos and all the labels are printed on fake shirts pushed into the market.
Another way is trying to steal the codes through a computer program checking them online. This method has less chance since the constant queries coming from same source will draw immediate attention not to mention the amount of time it takes to check billions of billions of codes.

Now when a customer scans the code he/she is directed to the company website and gets a statement on the legacy of the code (being a copy the answer will be –legal) and whether it is still in the pool for buying – (let’s say a fifty/fifty chance). The location info is the key factor here, the location is not the location of any legal store – the user may be asked in that point to report to the company on the fake store for further checking. This may turn out as a new tool for revealing fake stores or stolen property.

In case that no location info is available the user can still check after purchase that the item has been taken out from selling pool. To be able to fake this pirates must hack the brand database which is another hurdle they need to overcome without getting caught.

Stealing the codes strategy has too many flaws and most pirates will fail to overcome all of these obstacles.

Strategy 2 – Faking the codes

Here the pirates print a whole parallel line of fake codes which point to their site that looks very similar to the real company site. From now on all goes well even deleting the items from their database after the purchase.
The good thing in the suggested system is that it is neither expensive nor too complicated to execute. This is the reason why pirates can emulate the system quite easily.
How do we overcome this?
The answer is simple. Look at the URL of the website you are in. All big brands have a simple distinguished domain. If in doubt try browsing to the expected brand site and see whether that one exists.

From the two suggested strategy – it looks like the second way has a better chance to fool people. Consumers will have to check the URL and there is a chance that many will fail to notice. However if one person notices and reports the case the pirate store may immediately be in trouble.

Fake brand stores are a big issue; look at the following links for example.

Please feel free to comment on the suggested mechanism. It may help to find an even better solution for fighting this phenomenon. After all we all want to live in a better world…

Posted in Authentication, Brand piracy, QR code authentication, Qr code usage, QR codes, QR codes potential | Tagged , , , , , | 1 Comment

QR Codes Versus Data Matrix

Unlike 1D codes where all information can be found in one cut through the code, 2D codes need a second dimension since they contain many different ‘lines’ of data. Among the most popular 2D codes are the QR codes and Data Matrix. QR code was created by Denso Wave in 1994 and Data Matrix was invented by ID Matrix around 2005. The Data Matrix that is in popular use is the EC200 (there are other variations less popular). Both can be used free of any licensing or royalties, and hence their popularity. In this post I would like to compare these two codes and see when one of them might be more suitable to use than the other.

General structure

Both codes contain areas of data and recognition areas that helps to detect the code and inform the decoder how to decode it (like version, masks etc). Both of them use the Reed Solomon system to recover damaged part of the code data. Here are typicals QR code and Data Matrix with their non-data areas marked in red.

From first sight it is quite obvious that QR codes has more recognition area than Data Matrix (which uses only its perimeter for this purpose). The Data Matrix to the right uses only 84 modules of its 22×22 modules (17%) as recognition area, while the QR code to the left uses 228 modules of its 29×29 (27%) as recognition area. It means that Data Matrix has 10% more of its area available for data and hence they are more compact in size and more effective – using less area to contain same amount of data.

When this may be the situation in few cases, it is not always so. Let’s see why and when one of these codes is more appropriate to use than the other.

Versions and recognition data

Both QR codes and Data Matrix modules will grow by steps as data is added. These steps create what is called versions of the codes. For QR code the smallest possible version has 21×21 modules, when Data Matrix smallest version is 10×10 modules. QR codes grow in steps of 4 modules in each direction for every version until its final version 40 which is 177×177 modules. Data Matrix grows in steps of 2 modules in each direction with some gaps and even few rectangular codes where the number of modules in each direction is different. Its largest size has 144×144 modules.

QR codes add an overhead of a fixed size (the finder patterns) and a varying size (the time lines) that grows with the version of the QR code. The overhead area of Data Matrix on the other hand is totally dependent on its version. It is should be easy than to see when QR codes will become more effective in data/area ratio.

QR code overhead is:
7x7x3 (the finder patterns)
5×5 (the guiding pattern)
29 modules – the version and mask information
2(L – 14) – the timelines (where L is the number of modules in each direction)

Data Matrix overhead is 4L-4 (where L is the number of modules in each direction)

To see when QR codes overhead area will be smaller than Data Matrix overhead area we have to find the smallest L that fits into the following equation 4L-4 > 7x7x3 + 5×5 +29 +2L-28

This starts happening when L is 89 modules. For QR code it means version 18. Version 18 can contain 721 characters or more than 1900 digits. For example a typical business card contain between 60-150 characters, which means that Data Matrix is more suited for business cards than QR codes.

Here is a QR code with some contact data and a Data Matrix with exactly the same data.




The QR code has 37×37 modules (version 5) while the Data Matrix has 40×40 modules.
Surprise! How is this possible? It is truth that 2 additional lines of recognition area were added to the Data Matrix (the vertical and horizontal lines in the center) but still the Data Matrix should have been with much less modules than the QR code.

The reason for this resides in the Error Correction levels. The EC of all Data Matrix in all versions is around 30% when QR codes have 4 different EC levels. The QR code in the left has only 7% additional data area for EC while the Data Matrix has 30% additional data for EC. The additional 23% cause the Data Matrix to be larger than the QR code at the end.

When Data Matrix may be the better choice

1- The lowest version of Data Matrix is 10×10 modules, so whenever you are tight in print area and your encoded message is short enough to go into a 10×10 to 20×20 Data Matrix – go for Data Matrix.
2- Whenever you need to put your logo or any other image on your 2D code, and printing size matters – consider Data Matrix.

Here are the same codes as above with a logo in the maximum possible size for each of them.




The only reason for the difference in logo size is the Error Correction level. Same size of logo will work for a QR code with a High Error Correction (30%) – only the QR code version will be higher and therefore with a bigger print area.

Note: It is not a good idea to use all of EC power when drawing on a 2D code. You should always leave some extra safe zone for unexpected damage to the code or to the images that will reach decoders.

When QR codes may be a better choice

1- Whenever you are tight in print area and your encoded message goes into a Data Matrix of size 22×22 or more go for QR codes with a low or medium EC.
2- Whenever the esthetic of your code matters, QR codes have an advantage over the Data Matrix due to their finding patterns and general look. For some reason decorated QR codes look better than decorated Data Matrix.
3- QR codes has few modes of encoding data, some of them are more compact than the 8 bits for character used by Data Matrix. In situation when an encoding mode with low EC gives you a smaller print area, go for the QR code.

Readers for Data Matrix

Many readers that support QR codes support also Data Matrix.

Here is a list of these readers.
iSite TV

For Android devices you can find also – Barcode Scanner, wBarCodesList, ixMat, BaroScan
By the way – I’m sure there are other readers for Data Matrix that I am not aware of.

Posted in Data Matrix, Data Matrix EC, Data Matrix readers, Data Matrix vs QR codes, decorated Data Matrix, designed QR codes, error correction, Image on QR code, logo on Qr code, QR code size, QR codes, QR codes readers | Tagged , , , , , , , , , , | 2 Comments

Decorating a QR Code – Part Three

This post is going to look at the more aggressive means of decorating QR codes.
The first mean I will look at is adding a drawing as if it was a layer above the QR code, drawing on the QR code. There are ways to estimate the damage made to the QR code data when drawing on the QR code. A good estimation can guide us on how to make these changes in order to end with a QR code that is decodable and with a safe zone for additional damage that our final QR code may be exposed to.

Draw above the QR code

Here is a QR code with a logo over it. The EC of this QR code is High and its version is 2 (25 modules in each direction). The logo on the QR code to the left is drawn on a white rectangle as a background while the logo to the right has a transparent background.

14 codewords corrupted                                        10 codewords corrupted
No safe zone                                                             9% left as safe zone

The table below contains information on the first five versions of QR codes and all EC levels for these versions. Looking at the table for version 2 and EC High we see that we can corrupt 14 codewords (an area of 14×8=112 modules – each codeword is 8 modules). The white rectangle that the logo is drawn on in the left QR code has dimensions of 10×8 modules which cover 80 modules. The codewords however do not fit exactly under the white rectangle and as a result 14 codewords are corrupted instead of the minimum 10 provided by the rectangle area. The transparent background around the logo in the right QR code reveals few modules along the logo bounding rectangle borders – which appears to rescue 4 additional codewords. 4 codewords out of the 44 total codewords are 9% of all data that can additionally be corrupted – which is a good safe zone.

To see how to get a good estimation on the amount of codewords that a drawing might corrupt look here

One thing that we can see from the last example is that whenever you can turn the background to be transparent – do it! It will provide you with few more codewords that will make your QR code more readable during its lifetime.

 Bounding rectangle orientation

Codewords are arranged in clusters of 8 modules that usually span over 2 columns. Most of codewords do not sit exactly on 2 columns and 4 rows. Here are the two common patterns of codewords

This means that if your rectangle has one dimension longer from the other; put the long dimension to be vertical on an even modules border. The short dimension should be horizontal. The longer the horizontal dimension is the more corrupted codewords you will get be due to the broken pattern to the right above. The illustration below shows why.

This leads to the fact that tall rectangles have an advantage in QR codes over wide rectangles.
In the following QR codes the same area is covered by the blank rectangles drawn on the QR code
The tall rectangle to the left corrupts 11 codewords while the wide rectangle in the right corrupts 16 codewords – too much for Quality error correction level version 2 (only 11 codewords can be corrupted) – the QR code to the right is not readable.

However many times we want our rectangle to be horizontal – for example you may want to write some text in the available area such as below

Obviously the text would not fit so well in the vertical rectangle above. On the other hand the QR code will not decode with a horizontal rectangle. So – is there a solution?
Fortunately there is a solution! We can use the same area with a wide rectangle and let the QR code still be decodable. You do not rotate the rectangle but you rotate the QR code instead. QR codes can be read from any angle so if we take the QR code to with the tall rectangle and rotate it, we will get the same decodable QR code but this time the rectangle is short and wide and the text can go in; like this

Note that the position of the finder patterns changed. To the human eye there is no big difference between the last two QR codes, however one has no chance to be decoded while the other will be decoded.

Posted in color QR codes, designed QR codes, error correction, Image on QR code, logo on Qr code | Tagged , , , , | Leave a comment

The Quiet Zone

The quiet zone is a part of the QR code. It is defined in the following way in the QR code spec:

“This is a region 4X wide which shall be free of all other markings, surrounding the symbol on all four sides. Its nominal reflectance value shall be equal to that of the light modules.”
The X mentioned above refers to the width of a dark module (which should be same as the width of a bright module), 4X means width of 4 modules.

The quiet zone is an area that should be taken into account when calculating the print size of your QR code on any printed media. According to the spec a version one QR code will take on print twice the area of the QR code itself due to its quiet zone. Technology however may change this. What if all readers work fluently with 2X quiet zone? Area after all is a central factor when it comes to print – do we have to comply to specs when technology allows us to bend them or even ignore them? Is there a new quiet zone rule that we can stick to and if there is what the relevant new quiet zone area is?

First tests with quiet zone

Here are three QR codes the left one has a 4X quiet zone area and the right one has 1X quiet zone and 2X quiet zone in the middle . Below are tests results of various readers on iPhone and Android devices, I assume that the same readers will perform similarly in other platforms like Blackberries Symbian and Windows phones – where they exist.

4X quiet zone                        2X quiet zone            1X quiet zone

As you can see all readers have no problem to scan a 1X quiet zone QR code. So there is no need any more for anything more than 1X quiet zone.

The question is – can we go further? Can we go inside the 1X quiet zone and still get a readable QR code?

Invading the quiet zone

In the left is the same QR code with 1X quiet zone where the quiet zone here is violated once in each direction without destroying original QR code data. In the middle is the same QR code but here the 1X quiet zone is violated around the finder patterns. The right QR code has a quiet zone violation that encircles the finders without violating the quiet zone for the finders themselves.
The last QR code has a high EC to help it recover the corrupted data.
The reader results follow.

When only one reader had a problem to scan the codes in the left and in the right, more than half of them could not read the middle code where the finding patterns quiet zone was violated. It is interesting to see that almost all readers (except one) do not need a fully surrounding 1X quiet zone when the spec requires a 4X surrounding quiet zone.

This means that not only a 1X fully surrounding quiet zone is all what QR code needs today, it means also that this 1X quiet zone must not encircle fully the whole QR code. What is really important is giving the finder patterns a 1X quiet zone and nothing more. Going down from a 4X quiet zone to 1X quiet zone around the finders only is a huge space saving. Use that space to increase your QR code on print or alternatively – your QR code will consume a much smaller printing area!

To make sure that only the finder patterns needs a quiet zone for practically all readers here is an extreme example of QR code where only the finder patterns quiet zone exists.

Checking this code with all the readers above will show the same results we got for the right QR code in previous example. So not only 1X quiet is enough but this 1X quiet zone can be limited only to the finder patterns of the QR code. Not only it saves print area, it also permits new kinds of decorated QR codes.

Posted in create QR codes, designed QR codes, print QR code, QR code quiet zone, QR code size, QR codes, QR codes contrast | Tagged , , , , , | 3 Comments

Decorating a QR Code – Part Two

After dealing in previous post with neutral (non damaging QR code data) decorative means, we are going to look at more aggressive means and learn their possible effect. We will try to estimate their damage amount and ways to control it in order to create decorated QR codes that are still decodable.

Pattern colored QR codes

A more aggressive way (in terms of QR code readability) to color a QR code, is to use a pattern as a color. This effect can be achieved by using the bucket tool and painting the QR code with a pattern instead of a simple color (in Photoshop for example). When painting with a pattern use the Medium EC level and above. Here is an example of such a QR code created in this manner with a grass pattern (created from an image) in Photoshop. The QR code EC level in this example is Medium.

The problem with pattern coloring is the contrast between the elements in the pattern. Readers must in some point decide which module is bright and which module is dark. To simplify this we can imagine a black and white QR code somehow created from the original colored image. The contrast play in pattern elements might create white spots in dark modules in this final decision image of the reader. Here are two possible black and white interpretations that readers may face in trying to decode the image above.

As you can see the main problem is the white stripe in the upper right finder patterns. The following readers were able to read the original colored QR code on an iPhone.
NeoReader, Scanlife,MobileTag,RedLaser,Scanit,Qr scanner, Optiscan, BeeTagg, i-nigma, QuickMark,Qrafter,and Scan.

Only Qr Reader for iPhone failed to read the original code. After correcting the contrast in the upper right finding pattern in the right image below, all readers including QR Reader for iPhone were able to decode the QR code.

Original image                              Corrected image

What can we learn from this? First thing is that most scanners can handle the contrast level in the pattern at the left QR code above. Secondly – look for areas in the pattern that might be too bright in the QR code finder patterns and try to lower the contrast in these areas. The finder patterns are sensitive since readers must find them clearly as a first step in decoding. Third thing is to look at other areas in the QR code, if there is a suspect for too much brightness, consider changing the pattern or lowering the contrast in the original pattern.

Hiding the QR code

Using patterns for coloring QR codes can easily create a QR code which is hard to detect for a human eye but is easily detectable by a machine. Here are some examples – the first from Set-Japan (www.setjapan.com) a company that created really nice decorated QR codes.

To my surprise this QR code is detected by almost all QR code readers in the market when you are close enough to the image.

Using a pattern that our brain is trained to recognize like bars or circles in a QR code will make the QR code even more difficult to detect. Here are two examples I created using bars and circles.

I used for this example a QR code with high EC but I am afraid I did this only because it looks hard to detect in our human eyes. As it appears it would be totally detectable also in a low EC, since once the background is detected from the foreground the QR code data is fully available here.

So – which readers were able to read these ones? Here is the list
i-nigma, scanlife, RedLaser and ScanIt.
Almost all other readers decoded only the left QR code above. The reason for failing the right one for most readers is not the pattern or the ability to detect the QR code. The same QR code painted with red (instead of yellow) was read successfully by all readers on an iPhone that decoded the green QR code above.

Combining effects on QR codes

The QR code below is a result of applying a ripple distortion on a regular QR code. Although it is much obvious to human than the hidden QR codes above, it is harder for the machine to decode it. Actually the rippled QR code needed the Reed-Solomon error correction since two codewords were corrupted in the rippled QR code, while none of the codewords was corrupted in any of the hidden QR codes above.

Here is a combination of ripple and the green bars

Complicated as it might be seen almost all readers reads this code and the damage made to the data is very small – only 2 codewords were damaged out of 22 possible for a QR code version 3 high EC.

Applying a decorative means that damages X codewords on a QR code over a decorative means that does not hurt the data at all, will usually end by a damage of X codewords as happened above.

However applying a decorative mean that damages X codewords upon one that damages Y codewords will not always end by damaging X+Y. codewords. Here is an example.

Spherical QR code – 2 codewords corrupted

Rippled QR code – only 2 codewords were corrupted.

Spherical and rippled – only 2 codewords corrupted

Posted in color QR codes, designed QR codes, error correction, hidden QR codes, pattern coloring QR codes, QR codes, QR codes contrast, QR codes readers | Tagged , , , , , , , | 4 Comments

Decorating a QR Code – Part One

Decorating a QR code is not a simple task as it may sound. Decorating QR codes has been taken by some artists to a level of an art in itself. Some decorative means will not affect QR code readability, we will call them neutrals. Other decorative means will undoubtedly affect it. Decorating QR codes using neutral means enables you to work with low EC (Error Correction levels) and probably with lowest version of QR code. Using lower QR code versions increase readability, assuming that total QR code area is fixed on the printed media.

Some decorative means will disrupt readability just a little while other might affect readability seriously up to the point of non readability.

What are the neutral ways to decorate your QR code? Which means will hurt readability to small extent and what means should be measured carefully when used? How can we know how much of the readability we are hurting? I will try to answer some of these questions in this post.

Neutral decorative means for QR codes

The simplest non harming way to decorate a QR code is to color it in a different color that the default -black. If this is all what you plan to do and your QR code is not going to live in a harsh environment (see here), use a Low error correction level. Normally coloring the QR code with one color is not going to affect readability at all. You must however to take into consideration the contrast between your color and the white background. For example coloring your QR code with a bright color will surely affect decoding with some readers.

Bad foreground color

The next step in complexity is adding the background into play – changing the default white background to another color. This is more complex because a new factors should be taken into consideration – who is darker the foreground or background?

It is hard to state a rule for the contrast since not all readers achieved the same minimal contrast for decoding. Here are test results observed on an iPhone with some readers. I used for the test a black Low EC QR code on varying backgrounds. The lines with reader names along them are the points where the specific reader was able to read the code in this contrast.

So if your QR code is dark on a brighter background see if one of the three weakest (contrast related) readers reads it. If one of them does, your contrast is ok.

In case your foreground is brighter than the background you should know that not all readers support this (although their number grows with time). This situation of darker background arises whenever a darker color is used for background. Here is an example:

This is a list of readers that supports the inverted option:
I-nigma, Neoreader, MobileTag, Qrafter, Lynkee, Scan

More disruptive decoration

The next decorative steps may make decoding a little more hard. The first step is rounding the QR code finding patterns. Doing this should not affect readability for small versions and very slightly for big QR code versions. Here is an example for a QR code with rounded finding patterns.

The QR code error correction level should not change for this kind of decoration since the effect on readability is very minor if at all. The way to achieve this effect in Photoshop is selecting the fQR code finding patterns and then using the select/modify/smooth filter with a small value. This will modify the selected finding patterns to be round as in the image above. Create a new layer and paint the selected area with your foreground color. As a last step remove the finding patterns from the layer below the topmost layer to get the desired effect.

Using more than one color for the QR code creates a good visual effect. A common way to do it is to color the inside of the finding patterns with a different color as in the image below. If the new color is in good contrast there should be no effect at all on the code readability although minor damage might sometimes occur by greater rounding of the corners.

t has been recommended in few places to use only black and white colors due to readers compatibility. I have tested all iPhone QR code readers that I know of and all of them had no problem to read the multicolor QR code above except the MobileTag reader (which by the way decoded smoothly the all blue rounded QR code).

Rounding all QR code modules will hurt readability more. Here is an example –

The main impact is on the isolated one module boxes which changed shape. Their area is now smaller. This might affect QR code readability since scanner usually sample the environment of the module to decide its color (dark/bright). When rounding the QR code elements take into account the size of one module in pixels. In general do not smooth with more than half of module width in pixels, since this would affect the isolated dark modules too bad. In the example above around half of permitted errors occurred in reading this QR code (Low EC)– leaving only 3.5% percent secure zone. It is recommended to go up to a Medium error correction (15%) level whenever rounding all QR code modules. The rounding itself should not harm more than 5% of data area – leaving more than 10% for secure zone which should suffice for most QR codes.

Adding shadows with or without embossing is further step that still (as above) should not affect more than 5% of data area. Here is an example

The reason is that some of the isolated one module boxes that lost area gets now some support from the close shadow. So some errors might now be corrected while some other white modules might be calculated now wrong because of the same shadow. Here again the Medium EC (or more) is recommended for this type of decoration.

Coloring some of the modules with an additional color as in the image below should not change matters dramatically as long as the other color is dark as the first foreground. Here the color is brighter which may cause a difficulty for some readers although most readers will handle multi colored codes reasonably. In case the color is too bright the impact can be calculated by counting the isolated colored modules.

n our example there are 23 orange modules (the orange module inside the guiding pattern is not part of the data and should not be counted). If they were all white the code would be unreadable because only 4 codewords can be corrupted in a QR code version two with Low EC (see table below). Remember that a codeword is 8 connected modules in two connected columns of 4 rows each(see here for detailed explanation). Since the orange modules (in this example) are spread in more than 4 clusters (and hence more than 4 codewords) the Low error correction level is not enough here, and the QR code would not decode if they were too bright.

Here is a table that shows how many code words can be corrupted for each EC level of the first four QR codes versions.

Posted in color QR codes, designed QR codes, error correction, QR codes, QR codes contrast, QR codes readers | Tagged , , , , , | 3 Comments