The Traceability.FYI Podcast – Episode #1


Mark Manning (iTrace Technologies) and Robert Sherwood (VeriTrace Inc.) join our co-founder, Michael Cizek, in a discussion on the critical role of traceability in brand protection and compliance, focusing on GS1 and the emerging regulations surrounding 2D codes, particularly QR codes. The conversation highlights the widespread adoption of QR codes in various industries and the associated security risks, including counterfeiting and fraud. The three share insights on the limitations of QR codes as a secure solution and the need for more robust traceability mechanisms in supply chains. They discuss real-world examples, such as the challenges faced in the pharmaceutical industry and the implications of initiatives like Sunrise 2027 and the Digital Product Passport in the EU.


Q&A

We invite our audience to contact us. GlobalAutoID will either get back to you with answers to any questions you have, or connect you with one of our members who could best answer.

We would like to know from our audience:

  • Did you know that QR codes can be hijacked?
  • Does your manufacturing / storage / distribution process currently use QR codes for track and trace?
  • Do you have issues with counterfeit or diverted products?

Episode Transcript

Joseph Cizek (00:42)
Today we’re discussing traceability and its role in brand protection and compliance with specific focus on GS1 and the new manufacturing and trade rules and regulations they’re either involved with or driving.

GS1, as you probably know, is the global de facto authority on standardized product identification, and they are everywhere. UPCs, GTINs, GLNs, RFID, product classifications, and what’s up and coming, 2D codes.

There’s a lot going on with GS1 and with 2D codes implementation and regulations being mandated in the US, EU, and Asia. 2D code in this case is a synonym for QR code, the same consumer-friendly and widely used symbology everyone is familiar with.

What everybody is not familiar with are the ramifications of relying on QR codes for anti-diversion, anti-counterfeiting, and all-around brand protection within supply chains, as well as the risks of depending on QR codes as a safe and secure solution.

In Europe, digital product passports have been implemented as of 2024, which utilize QR codes. From GS1’s EU site, quote,

Among several ambitious goals and new requirements, the ESPR introduces the Digital Product Passport for products, components, and intermediate products being placed on the EU market or put into service, and it includes products manufactured in Europe or exported into the EU, having impacts also on global trade.

In the US, there is GS1’s Sunrise 2027 initiative. As stated on GS1’s US site, the industry has set a date to make the transition to accepting 2D barcodes at point of sale or point of care referred to as Sunrise 2027.

By the end of 2027, retailers would need to ensure their POS systems are equipped with scanners capable of reading both traditional barcodes and 2D barcodes. The shift has already begun with the new technology being tested in 48 countries across the world, representing 88% of the world’s GDP.

Today we’re joined by Mark Manning, Robert Sherwood, and Michael Cizek.

Mark Manning is the founder and CEO of iTrace Technologies, a Silicon Valley company specializing in non-clonable supply chain security and brand protection solutions. Mark is a serial entrepreneur and has been involved with brand protection and product security for over 20 years, delivering technology solutions to some of the supply chain’s biggest problems.

Robert Sherwood has devoted the past three decades to consulting, designing, and implementing printed security products and software applications. He is a specialist in printed security design and technologies, helping governments, Fortune 500 companies, and small businesses identify issues, formulate solutions, and implement and manage anti-fraud measures.

Michael Cizek is the co-founder and CEO of Global Automation and Identification Group. He has over 40 years of experience in the data acquisition and vision solutions industry, which includes senior sales management positions at the regional, national, and international level. Both iTrace and VeriTrace are members of Global Auto ID. You can learn more about these companies at traceability.fyi/members.

So let’s get into it. The problem is QR codes are insecure. Mark, we’ll start with you. When we say QR codes are insecure, can you recap what that means?

Mark Manning (04:11)
Sure. So QR code is an open source symbology originally developed by Denso in Japan back in the 90s, I think it was. That technology was developed to smoothly move components through a factory and be able to automatically identify those components. Since it was invented, it’s been used for many different applications, but there is no security layer to that symbology to prevent people changing the information in those codes, replacing those codes or modifying those codes. And in that time, we’ve seen this technology be adopted for many different applications, including restaurant menus, parking meters, parking kiosks, and those kinds of things. But the security of those codes has not kept up with the applications that they are being deployed in, which results today in issues like quishing and QR jacking, where fraudulent QR codes are placed over the top of genuine QR codes, tricking the user into performing some activity that they are not intended to do.

Joseph Cizek (05:17)
So Mark, going a little bit deeper into this, a consumer side example of why QR codes are insecure would be their use in what’s commonly called a brushing scam. You’ve spoken a lot about this in other areas. Can you summarize that scenario?

Mark Manning (05:32)
Yeah, so a brushing scam is just one use case of QR codes being used to try and trick people into giving personal information or payment information. So brushing scams occur when somebody receives a package that they never actually ordered or never actually intended to have. They’re sent a package, they open that package and inside there’s a little note saying, this was sent to you, if it’s not for you, scan this QR code for return instructions.

So you open up the package, you look inside, I didn’t order this, where did it come from? Look at this nice little note that tells me to scan this QR code and follow the instructions to return the package. When you scan that QR code, it is likely going to steal the information that you’re inputting into that website and use that information for some kind of fraud or scam.

Or get you to engage in some kind of activity that is innocuous to start with but can escalate as you go along. So it’s used to trick people into giving payment information, personal information, access information to systems. It may say, hey, log into your Amazon account to return this item, but you’re not actually logging into Amazon at that point in time, but you’re giving this website your username and password that you would use normally for Amazon. So a brushing scam was originally intended by the perpetrators to get improved rankings on Amazon’s scoring system. So you would receive an item that you didn’t order, but they can prove that they sent this item to somebody and then legitimately put a review of that item on the Amazon website.

So that was the initial intent of the brushing scams. I want to improve the ratings for this product on Amazon and I have to prove that I shipped this product to somebody to create a review. That since has escalated into other scams that are associated with that. But the traditional brushing scam is somebody receives a package that they didn’t order. They’re invited to scan a QR code to return that package and that will steal personal information. An example: a friend of mine had a brushing scam happen to them. They received, I think it was six metal fence posts, these days before being long metal fence post, in the package that UPS dumped on the doorstep. Now how do you get rid of four or five metal fence posts over your doorstep? Well, you want someone to come pick that thing up and take it away, right? So you open the box, there is a QR code in there for you to scan, and that’s going to steal your information. So these are the kind of attacks that are actually happening with QR codes around that brushing scam scenario.

Joseph Cizek (08:16)
That’s a really good example. They pick something that’s just clumsy and large and you’re gonna wanna just get rid of. And it makes it just all too easy to follow their very easy instructions.

So, and we’ll go into a little bit more detail, but the conclusion being that there needs to be traceability in the supply chain, but QR code isn’t necessarily the solution for that.

So where QR codes may not be a secure solution or be the solution that does everything it needs to, there definitely needs to be something in place for traceability in order to help protect a brand, to protect against counterfeiting and diversion.

Case in point, Robert, recently you noted a news report that last year 24,000 bottles of Guy Fieri and Sammy Hagar’s branded tequila with a value of a million dollars just simply vanished during the shipment. LAPD was able to recover roughly half of that. They narrowed it down by finding the driver, but the rest were not recovered.

At the time, you went on to ponder if a quote-unquote unique QR code applied to the bottles would have helped law enforcement recover more of the stolen goods and give them more information to work their case. Can you walk us through what you were thinking that was going to look like on the bottle?

Robert Sherwood (09:41)
Sure. First of all, it wasn’t a situation where it was necessarily true brand protection or authentication. It was, and I’m going to call it reverse squishing or maybe quashing. The idea was that if there was a QR code on those bottles that were never recovered, if they hit the store shelves someplace and a customer or somebody scanned that QR code. If it was a unique code and linked to a system, it could geofence where that particular bottle was. And once that happened, what store it was in, would give law enforcement a lead as to backtrack to find out where it is. Now I’ve been involved with products that the bad guys actually take the codes off the products or obliterate them some way so they can’t be scanned. But if they sold cases of this tequila without opening them and assume they just got them into the retail sector, then there would be a quote chance of somebody scanning that code for some reason and then giving the lead. Had nothing to do with anti-counterfeit, it had nothing to do with any of that. It was just the concept that if there’s something that is on there. Now if it wasn’t a QR code and it was some odd looking code, I mean people don’t feel they can scan those codes generally other than a UPC code for a Walmart price check. So that’s one of the problems right now is that there aren’t, if it’s a proprietary code compared to a QR code, people don’t recognize it as something that they can interface with. And the whole point here is we need interface, but the problem then is all these other problems related to the brushing, jacking, squishing, quishing, sorry. So the idea though is in that sense is we’re just trying to get some interface, some point, data point out there, whether that would work or not. When I posted it all of a sudden everybody came back, well, you need to layer that. Well, that wasn’t the point. The point was not trying to make it. We knew that tequila was real. That wasn’t the problem. The problem was how do we find it someplace? So that was the point of that.

Joseph Cizek (11:51)
No, good, that’s all good context. But going to that unique QR code concept, I think that is a good segue into talking about iTrace’s capabilities.

Because it sounds like something that you’ve kind of already solved for, Mark, right?

Mark Manning (12:08)
Yeah, absolutely. And that theft and loss scenario that Robert points out and the solution that Robert was describing is your typical track and trace application using either a QR code or other symbology is exactly the same as you would face with a diversion or gray market trading issue where product that is intended for one marketplace is leaving the legitimate distribution chain and ended up in an unauthorized market. It could be one of the eBay, Amazon, Alibaba marketplaces.

It could be the corner of a street in New York City, but the legitimate supply chain at that point is leaking either via distributors and retailers or via straightforward theft of a truckload of tequila. So having a track and trace mechanism that is able to identify where those products were initially intended to be delivered, where they were initially intended to be sold and identifying that when you do the sample purchase, as Robert points out, pulling one of these bottles of tequila off the shelf, where was this originally intended for? Who was supposed to receive this? And was it one of the bottles that was stolen? So being able to provide that track, trace and identification component as part of a supply chain security solution enables the investigators to, and be that law enforcement or the brand’s own internal investigation teams to identify where this product was originally intended and then track how it got into this unauthorized marketplace, either by diversion or theft. One good point that Robert brings up is that some sophisticated diverters and even smarter thieves will try and scratch off markers that would provide some track and trace. And we’ve actually had that happen with some of our clients in the watch industry where watches were manufactured in China, they entered the distribution chain, they were found for sale on eBay, Amazon, Alibaba. When the brand did the sample purchases on those watches, they found that the distributor that was diverting them, or the retailer that was diverting them, had actually taken the time and the effort to unpackage every case, unpackage the cart and the watches, unpackage the individual watch from its individual wrapping, put it under a microscope, scratch off the marker, the security marker that was on the back of that watch, and then repackage the whole thing up again. Now that takes a lot of work and it gives you an indicator of how good the margins are on diverted and gray marketed product. But what the diverters didn’t know was that the iTrace markers that were on those watches are extremely damage resistant. And even though they had sanded them, they had scratched them, they tried to erase them off.

We were still able to forensically extract the original information from those marks and provide that to the legal team who were then able to use their resources to enforce their agreements. Having a security solution alongside or instead of the standard logistics solution gives you that greater level of traceability and security on the product. So.

If you have a security application like iTrace 2DMI that is providing track, trace and authentication that is highly damage resistant in one symbology, that gives you the ability to enforce your agreements in these kinds of ways. And word gets out in the distribution chain at the factory in your supply chain that you are able to track, trace, identify and authenticate your product.

And that actually provides you the ability to control your supply chain and deter production overrun, diversion, gray market trading of your products.

Mike Cizek (15:48)
I agree with both positions. I think the idea here is to detect when those bad players have taken, bad things have taken place, not necessarily prevent them right now, but at least to detect them and get them out of the supply chain. I think there’s something to be said for both statements. I can’t add anything to this.

Robert Sherwood (16:09)
I think part of the issue here is how much participation and who is using it and what in fact is the end game. Certainly what Mark does is more secure, provides a lot of information and control out there with the particular code.

But from the standpoint of consumers and people that if you need participation with something and it is dangerous in that sense that the codes can be cloned and replaced. But if you need participation from the general public then a QR code is kind of the way to go. And that brings up why we add other layer technologies so that the QR code is in fact something that can be used and you can track and trace it or use it either internally or of course out in the field, but other technologies that we protect the QR code with in a sense can be used to do the true authentication. Some of those and everybody knows about DNA, we don’t necessarily use DNA, but there are tags on that are available that can be specific to a product or can be generalized and they’re invisible and in some cases bad guys can find them, but the state that they are in, they’re kind of a two-state product where one is anybody can find it with the right tools, but at the nano level, they are differentiated in their structure and the way that they work. It’s kind of that situation where again, the idea with the tequila was that.

Hopefully we could fool somebody. Hopefully the bad guys aren’t taking the codes off, especially when Sunrise 2027 comes around, there’ll be QR codes on all these products. And at that point, depending on what the product is, the bad guys aren’t necessarily gonna be able to take those codes off of there because they’re not gonna scan at checkout.

So, and I totally agree with Mark from the standpoint of all these other problems with QR codes, but at the same time, we’re going to have to live with them and we’ll get into pharma situations that are out there that are just a mess. But again, at the same time, who’s going to participate and how are you going to get them to participate? And unless somebody’s familiar with something, just, going to be, I think it’s going to be suspect or I can’t interface with it.

Mike Cizek (18:34)
I think we have to look, too, at these solutions. Are they aimed at the brand owners and the supply chain operatives, or are they aimed at benefiting the consumer? And Mark’s approach is ideal for the former, but again, the consumer is not going to be able to make use of proprietary symbologies. I think the direction – those are two different directions and objectives. Is that correct?

Robert Sherwood (18:58)
Correct. Yes. And I mean, one of the issues, we did a, we launched the original QR program for Yeti coolers. We put QR codes on every one of their products starting at the point of manufacture and all the way through supply chain. They even use the QR code to go through their customization program, different distributions, all of that.

But when they use, when the consumer scanned it, there was no indication that they were tracking anything. It basically took them to the website to register their product and they would get a sticker, Yeti sticker, which was an enticement. But in the background, there was obviously information about where it was in the supply chain, where it was scanned, whether they were receiving multiple codes of the same code, which means it was cloned, those kinds of issues. So there was data behind that.

The bad guys, yes, they could do something with it, but in general terms, they knew where their products were, they knew where their participation was, and then the QR code for marketing, couponing, all the other things that you can link once you are into the internet or into the system, you can add those other programs to it.

Mike Cizek (20:11)
I think we have to be careful in GS1. What are the expectations of GS1? What are the objectives of it? And realize that it’s not going to do what a lot of people expect it to do from a security standpoint, not in its present form, without the addition of such solutions such as Robert and Mark both suggest.

Robert Sherwood (20:31)
Yeah, I mean the initial objective is to change the UPC to a QR code. I mean, that’s what it is. And GS1 is showing that it can be used for a multitude of things, but not every company can use all of those

Mike Cizek (20:35)
Right.

Robert Sherwood (20:44)
add-ons and not every and GS1 doesn’t have the ability to provide all of those. So getting the QR code or getting codes onto product is something that we’ve had trouble with, because companies that, if they’re already using a QR code, we can convince them to change it to a unique identifier. But if they aren’t using a QR code and there’s no place there, you have, you’re dealing with, depending on what kind of product it is, you’re dealing with marketing, you’re dealing with changing labeling, your design. You need space for that QR code or that custom code, and that’s a whole other thing in the sense of we’re making labels with codes on them. Then you have operations: how are you going to get that label on there? And there could be pushback from those aspects, so

It’s you got it. Have to get a code onto the product to start with or you’re nowhere. And I don’t know, Mark, if you run into that aspect of it, it’s, you know, it’s something I have numerous times. We just, we don’t have any place to put the code, but your system is a little bit more.

There’s more incentive in some senses to use your system than a QR code in that sense because they really have a problem, they want a secure code and potentially it’s going to be internal, right? Or it’s going to be a closed situation.

Mark Manning (21:59)
Sure, that’s absolutely right. And we’ve spent most of our time in business replacing QR codes or other 2D symbologies on products. One, because they may not fit in a reduced product size, but two, because it requires an extra level of security to secure the supply chain. But in the back of my mind, having worked all of this time to replace QR codes on products,

I’m seeing the whole landscape of the cyber security infrastructure and the cyber security threat surface is changing around QR codes more rapidly than the legislation is changing to secure them. And I think that’s my big concern. It’s not so much that they want to put a QR code on a Mars bar and have you scan it and understand the ingredients, but the threat surface now is changing from a QR code perspective from, we’ve got, you know,

kind of a limited deployment for all of the reasons that Robert described to there’s going to be a billion products out there now with QR codes and invitations for people to scan them to understand how do I use this thing? Is this my, my, you know, my aspirin or my pharmaceutical? I can’t understand what I’m supposed to do with it without bringing out a phone and scanning a QR code because that’s going to be the new way of engaging. That’s moving rapidly.

The threat landscape is changing rapidly. The security is not following along with it. And it’s not hard to imagine two scenarios. One is I want to scam a consumer into giving me information. So I replaced the QR code on their Mars bar with something that says, hey, give us your information. We’ll send you 10 free Mars bars. You know, this easy to promote that kind of thing. Someone scans the Mars bar and they’re going to think they’re going to get 10 free Mars bars.

Robert Sherwood (23:39)
Sure.

Mark Manning (23:44)
That’s going to be easy. The other way I think is going to be more threatening to the enterprise is me as a malicious actor can say to their brand team or their security team or their supply chain team, Hey, I found this Mars bar and it doesn’t scan for me. I can’t scan it. Is there something wrong with it? And I put it in an envelope and I send it off to the brand team. They scan it. We know from Google Threat Intelligence Group that the weaponization of QR codes allows for download of malware, access to systems and devices. So now as a scammer, I can create an attack surface to an enterprise that includes QR codes on their own products. And there’s no security behind that from a QR code perspective or from the system perspective that’s enabling Digital Product Passport and Sunrise 2027.

So I’m looking at it, not that it’s a bad idea to put QR codes on the product, it’s a bad idea to put QR codes on products without any security implementation behind it.

And to your point, they’re not selling it as a security solution. It’s got a particular, the Digital Product Passport’s purpose is to provide recycling and disposal information on products along with origin and traceability. That’s the original thing, but that’s different to security.

Mike Cizek (24:46)
And it’s informed.

Robert Sherwood (25:06)
All right.

Mark Manning (25:06)
And Sunrise 2027, as Robert pointed out, is there to provide an alternative 2D code, a point of checkout, and to allow other engagement applications to be built on top of that.

Robert Sherwood (25:18)
So the point there again is what is the pervasive theory in brand protection is that you just can’t rely on a single quote silver bullet technology. So again, that’s where we come in. What we realize is that yes, Mark’s solution is the much, much better ultimate has security behind it, QR code does not, but there’s still going to be a situation where they’re going to be billions of them, they’re going to have non-secure applications. Is there a way behind that to pull data from that, whether it’s geo-fencing, whatever it is, as he mentioned, diversion, which a lot of times when I talk to brands, they can get their heads around diversion, they have their problem. If you start talking counterfeiting, they have no idea what the real true counterfeiting problem is, and you can’t do anything with that until you start getting data back and tracking where your products are and finding out what the diversion potentially is. So…

From that standpoint, what again, what we’re trying to do is leverage off of the QR code. It’s going to be there anyway. So what data can we derive? And then again, we’re adding other technologies that would be the true authentication. Now consumers, there aren’t very many choices from what we would call overt technologies that consumers can authenticate. Color shifting inks were used for quite a while. Holograms were used for many, in many cases.

But holograms, once they became digital, are very easy to clone in a sense or substitute and it’s very, very difficult even for somebody that knows what they’re doing to look at a hologram and say, is that the original hologram? Color-shifting inks, what color shift from gold to blue, blue to green? They’re very, very hard to differentiate. So there aren’t very many technologies that way.

So what we concentrate on are technologies that the investigators, the brand protection people can in fact truly rely on at the same time driving data from a QR code if they’re using that. And in Mark’s case, and the other aspect of it is, is if there is no connectivity, then…

There are other ways to authenticate that product in the field if you don’t have that connectivity to be able to scan it and access the system behind that.

Joseph Cizek (27:35)
So I think this is the right time of year to add on to this part of the conversation. We’ve been talking about what you can do to secure the supply chain one direction forward. But this is the time of year where the supply chain kind of goes backwards. And we’re talking about reverse logistics.

You have things that have been manufactured, stored, distributed, sent out, got to the end consumer, and this is the time of year where the end consumer is doing a lot of returns, where they are sending things back through the process.

Keeping the supply chain secured when it goes backwards and when they’re processing those returns, can you speak to how you can keep things secured? For example, you’ve got situations where people are sending possibly just an empty box wanting to get a refund or they’re putting in a product that was not what they bought, sending it back to try to get a refund or some kind of credit. Or they bought a couple of things with different variations and they’re just kind of mixing things up in order to pull something off, so to speak. But in those scenarios, what are your thoughts? I guess we’ll start with you, Robert.

Robert Sherwood (28:45)
Part of the situation is years ago when Denso invented the QR code, the problem with them was they just let it be open to anybody. It became used. They tried to put the genie back in the bottle. But early on, we used QR codes in the electronics industry for returns. And we put QR codes on hard drives. And at the time, the bad guys probably would have used them. But the return problem was more of a, let’s say a kid sending in a hard drive and they would change the potentially change the label on it or do something where they were saying, I, you know, I want to return on this. And unfortunately, the company had to open up the hard drive in order to see if it was a legitimate return. Well, that’s a lot of labor. So they, they used a QR code for a while to know and look up that particular drive in their system to see in fact, where it came from, where it was sold, when it was sold, when it was manufactured, those kinds of things. That system went away when people became aware of QR codes and what they could do with them. Mark’s… One of the things about a system like Mark’s is, again, it’s one of those codes that, at least at this stage of the game, and I know Mark would like it to be recognized as a QR code, but people don’t recognize it as necessarily something that they can interface with cases when it comes to a consumer application, people probably aren’t going to scratch it off. They probably aren’t going to try to change it or anything. They’re just going to say, this is just some mark on here. But that could give a company in warranty return or returns a lot of information. And again, if you said they’re sending a box back and there’s nothing in it, there’s no code anyway, there’s nothing there. Unless you put it on the package and then what is it? Where did it go? Where to come from? So there isn’t a solution for all those problems.

Mark Manning (30:38)
Yeah, so we’ve got involved in a number of applications that revolve around what we call warranty return and replacement fraud and Christmas gifts coming back from kids fall under that category. But that’s less of an issue for some of the organizations than, you know, me returning a fake Tiffany ring in exchange for the real one that I purchased and that kind of thing. In the hard drive space that Robert mentioned, we’ve actually been working on a couple of applications in that space. And the way that we’re looking to solve this for the brand today is that you have the packaging level markers, which identify what’s on the outside of the package, but also applying covert markers to the actual product itself that is linked to the logistics information on the outside of the package, because they have a problem today where hard drives are meant to go to scrap, but are being relabeled and resold in the marketplaces as brand new hard drives. Now these things may have been built five, 10 years ago, but are now being sold as new having had, you know, hopefully most of the data wiped off them and had a cleanup and put back in a counterfeit box. So their warranty replacement now needs to identify what is the origin of this hard drive that’s just been returned for warranty repair and replacement. Having a QR code on the outside of the hard drive doesn’t necessarily provide that level of track and trace and can be changed and modified and relabeled or all of those good things. But having a covert marker actually hidden on the product itself, and in many cases, this may not be at the labeling level. This would be a direct part marking component that was applied at the factory, but it is tied into the information at the label level. 
So then when this thing comes back for warranty repair and replacement, someone can scan or identify the covert marking and then be able to determine was this thing built last year and has now failed or was it built 10 years ago and got re-stickered and re-labeled. So those are some of the things that we’re doing and that was one of the original Fossil applications that we worked on with Fossil and their watches that’s called out in the case study is that they wanted to be able to identify basically at the loading dock whether this item was genuine or fake.

So as they weren’t spending any more time and energy on warranty repair and replacement of a fake watch, it would just go straight back to customer service to contact the sender and say, hey, you’ve sold, you sent us a counterfeit Fossil watch. Can we give you a discount code for a genuine watch or can we work with you to identify where it came from? So it’s a big problem. It’s for most brands.

It’s not just a holiday problem, it’s an all year round problem and it’s quite a large amount of fraud for many companies. I think Cisco’s warranty repair and replacement fraud problem a few years back was north of a billion dollars a year. So there’s significant money involved in this and significant fraud that can occur around this issue.

Mike Cizek (33:43)
In 2025, reverse logistics returns amounted to $850.5 billion worldwide.

And 15% of that, at least 15% of retail returns are fraud.

Mark Manning (33:57)
Yeah, it is a huge problem.

Mike Cizek (33:58)
Huge problem.

And that’s where I think proprietary closed information systems such as iTrace are very critical.

Robert Sherwood (34:06)
Totally agree.

I think we could talk about too is the fact that auditing, being able to audit subcontractors and the quote fourth shift kind of thing. Whether it’s a QR code or some other type of technology or whether it’s one of Mark’s codes, the idea that there’s this fourth shift and the idea just to get something on a product that if, and we had this scenario in the hard drive realm too. We had a contract with a major brand, but they subcontracted the five different kinds of drives that they were producing at the time and we got they were contracting with us but the subcontractors were actually buying the labels directly from us and we had of course a forecast of how many labels they were going to expect to use for a year and one of the contractors sent in a purchase order for a half a million labels. And that was a good chunk of what was going to happen. And we understood that that was not the major supplier. Of course, every PO came in, we would send to the brand and say, hey, is this legitimate? Well, immediately they came back and said, that’s interesting, because they only produce just under 100,000 drives for us a year. So obviously, there was, you know, it was simple, but it was a way of doing, you know, keeping non-authorized manufacturing there. And so, and again, it was a situation where obviously that could have been a major problem and dilute the potential, you know, revenue from that particular product that was out there, but we were able to at least identify that they were able to take care of it. We don’t get into policing or do anything like that. But again, that was one way of identifying that. And I know with Mark, they have more of a system in order to deal with the idea of what we would call the fourth shift or producing product in another factory that is exactly the same, has the same molds, those kinds of things, depending on what those products are.

Mike Cizek (36:05)
I think Mark brought up a good point too when he said, I think he referred to bad players getting more sophisticated. Back in 2000, Callaway Golf Clubs started putting a data matrix symbol, small, very small laser etched data matrix symbol on the heel of their golf heads. And the purpose of that was not just traceability within the manufacturing process. It was to trace gray market, diverted products being sold through unauthorized distributors.

And it worked very, very well for them. But certainly we both know now that, all know now, that simple data matrix is not going to solve or be a technology that cannot be duplicated.

Mark Manning (36:42)
And I think that’s the advantage of working with an organization like VeriTrace with Robert. Obviously Robert has a security focus and his organization has a security focus. There’s a lot of brands out there that they know they want a track and trace or an anti-counterfeit solution and they talk to their purchaser and say, find me an anti-counterfeit or track and trace solution. They go out to their local label provider and the guy says, yeah, I got you covered. I’ll just stick a data matrix or a QR code on here for you and you’ve got a counterfeit track and trace solution from us. But knowing that that’s just not going to solve their problem. Whereas I think Robert’s organization with VeriTrace is able to come at the problem with a lot of expertise, a lot of background, a lot of security experience and actually engineer a solution that will solve the problem as opposed to checking a box.

Mike Cizek (37:12)
Right.

Mark Manning (37:31)
And I think that’s going to be the difference of working with a security label provider versus just a general label and packaging provider.

Robert Sherwood (37:39)
be perfect example. A standard label printer has no procedures in place. We’re ANSI NASPO and ISO 14298 certified. And we have procedures in place, inventory, how waste is disposed of. If you have a program and let’s say you’re doing a million products a year, you have an anti-counterfeit label from a standard commercial printer. And somebody realizes that that particular label is something that is being used as an identification for security.

They could walk out a roll of labels out the back door, put it on eBay. We saw that happen for a game platform. We were producing a label. Somebody did a simulation of that particular label. They were selling that label on eBay for upwards of $20 a label so the kids could go in and change the hard drives.

I wish I could get $20 a label for the same thing. It was not going to happen. But again, it’s about if you’re going to secure the supply chain, you have to start at your suppliers. And it’s a total supply chain to really shut it down or keep it secure and closed. But you have to do that in stages. And I think that’s one of the things that people try to bite off too many portions of that supply chain security at once, or they’re just leaving some parts of it that they don’t realize, they don’t think about it should be secure. Yeah, I’ll buy labels for my label manufacturer. No problem. They can put UV ink on it and that’ll solve the whole problem. Well, you know, color shifting inks, can go for the US currency, you can go on eBay and find 25 suppliers that supply the same color as on the US currency. Again, there you have to, you can use those, but at the same time, they have to be layered and the idea is to make it more sophisticated. So again, it’s, it’s, it’s about more than just the codes, the technologies, everything else. It’s how those particular technologies are handled for suppliers and for the customers that are using them.

Mark Manning (39:44)
Yeah, because if you don’t have that secure supplier and that secure supply chain at the very foundation, that’s the foundation for your whole track and trace and anti-counterfeit solution. So starting at that point, as Robert said, gives you this solid foundation to build the rest of your program around. If you’re not secure at the beginning, it’s not going to be secure at the end.

Robert Sherwood (40:02)
And part of the situation too is you can implement track and trace and other technologies. And part of the idea today is to get the most, again, we do a lot of labeling and security tapes and seals. Well, you can combine tamper indicating technology. You can combine temperature indicating technology.

Mark’s code, forensic technologies, overt, covert and forensic technologies, and all those can work together in a unit and replace a standard label that you’re using, a prime label, or even an on-demand label you can add those technologies to, they’re still, they’re much more secure and that places the security from the beginning and not just starting point somewhere in the supply chain.

Joseph Cizek (40:44)
What I feel you’re touching upon, Robert, you’ve got your parts of this, and Mark would have his parts of this, but it’s sounding like there has to be something or someone with a bigger picture to understand how all this fits together. And this sounds like this is where a system integrator comes in and can kind of handle those details. Mike, would you like to speak to that a little bit?

Mike Cizek (41:13)
I think a systems integrator can be critical, but I think it’s first we need the experts such as Robert and Mark to share the security aspects of what they’re expecting out of this to learn from the supply chain. GS1 is not a security issue. It’s an information issue. I’m a little suspect of Sunrise 2027 because I’ve seen a lot of these initiatives like in aerospace that they had dropped dead dates and everything else and 15 years later they still hadn’t been implemented and things like this. Putting readers at the point of sale or the point of care is not a big huge issue technologically or logistically. Using that information to meet the objectives of GS1 is going to be another case.

Are all of these retailers and point of care going to be prepared for this? And I think this is what this podcast was about was GS1 and the implementation and how do we put security into it. GS1, as Mark pointed out, is not a security issue. But we can’t ignore that.

And I don’t know, certainly, Sunrise 2027 is not going to solve that. There’s a lot of issues. So for somebody to start implementing this, which is late now, they need to talk to experts like Mark and Robert. Then, I think, systems integrators, qualified people that not only are aware and educated on supply chain issues from beginning to end and GS1 are critical. Traceability, if you go back 40 years or 50 years, it was a simple case of knowing what item was where at a given point in time. Now, because of technology with codes and things like that and software, we’re expecting a lot more out of that supply chain is critical from the beginning to the end up to and past the consumer level.

Robert Sherwood (43:02)

Educating the customers and using these technologies is a big educational process. A lot of times what we find in labels, and I’m sure Mark just doesn’t send out a database of codes to anybody out there that could download it and use it someplace else, right? Well, it’s the same thing with any anti-counterfeit feature. We have to educate them. We send labels into a facility. Somebody has to be responsible for those labels, they just can’t sit on the desk whether they have codes or whatever they are. There has to be accountability there. That’s one thing that a unique, a UID on each label can also do an audit scenario within that, wherever they’re using that so that they can keep tabs on whether there are labels missing. If labels go out on the floor, they’re added to products with a UID. How many did they use? Are they returned after that production phase is finished?

Labels accounted for minus a few scrap things, scrap labels of course, but we’ve had scenarios where rolls of labels have gone missing and all of a sudden the product with those labels shows up in some other country, some other place because nobody followed the rules, kept the labels in a secure place. We lose codes. Fortunately, like Mark’s system, he could be able to detect, or there are ways for the software to detect, where is this supposed to be? Where were they assigned? And who was responsible for them so that they could then shut that down or make that supply system secure again.

Mark Manning (44:35)
I think most of what I spend my day doing is education. A lot of what I do is just helping people understand, the scope of the issue that they’re facing, and two, the options and most efficient way to fix it. So we end up doing a lot of education. It’s interesting, some of the big companies out there that put serial numbers and serialized information on their products but don’t actually track that information. There’s a very large industrial equipment manufacturer in the United States that the last point that that serial number of any of their products is read is when it’s applied to the manufacturing process. It’s never read again. They don’t know where it goes. They don’t know how it gets to where it’s, you know, in an individual item basis, how it gets to its destination. This, although as Mike pointed out, it’s, you know, track and trace has been around for a very, very long time. There’s some very large organizations that still don’t track where their products go or track individual unit items of their product.

Robert Sherwood (45:33)
This is kind of a side note but I posted something recently and a guy that was in brand protection years ago now works for a bank and he said what may be happening is brands instead of doing any kind of protection what they’re actually doing is they’re working like the credit card companies do as long as the fraud doesn’t... they’re writing the cost of counterfeits directly into their financial picture. So they’re saying as long as it doesn’t exceed X amount of percentage of our finances, then we’re fine with it. We’re not going to do anything, which is very sad actually. But there are other ramifications that they’re not realizing at this point. Brand erosion, all those kinds of things. And when it comes to pharmaceuticals, it could be people dying. And obviously that’s some other thing.

Mark Manning (46:10)
And it’s actually when you find out how big the problem is for some of these brands, it’s very, very easy to show an ROI on these solutions. I had an email yesterday with a personal care brand and their legal team are estimating that they’re losing $4 million a year, $3 to $4 million a year to counterfeit and gray market trading. That’s their legal team’s estimate. It’s $100 million business. So that’s 4% of their sales are going to counterfeit or gray market trading of their product. And that’s the loss. So we look at a calculation of, you could implement our technology. It costs you X amount per year. Even if we’re only 10% successful, you’ve got a 4X return on your investment. And if we’re 90% successful, you know, you’ve got a 50X return on your investment. So the ROI is definitely there, but it’s the education that this needs to be solved with the right technology, the right solution in the right way. And you can recover these revenues.

Mike Cizek (47:21)
Airline parts, aerospace parts can be disastrous, just like the pharmaceutical that Robert alluded to. But I talked to somebody in the automotive industry, and I won’t mention the company name, and talked about anti-counterfeit parts. And they said, it’s not a big enough problem to us to warrant doing anything beyond what we’re already doing.

Robert Sherwood (47:41)
Actually, we’re doing a project right now where a chemical company makes a chemical that is used in a commercial sense and another grade of it that is used in a medical sense. And their problem was that people were buying the commercial grade and labeling it and selling it for the medical grade. And unfortunately, some children died. And unfortunately, some companies don’t do anything until they get to that point. But we did help solve that problem and they have not had any of those issues since then. It’s kind of minor tracking in a sense, but it also has to do with tamper evidence seals and all the other technologies that the counterfeiters would have to produce or simulate or copy in order to replace those labels and change it so that it would appear to be something else.

Well, one of the things that frustrates me, and I think maybe you saw one of my posts, is that people just, even though the problem of counterfeiting, diversion, fraud is so pervasive, the general public doesn’t seem to understand how bad it really is. The idea now that there are, quote, dupes that are totally acceptable out there is also a problem for the brands. And in some cases, you know, they’re pushed, they’re close to the real thing. And major corporations are doing it.

But it’s more the true counterfeit issues when it comes to things like auto parts, airplane parts, pharmaceuticals. I’ve just run into many people that just, online pharmacies, 80% of them are illicit and you have no idea what you’re getting. And people just don’t believe it. They’re like, oh, you know, and I can tell when I talk to people, the ones that are buying their medicines online from Canadian pharmacies, you can tell in their face that they’re doing that and they never realized that they might be not getting exactly what they were purchasing. So I think that’s one of the issues. And that rolls over into the brands. We don’t have a counterfeit problem. We don’t have a diversion problem.

They know they sort of do, but they aren’t spending the time to look at it and certainly aren’t looking to use and make that product go, or excuse me, make that problem go away.

Joseph Cizek (49:52)
I was seeing you’ve put a lot of posts on the Safe Medications Initiative and everything. It was some very interesting reading.

The India pharmaceutical traceability, that the issues they’re having, there was an assumption that the initiatives from GS1 were securing things but was not. Mark, was that your post?

Mark Manning (50:14)
Yeah, there’s a series of posts on that from Dr. Chouhuri, who’s the former chief scientist at Cistec One. Avi has been in the industry for a long time. He’s a very well-known technologist in the brand protection supply chain security industry. He went out to India and needed to, while he was there, needed to find pharmaceuticals and he went out to purchase the pharmaceuticals but was unable to verify whether these pharmaceuticals he was about to purchase were genuine or fake. In fact, he understood that what was being scanned as genuine was not a genuine product. That drove him to do a deeper investigation and his initial article was seven case studies that he put together on how to circumvent the QR code based traceability initiative that was mandated by the Indian government on the top 300 pharmaceutical manufacturers. Now the project was called the top 300 and it had two components, one an international component and the other a domestic component. And this was only three or four years ago that this was implemented and it was according to the articles from Abhi Chahuri, it was heavily lobbied by GS1 as a solution for India’s drug supply chain security and provided traceability. But he found that the system was so porous, it was unfit for purpose. In fact, it was eventually a benefit to the counterfeiters in that they would just put their own QR codes on those products and it was easy to reproduce.

My understanding was that the international program had to be scrapped because of its ineffectiveness and they’re in the process of reviewing the domestic program to understand whether that needs to be scrapped, reworked or revised in some way. But currently it’s very difficult, even with the traceability program mandated by the Indian government, to find genuine pharmaceuticals or verify genuine pharmaceuticals in India.

Now, the unfortunate thing about this is it’s a QR code based traceability application. It will look to a consumer very similar to Digital Product Passport to Sunrise 2027. The same applications are being pushed into or sold into or recommended into other nations around the world, specifically in Africa who traditionally have a very high incidence of counterfeit drugs. So the frustrating part about this is that the solution that’s already proven to be ineffective, QR code based, is being deployed in other applications around the world to try and solve the same problem. So I think again, this goes back to the fact that the threat landscape is changing so rapidly. The counterfeiters are moving so much faster than the brands that the brands are just not able to keep up with the threat against their product, even with regulation from governments.

Robert Sherwood (53:21)
So I’ve had a conversation with a brand recently that they found examples of their product that had QR codes for authentication and they don’t use QR codes for product authentication. And of course that begs the question, the whole scenario of the whole program, of those types of programs.

And that’s not the first time. Back in the day, holograms were put on counterfeit products and they weren’t using holograms on genuine product. And the people that were the counterfeiters were having a area of sales than they had more percentage of sales than the genuine product did because of the hologram because people just said, it’s got a hologram. It’s got to be genuine.

Mark Manning (54:06)
Yeah, they’ve done a very good job of becoming an international standards organization that has now a commercial arm alongside it. And the two are separate, but connected and related. So people are there because they trust GS1 as the standards organization, not understanding that the commercial side of their business may have different incentives and different motivations.

Robert Sherwood (54:07)
Yeah, and they’re promoting 20 different potential uses of the QR code, which includes authentication, includes track and trace, all of that. Again, this, like Sunrise 2027, their main deal is just let’s replace the UPC code with something else that maybe somebody else can use. But that doesn’t necessarily mean it’s the best use of that particular code.

Well, I think one of the situations is, again, that printing techniques are an adjunct to the codes, whether they be Mark’s code or QR code or some other proprietary code, utilizing printed technologies on packaging. And let’s face it, in many cases, you need to put the anti-counterfeit or the track and trace features on the packaging because investigators don’t want to go out there and have to tear the packaging apart to the product to find it. It’s best if you can put technology on both the product and the packaging because then you have a paired scenario that has to match up. But again, there are times when you don’t have connectivity. I mean, everybody, the cloud is great, AI is great, but just like Verizon went down the other day. If you don’t have connectivity, you don’t have the ability to use your mobile phone or scanning, that kind of thing. And if you need to check something in the field, don’t have that capability, there need to be other multiple ways to effectively authenticate that product and know that it’s real. Again, this is mostly from the standpoint of investigative brand protection people where they’re tracking down these problems. Again, it’s very difficult to get the consumer to engage in something like this because they just don’t know or they just don’t think about, how could it be counterfeit? And even if it’s much less expensive than normal, hey, I’m getting a bargain. That’s, you know, especially today. That’s the first thing. You know, as far as industries or sectors of the economy that could use it, you know, use it where, use it in almost any sector. I mean, this is, there’s nothing that is immune from counterfeiting. We looked into the issue of somebody was counterfeiting shoe polish. Now you would think, forget shoe polish. Well, if you take a barrel of wax with carbon in it and put it in a container and then you stamp it with Kiwi, you can get four times the amount of money for it than if it just said, sure would shoe polish on it, right? Nobody would think that, but that’s a program that could be done in somebody’s garage easily, but it could do serious damage if they started really expanding that particular program. So again, it’s everywhere. You need to use, look at the tools, look at your problem and then make the right decision as to which technologies, which programs. And that includes, you have to look at the scenario from investigation, online monitoring, all of those things because you can’t just silo this because you need all the different types of points of data in order to have a program that really works for you.

Mark Manning (57:35)
The organizations that we work with are very large organizations. There’s many, many stakeholders in these different programs. So getting the sponsor in the organization that is able to understand the ROI of a program like this and is not out to just check a box for a regulatory requirement, they’re actually trying to solve a business problem. That’s the people that we get involved with, the people who are looking to solve real business problems that they have with counterfeit, gray market trading, an insecure supply chain, and want to solve those problems with a solution that has real effectiveness, as opposed to I’m checking a box that says I need to comply with this requirement. So I think that’s the, you know, the getting buy-in from all of the different stakeholders, having all the executives involved in driving these kind of programs forward is the critical piece to the success of these programs. And that’s generally the organizations and the companies we work with.

Robert Sherwood (58:31)
I’d like to add too, as the times are changing here and people are relying on AI and they’re going out and doing their and there are all these hallucinations in AI and there are all of these different solutions that are out there, I think sometimes people are getting this, there’s a lot of misinformation and I think that sometimes people grasp onto the misinformation because in some cases it seems like an easier solution but not realizing they’re just spinning their wheels or they’re going to be spending resources on something that isn’t going to work because they’ve got no experience in the space to really look at it from a holistic standpoint. And I think that’s something that a company, a person, a group that has experience and basically has seen many of the scams that are out there so that they can address those that may not be thought about by people that are looking to fix a problem within their company when it comes to counterfeits, track and trace, diversion, those kinds of issues.

Joseph Cizek (59:29)
Mike, any closing comments from you?

Mike Cizek (59:33)
I just think that we have two great experts here talking about the GS1 in general, Sunrise 2017, and its implications in the supply chain. I think it’s been a great session.

Joseph Cizek (59:48)
For further reading, to answer some questions we have for the audience, and to direct your own questions to today’s participants, please visit the episode page for this podcast at Traceability.FYI/podcast1. You can learn more about iTrace and VeriTrace and make contact with both Mark and Robert by visiting their member pages at Traceability.FYI/members.

Thank you, Mark. Thank you, Robert. And thank you, Mike. And thank you, audience, for your time. Have a great rest of your day.

Robert Sherwood (1:00:17)
Thank you for inviting us.