On Display in Booth 1414
S-OneLP will co-present the power of overt and covert security and authentication printing with the experts at VerifyMe. We’re showcasing state-of-the-art technology, paired with HP Indigo capabilities, allowing printers to offer the latest in security printing. You won’t want to miss this demonstration!
In the booth, we’ll break down all the materials and expertise behind short-run flexible packaging printing. We worked with some of your leading peers who have mastered this — and are boosting their bottom line with their new capabilities.
Holly Gilbert | Security Management
Every year, a staggering $250 billion is lost in the economy due to counterfeit goods being produced and sold in the globally, according to the Organization for Economic Cooperation and Development. Many of those fake goods are touted online, which is all the more reason both retailers and consumers should be on the lookout for counterfeit goods during the holiday shopping season, says Neil Alpert, chief executive officer of Laserlock Technologies.
“The Internet—while we all love it—is also the best friend of the counterfeiter,” says Alpert, who explains that online shopping puts a distance between the consumer and the item, leaving the buyer unable to evaluate its authenticity. “If you think about it, you go online, you buy an item, you never see the person who’s selling it to you, you don’t know where they’re located; you don’t actually get to see the physical item until it arrives at your house.”
Alpert says that counterfeiters are masters at quickly setting up Web sites to sell their items, and can take them down in a matter of seconds. “The other thing about online shopping is that by the time that product is shipped to you, the person on the other side of that Web site could be gone. That Web site is closed down today, a new Web site is open tomorrow,” he says.
Fortunately for consumers, the U.S. government is cracking down on such sites as they’re discovered. Alpert says that Immigrations and Customs Enforcement (ICE) has shut down a number of Websites selling fake goods. “Seven hundred websites selling fake counterfeit goods have been shut down in the last three weeks alone, and those are the ones they can find when they shut one down a new one comes up,” he says.
While there are federal efforts to squelch online retailers selling counterfeit products, Alpert says both businesses and consumers should take a proactive approach to safeguarding what they buy and sell. “There are technologies and ways out there today that could cut down that number significantly. I would be lying if I said it could be cut down to zero, but it could be cut significantly,” he says.
LaserLock Technologies provides one such solution called BrandGuard, a tracking system achieved through the printing of numbers on items and packaging. “The way BrandGuard does that is through something called item level serialization, where every item that a legitimate brand produces, let’s say Louis Vuitton or Pfizer as examples, every package of medicine that Pfizer produces will have a unique serial number associated with it, and throughout the demand chain and right to the end user that item is able to be authenticated,” says Paul Donfried, chief technology officer at LaserLock Technologies.
Donfried explains that the solution works for the consumer as well, who can verify the product they are buying is legitimate through an authentication app. “In the case of an online merchant, the consumer could ensure that the online merchant makes the image of that mark available to them, and they can then locally authenticate it through their browser, and then what that can do for the consumer is verify that one, yes this is an authentic genuine article, and this particular merchant has been authorized by that brand owner to sell it.”
LaserLock Technologies has developed their product to make the serial numbers nearly untraceable to counterfeiters to prevent duplication. “We’ve taken two approaches to try and secure [BrandGuard] and make it resilient. One of those is to leverage the security pigments and inks which were our core products that we introduced in 1999” Says Donfried. “Those products allow us to put invisible marks onto products and packages that can be authenticated. And we’ve developed image processing technology that allows us to take conventional smart phones and use those to authenticate and recognize those invisible marks.”
Secondly, the company leverages encryption to ensure that the tracking number, even if detected, would be meaningless to a counterfeiter. “Rather than simply putting open marks onto the packages and products, we take the serial numbers that are unique to each item and we use advanced cryptography to encrypt those,” says Donfried.
The encrypted numbers are then put into a machine readable format, such as a barcode or GS1 DataMatrix. “What that produces is a system where, even if the counterfeiter is able to detect the mark, and even if the counterfeiter is able to recognize the mark, once they decode the QR code or the GS1 DataMatrix, they’re left with the encrypted blob and they have no way of determining what that encrypted blob represents.” For anyone authenticating the product with LaserLock’s app, a request is sent to a cloud service where the barcode or GS1Matrix is verified.
Laserlock Technologies is still in the process of rolling out the full components of BrandGuard, including the app for consumers to crosscheck retail items. Donfried says there is a lot of change already occurring on the side of the retailers in order to get BrandGuard fully up and running. “We have the central components of BrandGuard in place today. There are additional pieces that we continue to develop and work on and add into the system, but the core capabilities of the system, the cloud services for managing, the item level serialization, the inks and dyes for creating and applying the marks, the interfaces for the printing systems, those things exist today and we’re in the process of working with customers currently under nondisclosure,” he says.
WASHINGTON, DC--(Marketwired - Sep 8, 2014) - LaserLock Technologies, Inc. (OTCBB: LLTI), a leader in protecting companies, industries, governments and individuals from the rising threat of counterfeiting and fraud, announced today that it has signed an agreement to license its VerifyMe™ Identity Services platform to a major financial services advisory firm that consolidates hundreds of billions of dollars in assets for its 100,000 investment banking clients.
This financial institution, which actively updates holdings from thousands of institutions nightly, will use VerifyMe™ to protect against identity fraud when logging onto its system. The system is indispensible to firms in three countries and in all fifty states. LaserLock will generate revenues based on a user fee/annum.
VerifyMe™ Identity Services is a multi-factor authentication solution that conforms to the highest security standards set out by the US National Institute of Standards and Technology (NIST) -- Level 4. The platform utilizes three human authentication factors to verify something you are, generally a biometric such as facial recognition; something you have, generally possession of a smartphone or other connected device; and something you know, for which VerifyMe™ utilizes a high-integrity gesture swipe. The system also has the ability to geo-tag users in applications for which geo-location information is necessary.
"Identity theft is no longer just the tagline of television and movie scripts. People can barely open up a newspaper or turn on the television without hearing about another identity breach. LaserLock's technologies were created to put an end to what has unfortunately become a daily occurrence," said Neil Alpert, chief executive officer. "We are very proud of this milestone in the financial services industry. Now is the time to replace the broken system of passwords and VerifyMe™ is the ideal technology to do so."
"LaserLock's robust VerifyMe™ platform was developed to protect the millions of Americans who every year fall prey to identity fraud and password breaches online. By using VerifyMe™ people no longer have to worry that their passwords are too simple and will be hacked because VerifyMe™ replaces passwords all together," said Paul Klapper, director at LaserLock Technologies.
As a matter of confidentiality, LaserLock Technologies does not currently release the names of its clients.
ABOUT LASERLOCK TECHNOLOGIES, INC.
LaserLock is a high-tech solutions company in the field of authenticating people and products. It offers state-of-the-art solutions to combat identity fraud and counterfeiting utilizing multi-factor authentication and a suite of security pigments for governments, health care providers, the gaming industry, the financial services industry and high-end retailers.
PHILADELPHIA INQUIRER—LaserLock Technologies Inc., a Washington company that was founded by Bala Cynwyd inventor Norman Gardner to develop identity-verification technology, said it signed a 10-year, $7 million contract with a Mexican gaming company for LaserLock's VerifyMe Identity Services, which will be used to authenticate players in online casinos run by the company and to meet requirements of anti-money-laundering laws in Mexico. LaserLock did not identify the company. - Reid Kanaley
CHICAGO (AP) — Good thing she doesn't need a password to get into heaven. That's what Donna Spinner often mutters when she tries to remember the growing list of letter-number-and-symbol codes she's had to create to access her various online accounts.
"At my age, it just gets too confusing," says the 72-year-old grandmother who lives outside Decatur, Illinois.
But this is far from just a senior moment. Frustration over passwords is as common across the age brackets as the little reminder notes on which people often write them.
"We are in the midst of an era I call the 'tyranny of the password,'" says Thomas Way, a computer science professor at Villanova University.
"We're due for a revolution."
One could argue that the revolution is already well underway, with passwords destined to go the way of the floppy disc and dial-up Internet. Already, there are multiple services that generate and store your passwords so you don't have to remember them. Beyond that, biometric technology is emerging, using thumbprints and face recognition to help us get into our accounts and our devices. Some new iPhones use the technology, for instance, as do a few retailers, whose employees log into work computers with a touch of the hand.
Still, many people cling to the password, the devil we know — even though the passwords we end up creating, the ones we CAN remember, often aren't very secure at all. Look at any list of the most common passwords making the rounds on the Internet and you'll find anything from "abc123," ''letmein" and "iloveyou" to — you guessed it — use of the word "password" as a password.
Bill Lidinsky, director of security and forensics at the School of Applied Technology at the Illinois Institute of Technology, has seen it all — and often demonstrates in his college classes just how easy it is to use readily available software to figure out many passwords.
"I crack my students' passwords all the time," Lidinsky says, "sometimes in seconds."
Even so, a good password doesn't necessarily have to be maddeningly complicated, says Keith Palmgren, a cybersecurity expert in Texas.
"Whoever coined the phrase 'complex password' did us a disservice," says Palmgren, an instructor at the SANS Institute, a research and education organization that focuses on high-tech security.
He's teaching a course on passwords to other tech professionals later this summer and plans to tell them that the focus should be on unpredictability and length — the more characters, the better.
But it doesn't have to be something you can't remember. If a site allows long passwords and special characters, Palmgren suggests using an entire sentence as a password, including spaces and punctuation, if possible: "This sentence is an example."
He also suggests plugging in various types of passwords on a website developed by California-based Gibson Research Corp. to see how long it could take to crack each type of password:https://www.grc.com/haystack.htm
According to the site, it could take centuries to uncover some passwords, but seconds for others.
Lidinsky recommends using a "simple mental algorithm," including those that use a space, if a site allows that. As an example, he says one might try "Ama95 zon" for an Amazon account, and "Yah95 oo" for a Yahoo! account, and so on. (But choose your own combination.)
There are other ways around the password headache.
Some people have taken to using password generators, which create and store passwords for various sites you use. Generally, all the user has to remember is a master password to unlock a generator program and then it plugs in the passwords to whichever account is being used. There are numerous password managers like this, including LastPass and Dashlane and 1Password.
Some wonder whether it's wise to trust services like this.
"But sooner or later, you have to trust somebody," says Palmgren, who uses a password manager himself.
Other solutions are surfacing, too.
Researchers at the University of York in England are developing a new authentication system called Facelock that asks you to identify familiar faces to get into an account or device.
The Canadian government, meanwhile, has partnered with a company called SecureKey Technologies, which allows citizens of that country to log onto government sites, such as the country's tax bureau, using a username and password from partner financial institutions, including TD Bank. Because SecureKey serves as the go-between, the system's developers say the bank username and password are not ultimately shared with the government site. Nor does the bank receive any information about which government site the user is accessing.
SecureKey is now working with the U.S. Postal Service to provide American citizens with similar access to federal health benefits, student loan information and retirement benefit information.
Ultimately, experts say, reducing the stress of online security — and decreasing reliance on passwords — will rest on what's known as "multi-factor identification."
Those factors are often based on three things:
1. "What you know" — a password, security question or some sort of information that only you would know (but that doesn't have to be difficult to remember, just exclusive to you);
2. "What you have" — a phone, tablet or laptop — or even a card or token — that an online site or tech-based retail outlet would recognize as yours;
3. "What you are" — biometric information, such as face recognition or a thumb print.
Banks could use this authentication process, for example, using cameras that already exist at ATMs, says Paul Donfried, chief technology officer for LaserLock Technologies Inc., a Washington, D.C.-based company that develops fraud prevention technology for retailers, governments and electronics manufacturers.
"We now have the ability to shift complexity away from the human being," Donfried says. And that, he adds, should make the pain of the password disappear.
Back in Decatur, Spinner has to think about all that for a moment. It sounds rather daunting, she says.
For one, the issue of privacy is still being debated when it comes to biometrics.
But then Spinner considers the piece of paper that contains all her passwords — the one she typed that's gotten so difficult to read because she's crossed them out and created so many new ones.
"Anything to make it easier for those of us who are technology-challenged," she says," I would be in favor of."
Jen A. Miller
No cash to pay that dinner check? Instead of running to an ATM or waiting to pay your friend back later, you could use a smartphone app to settle up with her right now.
- Convenient compared with the alternatives.
- No or low cost.
- Eliminates risk of losing a paper check or paper money.
- Some services charge a fee.
- Not as instant as getting cash in hand.
- Potential hacker target as they become more popular.
- In many cases, both parties must sign up for the service to make or receive payments.
Odds are you've probably never tried it. While smartphones are pretty ubiquitous these days, sending money to a friend with one isn't, says James Wester, global payments research director at IDC Financial Insights.
These apps are being pitched as a way to split a check with friends, but the average amount transferred, he says, is in the $300 to $400 range, and is typically for things like roommates giving each other money for rent and utilities, Wester says.
"When you pitch that peer-to-peer service as being something for small things you might normally handle with cash, I don't think it's resonated very well yet," Wester says. "I do think that over time, peer-to-peer payments will be something a little more common once people discover on their own the usefulness of it."
Sending money via your bank's smartphone app or mobile site
Many banks have either created their own peer-to-peer programs or hired companies like Fiserv or ClearXchange to set one up for them.
Each bank has its own fee schedule, but most offer the service for free.
One provider of such services is Popmoney, a product of Fiserv that's used by 1,800 banks and credit unions including Wells Fargo, Chase and Bank of America.
Cost: 95 cents, paid by sender.
Whom you can send to: Anyone with a mobile phone number or email address.
How: Users can access the service through banks' apps and mobile sites. Those whose financial institutions don't offer it can still use Popmoney on a third-party basis through the Popmoney app or Popmoney.com.
Limits: If not requested by another user, $500 per day and $1,000 per month if drawn from a debit card; $2,000 per day and $5,000 per month if from bank account to bank account. You can request $1,000 per day and $2,500 per month. You can also pay requests through Popmoney of up to $2,500 per day and $4,000 per month.
Speed: After a request is accepted, the money will appear as early as the next business day for transfers through a debit card and three business days for transfers through a bank account.
Whom it's for: People who want to make peer-to-peer payments through their banks.
Sending money via 3rd-party apps
With these apps, tech companies have gotten into the financial services game to allow users to send money regardless of where they choose to bank.
Most of these are no or low cost, says Wester, because tech companies want people to feel comfortable paying with the Web or their phone.
"Once you've gotten someone comfortable with making a payment to friends and family, it becomes a little bit easier," Wester says.
Here are four of the most popular options:
Cost: Free when sending money from a bank account within the U.S. or from your PayPal account balance; 2.9% plus a 30-cent transaction fee when sending from a debit or credit card.
Whom you can send to: Anyone with a mobile phone number or email address.
How: You can give or ask for money through PayPal.com or the PayPal app. If your bank account is linked to your PayPal account, you can send money right from there. Otherwise, you pay via credit or debit card, which involves a higher fee.
Limits: Limits for unverified PayPal accounts vary per account. For verified accounts, total value of payments is unlimited, but you can send only up to $10,000 per single transaction.
Speed: Payment into another PayPal account is made instantly, but it takes three to seven business days to transfer money out of a PayPal account and into a bank account.
Whom it's for: Current PayPal customers and those who don't want their friends to have to sign up for a payment service to get their money. Paul Donfried, a former Verizon CTO and current chief technology officer of LaserLock Technologies, also recommends PayPal for consumers with security concerns since this is an established, legacy company.
Whom you can send to: Another Square Cash user.
How: Transactions can be either made through the Square Cash app or through email. If you want to send through email, the recipient will still need to sign up for Square Cash service. Once you've done that, you can email your friend with firstname.lastname@example.org in the "Cc" field on the email and then put the amount of money you want to send in the subject line.
Limits: $250 per week, or $2,500 per week when you upgrade by providing Square Cash with detailed personal information.
Speed: Funds are deposited into your bank account in one to two business days.
Whom it's for: Current Square Cash customers and those who want the money in their bank accounts as quickly as possible.
Cost: Free when you send money from a Google Wallet balance or bank account; 2.9% (30-cent minimum) when sent from a debit or credit card.
Whom you can send to: Another Google Wallet user. If they've ever purchased anything on Android's app store, Google Play, they probably already have an account.
How: Through the Google Wallet app, choose a friend through their phone number, email or Facebook account, type in the amount of money you want to give your friend, and then send.
Limits: $10,000 per transaction and $50,000 per five-day period.
Speed: Instantly for payment to be added to your Google Wallet balance. Transferring money out of Google Wallet and into a bank account takes three to four days.
Whom it's for: Google superfans and those already using the Google Wallet.
Cost: Free if sending money from a Venmo balance, bank transfer or debit card; 3% if sending from a credit card.
Whom you can send to: Another Venmo user.
How: Through the Venmo app, choose a friend through their phone number, email or Facebook account, type in the amount of money you want to give your friend, and then send.
Limits: New, unverified users can send up to $300 per week; after verification, which can be done through Facebook or a partial Social Security number, users can send up to $2,999.99 per week. Users can receive unlimited funds.
Speed: Instantaneous between Venmo accounts, and it takes one to two business days for money to be transferred out of Venmo and into a bank account.
Whom it's for: Debit card users who want to avoid fees.
Other money transfer apps include Dwolla and the new service, Ribbon.
Mobile wallets are only as secure as your phone is, Donfried says. Even though there hasn't been a big hacker attack on mobile wallets, it's a possibility if they become more popular. Plus, someone can just take your phone.
"Somebody can steal your phone, and if they know your PIN they can transfer money whenever they want," Donfried says.
If the mobile wallet has additional security features, like requiring a password authentication for every transaction, use them. Google Wallet offers a two-step authentication that not only requires a password to get into Google Wallet but also texts you an authorization code every time you want to make a transaction.
With a few simple precautions, you can get that pesky check settled -- safely.
IEEE Spectrum | By Willie Jones
More clarity about the vulnerability of banking and credit card data and other sensitive information such as website logins and passwords came this week, when a Google researcher and a team from the Finnish security firm Codenomicon separately reported the existence of an Internet security flaw that is being called the Heartbleed Bug. What makes Heartbleed so insidious is the fact that it can allow hackers to snatch data from a server’s memory 64 kilobytes at a time—even if the information is supposedly encrypted—without leaving a trace. While the end user takes comfort in the ability of SSL/TLS encryption to keep his or her data from prying eyes, the “https” in the URL and the closed padlock icon are a cruel trick.
Since the news broke, websites have responded, updating their versions of OpenSSL, one of the most commonly used variants of SSL/TLS. These protocols were designed to implement asymmetric cryptography, wherein a unique private key is generated for each communication session in order to encrypt and authenticate the messages exchanged between the parties. But the flaw made data such as these keys and the information they were intended to keep secret far too easy to access. What’s more, the operators of the websites were completely unaware that this was possible.
How big a problem is this? Security expert Bruce Schneier, on his eponymous blog, says that, “…anything in memory—SSL private keys, user keys, anything—is vulnerable. And you have to assume that it is all compromised. All of it.” Not to put too fine a point on it, he added, “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
Is Schneier being sensationalist? Unfortunately, he’s not.
He reported that half a million sites that used OpenSSL—including his own—were vulnerable. That’s the bad news. The worse news is that the vulnerability, which left e-mail, instant messaging, and e-commerce and everything else open to plunder, went undetected since the affected version of OpenSSL was released in March 2012.
A Washington Post article discussing Heartbleed tried to take a glass-is-half-full view of the situation, noting that, “While it’s conceivable that the flaw was never discovered by hackers, it’s nearly impossible to tell.” But if you believe that no cybercrooks exploited this target of opportunity, I’ve got some oceanfront property in a landlocked country that you might be interested in.
At least we know that the flaw wasn't injected as part of a malicious scheme. Robin Seggelmann, the German developer who OpenSSL logs show introduced the bug in December 2011, says it was completely unintentional. Ironically, Seggelmann's task included fixing several existing bugs in the code and adding new features. "In one of the new features," he told the Sydney Morning Herald, "unfortunately, I missed validating a variable containing a length."
The work of closing the barn door well after the horse has left the county is now underway. A patch has been created for OpenSSL and websites that have updated their software are advising their customers to update their passwords as a precaution. But Paul Donfried, CTO at LaserLock Technologies , a firm that sells products for digital authentication and prevention of counterfeiting and identity fraud, says the fix that is sorely needed isn’t a patch.
In response to the Washington Post article, he wrote:
“As most Internet users change all their passwords in response to Heartbleed, and most system administrators patch OpenSSL and install new certificates, perhaps it’s time to ask why anyone is still using passwords for authentication? While strong authentication incorporating biometrics can’t protect a compromised SSL session, it can avoid identity theft, replay attacks, and all the pain and suffering we’re all now going to have to deal with. The availability of strong authentication solutions that incorporate face and voice recognition, and work with users existing equipment, begs the question: Why would websites that truly want to protect their users continue relying on passwords, PINs or any shared secrets? Much stronger, easier to use and more resilient solutions are readily available.”
Donfried's company sells technology designed to accurately identify who is participating in a transaction, which would prevent online security lapses from leading to subsequent misuse of pilfered login credentials. So it stands to reason that he'd be focusing on that. But his main concern was that security problems like Heartbleed don’t erode overall confidence in the Internet.
“As an industry and an Internet community we have a responsibility to make sure that before new security protocols are released, they are thoroughly tested—at a military-grade level,” says Donfried.
He, naturally, is a proponent of biometric authentication combined with out-of-band communication for the authentication process. “Even if the sites where I have my sensitive data aren’t compromised, chances are good that I’ve reused passwords from other sites that have been compromised,” he says. Meanwhile websites are offering only an illusion of security. “Usually the first thing transmitted over an SSL channel is authentication information. It’s unfortunate that a vast majority of sites using OpenSSL were relying on the security protocol to guard that data.”
All this begs two important questions: What other “catastrophic” Internet vulnerabilities remain undiscovered? And how long will login-password authentication model remain the default?
The Washington Post
The massive cyberattack on Target last year unleashed efforts to protect consumers from crooks swiping credit card data from in-store transactions. But as retailers and regulators scramble to develop a solution, hackers have already moved on.
Most hackers are focusing their efforts on online transactions — increasingly with an eye on those conducted over smartphones or other mobile devices.
In other words, retailers are two steps behind the criminals.
While cyberattacks on physical systems, such as registers, card readers and gas pumps, have garnered a lot of attention lately, shoppers' online transactions are much more likely to fall victim to hackers, security experts say.
Mobile malware accounts for a small part of data breaches — Cisco estimates that malicious software targeted at mobile devices comprise only 1.2 percent of all Web malware — but security experts say it is growing at a frightening pace. MacAfee recentlyreported that the number of malware targeting Google’s Android operating system nearly tripled between 2012 and 2013, to 3.7 million.
“Although not a significant percentage, it is still worth noting because mobile malware is clearly an emerging—and logical—area of exploration for malware developers,” Cisco researchers wrote in the firm’s latest annual report outlining major security threats.
For retailers, that trend is particularly troubling. Shoppers have embraced mobile transactions, and retailers are happy to accommodate them, adding easy ways to buy goods with just a few taps on a smartphone or tablet. IBM Analytics reported that, on Cyber Monday 2013, mobile shopping accounted for 17 percent of all online sales -- an increase of 55.4 percent year over year.
When big companies start paying attention, however, so do fraudsters. Mobile malware started in the early 2000s as a way to scam users by tricking them into dialing pay-per-call numbers or responding to messages that tacked on service charges to their bills. But now, the mobile channel can turn over real money, and a time when security measures are still in early stages of development.
In 2012, Visa e-commerce company CyberSource estimated that around 1.4 percent of all mobile commerce revenue was lost to fraud -- between $300 million and $400 million -- as compared to the 1 percent lost to online fraud.
Much of the problem is that average consumers aren’t attuned to figuring out when they’re being targeted by malware on their phones, experts said. Links are often truncated for small screens, for example, keeping people from noticing that the address they’re trying to go to isn’t what it says it is. Similarly, a text message from a friend telling you about a new app or a cool Web site may seem genuine but turn out to take you somewhere you don’t want to be.
And then there are apps.
“With computers, you mostly get malware through exploits -- you browse the Web site, and you get infected,” said Mikko Hypponen, chief research officer for the security firm F-Secure. “That never happens on phones.”
On phones, he said, attacks happen because customers actively download a program that looks legitimate but has hidden features that tap into phones to collect information. This kind of mobile malware is mostly a problem for Android phones; Cisco reported that 99 percent of the malware it discovered for smartphones in 2013 targeted Google’s mobile operating system.
But other users aren’t completely safe from attack either, as consumers can also get attacked by clicking on errant links in social media or having their information intercepted if they use unsecured WiFi networks to shop.
One solution, security experts say, is to quickly educate shoppers about mobile security risks and to build in strong mobile security protocols in store apps and other mobile commerce platforms, such as biometric solutions.
Paul Donfried, chief technology officer of the security technology firm LaserLock, said that building secure solutions through voice recognition or fingerprint scanning could help cut down on fraudulent or even accidental purchases -- especially for parents who hand their devices over to their kids. The only trick is making sure it’s easy enough for shoppers to verify their identities without having to jump through too many hoops to prove who they are.
“If authentication technology can be simple enough to use and noninvasive, our customers see this as a good thing...because it makes it clear to them that someone’s looking out to protect their identity,” he said.
ABNOTE IS AWARDED CONTRACT FOR IDENTIFICATION CARDS IN DOMINICAN REPUBLIC, LASERLOCK'S TECHNOLOGY INCLUDED
ABnote, a leading global card manufacturer and provider of secure financial and credentialing solutions, announced that they, along with their partner, Copy Solution International (CSI), have been contracted to design and manufacture 7 million identification cards for the Dominican Republic. The Dominican Republic Central Electoral Board (JCE) will personalize the licenses locally.
As part of the pre-award evaluations, the cards were put through rigorous testing in a public setting, with representatives from government agencies, members of the Tender Commission, personnel from all companies involved, and the media. ABnote is supplying their Dura-7™ card, which has a lifespan of over seven years, to meet ISO requirements for identification card durability. ABnote’s secure design team incorporated state- of-the-art security features into the card design, including DuoChrome+TM ink, a pigment exclusive to ABnote under license from LaserLock Technologies, Inc. This unique pigment utilizes green technology to change color instantly when viewed under fluorescent and other kinds of light sources, enabling immediate authentication.
“We were pleased to work with ABnote on this project,” said Ruben Cordero from CSI. “With over 200 years of experience in the international market, they are able to provide outstanding expertise in card security and engineering, while maintaining the highest quality in the manufacturing process.”
“Our vast experience and expertise in producing secure identification credentials affords us the hands-on knowledge to successfully deliver solutions that meet even the most demanding requirements for security, durability and functionality, ” comments Uwe Ludwig, CEO of ABnote’s International Business Unit. “It’s been a pleasure to work with CSI and the others involved in this project, and we look forward to a successful implementation.”
TweakTown | by Michael Hamamoto
As multiple retailers learned over the past few months, improving security to defend against cyberattacks such as malware can be extremely difficult.
The massive data breach at Target garnered the most attention, but attacks against everyone from Neiman Marcus to Smucker's and Sally Beauty show consumers they need to closely pay attention to personal security.
"If authentication technology can be simple enough to use and noninvasive, our customers see this as a good thing... because it makes it clear to them that someone's looking out to protect their identity," said Paul Donfried, LaserLock CTO, in a statement.
Moving forward, security companies are developing next-generation anti-malware solutions designed to protect retailers - though consumers need to be aware of the links they click on and apps they install - with cybercriminals successfully using social engineering to cause breaches.
Federal agencies don’t have the best track record when it comes to controlling the level of access employees have to sensitive databases and systems.
Edward Snowden and Chelsea Manning — formerly Bradley Manning — proved that. But it doesn’t take a gifted system administrator or intelligence analyst to create problems or full-blown havoc at an agency.
Think about it: All employees have varying degrees of access, not only to internal technology systems but also to agency facilities. Those privileges should be cut off immmediately after an employee has severed ties with an agency, but that doesn’t always happen. Further, when employees change positions, such as through a promotion or transfer, their authorized access levels also change, leaving human resources, information technology staff and direct managers with the task of coordinating to ensure that access is either cut off or modified.
“There isn’t a standard way, and there ought to be,” said Paul Christman, vice president of the public sector for Dell Software. Christman said there are variations in agency processes for on-boarding and off boarding employees.
A 2013 survey by Dell Software and Market Connections found that 54 percent of agencies take longer than a day to de-provision users, or shut off their access to agency facilities, files, folders, applications, databases and other physical and logical access points. The survey included responses from 200 federal IT decision-makers.
Considering that thousands of employees enter and exit the government each month, any de-provisioning longer than a few hours represents a gaping security hole, the report notes.
A terminated employee can use an active badge to access the facility after hours to remove confidential information, or leak documents through malicious or inadvertent exposure.
“Most organizations, not just government, are terrible at that,” Paul Donfried, chief technology officer at LaserLock Technologies,” said of rapidly de-provisioning users. Generally, it’s because HR and IT are separate functions. And enabling capabilities for new or existing employees becomes the priority.
De-provisioning users is an area where agencies can mitigate the security threat through automated systems and dramatically speed the process, Dell Software notes in its report. “Manual de-provisioning is time-consuming — staff must track down not only the user’s identities, but all instances of systems or applications in which that identity is given access.”
Another option: moving identity and access management services to the cloud as a way of consolidating and automating services. Some agencies are still skittish about turning the reins over to a cloud provider because of security concerns, but others are exploring the benefits. The report notes that automated services enable organizations to consistently enforce policies and regulations, while improving security.
LaserLock, based in Pennsylvania, USA, has developed a number of light-con- verting pigments for product protection and security document use. Founded in 1999 by Norman Gardner, LaserLock had its first successful technology launches in the gaming industry, pre- venting revenue losses from counterfeit dice and chips. In January 2013, it acquired VerifyMeTM, a biometric verifica- tion company, hired a new management team, and appointed a new board of directors of business, government and non-profit leaders.
The company has several patents, each covering a specific variation on its light-converting materials. It received its first patent in 2002 for RainbowSecureTM(US Patent #6483576), an IR up-converting ink invisible to the human eye which is activated with laser beams tuned to correspond to a unique frequency matching each batch of ink. In January 2004, it received its second patent, for the product it calls SecurDox (US Patent #6,672,718), which enables printing of selective invisible informa- tion with a standard desktop printer.
Later in 2004, a third patent was issued for an applied ink with two levels of security, overt and covert. This prod- uct, called Rub&Secure (US Patent #6,813,011) was designed to help secure supply chains with an overt ele- ment which becomes visible when rubbed with a finger. In 2005, a fourth patent was issued for InkJetSecureTM(US Patent #6861012), a method for coating pigments for use in inkjet printers which can then be used to invisibly mark and track products through proprietary track software. In 2011, a fifth patent was issued for SecureLightTM(US Patent #7939239) for pigments that instantly change colour under both CFL (com- pact fluorescent light) and LED light sources.
In 2013, LaserLock filed four patent applications: one for an enhancement to SecureLight called SecureLight+, that incorporates multiple covert and overt
features into a colour-changing security ink; a second for SequrPaperTM, to protect classified and secure documents from removal or copying; a third for the Characteristic Verification System, the underlying technology behind LaserLock’s combination of security inks and digital technology; and a fourth to allow LaserLock’s customers to simultaneously perform multiple authentication mechanisms on digital devices.
Customised Combination Ink
Paul Donfried, Chief Technology Officer, discussing RainbowSecure says: ‘We have three particular pigments: one that emits green, one that emits red, and one that emits blue. We can actually combine them to formulate an ink for a particular customer or product line’. RainbowSecure can be verified by illu- minating with IR energy so that it is vis- ible to the eye typically with a laser.
‘With cards and dice, the dealers and the pit bulls will have a little IR laser pen and when they want to verify the authenticity of the product, they point the pen at the product to look for the colour we have created for them,’ said Donfried. ‘A laser has the advantage of being a small, compact inspection tool, but the disadvantage of lasers is spatial coherence and spectral coherence of a very small beam, so to read marks or logos or machine-readable marks like a QR Code or GS-1 Datamatrix you need a bigger illuminator. We tend to use IR LED illuminators’.
In contrast to RainbowSecure, SecureLight is overt. According to Donfried, it takes advantage of the unique spectral emission characteristics of fluorescent lighting. ‘If you look at emissions of a fluorescent light, either a compact or a tube like in most offices, there is a discrete, well defined spectral emission, and that emission, particularly the peaks, is quite different from any other light source including LED, halo- gen, incandescent, or sunlight’. SecureLight appears one colour under
fluorescent lighting and another colour under all other light sources. Three colour combinations are available: pink, purple or green under fluorescent light- ing and changing to beige, light green, or grey respectively under other light sources. ‘We are comparing and leverag- ing matched and mismatched narrow spectral bands. The matched bands being the fluorescent spectral emission bands, SecureLight appears to be one colour when it is under a matched spec- tral emission source, and a distinctly dif- ferent colour when under any other spectral emission source,’ added Donfried.
Managing the UUID
LaserLock’s BrandGuard builds upon the multi-characteristic pigments of RainbowSecure along with invisible QR codes to provide item-level serialisation that uniquely authenticates individual items and fully supports track and trace applications. Embedded in the invisible QR code is an encrypted Unique Universal Identifier (UUID). LaserLock provides a cloud service that fully manages UUIDs and the encryption/ decryption process using military-strength, standards-based cryptography to manage, activate, revoke, and terminate codes. This sys- tem can interact with retailer and brand owner product management systems. For high value goods, merchants can reg- ister a consumer at point of sale with the UUID. If the item is stolen, the con- sumer can report it, and with the invisi- ble UUID, original ownership and evi- dence of theft can be established. Even if the thief isn’t caught, returning the item to a warranty centre for service would cause it to be flagged in a data base as stolen, and the manufacturer could refuse to service it and then seize it.
LaserLock plans to continue to inte- grate, improve, and design its technolo- gies so that product manufacturers and their consumers can have a relationship nearly free of middlemen and infringers intent on cheating or harming them.
LaserLock also decided they needed a way to identify the human being per- forming the authentication. For some applications this was for product regis- tration, for other applications this was so that specific information could be relayed back to specific inquirers along the supply chain. This was the reason LaserLock acquired VerifyMe. ‘This now allows us to do very strong authen- tication of human beings using multi- factorial authentication. We authenti- cate people by proving they have their registered smart device, a knowledge factor, and facial recognition,’ said Donfried. ‘We use the built-in camera on smart phones for facial recognition’. This system continues to be marketed as a stand-alone product but ultimately LaserLock plans to integrate it into their brand owner service platform.
As most LaserLock solutions are print-based, the technologies tend to be priced in the fractions of a cent range for even high value items.
Over the last 35 years, I have witnessed firsthand many drastic changes in the manufacturing industry, but nothing has ever compared to the entrance of counterfeiting. However, the criminal underground should not be exclusively faulted, because the manufacturing industry has unwittingly but directly contributed to the explosive growth of the counterfeit and the gray market (a system of trade that’s unauthorized, unofficial and frowned upon, but not illegal).
Historically, the growth of the global counterfeiting industry has been attributed to seven driving forces, including:
- A slumping economy
- Low-cost, advanced technology
- Trade globalization
- Consumer complicity
- Channel and market expansion
- Powerful global brands
- Weak international regulations and enforcement
The explosive growth in counterfeiting is mainly attributed to the digital era, as the Internet turned counterfeiting into a low-risk market by affording counterfeiters a nearly unlimited global market, low-cost communications and potential anonymity. Additionally, the general practice of information sharing allows counterfeiters to readily access proprietary information and ultimately capitalize on the demand for high-end brands.
Assess your vulnerabilities
Given the fragile nature of a manufacturer’s most valuable equity, seasoned supply chain leaders shouldn’t be surprised by the emergence of brand counterfeiting. As a whole, the manufacturing industry’s efforts to protect intellectual property (IP) have been ineffective thus far. Even the most highly regarded global organizations have shared their standard operating procedures (SOPs) with external parties, trained them on quality manufacturing and even transferred tooling and printing plates. To truly mitigate the risks of counterfeiting, manufacturers must objectively assess the effectiveness of their existing efforts by considering the following:
- Do we conduct due diligence in regards to contractor and employee background checks, as well as facility security, inventory accountability and destruction of unsalable materials?
- Do we regularly audit every external facility that participates in our supply chain?
- Do we ensure all of our retired tangible assets are properly destroyed and inaccessible to counterfeiters?
- Do our existing processes, procedures and knowledge enable us to trust with verification?
Companies that are unable or unwilling to address each component of this assessment are vulnerable to and likely enabling the counterfeit production of its brands.
Leveling the playing field
Though counterfeiters are reliant on a manufacturing source, they have the advantage of mimicking a legitimate brand. Fortunately, an arsenal of risk mitigating practices and countermeasures are available today and highly recommended, especially for companies in high-risk countries like China, Brazil, India or Paraguay.
Despite the available solutions, the industry will continue to struggle with counterfeiting until it properly leverages the knowledge and unique perspectives of its supply chain counterparts. Incorporating these perspectives equips companies with the ability to comply with stricter supply regulations, realize the benefits of anti-counterfeit (ACF) technologies and utilize a layered approach to secure their brands.
Diversifying and combining all of these, as well as updating tactics periodically, can drastically reduce vulnerability. However, the lack of a single entity or legislation that provides end-to-end supply chain security has led to technology experts being tapped for help with brand protection. Likewise, manufacturers are returning the favor by providing technologists with inside knowledge of the best methods for installing and integrating authentication solutions into existing SOPs.
Any expert can present a case in support of adopting ACF technology and brand protection solutions. The problem lies with manufacturers who are convinced that high supply chain visibility is detrimental to success. Likewise, traders and distributors are reluctant to share transaction records, fearing it diminishes their value as intermediaries and may result in lost business. To date, many parties in the supply chain still resist collaboration despite the harmful - or even fatal - consequences that a diluted brand can pose to the industry, supply chain, retailers and consumers.
Manufacturing executives who are hesitant to invest in fighting counterfeiting can gain confidence by adhering to these guiding principles:
Embrace the counterfeiting threat. Manufacturing leaders must accept responsibility by holding themselves accountable for supply integrity and demonstrating an awareness of the growing threat to their business, supply chain and consumer health and safety. To accomplish this, stakeholders can publicly campaign for the implementation of a zero-tolerance policy for breaches by employees, suppliers and third-party providers.
Protect IP and operational practices. Prudent operational managers and executives should focus on protecting IP and other proprietary information by increasing visibility and control of production materials throughout the supply network. Best practices for protection include:
- Instate mandatory ACF awareness training for all employees and contractors;
- Monitor supply and demand trends across trade channels for aberrations that may indicate the presence of fake goods;
- Respond aggressively to all incidents of fake goods;
- Revise third-party agreements to ensure that any transactions outside of your authorized network are explicitly forbidden;
- Authenticate returned goods before restocking and trace suspicious goods back to their sources;
- Update disposal procedures for unsalable products and retired equipment to prevent access by counterfeiters;
- Redesign facility and freight processes to ensure full asset protection; and
- Continuously purchase and authenticate your finished goods in the open market.
There are several options available for companies in need of ACF solutions. Before investing, companies can determine which ACF solution is the best fit by evaluating its supply chain’s projected risk based on three components: the brand profile, active trade channels and target markets. Unfortunately, brands in highest demand are at greater risk due to increased global counterfeit production. ACF technologies, particularly those capable of full operational integration and downstream authentication, fall into three categories:
- Sensory authentication: Overt and semi-covert packaging markings, such as holograms, color-changing inks and other sensitive materials;
- Digital authentication: Forensic markings, barcodes and taggants that authenticate via package or product scan; and
- Track & trace systems: Custom-built scanners or mobile applications that use unique identifiers to track product movement and/or retrace the chain of custody through the supply chain.
These solutions have strengths and limitations. For example, hologram authentication is relatively inexpensive, easily recognized and nearly effortless to implement by the commercial sector, but it’s also highly vulnerable to replication by counterfeiters. Digital authentication adds a layer of sophistication to the technology, but its process remains contingent on the use of a corresponding interrogating device.
Generally speaking, covert markings are more expensive to implement than its visible counterparts, and track and trace systems require the largest investment due to its multi-layer approach to security monitoring. Industries yielding high-risk goods, such as pharmaceuticals often prefer track and trace, and despite the financial drawbacks, legislators are increasingly mandating its adoption to better control the flow of goods.
Leave it to the experts
Before exploring the endless array of brand protection options and technology providers, it’s important to consult a brand specialist who can provide an objective risk assessment and help with the decision-making process. Specialists can advise on equipment specifications, such as vision systems and security materials, and their experience helps companies avoid project delays and unforeseen costs. In developing a comprehensive brand protection program, consultants can provide recommendations for the best practices, market monitoring tools and investigative support that will align with your overall strategic goals.
As criminals continue to profit off of the double-digit growth rate of counterfeit production, supply chain leaders must invest in aggressive brand protection initiatives, from auditing existing SOPs to revamping security and distribution practices and adopting ACF technology solutions. Such a commitment is mandated by the threats to consumer health and safety, as well as the potential for brand dilution.
Most importantly, is understanding that no single company, technology, practice or program will mitigate these risks alone. The most viable solution for the future of manufacturing relies on multi-lateral cooperation on all fronts, from legislators and regulators to manufacturers, distributors and retailers—even consumers have a role to play. Gaining a competitive edge is not an option when consumer safety is on the line, so despite any initial misgivings about collaborating, the industry must ultimately find success together or not at all.
This is the second article of a three-part series, co-authored by Neil Alpert, chief executive, and Ron Guido, chief marketing officer for LaserLock Technologies.
The first article - Exploiting Your Supply Chain: Confessions of a Counterfeiter - appeared on SecuringIndustry.com on October 20, 2013.
The annual Black Friday shopping surge sees cost-conscious consumers hit the stores and online retailers in search of bargains. Yet some deals really are too good to be true, with counterfeiters keen to exploit shoppers by undercutting legitimate businesses.
With millions of Americans looking for deals, Black Friday represents a big opportunity for counterfeiters. Fraudulent retailers are conscious of consumer trends, particularly the obsession with certain brands, and aim to exploit these desires. The Better Business Bureau list of the top 10 most common counterfeit gifts shows this strategy, with fraudulent retailers selling lots of fake shoes, handbags, smartphones and DVDs.
While a genuine Coach handbag is too expensive for many consumers, counterfeit versions are far more affordable. These fakes attract unwitting consumers who believe they are buying a genuine product for a bargain price. In these cases, sophisticated websites, some of which feature fake SSL security certificates, make it hard for consumers to tell the difference between genuine and fraudulent retailers.
"Business-savvy counterfeiters are pricing products just below their authentic counterparts, leading consumers to think they've found a better deal. As such, it's important for consumers to research every merchant before making a purchase, and understand that the safest course of action is to buy directly from the manufacturer rather than a third party," Neil Alpert, CEO of LaserLock Technologies, said.
Signs that the site is selling fakes include the use of terms like 'factory overstock' to justify prices that just undercut the recommended retail price. The Better Business Bureau advises consumers to shop on well-known websites, officially-licensed organizations or direct from the manufacturer. Consumers should take particular care when buying brand-name products from sites like eBay that make pre-inspection difficult.
The consequences of buying a fake product are potentially far reaching. Counterfeit cosmetics are unlikely to have been properly tested and may contain dangerous chemicals, putting the user's skin at risk. Similarly, fake electronics pose a fire hazard.
The knowing buyers of counterfeit goods
Following the Better Business Bureau tips can help prevent unwitting purchases of counterfeits, but these buyers only make up a proportion of shoppers. Others are happy to knowingly buy fakes. An EU survey of 26,500 people aged 15 and over found one-third of people think buying fakes is justified by the cost savings, while even more view it as a legitimate protest against the market-driven economy.
The result is perhaps surprising as the same survey found Europeans value intellectual property (IP). Almost everyone surveyed said IP is important because it supports innovation and creativity by rewarding inventors, creators and artists. Similarly, 86 per cent of respondents agreed that protecting IP helps to improve the quality of products and services. Yet some of these people will buy fakes to save money.
In these cases, stopping counterfeiting at the source is an effective way of preventing sales. Technology is facilitating these anti-counterfeiting strategies. "Companies are leveraging cutting-edge technologies to trace the movement of and authenticate products, as well as verify the identities of those who are managing the products through every stage of the supply and demand chains," Alpert said.
Friday, October 25, 2013
Ink Drying on Security Print Deals
Near-term markets for security inks show the way for brand protection at large
Print-ready brand protection technologies are currently in a sweet spot for market penetration. For some, there is now legislative motivation for introducing authentication – with new regulations either expected or being discussed, in product categories like pharmaceuticals, or in managing the supply and distribution chains in a given region.
Beyond regulations, the threat of counterfeiting, while always substantial, is reaching a tipping point for various brands. Companies looking to crack high-growth markets, such as regions of Africa or South America, are looking to better protect their brands. Often they are making their products more widely available to growing middle classes in areas where counterfeiting is high. The efforts of cosmetics brands like MAC to extend distribution in these regions will come only with a solid anti- counterfeiting strategy.
These factors are increasing the engagement of brand owners and the print supply chain that serves them with brand protection technologies in general. Suppliers of RFID, track-and-trace solutions, and other elements of the brand protection toolkit are reporting high and growing degrees of interest from commercial partners, with some services graduating to considerable revenue.
For security inks, these factors are translating into commercial orders at an even faster rate. Brand protection solutions provider LaserLock Technologies recently announced an initial order for its SecureLight+ pigment ink, for the protection of game pieces used in a nationwide contest expected to launch in early 2014.
Neil Alpert, CEO of LaserLock, comments: ‘This was a modest initial order, but the value of the pieces is significant, which is why our client chose to use SecureLight+.
‘While there has been no discussion about other uses in this specific client’s portfolio, the contest is expected to experience significant growth, during which LaserLock will be responsible for ensuring its integrity. Accomplishing this may present us with more opportunities in the future.’
A further order was announced in October 2013. A Japanese pharmaceutical labelling company is conducting a pilot project for this industry using the technology.
A 2011 market report from Smithers Pira predicted that the security ink market would increase at a compound annual growth rate of 7.5% to 2015, compared to 2010 figures. The Future of Security Printing to 2015 outlines the variety of security ink technologies and their current market use.
Of ‘luminescent, phosphorescent and fluorescent inks,’ the report notes: ‘Whilst the fluorescent inks are available on the open market, inks used in security printing are usually more sophisticated, reacting only to specific wavelengths, for example, or emitting different colours at different wavelengths. These subtleties are often only detected by experts or by machines. An example of a specialised ink that reacts to both UV and IR illumination is Fire & Ice from Luminescence, which is invisible in normal lighting conditions, fluoresces in long-wave UV and emits a bright red flash at a specific wavelength. Luminescence is confident that ‘even sophisticated fraudsters would probably conclude the feature was a conventional fluorescent blue ‘ink and not locate the red flash’.
For security inks generally, there appear to be some positive opportunities for further market traction on the horizon.
Though the initial order for SecureLight+ is a modest one, it underlines what could be a trend for near- term markets in brand protection inks, as the growing demand from brand owners pushes the adoption of solutions that require the fewest steps to implement into existing production processes.
Alpert adds: ‘One of the advantages of SecureLight+ is its seamless integration with existing production and packaging systems. We have successfully incorporated a pigment-based marking solution into ink or dye form for all commercial printing methods – flexography, gravure, silkscreen, thermal transfer and inkjet. There are some limitations surrounding offset printing related to the amount of material that can be applied, but typically, this can be resolved as easily as changing the ink on the printing machinery in place.’
Initial market traction for security inks has been in government documents, such as ID documents and cards, as well as passports. Yet the technology seems set to excel beyond these categories.
Alpert adds: ‘[There] is a potential for LaserLock to meet the large-volume demand as well.
‘Unlike most standalone security inks, SecureLight+ is a unique pigment in that it uses multi-layer security features. SecureLight+’s value is demonstrated through its versatility, as the solution consists of both covert and overt components that are activated in various ways. For example, under different lighting conditions, the ink visibly changes colors but reacts differently in diverse conditions, such as natural, incandescent or fluorescent lighting.
‘The solution also includes concealed characteristics that respond to a variety of devices, such as laser beams that are only visible when they’re shined on the ink to which they’re specifically tuned.’
These features lend themselves to future markets where consumers are central to the authentication process.
Alpert says: ‘Because SecureLight+ is a consumer-level solution with forensic capabilities, it often provides substantially higher returns than the competing solutions on the market that require specialised equipment for authentication. Any consumer who uses readily available light sources – fluorescent, incandescent or LED light, for example – can easily authenticate SecureLight+, but its covert characteristics also allow for multi-layer authentication for forensic purposes.
Crucially, the low barriers to implementation for security inks will make this technology an important precursor for the brand protection industry at large. Security inks will help companies understand the benefits of implementing a combination of overt and covert brand protection technologies – and could even play a part in familiarising consumers too.
Alpert notes: ‘There are likely to be more high-volume markets on the horizon for these brand protection solutions, considering the ease with which the technology can be adapted to existing processes and products.
‘Implementing the SecureLight+ solution is as easy as changing inks, so our customers require very little initial investment. Oftentimes testing and quality control will represent the extent of the upfront costs. However, the solution can work with the existing printing equipment, so there is rarely an upfront investment required by the customer.’
As a result the return on investment case should be easier to make for other technologies requiring more concerted integration efforts, or greater upfront costs.
For a digital copy of the article, please click here.
Monday, October 21, 2013
Pharmaceutical Compliance Monitor
Ron Guido | LaserLock Technologies
I don’t envy the FDA’s role in driving compliance for thousands of regulations and standards, from approvals to post-market surveillance, additives and import and export issues. Based on three decades of personal experience working alongside the agency, I’m impressed with their understanding of the issues and commitment to public safety. However, as pharmaceutical demand continues to rise, the reliance on foreign manufacturers and third-party contractors to manage quality and distribution increases accordingly. Given the FDA’s exhaustive efforts to regulate the U.S. supply chain quality and safety, it may be surprising that its reign is not limitless, as it can only control the supply chain so far without having the benefit of international governance.
Perhaps the biggest disadvantage of the booming pharma market is that the FDA’s quality and safety control system hasn’t stayed parallel to the scientific and technological advances of the market, leaving gaps and weakening the capabilities of regulatory authorities. As the FDA works to tighten product, contractor and supply chain quality, however, a bigger beast has emerged, making all existing efforts look inconsequential – the counterfeiter.
Counterfeiting is described as the ‘crime of the 21st century,’ affecting goods in virtually every industry and global market, from pharmaceuticals to retail, electronics, food and beverage and government. It is impossible to determine the exact amount of counterfeit pharmaceuticals that reach consumers, given that the primary objective of the counterfeiter is to remain undetected and covertly penetrate an unsuspecting supply chain. However, does it matter whether it’s one or 10 percent, as a dated World Health Organization study suggests? There must be a ZERO tolerance commitment by our collective industry. Nothing greater than zero is acceptable.
Interestingly enough, in both cases of implementing anti-counterfeit supply chain protection and ensuring contractor quality, manufacturers initiate the same regulatory compliance checks using Good Manufacturing Practices and Standard Operating Procedures.
Let’s examine the efforts of the FDA, manufacturers, authorized distributors of record and pharmacists – the “good guys” aligned in purpose to fight counterfeiting and contractor quality. The public safety risks associated with consuming counterfeit medicines are obvious and therefore support the general consensus that additional regulations and legislation will help fortify the legitimate supply chain – but what’s wrong with that approach? Each case is treated uniquely, ignites increased surveillance and even a product recall.
However, we must take an individualistic approach to every counterfeit case. The circumstances of dealing with counterfeit drugs are far more complicated than a random occurrence, and should be viewed as a strategically planned operation. If, in fact, the counterfeit rate of prescription drugs were eight to 10 percent globally, maintaining that rate year-to-year would ignite uproar in other industries – even those without fatal consequences. So why do we blindly increase audits, surveillance activities, customs inspections and other superficial methods when we really have no clue as to the extent of the operation that we uncovered?
We must recognize that one of the most vulnerable areas in the supply chain is at the nexus of the counterfeiter suppliers and the contracted operations of the legitimate manufacturers. Does this suggest counterfeiters may operate in the shadows of the legitimate manufacturer it’s counterfeiting? Perhaps. Contractors know how to manage supply chain specifications, critical quality checks and operating procedures, allowing them to be more independent from the internal operations of the intellectual property (IP) rights holder. Given this increasingly common scenario, the FDA’s choice to extend focus onto the suppliers and contracted partners of the IP rights holders was warranted – maybe even a small, strategic win for the good guys.
Counterfeiters are shrewd, tech-savvy, and connected by sophisticated global trade networks, allowing them to utilize the same equipment, especially packaging machines, as the legitimate manufacturers. They’re always well funded, often by organized criminal enterprises, and driven by financial profit so they’re unlikely to use any ingredients or trading practices that would risk exposure. Unfortunately, the absence of active ingredients (underpowered drugs) can be as devastating as replacing with harmful ingredients or a placebo.
In order to address counterfeiting and contractor quality holistically, we must assume the problem extends infinitely further than what’s seized from border and transit searches or extracted from the supply chain. So what’s the remedy to a problem that is, by design, clandestine in practice, yet pervasive throughout the supply chain and often indistinguishable without forensic equipment?
It’s clear that our solutions now are not the answer. When faced with evidence of counterfeit or poor-quality products, we knee-jerk into the following frenzy:
- Issue a product recall – leaving fakes to enjoy the pent up demand.
- Increase raw material supplier inspections– they’re the only entities with records on file.
- Inspect packaging – it’s easier to interrogate and not destructive to the pills.
- Prosecute the distributors, importers/exporters – since you can’t find the big fish.
- Conduct market surveys by buying from wholesalers and retail pharmacies – we already know they’re cooperative and visible. It’s the secondary distributors, Internet and local open market retailers you need to worry about.
All of the above methods are orchestrated to engage the legitimate supply network in resolving unintentional contractor quality problems. The contractor quality issues are usually unintentional and can be diagnosed and traced back to a certain batch, machine, operator or administrative error. So why is the FDA continuing to tighten focus on contractor quality? Simply, put, it’s not working well enough to eliminate the issue altogether, and now it has compounded to strengthen the effect of the counterfeit market as well, producing a different breed of quality issues. The counterfeiters’ goods are designed to remain undiagnosed, produced outside any regulatory purview and few, if any, are traceable. Though rare, if we have the chance to trace products back to the manufacturing site, the principals are rarely found
What should manufacturers, their authorized distributors of record and regulators/inspectors do individually and collectively to mitigate the risks of counterfeit drugs?
For starters, the best solutions are not framed from the mindset of addressing quality defects, but in the mindset of the counterfeiter. Here are some suggestions:
- 1. Live by the ‘trust, but verify’ mantra. You can trust them after they’ve proven they deserve it. Perform your due diligence through the form of contractor Quality Agreements (QAs) and anti-counterfeiting practices, including facility security, strict inventory and records accounting, supervised destruction of non-salable components and employee background checks.
- Take advantage of track and trace. Integrate secure track & trace technology to enhance visibility in your product lifecycle, from manufacturer to wholesalers and beyond. Closely monitor long-term supply and demand patterns and observe deviations.
- Demand exclusive, non-competitive rights. Contractors, suppliers and third parties should be contractually prohibited from conducting business with manufacturers of similar goods, as well as using proprietary equipment for shadow operations.
- Build sustainable, trusting partnerships. Focus on establishing long-lasting relationships with your contractors, suppliers, raw materials vendors, printers and everyone else in the supply chain.
- Manage your own product distribution and lifecycle. Require retailers to sign authorized distributor agreements that forbid purchasing your company’s products from any distributor unless pre-approved. Likewise, to ensure your goods aren’t repackaged and sent back into circulation, require the return of excess and obsolete inventory.
Authorized Distributors & Retailers
- Abandon opportunistic buying practices. Per each contract terms, purchase only the required quantity from approved sources.
- Balance real-time supply and demand. It’s achievable by establishing two-way inventory management processes between buyers and sellers.
- Track & trace (again). Partner with manufacturers using secure forms of track and trace technologies and invest in authentication technologies.
- Leverage sales-in, sales-out. Implementing a SISO strategy can impact business by reducing inventory levels and improving demand forecasting, but it’s important to respect requests to conceal end user information.
- Link financial and physical inventory movements. Contractors will always ensure safe quality and delivery if financial gain was at stake, so implement a new business model wherein financial transactions are recorded in parallel with inventory movement.
Regulators & Inspectors
- Update security protocols. Make sure you have procedures and processes in place to address poor quality as well as suspected counterfeits, such as the use of Raman Spectroscopy to classify pharmaceutical ingredients, and enforce stricter consequences for violators.
- Observe all sides of the supply chain. Work with manufacturers to obtain limited access of proprietary data to study distribution patterns of high-risk brands and covert authentication techniques on package and labeling.
- Hold contractors accountable for operations integrity. Perform audits and hold contractors accountable for the integrity of their end-to-end operations, such that off-quality production and shadow operations are similarly treated as compliance violations.
The net effect of the above recommendations will add transparency and control to a supply chain design that did not have security and supply integrity built into its original conception. Most importantly, however, is for every single government organization, manufacturer, distributor, retailer, law enforcement authority and technology provider to understand how important it is toleverage knowledge sharing and promote global collaboration to share incident details, emerging trends or technologies; hold contractors and other third parties accountable for their operations; enforce penalties for counterfeiters; and work with legislators to better regulate the international supply chains for prescription medicines, including the Internet.