application guidelines and implementation roadmap · 2012-01-25 · the implementation roadmap...

Building Radio frequency IDentification for the Global Environment

Application Guidelines and Implementation Roadmap

Authors: Mikko Lehtonen (ETH Zurich), Jasser Al-Kassab (SAP), Sebastian Lekies (SAP)

June 2009

This work has been partly funded by the European Commission contract No: IST-2005-033546


About the BRIDGE Project:

BRIDGE (Building Radio frequency IDentification for the Global Environment) is a 13 million Euro RFID project running over 3 years and partly funded (€7,5 million) by the European Union. The objective of the BRIDGE project is to research, develop and implement tools to enable the deployment of EPCglobal applications in Europe. Thirty interdisciplinary partners from 12 countries (Europe and Asia) are working together on: Hardware development, Serial Look-up Service, Serial-Level Supply Chain Control, Security; Anti-counterfeiting, Drug Pedigree, Supply Chain Management, Manufacturing Process, Reusable Asset Management, Products in Service, Item Level Tagging for non-food items as well as Dissemination tools, Education material and Policy recommendations. For more information on the BRIDGE project: www.bridge-project.eu

This document results from work being done in the framework of the BRIDGE project. It does not represent an official deliverable formally approved by the European Commission.

This document:

This document presents application guidelines and an implementation roadmap for the technical anti-counterfeiting measures developed in BRIDGE WP5. While various RFID implementation guidelines and checklists have been published, they do not cover the use of EPC/RFID in anti-counterfeiting. The purpose of this document is to help bridge this gap.

Disclaimer:

Copyright 2009 by (ETH Zurich, SAP) All rights reserved. The information in this document is proprietary to these BRIDGE consortium members This document contains preliminary information and is not subject to any license agreement or any other agreement as between with respect to the above referenced consortium members. This document contains only intended strategies, developments, and/or functionalities and is not intended to be binding on any of the above referenced consortium members (either jointly or severally) with respect to any particular course of business, product strategy, and/or development of the above referenced consortium members. To the maximum extent allowed under applicable law, the above referenced consortium members assume no responsibility for errors or omissions in this document. The above referenced consortium members do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, or non-infringement. No licence to any underlying IPR is granted or to be implied from any use or reliance on the information contained within or accessed through this document. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intentional or gross negligence. Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. The statutory liability for personal injury and defective products is not affected. 
The above referenced consortium members have no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.


BRIDGE – Building Radio frequency IDentification solutions for the Global Environment

Executive Summary

This document presents application guidelines and an implementation roadmap for the technical anti-counterfeiting measures developed in BRIDGE WP5. While various RFID implementation guidelines and checklists have been published, they do not cover the use of EPC/RFID in anti-counterfeiting. The purpose of this document is to help bridge this gap.

The practical level of protection that a technical anti-counterfeiting system provides to a supply chain depends on two aspects: on detecting counterfeit products when they are checked (“intrinsic security”) and on checking the counterfeit products (“check rate”). The implementation roadmap presents how a high level of intrinsic security can be achieved with the security measures available, now and in the future, for EPC-tagged products. Achieving a high check rate is addressed by applying the checks in the right supply chain locations and by integrating authenticity checks into processes where the products are identified anyway.

The implementation roadmap presents the available security measures for EPC-tagged products and provides guidance for selecting and updating security measures for an affected product. The roadmap starts from the basic measure, which is reading the EPC number and verifying from a white list that such a product exists. The role of the security measures is to secure this scheme from adversaries. Three dimensions of security are considered: 1) prevention of tag cloning, 2) detection of cloned tags, and 3) tag-product integrity.

In general, there are eight possible supply chain locations (“usage scenarios”) for authenticity checks. These are analyzed in the report and they include: 1) distribution, 2) customs, 3) incoming goods at retail, 4) goods on retail shelves, 5) point of sales, 6) consumer / end-user, 7) after sales services and 8) reverse logistics. These cases are collected from existing usage scenarios and they address different dimensions of the problem. In particular, only checks in customs and checks of goods on retail shelves target the illicit supply chain. It is also shown which security measures are conceptually feasible in these locations.

In addition to providing guidelines for the selection of security measures and check locations, an anti-counterfeiting project life-cycle model is presented. It serves companies affected by counterfeiting as a manual for deploying RFID and track-and-trace based anti-counterfeiting solutions and includes a detailed description of four project phases: 1) initiation, 2) planning, 3) closing, and 4) operation and maintenance. Last, this life-cycle model is applied to an anonymized real-world company, Akron, to illustrate its application with tangible examples.


Table of Contents

Executive Summary
Table of Contents
Table of Figures
Table of Tables
1 Introduction
  1.1 How Security Works
  1.2 Organization of this Report
2 Implementation Roadmap
  2.1 Basic Measure
  2.2 Towards Strong Prevention of Tag Cloning
  2.3 Towards Reliable Detection of Cloned Tags
  2.4 Towards Strong Tag-Product Integrity
3 Supply Chain Locations for Product Authentication
  3.1 Different supply chain locations for product authentication
  3.2 Feasibility of different security measures
4 Anti-Counterfeiting Project Life Cycle
  4.1 Selection of a Project Life Cycle Model
  4.2 Initiation phase
    4.2.1 Purpose of the Initiation phase
    4.2.2 Problem Analysis
    4.2.3 Project Team
    4.2.4 Definition of Project Scope
    4.2.5 Feasibility Study
    4.2.6 Cost-benefit analysis
  4.3 Planning phase
    4.3.1 Purpose of the Planning Phase
    4.3.2 Organizational and Process Changes
    4.3.3 Site Survey
    4.3.4 Selection of Hardware and Software
    4.3.5 Stakeholder Analysis
  4.4 Implementation phase
    4.4.1 Purpose of the Implementation Phase
    4.4.2 Pilot Study
    4.4.3 Administrative and Organizational Requirements and Changes
    4.4.4 Technical Requirements and Changes
  4.5 Closing phase
  4.6 Operation and Maintenance
5 Example Application
  5.1 Introduction
  5.2 Akron Company Profile
  5.3 Application
    5.3.1 Initiation phase
    5.3.2 Planning phase
    5.3.3 Implementation phase
    5.3.4 Closing phase
    5.3.5 Operation and Maintenance
References
Appendix A: Hardware calculations
Appendix B: Akron’s Stakeholder map


Table of Figures

Figure 1. The overall process of securing a supply chain from counterfeit products
Figure 2. Direct effect of security
Figure 3. Indirect effect of security
Figure 4. Organization of this deliverable.
Figure 5. Roadmap towards secure authentication of EPC-tagged products
Figure 6. Protocol of the basic measure (white list)
Figure 7. Authentication based on ACCESS passwords
Figure 8. Authentication based on unique TID numbers
Figure 9. Authentication based on cryptographic tags / PUF
Figure 10. Authentication based on track and trace checks
Figure 11. Authentication based on synchronized secrets protocol
Figure 12. Example of a commercial security seal (www.tesa.com).
Figure 13. Physical tag integration provides different possibilities depending on the product [34]
Figure 14. Authentication based on object-specific features
Figure 15. Possible supply chain locations for product authentication
Figure 16: Project Life Cycle
Figure 17: Example for an RFID project team [6]
Figure 18: Cost benefit model of investment in security
Figure 19: Exemplary RFID enabled Business Applications
Figure 20: Site Survey Process [17]
Figure 21: Stakeholder groups [2]
Figure 22: Exemplary Stakeholder Matrix
Figure 23: Akron's Supply Chain Network
Figure 24: Akron's project team
Figure 25: Process manager and rule designer
Figure 26: Factory layout
Figure 27: Supplier matrix


Table of Tables

Table 1. Threat levels and needed countermeasures
Table 2. Prerequisite for product authentication: the basic measure
Table 3. Summary of preventive security measures on EPC tags
Table 4. Summary of detective security measures
Table 5. Summary of security measures for tag-product integrity
Table 6. Conceptual feasibility of RFID-based product authentication measures in different supply chain locations (see Section 2 and BRIDGE D5.4 for technical details).
Table 7: Decision making tool for evaluating the overall risk of counterfeiting
Table 8: Required hardware and software
Table 9: Exemplary Table of Stakeholders
Table 10: Calculation of hardware expenses
Table 11: Akron's stakeholder map


1 Introduction

Brand owners of various kinds of physical goods have an increasing need to protect their supply chains against product counterfeiting. To support brand owners across industries, BRIDGE WP5 has investigated and developed EPC/RFID-based countermeasures to counter counterfeit trade. Based on this work, this document presents application guidelines and an implementation roadmap for EPC/RFID based anti-counterfeiting measures.

These application guidelines cover deployment and usage of an anti-counterfeiting system based on EPC technology. More precisely, the guidelines cover steering an anti-counterfeiting system deployment project and selecting an effective and efficient way to use the authenticity checks to counter counterfeit trade. While various general RFID implementation guidelines and checklists are published by practitioners (footnotes 1 and 2), these do not cover the use of RFID in anti-counterfeiting. Therefore the major contribution of this document is to provide the anti-counterfeiting-specific knowledge to the general guidelines.

Different products need different amounts of protection. While simple verification of EPC numbers might be secure enough for some inexpensive consumer goods, for instance, authentication of luxury goods that are brought to after-sales service might require much more security. To answer the varying needs of different products, EPC technology provides a rich platform for different security measures. To assist brand owners in choosing the right security measures, the implementation roadmap presents the way from identification to highly secure authentication of EPC-tagged products. This roadmap presents the possible security measures and their requirements to guarantee secure authentication of EPC-tagged products in the long term.

The material benefits of a technical anti-counterfeiting system are hard to evaluate and present in one dimension, with only one criterion, but overall they can be characterized by security. Therefore the provided application guidelines are structured around concepts of security.

1.1 How Security Works

This subsection presents the conceptual framework of security in anti-counterfeiting that structures the provided application guidelines.

In general terms, security refers to protecting assets against certain threats and it is provided by a process of prevention, detection and response [36]. The overall process of securing a supply chain against counterfeit products presents the different preventive, detective and responsive countermeasures that companies can implement. Figure 1 illustrates this process by showing what the counterfeiter attempts to do and what the affected company or companies can do to counter the counterfeiting. In particular, the illustration shows that product authentication is only one element in this overall process of securing the supply chain against counterfeits – but it is a particularly important one.

1 http://www.rfid-in-action.eu/public/results/guidelines/rfid-implementation-checklist
2 http://epsfiles.intermec.com/eps_files/eps_brochure/RFIDChecklist_brochure_web.pdf

Figure 1. The overall process of securing a supply chain from counterfeit products. Steps of the counterfeiter (illicit actors) and the countermeasures of the brand owner (licit actors):

1. Obtain counterfeit products
   Prevent: Do not disclose blueprints; Audit manufacturers
   Detect: Private investigations
   Respond: Confiscate illicit products; Prosecute infringers; End business relationships

2. Obtain RFID tags with valid, copied serial numbers
   Prevent: Use random IDs; Upkeep list of valid IDs; Secure database of IDs; Waste management
   Detect: Monitor clandestine scanning; Detect use of copied IDs
   Respond: Discard copied IDs

3. Sell counterfeit products to the licit supply chain
   Prevent: Secure legitimate inputs
   Detect: Authenticate products
   Respond: Confiscate illicit products; Prosecute infringers; End business relationships; Strict liabilities

The security provided by a technical product authentication system has two major effects on the protected supply chain. First, the direct effect of security is that counterfeit products in the secured channel are detected. This is illustrated in Figure 2. Detection of counterfeit products depends on two factors: on verification of counterfeit products (check rate) and on detecting counterfeit products that are verified (intrinsic level of security of the security measure). The former is provided by the way the technology is used and the latter by the technology itself. In other words, the achieved level of security in practice depends on the security measure and how it is used. This is a simple finding but it is very helpful in organizing the application guidelines: On the one hand the goal is to maximize the probability that a counterfeit is verified, and on the other hand the goal is to maximize the probability that a counterfeit is detected when checked.

Figure 2. Direct effect of security: counterfeits are detected (direct security) when counterfeits are verified (check rate) and counterfeits are detected when verified (intrinsic security).


When counterfeit products are detected in a supply chain with a sufficient success rate, the expected profit of selling counterfeit products to the protected supply chain decreases to zero and below. Thus the second, indirect effect of security is that injecting counterfeit products to the licit supply chain no longer pays off for the illicit actors. Since counterfeiters are primarily financially motivated, we can assume that decreasing the expected profits has a deterrent effect on counterfeiters. The technical factors that provide the deterrent effect of security are illustrated in Figure 3. It is important to note that in practice deterrence is not provided by the absolute magnitudes of prevention, detection and response, but by how counterfeiters perceive and value them. For instance, a convincing sticker of a surveillance system alone can deter a burglar from breaking into a house if the burglar perceives that the risk of alarm is too high, without the need of an actual surveillance system.

Figure 3. Indirect effect of security: deterrence (indirect security) results from cost to break (prevention), detection rate (detection) and punishment (response).

Not all counterfeit products need to be detected in order to make injecting counterfeit products to a licit supply chain unprofitable. This is due to two factors. First, counterfeiters also have costs that need to be covered before they can break even, for instance from production and logistics [37]. Second, the risk of getting caught and being punished – though it may be small – needs to be offset by somewhat high returns; otherwise taking the risk does not pay off in the long term. However, it must be noted that deterrence only means that injecting counterfeits to the protected supply chain is not financially interesting in the long term under certain assumptions, but it does not guarantee that it will not happen.

1.2 Organization of this Report

This report is organized as follows. First, section 2 presents an implementation roadmap towards strong authentication of EPC-tagged products. Then, section 3 describes and analyzes eight different supply chain locations for the authenticity checks and presents the technical feasibility of different security measures in these locations. And last, section 4 provides an anti-counterfeiting project life-cycle model that is a manual to help affected companies during different phases of the implementation project, and this life-cycle model is illustrated with an example in section 5.

Section 1: Introduction

Content: Introduction to the deliverable, conceptual framework of security in anti-counterfeiting.

Findings: Supply chain is protected through high check rate and intrinsic security of the check.

Section 2: Implementation Roadmap

Content: Implementation roadmap towards secure authentication of EPC-tagged products.

Findings: EPC/RFID provides a platform of security features, suitable security features depend on the product.

Section 3: Supply Chain Locations for Product Authentication

Content: Analysis of possible supply locations for product authentication, feasibility of different techniques therein.

Findings: There are eight usage scenarios for product authentication in licit supply chains.

Section 4: Anti-Counterfeiting Project Life Cycle

Content: Description and analysis of issues during different phases of an anti-counterfeiting project.

Findings: Guidelines for initiation phase, planning phase, implementation phase, and closing phase.

Section 5: Example Application

Content: Example application of the rules-based approach to an anonymized real-world based company.

Findings: Illustration of the project life cycle model.

Figure 4. Organization of this deliverable.


2 Implementation Roadmap

This section describes an implementation roadmap towards secure authentication of EPC-tagged products. The roadmap includes three different dimensions of security, namely tag cloning resistance, detection of cloned tags and tag-product integrity, and presents the different security measures that are needed to move towards a higher level of security. The goal of choosing the security measures is to enable secure product authentication.

Table 1. Threat levels and needed countermeasures

Level | Threat | Countermeasure
I | Counterfeit product without an RFID tag | Basic measure
II | Counterfeit product with an RFID tag with an invalid EPC | Basic measure
III | Counterfeit product with an RFID tag with a valid EPC | Tag cloning resistance / detection of cloned tags
IV | Counterfeit product with a genuine RFID tag | Tag-product integrity

The implementation roadmap addresses different threat levels of counterfeit products injected to the protected supply chain. We define these threat levels as follows: The first level threat is a counterfeit product without an RFID tag. The second level threat is a counterfeit product with an RFID tag with an invalid EPC number. The third level threat is a counterfeit product with an RFID tag with a copied, valid EPC number, and the fourth level threat is a counterfeit product with a genuine RFID tag that is removed from a genuine product and reapplied. The threat levels and needed countermeasures are summarized in Table 1.

Figure 5. Roadmap towards secure authentication of EPC-tagged products. Starting from the basic measure (low level of security), each of three dimensions leads from weak to strong (high level of security). Tag cloning resistance: ACCESS passwords, unique TID numbers, crypto tags. Detection of cloned tags: mark invalid EPC numbers, T&T checks, synchronized secrets. Tag-product integrity: tag seals, physical tag integration, logical tag integration.

Reading a product’s EPC number and verifying that this number has been issued by the brand owner (“white list”) represents the first level of a technical countermeasure (cf. subsection 2.1). When the need for security increases, additional security measures are needed against tag cloning attacks and tag-product integrity violations, i.e. removal and reapplication of valid tags. These security measures are illustrated in Figure 5. For products where the risk of counterfeiting is very low, such as some non-branded fast moving consumer goods, the basic measure provides a good starting point. For products where the risk of counterfeiting is higher, such as medicines and airplane spare parts, the need for security is higher and the first technical countermeasure should already include some more advanced security measures, such as track and trace checks or cryptographic tags.

In general, the need for security increases over time; counterfeiters can learn about the

countermeasures and implement ways to overcome or bypass them. When a need for an

increased level of protection is recognized, for example by discovering that counterfeiters

copy the EPC numbers of genuine products or that tags with fully programmable TID

memory have become commercially available, the brand-owner needs to move towards

stronger security measures. Since additional security measures always involve costs,

only the necessary security measures should be implemented. This paradigm is called “good

enough security” [23] and it argues that practically and commercially successful security

systems have a level of security that is modest in the academic sense, but good enough to

work in practice.

2.1 Basic Measure

This subsection formalizes the basic measure that is not yet secure authentication of

products, but the foundation for the secure authentication. We define authentication as

verification of the claimed identity and therefore identification is the prerequisite for

authentication. A product claims to have a certain identity through the EPC number written

on its RFID tag. The basic measure is to read the EPC number and verify that it is valid, i.e.

one that can be found on a genuine product. This kind of check is analogous to having a

doorman in front of a club to verify that only people who have their name on the list get in;

thus only the people on the list are authorized to enter.

Identification = A claim of identity

Authentication = Identification + Verification of the claimed identity

Valid EPC number = An EPC number that can be found on a genuine product

[Figure 6 diagram: message sequence between Back-end, Reader and EPC Tag.
Phase I: Initialization: (0) establish secure connection.
Phase II: Identification: (1) inventory; (2) read EPC; (3) EPC.
Phase III: Verification: (4) EPC, <location>, <time>; (5) if EPC is valid: result = y; else: result = n; (6) result (y,n).]

Figure 6. Protocol of the basic measure (white list)

The basic measure has three phases: 1) Initialization phase, where the reader establishes a

secure connection with the back-end system (mutual authentication), 2) Identification phase,

where the reader reads the tag’s EPC, and 3) Verification phase where the reader asks the

back-end whether the EPC is valid. The protocol of the basic measure is presented in Figure

6. This measure corresponds to the so called “white list” approach [24]. In stronger security

measures the verification phase is replaced by a more sophisticated way to ensure that the

product is not a counterfeit. The protocol is illustrated based on the following assumptions:

• The product authentication solution is an online solution and the credentials are

stored only in the back-end,

• Product authentication (including track & trace data analysis) is triggered by

identification,

• The protocol continues until the authenticity result is known by the reader (exception:

synchronized secrets), and

• Possible “early endings” of the protocols are not marked, i.e. cases where the

product’s counterfeit origins are revealed before the final verification (e.g. back-end

does have the TID stored for a certain EPC).

The basic measure identifies a product and checks if the identity is valid. The requirements

of this basic measure are listed in Table 2. This measure does not provide any protection

against cloning or removal and reapplying of tags, but it filters out untagged counterfeits

and counterfeits tagged with invalid IDs. In order to pass this check, a counterfeit product

simply needs to have a cloned RFID tag or an RFID tag removed from a genuine product.

The following three subsections describe how to address these threats.

Table 2. Prerequisite for product authentication: the basic measure

| Security Measure | Tag Requirements | Back-End Requirements | Other Requirements |
|---|---|---|---|
| Basic Measure (white list) | EPC | Verification of EPC | Reader-to-back-end authentication |

2.2 Towards Strong Prevention of Tag Cloning

This subsection presents the existing and envisioned preventive security measures against

tag cloning attacks. They should be used when the basic measure is not considered secure

enough.

Two existing PIN-based commands of Gen-2 tags, KILL and ACCESS, can be used for ad-hoc authentication techniques [25]. The KILL protocol is based on the fact that even though the EPC of a tag can be maliciously scanned, the KILL password remains secret. Cloned tags can be found by testing whether a tag’s KILL password matches the one stored in a database, using a reader power low enough that the tag is not actually killed. Implementation of this technique is feasible in deployed tags, but presents some delicate technical challenges [26]. We therefore focus on the ACCESS password, which can be tested on a tag in a similar way but without the risk of killing the tag. This protocol is presented in Figure 7. In order to fool this check, the adversary needs to obtain the ACCESS password of the genuine tag, for example by eavesdropping on an authorized reader device that authenticates the targeted tag, or perform a brute force attack against the 32-bit password (i.e. go through the possible passwords and query the tag by repeating step 7 in the protocol). Overall, this security measure provides some protection against tag cloning, but it is somewhat clumsy and is vulnerable to decisive attacks.

[Figure 7 diagram: message sequence between Back-end, Reader and EPC Tag. Phase III: Verification: (4) EPC, <location>, <time>; (5) find ACCESS password for this EPC; (6) ACCESS password; (7) test the ACCESS password; (8) result (y,n).]

Figure 7. Authentication based on ACCESS passwords

In addition to the PIN commands, the unique factory programmed read-only

Transponder ID (TID) numbers can increase the cloning resistance of EPC Class-1 Gen-2.

The reasoning behind the TID scheme is that a tag is authentic if it has a correct EPC & TID

pair, illustrated in Figure 8. TID is not cryptographically secure and it only represents a

practical hurdle against tag cloning. A detailed evaluation of the level of protection that the

TID scheme provides in practice is presented in BRIDGE D5.5. Though it does not seem to

be possible to buy Gen-2 tags with programmable TID numbers today, working prototypes of

semi-passive tags (e.g. in BRIDGE WP4) demonstrate that a tag impersonation device can

be built from less than ten euros worth of standard components to fool TID checks. As a

result, end-users should only make use of serialized TID numbers in applications where the

tagged items can be physically inspected as a temporary and complementary solution.

[Figure 8 diagram: message sequence between Back-end, Reader and EPC Tag. Phase III: Verification: (4) read TID; (5) TID; (6) EPC, TID, <location>, <time>; (7) if EPC and TID match: result = y; else: result = n; (8) result (y,n).]

Figure 8. Authentication based on unique TID numbers

While cryptographic RFID tags are currently widely available in the HF band (e.g. Mifare Desfire, http://mifare.net/products/mifare_desfire.asp), today there are no cryptographic tags commercially available in the UHF band. However, the need for security products in the UHF market is emerging and the first implementations exist [27, 28]. Tag-to-reader authentication can be based on cryptographic primitives like bitwise operations and pseudo-random numbers [29], hash-functions [30], symmetric-key encryption [27] or asymmetric encryption [31]. Asymmetric encryption is currently very challenging on RFID tags but due to advances in Elliptic Curve Cryptography (ECC) it is becoming feasible. These approaches cannot be employed without hardware support from the chips and since the cryptographic calculations require additional power they might decrease the tag performance in terms of reading time and range. Cryptographic UHF tags are expected to become commercially available in the near future, provided that there is a sufficient market pull for them.

Another way to implement a secret key on the RFID transponder is to use a Physical Unclonable Function (PUF). The PUF is a one way function that allows for the calculation of unique responses using only some hundreds of logical gates without any costly cryptographic primitives [33]. In order to make the use of eavesdropped responses infeasible, several challenge-response pairs have to be stored in a database. PUF has been successfully implemented on HF (13.56 MHz) tags [32] and it is currently becoming commercially available.

The high-level tag-to-reader authentication protocol is similar for cryptographic tags and for PUFs. This protocol is illustrated in Figure 9.

[Figure 9 diagram: message sequence between Back-end, Reader and EPC Tag. Phase III: Verification: (4) EPC, <location>, <time>; (5) challenge; (6) challenge; (7) response; (8) response; (9) if response is correct: result = y; else: result = n; (10) result (y,n).]

Figure 9. Authentication based on cryptographic tags / PUF
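
The challenge-response exchange of Figure 9, sketched for both a keyed tag and a PUF whose challenge-response pairs are stored in the back-end and used once each. This is an added example, not code from the BRIDGE project; the class names, HMAC-SHA256 as the tag primitive, the hash-based PUF model and the sample EPCs are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

EPC_CRYPTO = "urn:epc:id:sgtin:0000001.000002.2001"  # constructed sample EPCs
EPC_PUF = "urn:epc:id:sgtin:0000001.000002.2002"


class CryptoTag:
    """Tag with a symmetric key; HMAC-SHA256 stands in for the on-chip primitive."""

    def __init__(self, epc: str, key: bytes) -> None:
        self.epc, self._key = epc, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class PufTag:
    """Simulated PUF: a device-unique value that never leaves the chip."""

    def __init__(self, epc: str) -> None:
        self.epc, self._silicon = epc, secrets.token_bytes(16)

    def respond(self, challenge: bytes) -> bytes:
        return hashlib.sha256(self._silicon + challenge).digest()[:8]


class ReplayTag:
    """Cloned tag that can only repeat challenge-response pairs it overheard."""

    def __init__(self, epc: str, overheard: Dict[bytes, bytes]) -> None:
        self.epc, self._overheard = epc, dict(overheard)

    def respond(self, challenge: bytes) -> bytes:
        return self._overheard.get(challenge, b"\x00" * 8)


class BackEnd:
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pairs: Dict[str, List[Tuple[bytes, bytes]]] = {}
        self._expected: Dict[str, bytes] = {}  # EPC -> response awaited in step 8

    def enroll_crypto(self, epc: str, key: bytes) -> None:
        self._keys[epc] = key

    def enroll_puf(self, tag: PufTag, pairs: int) -> None:
        """At manufacture: measure and store several challenge-response pairs."""
        challenges = [secrets.token_bytes(8) for _ in range(pairs)]
        self._pairs[tag.epc] = [(c, tag.respond(c)) for c in challenges]

    def challenge(self, epc: str) -> Optional[bytes]:
        """Step 5. None for an unknown EPC or when no unused pair is left."""
        if epc in self._keys:
            challenge = secrets.token_bytes(16)  # fresh nonce on every run
            expected = hmac.new(self._keys[epc], challenge, hashlib.sha256).digest()
        elif self._pairs.get(epc):
            challenge, expected = self._pairs[epc].pop()  # each pair is used once
        else:
            return None
        self._expected[epc] = expected
        return challenge

    def verify(self, epc: str, response: bytes) -> str:
        """Step 9: compare the relayed response with the expected one."""
        expected = self._expected.pop(epc, b"")
        return "y" if expected and hmac.compare_digest(expected, response) else "n"


def authenticate(backend: BackEnd, tag) -> str:
    """The reader's part in Figure 9: relay challenge and response."""
    challenge = backend.challenge(tag.epc)    # steps 4-5
    if challenge is None:
        return "n"
    response = tag.respond(challenge)         # steps 6-7
    return backend.verify(tag.epc, response)  # steps 8-10


def demo() -> Dict[str, str]:
    backend = BackEnd()
    key = secrets.token_bytes(16)
    backend.enroll_crypto(EPC_CRYPTO, key)
    puf = PufTag(EPC_PUF)
    backend.enroll_puf(puf, pairs=2)
    results = {"crypto tag": authenticate(backend, CryptoTag(EPC_CRYPTO, key))}
    # One genuine PUF run whose challenge and response are overheard.
    challenge = backend.challenge(EPC_PUF)
    response = puf.respond(challenge)
    results["PUF tag"] = backend.verify(EPC_PUF, response)
    clone = ReplayTag(EPC_PUF, {challenge: response})
    results["replaying clone"] = authenticate(backend, clone)  # faces the unused pair
    results["PUF tag, pairs used up"] = authenticate(backend, puf)
    return results


if __name__ == "__main__":
    print(demo())
```

The last result shows the operational cost of the PUF scheme: once the stored pairs are used up, even the genuine tag can no longer be authenticated, so the number of enrolled pairs bounds the number of checks.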

Different preventive security measures and their requirements are illustrated in Table 3.

Table 3. Summary of preventive security measures on EPC tags

| Security Measure | Tag Requirements | Back-End Requirements | Other Requirements |
|---|---|---|---|
| Access password | ACCESS password | Password verification | (none) |
| Unique TID number | Unique TID number | TID verification | (none) |
| Cryptographic tags | Cryptographic processor | Challenge-response protocol | (none) |
| Physical unclonable function | PUF | Challenge-response protocol | (none) |

2.3 Towards Reliable Detection of Cloned Tags

Tag cloning attacks can also be addressed by reliable detection of cloned tags. Different detection-based security measures exist and they vary in their complexity and in the cases where they can detect the cloned tags. They should be used when the basic measure is not considered secure enough. A theoretically optimal detection-based measure would trigger an alarm for 100% of cloned tags as soon as they enter the secured channel (detection rate) and for 0% of genuine tags (false-alarm rate). In practice, however, some uncertainty is always present in the system and there is a trade-off between the detection rate and the false-alarm rate. This means that the detection-based security measure triggers alarms for suspected cloned tags and a manual verification is needed to ascertain the origins of the product (based on other security features or the product’s natural features).

The aforementioned basic measure represents a white list of valid EPC numbers.

The first detection-based measure is to mark those EPC numbers on this white list that are

known to be invalid (“blacklist”), for example because the product has been sold, consumed, or delivered

to the end-user. One variant of this measure is allowing N first basic verifications to pass the

check, e.g. because it can be expected that the product is verified N times in the licit supply

chain, and after that marking the corresponding EPC as invalid. This variant is suitable for

static supply chains (N is constant) where the risk of counterfeiting is high. Overall, marking

invalid EPC numbers is a simple but effective measure since it limits the time span when

counterfeiters can use a copied EPC number to the time point when the EPC number

becomes invalid. The high-level protocol of this measure is the same as that of the basic

measure (Figure 6). This measure can be used with a very small marginal cost if the trace

data already tells which EPC numbers are invalid.
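
The basic measure (white list) and the marking of invalid EPC numbers, including the variant that lets only the first N verifications pass, can be sketched as one back-end class. This is an added example, not code from the BRIDGE project; the class and method names, the location strings and the sample EPCs are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample EPCs (not taken from the BRIDGE deliverables).
EPC_SOLD = "urn:epc:id:sgtin:0000001.000001.1001"
EPC_STATIC = "urn:epc:id:sgtin:0000001.000001.1002"
EPC_UNKNOWN = "urn:epc:id:sgtin:0000001.000001.9999"


@dataclass
class EpcRecord:
    valid: bool = True                 # False once the product has left the chain
    checks_left: Optional[int] = None  # None: no limit; int: the "N first checks" variant


class WhiteList:
    """Back-end list of EPC numbers issued by the brand owner."""

    def __init__(self) -> None:
        self._records: Dict[str, EpcRecord] = {}
        self.trace: List[Tuple[str, str, int, str]] = []  # (EPC, location, time, result)

    def issue(self, epc: str, max_checks: Optional[int] = None) -> None:
        if max_checks is not None and max_checks < 1:
            raise ValueError("N must be at least 1")
        self._records[epc] = EpcRecord(checks_left=max_checks)

    def mark_invalid(self, epc: str) -> None:
        """Called when e.g. point-of-sale data shows the product was sold."""
        if epc in self._records:
            self._records[epc].valid = False

    def verify(self, epc: str, location: str, time: int) -> str:
        """Phase III of Figure 6: answer 'y' or 'n' for a reported EPC."""
        record = self._records.get(epc)
        if record is None or not record.valid:
            result = "n"               # never issued, or already marked invalid
        else:
            result = "y"
            if record.checks_left is not None:
                record.checks_left -= 1
                if record.checks_left == 0:
                    record.valid = False   # the N-th check was the last licit one
        self.trace.append((epc, location, time, result))
        return result


def demo() -> List[str]:
    wl = WhiteList()
    wl.issue(EPC_SOLD)                  # invalidated later by point-of-sale data
    wl.issue(EPC_STATIC, max_checks=2)  # static chain: exactly two licit checks
    results = [
        wl.verify(EPC_SOLD, "distribution centre", 1),     # genuine, in transit
        wl.verify(EPC_UNKNOWN, "distribution centre", 2),  # invalid EPC (level II)
    ]
    wl.mark_invalid(EPC_SOLD)           # product sold at the point of sale
    results.append(wl.verify(EPC_SOLD, "retailer", 3))     # copied EPC shows up later
    results += [wl.verify(EPC_STATIC, "site %d" % i, 3 + i) for i in (1, 2, 3)]
    return results


if __name__ == "__main__":
    print(demo())
```

A copied EPC still passes for as long as the record is valid, which is the time window the paragraph above describes.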

The track and trace data can also be used to detect if a genuine tag and a cloned tag travel

simultaneously inside the supply chain. In other words, track and trace checks address

detection of cloned tags before the genuine product is known to have left the RFID system

and the EPC can be marked as invalid. These approaches should be used when the risk of

counterfeiting is high (cloned tags can enter the chain before the genuine tags are marked

invalid) or when marking invalid EPC numbers is not feasible due to lacking data (e.g. it is

not known when all tagged products are sold) or when there are dynamic changes in the

supply chain (the N-approach is not feasible). BRIDGE WP5 has developed two different

approaches for track and trace based checks, so called statistical approaches based on

machine-learning techniques and so called rules-based approach based on configurable

rules (see BRIDGE D5.4 for prototype description and D5.5 for thorough evaluation of these

approaches). Guidelines for choosing the right approach are provided below. Overall, cloned

tags can be detected in a reliable way from track and trace data that contains a chain of

shipped and received events, but some false alarms or missed events might be possible in

special cases such as missing reads. The advantage of track and trace checks is that no

additional interaction is needed between the reader and the tag.

• Statistical approach: Statistical track and trace analysis automates most of the

tasks needed to detect cloned tags from the track and trace data. The user’s main

task in statistical approaches is selecting a representative test data set (normal

traces) that captures the mechanisms of the underlying supply chain. The more

complex the supply chain and the more read errors there are, the more test data is

needed. In particular, the training data must not contain events generated by cloned

tags, which currently must be manually assured. In case there are changes in the

underlying supply chain, the system needs to be trained with a new set of training

data. Since statistical approaches can automatically detect the majority of missing read

events (approximately 80% in a simulator study, cf. BRIDGE D5.5), they are also

suitable in cases where read errors can be a problem.

• Rules-based approach: The main advantage of the rule-based anti-counterfeiting

approach is the possibility of leveraging existing industry- and company-specific anti-

counterfeiting knowledge by defining anti-counterfeiting rules. It is suitable in cases

where the company wants to protect its specific supply chain by defining conditions

that, once broken, give indication of counterfeiting activities. The included decision

support system supports the user in limiting false positive cases, since read errors or

missing reads might make specific rules trigger an alert (see also BRIDGE D5.5). The

rule-based anti-counterfeiting framework empowers the user with the ability to define

and try out different rules and thus it resembles a data mining tool for track and trace

data. Moreover, the alert information can be statistically analyzed in order to detect

supply-chain specific patterns of counterfeiting injections, for example.

[Figure 10 diagram: message sequence between Back-end, Reader and EPC Tag. Phase III: Verification: (4) EPC, <location>, <time>; (5) if product passes the trace check: result = y; else: result = n; (6) result (y,n).]

Figure 10. Authentication based on track and trace checks

If the tags have a small amount of rewritable user memory (e.g. 32 bits), it is also possible to detect when two tags with the same EPC enter the RFID system. This can be done with the so-called synchronized secrets method described in BRIDGE D5.4 and D5.5. This method requires a centralized back-end server that knows which synchronized secret (denoted s in Figure 11) is written on the tag. If a tag is cloned and the cloned tag is injected into the RFID system, the back-end will notice an outdated synchronized secret on a tag as soon as both the genuine tag and the cloned tag are scanned once again. As a result, a manual verification is needed to ascertain the origins of the two pinpointed products with the same EPC number. This approach is most suitable in cases where it is known when the products leave the RFID system (similar to marking invalid EPC numbers); otherwise a cloned tag can “hijack” the trace of a genuine tag that leaves the system and the system does not detect this. A high scan rate provides a high level of security (reliable and early detection of tag cloning attacks). If the scan rate is low, for example due to a high dwell time in a warehouse, there might be a long delay until the alarm is triggered. Therefore the synchronized secrets approach is not well suited to cases where this delay is probable and not acceptable, such as for life-saving drugs that are stored for long times in warehouses where the tags can be copied.

[Figure 11 diagram: message sequence between Back-end, Reader and EPC Tag, steps (4) to (13) of Phase III: Verification. Messages shown: read s_i; s_i; EPC, s_i; result, s_{i+1}; s_{i+1}; three acknowledgements. Processing steps shown: if s_i is correct: result = y; else: result = f; s_{i+1} = RND32; replace s_i with s_{i+1}.]

Figure 11. Authentication based on synchronized secrets protocol
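
The synchronized secrets protocol of Figure 11, simulated end to end to show when a cloned tag is detected, why both tags end up flagged, and the “hijack” case that goes unnoticed. This is an added example, not code from the BRIDGE project; the class and function names, the sample EPCs and the choice to commit the new secret only after the write is acknowledged are assumptions.

```python
import secrets
from typing import Dict, List, Optional, Set, Tuple

EPC_A = "urn:epc:id:sgtin:0000001.000003.3001"  # constructed sample EPCs
EPC_B = "urn:epc:id:sgtin:0000001.000003.3002"


class Tag:
    """EPC tag with 32 bits of rewritable user memory holding the secret s_i."""

    def __init__(self, epc: str, secret: int) -> None:
        self.epc, self.secret = epc, secret


class BackEnd:
    def __init__(self) -> None:
        self._current: Dict[str, int] = {}
        self._outdated: Dict[str, Set[int]] = {}
        self._pending: Dict[str, int] = {}
        self.alarms: List[Tuple[str, str, str]] = []  # (EPC, location, reason)

    def enroll(self, epc: str) -> int:
        """Draw the initial secret that is written on the tag at manufacture."""
        self._current[epc], self._outdated[epc] = secrets.randbits(32), set()
        return self._current[epc]

    def check(self, epc: str, s_i: int, location: str) -> Tuple[str, Optional[int]]:
        """Compare s_i with the stored secret, then draw s_{i+1} = RND32."""
        if epc not in self._current:
            self.alarms.append((epc, location, "unknown EPC"))
            return "n", None
        result = "y" if s_i == self._current[epc] else "n"
        if result == "n":
            reason = "outdated secret" if s_i in self._outdated[epc] else "wrong secret"
            self.alarms.append((epc, location, reason))
        s_next = secrets.randbits(32)
        while s_next == self._current[epc] or s_next in self._outdated[epc]:
            s_next = secrets.randbits(32)  # never reissue a secret for this EPC
        self._pending[epc] = s_next
        return result, s_next

    def acknowledge(self, epc: str) -> None:
        """Commit s_{i+1} only once the write to the tag has been acknowledged."""
        self._outdated[epc].add(self._current[epc])
        self._current[epc] = self._pending.pop(epc)


def scan(backend: BackEnd, tag: Tag, location: str, write_ok: bool = True) -> str:
    """The reader's part in Figure 11. write_ok=False models a failed tag write."""
    result, s_next = backend.check(tag.epc, tag.secret, location)
    if s_next is not None and write_ok:
        tag.secret = s_next              # replace s_i with s_{i+1}
        backend.acknowledge(tag.epc)
    return result


def demo() -> Tuple[List[str], List[Tuple[str, str, str]]]:
    be = BackEnd()
    genuine = Tag(EPC_A, be.enroll(EPC_A))
    results = [
        scan(be, genuine, "factory"),
        scan(be, genuine, "truck", write_ok=False),  # write fails, secret kept
        scan(be, genuine, "distribution centre"),    # so no false alarm here
    ]
    copy = Tag(genuine.epc, genuine.secret)          # clone incl. user memory
    results.append(scan(be, genuine, "wholesaler"))  # genuine moves on: y
    results.append(scan(be, copy, "retailer"))       # outdated secret: n
    results.append(scan(be, genuine, "pharmacy"))    # now outdated as well: n
    # "Hijack" case: the genuine product leaves the system right after copying.
    sold = Tag(EPC_B, be.enroll(EPC_B))
    copy_b = Tag(sold.epc, sold.secret)
    results.append(scan(be, copy_b, "retailer"))     # not detected: y
    return results, be.alarms


if __name__ == "__main__":
    print(demo())
```

Both alarms carry the same EPC, and nothing in the back-end says which of the two tags is the genuine one; that is the manual verification step the text calls for.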

The requirements of the different detective security measures are summarized in Table 4.

Table 4. Summary of detective security measures

| Security Measure | Tag Requirements | Back-End Requirements | Other Requirements |
|---|---|---|---|
| Mark invalid EPC numbers (blacklist) | (none) | Verification of EPC | POS data (or similar) |
| T&T data analysis | (none) | SSCM / Rules | T&T data |
| Synchronized secrets | 32-bit user memory | Synchronized secrets protocol | POS data (or similar) |

2.4 Towards Strong Tag-Product Integrity

Tag-product integrity counters tag removal and reapplying attacks. Guaranteeing tag-product integrity means guaranteeing that a tag is attached to the right product, and not to a counterfeit one. The respective attack is removal of a genuine tag from a genuine product or its packaging and reapplication of this tag onto a counterfeit product. This attack can be easy to execute if a tagged genuine product is available and tag-product integrity has not been addressed. From the point of view of the adversary, however, this attack is somewhat burdensome since it requires manual work, access to genuine tags, and needs to be repeated for each counterfeit article. Therefore it does not seem viable for large numbers of products and at the industrial scale that characterizes today’s problem of product counterfeiting. Rather, tag removal and reapplying is likely to be a problem with higher-price products where already small quantities can be profitable for a counterfeiter. In particular, if the tag copying attack is addressed with very strong preventive measures that the counterfeiters are aware of, such as cryptographic tags, an attack against tag-product integrity can be the cheapest and most attractive way for a counterfeiter to fool an authenticity check.

Sealing an RFID tag to a product’s packaging, or even to the product itself, is a straightforward way to improve tag-product integrity. The idea is to place the seal over the RFID label to reveal all attempts to remove or reapply a tag. A commercial security seal is illustrated in Figure 12. When allowed by the product’s form factor and esthetic requirements, an unbroken physical seal thus acts as a proof that the RFID label has been attached by the brand owner. In addition, tag removal inside a secured channel is revealed by a broken seal, which makes it possible to mark stolen tag ID numbers in a database. Tag sealing is especially well suited for case and pallet level tags in channels where the risk of tampering is elevated.

Figure 12. Example of a commercial security seal (www.tesa.com).

In the case of item level tagging, physical integration of tags to products provides various possibilities for guaranteeing tag-product integrity depending on the characteristics of the product itself. Figure 13 illustrates tag integration to a leather good and to a metal watch. In this example, the leather good tag is not securely integrated since it can be easily detected and removed, whereas the watch tag is securely integrated (i.e. it is hard for the adversary to perform a removal and reapplying attack owing to the specific engineering challenges of tag integration in this case). Regarding security, the goals of physical tag integration are to make the tag 1) hard to find by the counterfeiter, 2) hard to remove without breaking the tag and/or the product, and 3) hard to reapply to a counterfeit product in a seamless way. More information about secure tag integration can be found in EU-SToP D4.3 [33].

Figure 13. Physical tag integration provides different possibilities depending on the product [34]

To address tag removal and reapplying attack (as well as tag cloning) with low-cost tags,

there exists a logical way to bind an RFID transponder to a particular product [35]. This

security measure is based on writing on the tag memory a digital signature that combines the

tag identifier and some product specific features of the genuine product. These features can

be physical or chemical properties that identify the product and that can be verified, such as

very precise weight. Figure 14 illustrates this approach. The chosen feature is measured as a

part of the check and if the feature used in the tag’s signature does not match the measured

feature, the transponder-product pair is not original. The proposed authentication needs a

public key stored on an online database. Also an offline authentication is proposed by storing

the public key on the tag, though this decreases the level of security. In practice, finding a

suitable feature might be very challenging – and if the tag has one that can be reliably

measured, then the product authentication can be done directly based on this feature without

using RFID. Another disadvantage of this approach is that each unit has to be physically

verified as a part of authentication.

[Figure 14 diagram: message sequence between Back-end, Reader and EPC Tag. The featureValue of the tagged object is measured outside the RFID system. Phase III: Verification: (4) EPC, featureValue, <location>, <time>; (5) if featureValue is correct: result = y; else: result = n; (6) result (y,n).]

Figure 14. Authentication based on object-specific features

The requirements of tag-product integrity measures are summarized in Table 5.

Table 5. Summary of security measures for tag-product integrity

| Security Measure | Tag Requirements | Back-End Requirements | Other Requirements |
|---|---|---|---|
| Seal the tag | (none) | (none) | (none) |
| Physical tag integration | (none) | (none) | (none) |
| Logical tag integration | (none) | Verification of feature value | Measurement of feature value |

3 Supply Chain Locations for Product Authentication

This section presents guidelines for selecting the right supply chain locations for product authentication. The goal in choosing these locations is to maximize the chances of counterfeit products that enter the supply chain being verified. Selecting the right supply chain locations is crucial since it contributes directly to the achieved level of protection in practice (cf. Figure 2, page 9).

A list of possible supply chain locations for product authentication is presented below. These

locations are illustrated on a generic supply chain map in Figure 15. (According to the object

event vocabulary of the EPCIS 1.0.1 specification they represent discrete business locations

within the supply chain, but throughout this document we will refer to them simply as supply

chain locations). The resulting list is achieved by gathering and clustering different usage

scenarios of technical anti-counterfeiting measures and it is meant for decision makers for

clarifying as well as identifying the need of a technical solution. When implementing an RFID-based

anti-counterfeiting system, the supply chain locations where products are to be

authenticated need to be identified before the technical solution can be specified. This is due to the

fact that all security measures cannot be deployed in all usage scenarios, mostly owing to

the limited coverage of the assumed EPC infrastructure.

[Figure 15 diagram: generic supply chain map showing a licit supply chain and an illicit supply chain. Actors shown in both chains: Manufacturer, Distribution, Retailer, Consumer / End-User; Customs appears as 2 and 2’. Legend: actors with lawful intent; actors with illicit intent; flow of goods; potential entry of counterfeits. Use cases marked on the map: 1 Inside distribution; 2 Customs; 3 Incoming goods; 4 Goods on shelf; 5 Point of sales; 6 Consumer / End-user; 7 After-sales services; 8 Reverse logistics.]

Figure 15. Possible supply chain locations for product authentication

3.1 Different supply chain locations for product authentication

This subsection lists the different supply chain locations where product authentication can take place and discusses the pros and cons of the different usage scenarios.

1. Inside distribution: Counterfeit products can enter the licit supply chain in the

distribution level between manufacturing and retail. Counterfeits can appear either as

complete batches of faked goods or co-mingled with genuine goods. Authenticity

checks in the distribution level, e.g. in distribution centres, can help detecting these

counterfeits. Since logistic units (pallets, boxes, single goods) are identified using

Auto-ID inside the distribution level, the existing business processes provide an

opportunity to integrate authentication to processes where the products are currently

identified. In addition, since the products are handled usually in known lot sizes or

even one by one (e.g. luxury goods), the verified products do not need to be

separately counted to detect counterfeits that are not tagged. This is a major

advantage since this additional effort is thus not necessary. Another important

efficiency factor is the relatively small number of distributors, compared to the number

of retailers for instance; when all genuine products flow through a relatively small

number of supply chain locations, screening the whole population can be done with a

much smaller number of check locations. Furthermore, authenticity checks inside

distribution can detect the counterfeit products as soon as they enter the licit supply

chain, close to the illicit actors. This increases the chances of detecting and

successfully prosecuting the infringers. Regarding effectiveness, however, the

distribution level is not the optimal location for authenticity checks since counterfeit

products can enter the supply chain also after this level. Also, when the brand owner

or manufacturer does not have its own distributors but distribution is done by other companies

(i.e. external supply chain), active collaboration with the distributors is required.

Getting the required contribution from external distributors can be very challenging

since the distributor does not get any clear business benefits from the authenticity

checks. This can be especially problematic for small brand owners. As a partial

solution, past management research proposes that manufacturers can engender

cooperativeness of distributors by nurturing satisfaction and dependence in

manufacturer-dealer relationships [20]. In particular, senior management’s

commitment to supply chain security is needed in order to gain distributors’

assistance in fighting counterfeit trade [20].

2. Customs: Customs is responsible of most counterfeit seizures in the world and it is a

key stakeholder in any anti-counterfeiting strategy. Anti-counterfeiting and verification

of products is one of the key tasks of national customs organizations, though it is

usually not as important as collection of taxes and duties, national security, and

enforcement of free trade. Furthermore, customs is considered the best locations to

interfere also the illicit supply chain (Figure 15). This means that supporting customs

in anti-counterfeiting not only protects the licit supply chain from counterfeit products,

but it also affects the illicit supply chain having a broader effect on counterfeiters’

Page 25: Application Guidelines and Implementation Roadmap · 2012-01-25 · The implementation roadmap presents the available security measures for EPC-tagged products and provides guidance

BRIDGE – Building Radio frequency IDentification solutions for the Global Environment

business. Due to the complexity and size of the task, however, supporting customs

with a technical anti-counterfeiting solution is not straight forward. It is not feasible for

customs to adopt multiple devices to authenticate different kinds of products. Rather,

a standard solution that can handle different kinds of products is strongly preferred.

Such a standard, platform solution does not exist today and currently hundreds of

different product authentication solutions are being used, but integration of

authentication to Auto-ID technologies such as EPC/RFID has the potential to change

this. Since authentication of goods in customs is not coupled with processes where

the goods are identified but is sporadic and done in an ad hoc mode on

suspicious samples, a system that is able to authenticate one good at a time is

sufficient. In addition, customs need mobile or handheld RFID readers since

inspections are conducted not only in customs warehouses, but also on highways, in

companies’ warehouses etc. Sporadic checks of single samples help customs

identify counterfeit consignments faster and easier, but they are not the most effective

way to detect small quantities of counterfeits that are co-mingled among genuine

products. Last, a hundred percent confidence level in the result of the check is not

mandatory since customs can hold back the suspicious goods and ask the brand

owner to do additional checks since the brand owner has the final responsibility of

showing that seized goods are counterfeits.

3. Incoming goods: Authentication of incoming goods in the retail level is potentially a

very effective way to secure the licit supply chain. In general, retailers are in a critical

position to engage in countermeasures against product counterfeiting [19]. In our

generic supply chain model, the retail level comprises typical consumer good retailers

and other end-points such as pharmacies, hospitals, and small boutiques and

garages. These authenticity checks can be integrated to the process where incoming

goods are scanned in to the inventory before placing them to the back room or shop-

floor. If the incoming goods are subject to verifications in the existing process already,

such as expiry date verifications and order completeness verifications, an authenticity

check can potentially be integrated into the existing process

with a minimum overhead. A minimum overhead is also a requirement since the

process of scanning in incoming goods can be time-critical. Furthermore, since the lot

sizes of incoming goods are generally known, also detection of untagged counterfeit

products can be automated. In theory, the best and most secure final check point in a

supply chain is just before the goods reach the end-user or consumer (making

injection of fakes impossible after the last check point), but in practice incoming

goods in the retail level can be the last location where all goods can be easily

authenticated. If the integrity of inventory in the retail level can be guaranteed,

however, product authentication at incoming goods also guarantees the authenticity

of goods also at the point of sale or point of consumption. A critical factor regarding

the integrity of inventory is addressing internal threats by employees, for example the

possibility of replacing a genuine product by a counterfeit one. A downside with

authenticity checks in the retail level is that the counterfeit products are detected at a

relatively late point in the supply chain, which makes tracing the source of counterfeit

goods harder. Another downside is that more check points are needed than in the

upstream locations; supply chains branch as they go downstream and the number of

retailers is typically an order of magnitude higher than the number of distribution centers,

for instance. According to management research, the perceived seriousness of the

problem and internal acceptance of responsibility are the most important factors that

influence how willingly channel members assist manufacturers in anti-counterfeiting

[19]. Furthermore, management practices that induce higher satisfaction and

dependence, but lower conflict and control, will enhance a manufacturer’s ability to

gain the help of retailers [20].

4. Goods on shelf: Authenticity checks can secure the retail level also through

verification of goods on shelves, i.e. on the shop-floor. This can be done either with

the consent of the retailer, as an audit by the brand owner, or without the consent of

the retailer, as a mystery shopper. In theory, also normal consumers could perform

these checks if they were empowered with the needed technology and had the

incentive to use it. A prerequisite for these checks is that the verified products are

openly displayed, which restricts application of this scenario mostly to consumer

goods (one way to overcome this restriction, as well as the need of mystery

shoppers, is to do test purchases and authenticate the samples afterwards). Checks

of goods on shelves are sporadic and can be targeted to suspicious or high-risk

targets to increase their effectiveness. It is not likely that these checks can be done

as a part of other processes where the goods are verified or identified, and therefore

they represent additional effort and overhead. But this effort needs to be seriously

considered since, together with checks in customs, verification of goods on shelves is

the only way to interfere with the illicit supply chain (perhaps excluding infiltration of

private investigators among the illicit upstream actors). An RFID-based solution with a

large read range and a bulk reading mode suits this usage scenario especially well

since it enables quick and imperceptible verifications. In order to detect untagged

counterfeit items, however, the number of verified items needs to be counted

manually. In addition, since this check is conducted at a late stage of the supply chain,

tracking down the sources of detected counterfeit goods can be hard. The last

downside of this usage scenario is the big number of retail stores that need to be

covered.

5. Point of sales: Authenticating products at the point of sales or at the point of

consumption (e.g. a drug that is consumed in a hospital) secures the last link of the

licit supply chain. At this step products are already handled one by one and identified

with Auto-ID (e.g. to find out the price, or to verify the expiration date for

pharmaceuticals). These conditions can make the introduction of an additional

authenticity check very lean and minimize the overhead and additional effort of

product authentication. At the same time, introducing systematic authenticity checks

in the point of sales level is very challenging. Foremost, authenticating products in

front of the consumer, patient or end-user interferes with the customer relationship.

For example in the pharmaceutical industry this can cause trust problems between

the doctor or pharmacist and the patient, and in the luxury goods industry it can mean

breaking the romance of the buying experience. Therefore retailers in general do not

want to deal with product counterfeiting issues in front of their customers since it can

generate negative associations for customers who usually have not considered

previously that counterfeit products could appear in the retail level. The dilemma is

that these associations are perceived as negative, even though the authenticity checks

are conducted for the customers’ own good. There are also other factors that make

authenticity checks challenging in the point of sales level. They take place in a time-

critical process where additional delays are not welcome and they take place far from

the sources of counterfeits. Last, the vast number of possible point of sales locations

makes diffusion of the technology and process changes burdensome and probably

possible only with standards, mandates and/or regulations.

6. Consumer / End-user: In the long term technology vision also normal consumers

can interact with RFID-tagged smart products. As a result, they can also have the

possibility to authenticate tagged products. Technically this could be possible for

example by solving the interoperability problems between NFC and EPC technologies

[22] but also by using mobile phone cameras to read bar codes on the products to

give access to the RFID trace data. This would also require a gateway through

which anonymous or authorized consumers could access the product authentication

back-end application. Overcoming these challenges would potentially empower

masses of consumers with the ability to authenticate products in locations where

the brand owner cannot access otherwise, including secondary markets (e.g. flea

markets, C2C sales) and new geographic areas. Such community-based

authentication applications have already been proposed for mobile applications [21].

While consumers can refuse buying the counterfeits they detect and inform their

communities about the fakes, they lack the law enforcement lever to launch

responses against the infringers and thus should be supported by the brand owner. In

addition, in some cases consumers buy counterfeits intentionally, which limits this

scenario to those product categories where consumers have real incentives not to

buy a fake. The second part of this usage scenario is authentication of products that

are being used by the end-users. A prominent example of this scenario is

authentication of spare parts in the aerospace industry where counterfeiting does not

really affect the licit supply chain through which the genuine spare parts are

delivered, but the network of repair, maintenance and overhaul depots where the

spare parts are used. In this case the authenticity checks can be integrated to

existing processes where the spare parts are already identified with Auto-ID. In

general, missing tracing infrastructure or lack of data sharing limits the use of

detection-based authentication in this usage scenario, so prevention-based measures

might be preferred.

7. After-sales services: In some cases counterfeit goods can enter the licit supply

chain in after sales services when customers return goods that are already bought.

This can be a relevant scenario for example in the luxury goods industry where

products are used over long periods of time and sometimes they need to be

returned for repair, polishing or refurbishment. Even though authentication of

products in after-sales services does not prevent the harm from happening in the first

place – i.e. the consumer from getting a counterfeit product – it enables easy

detection of counterfeits in an early phase of the service. From the process point of

view authentication of these products is relatively easy since these products are

handled one by one and in small quantities, in the premises of the retailer or brand

owner (e.g. a luxury goods boutique). Owing to the interference with customer

relationship discussed in the point of sales scenario above, it might be preferable not

to authenticate these products in front of the customer but in the back room or service

level. This is also a preferable practice in those cases where the customers knowingly

bring counterfeit goods to after-sales services with the hope of getting them replaced

by genuine goods, since a face-to-face conflict with these fraudulent customers is

avoided. From the technical point of view, this usage scenario is made challenging by

the lack of complete trace data and by the fact that the process needs to handle also

non-tagged products, including those product categories that are not tagged as well

as older products that were not yet tagged. In addition, tracing the source of the

counterfeit products detected in this usage scenario can be very hard.

8. Reverse logistics: Similar to the after-sales services scenario, counterfeit products

can enter the licit supply chain also through reverse logistics of products that are

returned to the manufacturer under warranty. This can be a relevant scenario for

example in the This is particularly an issue with electronics, batteries, computer chips

and mechanical components or accessories, where manufacturers are seeing an

increase in counterfeit parts being returned to manufacturers under warranty and

claiming replacement. Many manufacturers are therefore having a problem

authenticating these items and, without appropriate technology and processes, have

found that they are forced to replace a fake item with a genuine item. In this case an

authenticity check can be integrated in the service process on the manufacturer’s

side. Compared to checks in the lowest levels of the supply chains, only a very small

number of checking locations is needed to secure this link. The downside of this usage

scenario is that it is very far from the source of counterfeits and the benefits are

limited to elimination of losses due to replaced or fixed counterfeit products.
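
The incoming-goods check of item 3 above (lot size known, so untagged items can be detected automatically), as an added example that is not part of the original deliverable. It assumes the retailer receives the list of shipped EPCs in advance and that the reader reports each tag's EPC together with its TID; the function name, the report fields and all sample values are constructed for illustration.

```python
"""Incoming-goods check: reconcile reader output with the announced lot.

Added illustration, not BRIDGE project code. Assumptions: the shipped EPCs
are announced in advance, and every read carries the tag's EPC and TID.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LotReport:
    accepted: list           # announced, answered by one chip, not blacklisted
    blacklisted: list        # EPCs found on the blacklist
    unexpected: list         # EPCs read but not announced for this delivery
    duplicated: list         # EPCs answered by more than one chip (several TIDs)
    missing: list            # EPCs announced but never read
    untagged_or_unread: int  # items in the lot that no tag accounts for

    @property
    def hold_for_inspection(self):
        """True when anything in the lot needs a manual check."""
        return bool(self.blacklisted or self.unexpected or self.duplicated
                    or self.missing or self.untagged_or_unread)


def check_incoming_lot(lot_size, announced_epcs, reads, blacklist):
    """Classify the EPCs of one delivery.

    lot_size       -- number of items ordered (known from the order)
    announced_epcs -- EPCs the sender says it shipped
    reads          -- iterable of (epc, tid) pairs from the reader
    blacklist      -- set of EPCs reported as compromised
    """
    announced = set(announced_epcs)

    # A bulk read reports the same tag many times, so collapse the reads
    # to the set of distinct chips (TIDs) seen for each EPC.
    tids_by_epc = defaultdict(set)
    for epc, tid in reads:
        tids_by_epc[epc].add(tid)

    report = LotReport([], [], [], [], [], 0)
    for epc in sorted(tids_by_epc):
        if epc in blacklist:
            report.blacklisted.append(epc)
        elif epc not in announced:
            report.unexpected.append(epc)
        elif len(tids_by_epc[epc]) > 1:
            report.duplicated.append(epc)
        else:
            report.accepted.append(epc)

    report.missing = sorted(announced - set(tids_by_epc))

    # Every distinct chip is one tagged item; whatever is left of the lot
    # carries no readable tag.
    tagged_items = sum(len(tids) for tids in tids_by_epc.values())
    report.untagged_or_unread = max(0, lot_size - tagged_items)
    return report


# Constructed sample data (not from the deliverable).
PREFIX = "urn:epc:id:sgtin:0614141.107346."
ANNOUNCED = [PREFIX + str(serial) for serial in range(1001, 1007)]
BLACKLIST = {PREFIX + "1004"}
READS = [
    (PREFIX + "1001", "TID-A1"),
    (PREFIX + "1001", "TID-A1"),   # same tag reported twice by the reader
    (PREFIX + "1002", "TID-A2"),
    (PREFIX + "1003", "TID-A3"),
    (PREFIX + "1003", "TID-B9"),   # second chip carrying the same EPC
    (PREFIX + "1004", "TID-A4"),   # blacklisted EPC
]


def demo_report():
    """Run the check on the constructed six-item lot."""
    return check_incoming_lot(6, ANNOUNCED, READS, BLACKLIST)


if __name__ == "__main__":
    result = demo_report()
    print(result)
    print("hold for inspection:", result.hold_for_inspection)
```

A non-zero `untagged_or_unread` count can also come from read failures, so the result is a reason to hold the lot for a manual check rather than proof of counterfeiting.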

3.2 Feasibility of different security measures

Since not all RFID-based product authentication methods can be applied in a secure way in

all supply chain locations, selection of the wanted usage scenarios has an effect on the

possible security measures. Table 2 presents the conceptual limitations of the considered

product authentication approaches in the listed usage scenarios. Foremost, the detection-

based approaches have limitations or cannot be securely applied after the genuine products

leave the supply chain and are no longer traced.

Table 6. Conceptual feasibility of RFID-based product authentication measures in different supply chain locations (see Section 2 and BRIDGE D5.4 for technical details).

Supply Chain Location Basic Blacklist T&T Sync. Sec. Password, TID, Crypto, PUF
1 Inside distribution OK OK OK OK OK
2 Customs OK OK OK OK OK
3 Incoming goods OK OK OK OK OK
4 Goods on shelf OK OK OK OK OK
5 Point of sales OK OK OK OK OK
6 Consumer / End-user OK Limited* Limited** No*** OK****
7 After-sales services OK OK
8 Reverse logistics OK OK

* Limited: in addition to copied tags, also the genuine tag will raise an alarm after the ID number is in the blacklist
** Limited: cloned tags cannot be reliably detected once the product is no longer traced
*** No: products that have left the distribution channel must be marked in order to avoid identity hijacking
**** Password approach can be made available only to trustworthy parties since the verifier learns the secret

4 Anti-Counterfeiting Project Life Cycle

This section focuses on the development of a generic project life cycle model for the

adoption of RFID-based anti-counterfeiting solutions. It shall serve companies that are

affected by counterfeiting as a manual for deploying RFID and track-and-trace based

anti-counterfeiting solutions. This section will not focus on all aspects of project

management, but on RFID- and anti-counterfeiting-specific aspects. Thereby, this deliverable

assumes that the company has not yet implemented RFID, but that it has made first

experiences with the technology by conducting laboratory trials and trainings.

4.1 Selection of a Project Life Cycle Model

Numerous approaches towards the project life cycle can be found in literature. For projects of

different sizes and purposes, there exist multiple models to fit to the very different

requirements. In order to create comprehensive application guidelines, this deliverable

focuses on a generic approach rather than on a specific phase model. This generic model is

developed based on de facto project management standards like the Project Management

Body of Knowledge (PMBOK), the IPMA Competences Baseline (ICB) [7], and Projects in

Controlled Environments (PRINCE2) [5]. In concordance with these standards, the following

four generic phases are used for the project life cycle.

Figure 16: Project Life Cycle (phases shown: Initiation Phase, Planning Phase, Implementation Phase, Closing Phase)

Companies adopting the prototype can map the activities of these phases to their own model

in order to adapt the application guidelines to their special needs. Furthermore, this

deliverable will have a special focus on the ongoing activities, which include operation,

maintenance, and countermeasures against new counterfeiting methods. These influence

RFID within the four process steps, including the closing, operations and maintenance

phase, which will be described in the following sub-sections.

4.2 Initiation phase

4.2.1 Purpose of the Initiation phase

The initiation phase is the first step in the project life-cycle. The goal of this phase is the

definition and authorization of the project. Thereby, a project team analyses the underlying

problems, the goals, the feasibility, the requirements, and the costs and benefits of the

project. This phase is concluded by a preliminary go or no-go decision.

4.2.2 Problem Analysis

One of the first things to do when starting an anti-counterfeiting project is to analyze the

underlying problem. Different aspects of the problem need to be regarded: besides monetary

aspects, there are security and image aspects. While the direct monetary damage of

counterfeiting is huge for one company, this monetary damage is rather minor for others.

Nevertheless, these companies may want to start anti-counterfeiting, because a bad impact on

their image caused by counterfeits can result in a major loss of potential customers. Also,

companies in industries with high security requirements may want to fight

counterfeiting for reasons that are not only monetary. An aviation company, for example, can

significantly lose customers’ trust, if one of its airplanes crashes due to a counterfeit spare

part used to repair the plane. Therefore, monetary analysis/reasons are good instruments,

but not always suitable for deciding whether to engage in anti-counterfeiting or not.

Furthermore, it is very difficult to calculate the monetary damage of counterfeits. On the one

hand, gathering the correct information is almost impossible and, on the other hand, many

assumptions must be made. For example, would someone who buys a 20 € counterfeit also

buy the genuine product for 500 € instead? In addition, it is very difficult to calculate the

share of counterfeits sold with genuine products [12]. Therefore, also other indicators for

analyzing the problem of counterfeiting must be found. As described in the EU-SToP⁴ D1.4,

the following list provides an overview of important indicators [13]:

• Products with high sales volumes are more interesting for counterfeiters due to the

fact that these products are widespread. This means that on the one hand

counterfeiters know these products better than less known products, and that there

are more potential customers for buying the counterfeits on the other hand.

• Profitability for counterfeiters is an important prerequisite. Due to the fact that

counterfeiters save the research, development, design, and marketing costs the

counterfeiter’s margin can be calculated as the difference between a product’s gross

profit margin (which does not include indirect expenditures like marketing and R&D),

and the operating profit margin. The higher this margin is, the more attractive is the

product to the counterfeiter.

4 Stop Tampering of Products

• The easier it is to imitate a product’s visual quality, the cheaper it is for the

counterfeiter to duplicate the product. Therefore, the ease of duplication

characterizes the counterfeiter’s estimated investment in production facilities and

represents an entry barrier for the illicit business. However, also complex products

can be targeted by counterfeiters.

• The demand for fakes is another important driver for counterfeiters. The higher the

demand for fakes is, the easier it is to sell counterfeits, because there is no need to

fool the buyers. The demand for counterfeits can exist when the genuine product is

not available due to delivery problems, regulations, or higher prices.

• If a product already has a counterfeiting history, it is very likely that it will also be

counterfeited in the future. In order to estimate the extent, different illicit channels,

such as the Internet or flea markets, can be checked for suspicious products.

Cooperation with customs organizations can also be very helpful to gain knowledge,

such as about the number of seized goods.

Moreover, the problem analysis includes the following counterfeiting characteristics:

• Is there deceptive counterfeiting? If yes, a technical solution can be valuable in case the

authenticity of the product shall be checked. Deceptive counterfeits are sold at prices

close to those of genuine products. Hence, the risk of deceptive counterfeiting is high

and companies should address the problem of counterfeiting (see also BRIDGE D5.2

Requirements Analysis Report).

• Are counterfeit products imported to the European Union? If yes, a technical

solution can be valuable, for example, customs authorities can also check the

authenticity of the products (see also BRIDGE D5.2 Requirements Analysis Report).

• Are there counterfeit products in the licit supply chain, mixed with genuine products? If yes, a technical solution can be valuable in order to detect these

shipments with mixed merchandise.

The following table can be used in order to quantify the problem. The different indicators

described above are weighted and quantified for each product. Therewith, it is possible to

estimate the extent of the problem and to compare the different products.

Table 7: Decision making tool for evaluating the overall risk of counterfeiting

 | Weight | Product X | Product Y | Product Z
Counterfeiting and grey market history | 15% | 5 | … | …
Sales volume of the genuine product | 20% | 6 | |
Risk to consumers due to counterfeiting | 15% | 9 | |
Direct loss of future sales due to counterfeiting | 10% | 4 | |
Demand for counterfeits | 10% | 3 | |
Profitability for counterfeiters | 20% | 6 | |
Ease of duplication | 10% | 6 | |
Overall risk of counterfeiting | 100% | 5.80 | 6.10 | 4.20

In order to protect the licit supply chain from counterfeit injections, Section 3 lists

recommended locations where to check the products within the supply chain. Besides the

counterfeiting aspects mentioned in the lists above, a company-internal analysis of the

counterfeiting situation in the licit supply chain will support the brand owner to define where

to check within the supply chain and to opt for an adequate anti-counterfeiting solution, e.g.

a technical solution based on RFID and track-and-trace technology. By choosing the

“right” locations, the brand owner can maximize the chances to check counterfeit products

that enter the licit supply chain. As stated in Section 3, selecting the right supply chain

locations is crucial since it contributes directly to the achieved level of protection in practice

(cf. Figure 2 and Figure 15).

As a start of the process and as one part of the problem analysis, the above introduced

decision making tool (Table 7) can be applied. If the problem analysis indicates that there is

a need for action, adequate methods need to be chosen to proceed against counterfeiting.

Since BRIDGE WP5 focuses on the RFID technology, the following subsections will only deal

with the adoption of EPC/RFID based approaches.

4.2.3 Project Team

The project team is one important success factor for an RFID-project. Due to the high

integration of many different fields, multidisciplinary expertise is needed. Therefore, the skill

set of the project team should reflect a mixture of these different fields including

manufacturing, logistics, operations, engineering, warehouse management, business

process reengineering, and information technology [1]. If this knowledge is not available

within the company, training sessions and/or external consultants are needed.

Figure 17: Example for an RFID project team [6]

Usually, the project team is divided into a core and an extended team. Figure 17 shows an

exemplary core project team. While the core team consists of full time employees, the

extended team includes personnel who are connected to the RFID-project. It is also

possible to integrate external experts, partners, and technology providers into the extended

team. Their expertise, however, should only be consulted if necessary. Typically, the

members of the extended team are experienced in the fields of quality management, IT,

organization, sales, marketing, HR, law and R&D. In contrast to the core team, the extended

team bears no responsibility for the success of the project. The following project roles should

be considered within the core team:

• Project Leader: The project leader needs to unite technical expertise as well as

process knowledge, in order to communicate in a competent manner with technical

and business experts. Furthermore, experience in the management of large-scale

projects is desirable.

• Change manager: The change manager should have good communication skills and

experience in process reengineering and optimization. His tasks are to anticipate,

document, and monitor the upcoming organizational changes in order to avoid

undesired side-effects.

• RFID manager: An RFID manager needs to have knowledge about the RFID

hardware. Furthermore, he should know which hardware to choose and how to

implement this hardware. He is responsible for the site survey and the

implementation of the hardware.

• Application lead: The application lead needs to have a broad IT knowledge.

Furthermore, he needs experience with the required software application and

underlying data. He will lead the integration of the RFID solution into the current IT

infrastructure.

• Process manager: The process manager is an expert in supply chain management.

He should know and understand the processes within the company well. He is

responsible for the adoption of the business processes. Furthermore, he is the central

expert for anti-counterfeiting.

Anti-counterfeiting is only one of numerous business applications being enabled by an

extended RFID and track-and-trace platform. According to industry interviews, companies

would invest into an RFID and track-and-trace infrastructure (especially on item-level) for

multiple beneficial applications, inter alia anti-counterfeiting. Hence, besides the process

manager, who is the responsible expert for the anti-counterfeiting application, other experts

or teams of experts, responsible for other business applications, are needed. This fact has

an additional influence on the RFID project team.

4.2.4 Definition of Project Scope

Defining the project scope is very important for RFID projects due to the fact that a clear

scope can have various positive effects on the success of a project [38, p. 455]. On the one

hand, clear goals can reduce unrealistic expectations towards the RFID-technology, and on

the other hand they can increase the acceptance amongst stakeholders. By stressing the

importance of the project within the project scope, users, employees, customers, and

partners can easily understand the purpose and the meaning of the project. During the

project, the focus must be kept on the scope in order to stick to clear budgets and

timeframes [7]. Due to the fact that the RFID-technology offers innumerable application

possibilities, an RFID-project bears the risk of losing focus by covering too many different

topics. Therefore, it is very important to set and stick to SMART (specific, measurable,

achievable, relevant and time bound) goals [10]. As a next step, a feasibility study needs to

be conducted in order to check the achievability.

4.2.5 Feasibility Study

The feasibility study needs to clarify if the project can be realized or not. Therefore, it has to

answer major key questions which are inter-connected with the success of the project. With

the answers at hand, the study has to analyze if the goals can still be met. If not, the project

either needs to be stopped or the scope needs to be redefined. In the following, a list is

provided with RFID-specific aspects which need to be regarded in the study. This list should

not be seen as a complete list, but rather as a list of important points. For each project and

each company, there can be additional questions which are not regarded here:

Product

• Which products need to be tagged? This is a strategic decision about the scope of

the project, and it should be done based on the problem analysis (cf. subsection

4.2.2).

• Can the chosen products be tagged with EPC tags and on item-level? All possible

problems with metals, liquids, digital goods and raw materials like chemicals, or

tagging possibilities have to be clarified.

• Where and how can the tags be attached to the products? Can the requirements of a

secure integration be fulfilled? Are the manufacturing and packaging process

changes feasible?

• If not all products can be tagged, is it feasible to run several systems parallel in order

to handle untagged items? Are the company and its supply chain partners able to

handle the increased complexity of multiple systems?

Suppliers and Partners


• Which suppliers, distributors, retailers, and other supply chain partners need to be

involved in the RFID roll-out?

• Are the supply chain partners willing to adopt the RFID system? How can they be

convinced?

• Are the supply chain partners willing to share the needed data?

• Are there any suppliers or partners who already use RFID? Can knowledge be

transferred to the company or can the company benefit in other ways from it?

Technical

• What is the needed reader network?

• What is the expected data volume and required infrastructure to handle it?

• To what extent is the company able to equip its sites with the technical infrastructure

or are there technical restrictions (e.g. no broadband Internet connection on site,

machines which are affected by radio waves of the readers)?

• Can the reader device provide reliable read rates or will external circumstances

prevent the company from getting reliable reads?

• Does the company have enough knowledge to realize the project and to maintain the

infrastructure afterwards, or does the company need to pay external experts?

Anti-counterfeiting measures

• Which security measures are feasible?

• What is the required level of protection? How much money and effort can be

allocated to protect one product?

• Which anti-counterfeiting solution suits best for the company? E.g., is trace data

available? Are the traces complete? How good is the read accuracy? Is the trace data

timely or does it come with delays? Table 5 provides a conceptual feasibility of RFID-

based product authentication measures in different supply chain locations (see

Section 2 and BRIDGE D5.4 for technical details).

Legal

• Are there any legal restrictions towards hardware, software or private concerns in the

operating countries?

Financial


• Is there a budget for the planned expenditures (starting investment and operating

costs)?

By giving answers to these questions, the feasibility study highlights positive and negative

aspects, as well as alternative options and possibilities. Furthermore, it has to summarize

possible risks and critical steps in order to increase the probability of success [9]. If the

project is considered feasible, the monetary aspects also need to be reviewed.

4.2.6 Cost-benefit analysis

A cost-benefit analysis is a good instrument for evaluating the project’s potential beforehand.

As described in the BRIDGE D5.3 deliverable, costs need to be distinguished into one-time

set-up, and variable costs [11]. While one-time set-up costs cover software, hardware,

consulting, planning and other project related costs, the variable costs comprise all operation

and maintenance cost, such as costs for inspections, RFID tags and costs for reaction

measures towards findings of counterfeit goods. The latter must be regarded very carefully

since the technical solution will increase the number of revealed counterfeits and therewith

the costs for these reaction measures. In order to get a clear and correct picture, it is

important to include all related costs and benefits in a correct manner. This subsection

presents a list of cost and benefit factors which need to be regarded in a project.

One-Time Costs

• Consulting and planning costs occur when third parties are engaged in the

adoption project. Especially when the company lacks know-how, third party

knowledge needs to be purchased.

• Hardware expenses include all costs for RFID-readers, work stations, servers,

RFID-printers and network infrastructure.

• Software expenses include all licenses needed for work stations, servers and RFID-

middleware.

• System integration costs are costs for the installation and configuration of hard-

and software including reader installation, EPCIS and EPCDS server installation as

well as the integration of the system into the current IT infrastructure.

• Production line changes might be necessary to enable product tagging in the

manufacturing site.

• Costs for the internal project team cover all expenses for internal personnel within

the adoption project.

• The initial EPCglobal subscription fee needs to be paid at the beginning of the

subscription. The amount depends on the company’s turnover and the operating

country.


Variable Costs

• Costs for RFID-tags are a major cost driver, due to the fact that every item needs to

be tagged. Depending on which kind of tag is used, these costs can vary from a few

cents to multiple Euros. The average price of a low cost RFID inlay is less than 10

cents. Prices are expected to drop further.

• Costs for tag integration comprise the costs for integration of tags into the product

including variable material and labor costs.

• Maintenance costs (reader, server, etc) refer to costs for maintaining the

infrastructure including soft- and hardware. These maintenance costs are estimated

at about 10-15% of the initial investment [14].

• EPCglobal annual fee has to be paid by EPCglobal subscribers each year. The

amount depends on the company’s turnover and operating country.

• The Inspection team consists of employees monitoring the supply chain. The

maintenance of the prototype (including the creation of new rules) and the

investigation of suspicious products are their major tasks.

• Training is needed to teach on-site personnel how to handle suspicious products and

how to interact with the reaction team. It is also needed to give an understanding of

the new system to the employees.

• Travel expenses occur when the inspection team has to travel to different locations

in order to perform investigations.

• Test purchases are needed to locate counterfeits and illegal distribution channels in

the market.

• Reaction costs are caused by counterfeits found in the supply chain. In order to

prevent counterfeits from entering the supply chain in the future, law cases must be

opened and possible entries for counterfeits must be closed.

Other categories

• The up-front investment costs contain setup costs for hardware, software and

service expenditures. These costs must be depreciated over the complete

investment’s lifetime.

• In order to calculate the present value of the investment, the discount rate for future

cash flows needs to be anticipated. Thereby, the discount rate represents the

company’s costs of capital. For small and growing companies, this rate is most likely

to be higher than for large and mature companies.

A more detailed description can be found in the BRIDGE D5.3 Business Case deliverable.


Quantifying the financial benefits of an anti-counterfeiting solution is very difficult due to the

fact that the outcomes of such a solution are characterized by a complex chain of effects

(see Figure 18). Investing money into an ACF system will increase the level of security (1)

towards the threat of counterfeiting (2). By increasing this level the counterfeiters will be

faced with the threat of detection. Furthermore, their profit will decrease (3) forcing some of

them to withdraw from the market. As a result, the number of counterfeit injections will be

reduced (5), while the detection rate will increase (4). This leads to a lower number of

successful injections, which will then result in possible financial benefits consisting of lower

losses of sales, increased goodwill and brand value, and increased customer safety.

Putting a price to these factors beforehand is very difficult. Therefore, estimating the benefit

of different ACF solutions can optimally be done by comparing their level of security,

because a higher level of security will lead to more financial benefits. A guide on how to

estimate the level of security for a certain solution can be found in the BRIDGE D5.3.

[Figure 18 diagram labels: Cost; Technology ($); Level of security (S); Adversary (A); Non realized threats (B); Financial benefits ($); Benefit; links numbered 1 to 6]

Figure 18: Cost benefit model of investment in security

Besides the business application of anti-counterfeiting, RFID enables a variety of additional

business applications. Figure 19 illustrates the work package structure of the BRIDGE

project and the business applications researched within BRIDGE (framed). Anti-

counterfeiting is only one of numerous business applications of an extended RFID and track-

and-trace network. Hence, while the costs arise only once, the benefits are abundant.


[Figure 19 diagram labels: cluster headings Technical Development Clusters, Business Development Clusters and Horizontal Activities; work packages WP1: Hardware Development, WP2: Serial-Level Lookup Service, WP3: Serial-Level Supply Chain Control, WP4: Security, WP12: Training Platform, Courseware & Certification, WP13: Dissemination & Adoption Tools]

Figure 19: Exemplary RFID enabled Business Applications

These application guidelines are written for the purpose of anti-counterfeiting; however, most

of the non-anti-counterfeiting aspects hold true also for other business applications.

4.3 Planning phase

4.3.1 Purpose of the Planning Phase

The planning phase is the second phase in the project life cycle. The goal of the planning

phase is to create a plan for the execution phase and to analyze the company’s requirements

towards the RFID-system. The main activities in this phase are the anticipation and

documentation of upcoming changes, the stakeholder analysis, the selection of hardware

and software and the development of an RFID system design by conducting a site survey.

4.3.2 Organizational and Process Changes

In order to adopt RFID and an anti-counterfeiting solution, it is crucial to know the existing

environment including organizational and technical infrastructure [3]. This knowledge saves

time and prevents interruptions in the implementation phase. On the one hand this includes a

site survey which is discussed in subsection 4.3.3 and on the other hand this includes the

anticipation of organizational and process changes in order to enable a successful change

management. An RFID-project comes along with a lot of side-effects which need to be

investigated beforehand. If these changes are desirable, people have to be trained and

informed accordingly in order to enable them to cope with the changed environment. If these

changes are not desirable, countermeasures have to be implemented. Thereby, it is

essential to understand that RFID is not only an IT issue, but an issue which has a strong

impact on all divisions and therefore on the existing organizational structure and processes.

Thus, it is important that managers understand the current environment before planning the

required changes. An RFID-adoption which is not planned thoroughly can have a negative


impact on the business [8]. Therefore, the organizational structure and the processes as well

as the changes and their impact on employees and the organizational structure have to be

described carefully.

4.3.3 Site Survey

The goal of the site survey is to develop an RFID-system design [17]. This includes the

assessment of possible hardware and software, a plan how to integrate the system into the

current infrastructure, and a plan where to set up the different readers and servers. In order

to create this system design, an on-site investigation is indispensable. Thereby, the physical

infrastructure and the radio frequency environment are the most important aspects. In order

to successfully execute such a site survey a standardized procedure can be helpful (see

Figure 20).

Plan Blueprints: Visualize the site infrastructure by creating a blueprint

Inspect the Site: Inspect the site and make observations for the physical and electrical analysis

Determine Reader Location: Perform analysis and determine the reader location

Document Results: Document the results within the blueprints

Figure 20: Site Survey Process [17]

Before conducting a site survey, it is advisable to create a blueprint of the site. A blueprint is

a plan which visualizes the architecture and the engineering design. On the basis of this

blueprint, the site can be inspected in order to identify possible issues, such as metals or

machines interfering with the radio waves. As a next step, physical and electrical analyses

need to be performed in order to find appropriate locations for the readers and antennas. The

importance of these locations should not be underestimated, because only a good system

design can prevent counterfeiters from injecting counterfeits into the supply chain. In order to

avoid these injections, a high granularity and a good read rate are needed. Granularity,

hereby, means that there are not only readers at the entrance and exit of the site, but also

between different production steps. As a result, products can be checked more often and in

earlier stages of the supply chain. On the one hand this leads to a faster detection of

counterfeits, and on the other hand injections can be retraced more easily and more exactly. In


addition to the granularity, a good read accuracy is needed to increase the quality of the

data. The read accuracy can be assured by conducting an electrical analysis. The aim of this

analysis is to find a reader location where no ambient electromagnetic noise is interfering

with the reader and antennas [18]. The better the read accuracy, the less effort is needed to

manually scan items which were not recognized by the reader. Furthermore, a good read

accuracy will result in a complete product trace, which will increase the efficiency of the

different prototypes and decrease the false alarms due to incorrect data. Concluding the

analyses, the identified locations are marked in the blueprint, and the results are documented

for later use.

4.3.4 Selection of Hardware and Software

Selecting proper hardware and software is an important task in the RFID adoption process.

Before buying the equipment, basic knowledge about the different systems and vendors has

to be obtained. A good way of doing so is to study available articles and papers including

lists of major RFID-vendors (footnote 5). Especially important is the use of standards, due to the fact that

interoperability needs to be ensured along the whole supply chain. Without data interchange

with other organizations, it will not be possible to gather a complete trace for the solution.

Since this deliverable is created within the BRIDGE project, EPCglobal standards are used to

ensure the required interoperability. However, the use of standards should be discussed with

all supply chain partners beforehand. Table 8 shows the required hardware and software for

an RFID-implementation.

Table 8: Required hardware and software

Hardware: Tags; RFID-Reader; RFID-Printer; Servers and workstations; Network: Servers, Routers, Cables

Software: EPCglobal middleware; EPCIS; EPCDS; Anti-counterfeiting software

4.3.5 Stakeholder Analysis

Stakeholders are of special importance within an RFID-project, because they can have a

critical influence on the success of the project. Therefore, all stakeholders have to be listed

and described carefully in their expectations, conflict potential, function, information needs,

and bargaining power/influence [15]. Stakeholders can be individuals or organizations who

are either involved in the project or whose interest is positively or negatively inter-connected

with the project’s execution [2].

5 A comprehensive and up-to-date list of vendors can be found on www.rfidjournal.com


Table 9: Exemplary Table of Stakeholders

Stakeholder | Expectation | Function | Information need | Conflict potential | Influence

Employee 1 | To be kept informed about the project | CIO | High | Low | High

Project Team | | | High | Low | High

End Users | To be kept informed about project activities that will affect them | Users | High | Medium | Low

Supplier A | Increase ROI | Minor Supplier | High | Low | Low

Supplier B | Reduction of Impact for Supplier B | Main Supplier | High | High | High

NGO 1 | Publish which kind of customer data is gathered | Consumer Protection Organization | Low | High | Low

Consumer | Not to be affected negatively by the project. Reduction of counterfeits in the market | Customer | Medium | Low | Low

Table 9 shows an exemplary list of stakeholders with all the information mentioned above.

According to the PMBOK, the following stakeholder groups should be investigated in order to

identify all possible stakeholders:

Figure 21: Stakeholder groups [2]

As Figure 21 illustrates, stakeholders can be divided into key and additional stakeholders.

While the four key stakeholders exist in every project, additional stakeholders may vary from

project to project. Therefore, the stakeholder analysis must be performed very carefully. In


contrast to the PMBOK’s classification, suppliers and other supply chain partners must be

seen as key stakeholders in this special anti-counterfeiting project. In order to run the

prototypes with maximum efficiency, the entire trace data must be available. This can only be

achieved if the supply chain partners are willing to share this data. Thus, good relationships

and good stakeholder management for these stakeholders are indispensable. Due to very

different objectives of each stakeholder, managing the expectations is the most challenging

part. In case of conflicts among stakeholders, a solution which is in favor of the customer

should be chosen. A matrix can help to visualize and identify potential supporters and

opponents. Figure 22 shows such an exemplary matrix with six different stakeholders (A to

F).

Figure 22: Exemplary Stakeholder Matrix

While the two axes show the trading volume and the willingness to share data, the bubble

size indicates the need of information. The bigger the bubble, the more information is

required by the stakeholders. Different colors are used to distinguish between key and

additional stakeholders. While the stakeholders in the lower left corner are mostly negligible,

the stakeholders in the upper right corner are the most critical ones. Very close observation

and reaction measures need to be conducted for them.

4.4 Implementation phase

4.4.1 Purpose of the Implementation Phase

The Implementation phase is the third step in the project life cycle. The activities of this

phase are the deployment of the system, and the implementation of the organizational

changes planned in the phases before. In order to avoid confusion in the daily business it is

recommended to run a pilot system before conducting the full-scale implementation. The

goal of the implementation phase is to create a properly tested and working system for which

training material and documentations are available.


4.4.2 Pilot Study

In many cases it is recommended to conduct a pilot study. The goal of this study is to get

experience with the system in a real production environment and to verify the findings of the

initiation and planning phase [4]. The first thing to do when conducting such a study is to

choose a site where to implement the pilot. A smaller location should be chosen where the

implementation or even a failure of the project would not lead to a major disturbance of the

daily business. Depending on the size of the implementation project, a pilot study is carried

out in about 2-6 months. The most important activities in the pilot phase are to attain the

desired read accuracy and to verify the correct reader locations in combination with the

corresponding business processes. Furthermore, it is important to check the system’s ability

to work properly under full load operation. By testing different reader-configurations, the read

rate and the scanning and tagging speed can be increased. While running the tests, the

hardware infrastructure and especially the network should be carefully monitored in order to

identify possible bottlenecks. In the course of time, the employees will become more familiar

with the system, which will lead to a significant increase in efficiency. When the system is

running suitably, the detection rate of the chosen anti-counterfeiting solution can be

measured by injecting suspicious products into the supply chain. Afterwards, the planning

documents can be adjusted according to the findings of the pilot study, concluded by a

company-wide full scale implementation.

4.4.3 Administrative and Organizational Requirements and Changes

While implementing the RFID-based anti-counterfeiting solution, different administrative and

organizational changes will occur within the company. It is important to carefully monitor

these alterations in the implementation phase in order to prevent undesired side-effects,

such as a change in the power structure. Most of these changes should already be

documented in the planning phase. However, some of them can still be unforeseen and

therefore a pro-active change management is indispensable.

The biggest change in the organizational structure is the establishment of an anti-

counterfeiting taskforce. This taskforce is a cross-functional team which continuously deals

with anti-counterfeiting. Its tasks are to maintain and utilize the ACF solution and to initiate

adequate measures against seized counterfeits. The team, therefore, needs to be integrated

into the organizational structure. Its existence and its competences must be communicated

clearly to the employees at the different sites and departments in order to avoid confusion.

While the RFID implementation is in progress, the team members have to create a procedure

strategy towards seized goods. Furthermore, communication channels to internal and

external parties must be established. In order to get an overall picture of the counterfeiting

situation within the company, it is important to talk to the different departments. Hereby, the

cooperation with the legal department is of special importance, since this department will


take legal actions based on the investigation of the anti-counterfeiting team. A close

cooperation with external parties, such as the government, customs and supply chain

partners can also be very helpful.

The goal in the implementation phase for the anti-counterfeiting team is to gain the required

knowledge. The aim can be achieved by conducting training sessions on the one hand and

by getting familiar with the systems and applications, and by discussing counterfeit issues

with the different departments on the other hand. The skill set of the team should, therefore,

comprise technical expertise as well as business knowledge.

4.4.4 Technical Requirements and Changes

An RFID-project will have major implications on the technical infrastructure including the

installation of RFID-readers, the setup of new servers and workstations, and the adaption of

the network infrastructure. Usually, an upgrade of the network is necessary due to

a higher data volume. For instance, when Metro introduced its RFID system, they concluded

that 25 gigabytes of data will be generated every minute by their RFID-readers, assuming 10

kilobytes per scanning event and 40000 events per second [16]. This huge amount of data

needs to be transferred via the network to different servers and applications. Therefore, the

network should be adapted and carefully monitored, in order to prevent a slowdown of other

data transfers.

Each plant or warehouse location needs to be equipped with RFID-reader and printer

devices. This is necessary for exchanging broken tags and for tagging products from

manufacturers and retailers delivering their goods without RFID-tags.

Furthermore, each site has to be either equipped or connected with an EPCIS to store the

captured observation events. The chosen system then accesses the EPCISs via a central

Discovery Service which also runs on a distinct server. In order to integrate the infrastructure

into the current IT-environment, several interfaces need to be implemented.

4.5 Closing phase

The closing phase is the last step in the project life cycle. The goal of this phase is to formally

close the project [2]. The tasks in this phase are to complete the system documentation,

transfer open tasks to other staff, and break up the project team. Furthermore, the lessons

learned should be reviewed and analyzed carefully in order to learn for future projects. As a

last step, the computer systems, the prototype, and the documentations will be handed over

to the maintenance team, which will be responsible for further activities.

4.6 Operation and Maintenance

The operation and maintenance phase is not part of the adoption project because it is an

ongoing activity which does not have a defined end. In this phase, the anti-counterfeiting


team has the responsibility for the prototype and the reaction measures towards seized

counterfeits. Mistakenly stopped genuine products (false positives) and counterfeit products

that are not detected in a check (false negatives) raise the need to handle liability issues

during the operation and maintenance phase. Regarding liability, it is crucial that the end

users understand the difference between hard-to-copy prevention-based features (cf.

subsection 2.2) and detection-based security measures (cf. subsection 2.3). Unlike a hard-to-

copy feature, a check based on a detection-based measure needs to deal with uncertainty (in

visibility) and it can thus generate both false positives and negatives. Therefore the

detection-based systems should be regarded as an additional level of protection that is able

to detect many of the materialized threats, very much like a surveillance camera. In

particular, this difference is already explicit in the pharmaceutical industry jargon where

checking is defined as “authentication” for prevention-based security measures and

“verification” for detection-based security measures.

This brings forth a possible issue regarding borderline cases, that is, weak alarms that are

possible in some detection-based measures. These cases indicate a weak reason (i.e. a

small probability) to be suspicious about the origins of a product but the evidence is not

strong enough to raise a full alarm. Thus the affected companies are reluctant to manually

control all the borderline cases since it would mean a considerable increase in the number of

manual interventions needed. However, if such a weak alarm is triggered by a counterfeit

product but no further actions are taken by the responsible company, a customer who buys

the counterfeit product could potentially sue the company for not taking the necessary

actions to protect him or her from counterfeits. This illustrates the rigid reliability requirements

of detection-based security measures in real-world applications and a possible liability problem: if the risk of liability claims due to not reacting in borderline cases is too high for the

affected company, it might be better for the affected company not to deploy the detection-

based security measure at all. In other words, it can be cheaper not to analyze the track and

trace data for counterfeit products at all, than to do it and face the risk of increased liability

due to borderline cases, or to do it and react in all borderline cases, which means stopping

and manually verifying numerous shipments of genuine products every day.
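
The trace check below is an added example, not part of the BRIDGE deliverable or the SAP prototype. It shows how the read accuracy discussed in subsection 4.3.3 turns into weak (borderline) and full alarms on genuine items, which is the trade-off described above. The read points, accuracies, thresholds, EPCs and both rules are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import product
from math import prod

# All values below are constructed assumptions for illustration.
READ_POINTS = ["goods_in", "assembly", "packaging", "goods_out"]  # flow order on site
READ_ACCURACY = {"goods_in": 0.99, "assembly": 0.95,
                 "packaging": 0.95, "goods_out": 0.99}  # P(passing tag is read)
FULL_ALARM_BELOW = 0.001  # P(genuine item shows these gaps) below this: full alarm
WEAK_ALARM_BELOW = 0.10   # below this, but not below the full threshold: weak alarm


@dataclass(frozen=True)
class Event:
    epc: str
    read_point: str
    time: int  # seconds since start of shift


def verdict_for(p_genuine):
    """Map the probability that a genuine item produced the gaps to a verdict."""
    if p_genuine < FULL_ALARM_BELOW:
        return "full"
    return "weak" if p_genuine < WEAK_ALARM_BELOW else "ok"


def check_trace(events, accuracy=READ_ACCURACY):
    """Return (verdict, p_genuine, missed_read_points) for one EPC's events."""
    if not events:
        raise ValueError("no events for this EPC")
    order = {rp: i for i, rp in enumerate(READ_POINTS)}
    path = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.read_point not in order:
            return "full", 0.0, []       # read outside the known flow
        if not path or path[-1] != ev.read_point:
            path.append(ev.read_point)   # collapse repeated reads at one reader
    idx = [order[rp] for rp in path]
    if any(b < a for a, b in zip(idx, idx[1:])):
        return "full", 0.0, []           # same EPC reappears upstream: possible clone
    # Upstream read points that never saw the item; each gap is either a
    # missed read (probability 1 - accuracy) or an injection after that point.
    missed = [rp for rp in READ_POINTS[:idx[-1]] if rp not in path]
    p_genuine = prod((1.0 - accuracy[rp] for rp in missed), start=1.0)
    return verdict_for(p_genuine), p_genuine, missed


def check_all(events, accuracy=READ_ACCURACY):
    """Group events by EPC and check every trace."""
    by_epc = defaultdict(list)
    for ev in events:
        by_epc[ev.epc].append(ev)
    return {epc: check_trace(evs, accuracy) for epc, evs in by_epc.items()}


def genuine_alarm_rates(last_read_point, accuracy=READ_ACCURACY):
    """Expected share of genuine items, read at last_read_point, per verdict.

    Enumerates every read/miss pattern of the upstream readers, so the
    'weak' and 'full' entries are the false alarm rates caused by missed reads.
    """
    upstream = READ_POINTS[:READ_POINTS.index(last_read_point)]
    rates = {"ok": 0.0, "weak": 0.0, "full": 0.0}
    for pattern in product([True, False], repeat=len(upstream)):  # True = read
        p_pattern = prod((accuracy[rp] if read else 1.0 - accuracy[rp]
                          for rp, read in zip(upstream, pattern)), start=1.0)
        p_genuine = prod((1.0 - accuracy[rp]
                          for rp, read in zip(upstream, pattern) if not read), start=1.0)
        rates[verdict_for(p_genuine)] += p_pattern
    return rates


def _trace(serial, *reads):
    epc = f"urn:epc:id:sgtin:0614141.107346.{serial}"  # constructed EPC
    return [Event(epc, rp, t) for rp, t in reads]


# Constructed observation events: complete trace, one gap, no upstream reads,
# an EPC that reappears at goods_in, and a double read at one reader.
SAMPLE_EVENTS = (
    _trace(1001, ("goods_in", 10), ("assembly", 200), ("packaging", 400), ("goods_out", 600))
    + _trace(1002, ("goods_in", 12), ("packaging", 410), ("goods_out", 610))
    + _trace(1003, ("goods_out", 620))
    + _trace(1004, ("goods_in", 15), ("assembly", 210), ("packaging", 420),
             ("goods_out", 630), ("goods_in", 900))
    + _trace(1005, ("goods_in", 20), ("goods_in", 21), ("assembly", 230))
)

if __name__ == "__main__":
    for epc, (verdict, p, missed) in check_all(SAMPLE_EVENTS).items():
        print(epc, verdict, f"{p:.4g}", missed)
    print(genuine_alarm_rates("goods_out"))
```

With the assumed accuracies, about 10.6% of genuine items read at goods_out raise a weak alarm, so reacting to every borderline case means manually verifying roughly one genuine item in ten. Raising every reader to 0.99 reduces that share to about 2.9%.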

In order to quantify the success and the extent of the problem, the team needs to create

statistics about all cases and the development over time. The operation phase will be

characterized by the so-called “war of escalation”. With the new system, counterfeiters will

have difficulty injecting their goods into the supply chain. But as time evolves, smart

counterfeiters might find ways to circumvent the system. Therefore, a technical solution

should not be seen as a silver bullet against counterfeiting. The process of anti-counterfeiting

will be an ongoing activity where the steps of counterfeiters need to be anticipated. In order

to efficiently retaliate against the counterfeiters, anti-counterfeiters will have to anticipate the

next moves (e.g., create new rules in case of the rule-based anti-counterfeiting prototype).


One very important activity here is the protection of the server infrastructure. If

adversaries can manipulate the data within the EPCIS servers, all the advantages of the

different prototypes will turn into disadvantages, because unsuspicious goods will be handled

with much less care than goods that might be counterfeit.

Besides the protection of the licit supply chain, illicit channels can also be monitored by

making test purchases at online marketplaces or flea markets. Over the course of time, anti-

counterfeiting technology will evolve and become more sophisticated. Therefore, the anti-

counterfeiting team will have to watch the technological trends and adopt them if necessary.

5 Example Application

5.1 Introduction

In this chapter, the SAP RFID rule-based anti-counterfeiting prototype will be implemented for

a virtual company using the project life cycle model from Section 4. Since WP5 does not

have a real-world industry partner to implement the anti-counterfeiting prototype, we decided

to implement the prototype for the virtual SAP company “Akron”. Although Akron does not

exist in reality, it has its model (including supply chain, suppliers, number of plants, products,

employees, etc.) adapted from a real-world company.

5.2 Akron Company Profile

Akron is a so-called model company which was originally set up by SAP for the development

and testing of Business By Design. Akron is only a virtual company. However, its model was

adapted from an anonymized real-world company. The company’s profile was slightly

adapted though, in order to fit the requirements of this report. Since its foundation in 1965,

Akron (headquartered in Berlin) has been operating in the automotive industry producing spare

parts. With its 900 employees (600 in production), the company runs 3 plants in Berlin

(Germany), Toronto (Canada) and Paris (France), generating an annual revenue of 350

Million Euros. The company runs two distribution centers (DC) in Frankfurt (Germany) and

Shanghai (China), and five subsidiaries in Budapest (Hungary), London (England), Osaka

(Japan), and Peking (China). Figure 23 illustrates the supply chain network of Akron:

[Figure: supply chain diagram with the columns Supplier, Manufacturer (Akron) and Customer; nodes shown: Miller & Son, Mobita, Others, Toronto, ABC Contract Manufacturer China, Berlin, Paris, DC Frankfurt, DC Shanghai, EMEA, APJ]

Figure 23: Akron's Supply Chain Network

Mobita and Miller & Son are Akron’s main suppliers. While Mobita and various smaller

suppliers deliver to the distribution center in Frankfurt, Miller & Son delivers to the plant in

Toronto. The parts produced in Toronto and Paris, and parts from third party vendors

(delivered from Frankfurt) are assembled in Berlin. From Berlin the finished goods are sent

to the DC in Frankfurt for the European market, and to the DC in Shanghai for the region

Asia Pacific and Japan (APJ). Furthermore, the company has a contract manufacturer in

China in order to balance demand fluctuations and bottleneck situations. Approximately 17%

(154) of the employees belong to Sales, Service & Marketing. The other employees are linked

to general administration including IT and HR, procurement and R&D. With a limited annual

IT budget of approximately € 7 million, the company demands effective IT services

focusing on key pain points and addressing them in a time-, resource- and cost-effective way.

In recent years Akron observed a growing percentage of counterfeits within the market.

Studies and appraisals calculated this percentage to be about 10% of all parts. This number

is located at the upper end of the range of 5-10 percent which is common for the automotive

industry [12]. Thus, Akron is concerned about the loss of its sales and the deterioration of its

image. Furthermore, Akron fears the increased number of car accidents caused by low

quality counterfeit parts bearing their trademark. Therefore, Catherine Kennedy-Wood (CEO)

decided to take countermeasures against counterfeits.

Akron already conducted some laboratory trials with RFID and assessed the findings as

beneficial for the company. Therefore, Akron decided to go for an RFID solution. When

analyzing the market for anti-counterfeiting solutions, Akron discovered the BRIDGE rule-

based anti-counterfeiting prototype, which fits the needs of the company perfectly.

5.3 Application

5.3.1 Initiation phase

Due to recently conducted studies and analyses, Akron is well informed about its

counterfeiting situation. So far, Akron has not taken any measures against counterfeiting.

Compared to other competitors, the percentage of counterfeits is very high. Hence the

company suffers competitive disadvantages. Therefore, Akron wants to combat

counterfeiting activities and secure its licit supply chain. Ideally, Akron can achieve a number

less than 5% of counterfeit products, which in consequence will lead to a competitive

advantage for the company, higher sales, and a better reputation and image. Therefore, the

three plants and two warehouses are to be equipped with RFID hardware.⁶

In order to create a scope document including a feasibility study and a cost-benefit analysis,

Joerg Hamburger, the IT Services Director, was entrusted with setting up a project team.

Figure 24 illustrates the core project team according to Joerg Hamburger’s proposal, based on

Section 4.2.3 and adapted for the rule-based track and trace prototype.

6 A detailed plan of the needed hardware can be found in the hardware cost calculation in Appendix A.

Figure 24: Akron's project team

In this special project the process manager Bernhard Benedict is of special importance. As

illustrated in Figure 25, he is the link between the counterfeit experts within the different

departments and the rule designer. He is, therefore, the business expert for counterfeiting,

while the rule designer is the technical expert. The rule designer is capable of creating rules

for the prototype based on requirements given to him by the process manager. The process

manager is, thereby, the central expert for counterfeiting combining the experience of the

experts from different departments, such as:

• Marketing expert’s view: In which distribution channels do counterfeit goods appear?

• Production expert’s view: How to distinguish between the genuine product and counterfeit?

• Logistic expert’s view: How are counterfeits injected into the supply chain?

Figure 25: Process manager and rule designer

As a first step, the project team conducted a detailed feasibility study which proved that the

project can be beneficial. However, the study also pointed out some risks which have to be

carefully monitored. Gathering the trace information for the prototype will be hard, because

suppliers are difficult to convince to share data. Therefore, the stakeholder analysis and

communication will be of special importance. Furthermore, the budget frame is very tight;

hence good financial planning is necessary. For more details please refer to BRIDGE D5.3

Business Case Report [11].

5.3.2 Planning phase

In order to create an RFID-system design, the RFID-manager Connie Cook and the RFID-

engineer Michael Davis conducted a site survey which was executed in cooperation with the

Akron warehouse and plant administration. Three plants and two distribution centers were

investigated. As a first step a factory layout was created. Based on this blueprint the physical

and electrical analyses were conducted in order to find the locations for the readers. Figure

26 shows the blueprint for the factory in Toronto, where 8 reader and 3 printer locations were

marked. With the blueprint at hand, the project team can now estimate the exact hardware

requirements. In addition, the blueprint can be used as a plan for the implementation phase.

The process manager can now analyze and document the needed changes in production

processes and the rule designer can use the factory layout to create first anti-counterfeiting

rules. Thereby, possible design flaws can be found and corrected before the actual

implementation.
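The kind of first rule the rule designer could derive at this stage, shown as an added example that is not the BRIDGE/SAP prototype's own rule format or code: it checks simplified read events against the site-to-site flows described in Section 5.2. The event field names, the part/finished split, the four-hour minimum transit time and the sample EPCs are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sites where an EPC of each class may legitimately be read for the first time.
# The part/finished split is an assumption made for this example.
ORIGINS = {
    "part": {"Toronto", "Paris", "DC Frankfurt"},
    "finished": {"Berlin"},
}
# Site-to-site moves per class, following the flows described in Section 5.2.
# The contract manufacturer in China is left out: the text does not say where
# its goods enter the network.
MOVES = {
    "part": {("Toronto", "Berlin"), ("Paris", "Berlin"), ("DC Frankfurt", "Berlin")},
    "finished": {("Berlin", "DC Frankfurt"), ("Berlin", "DC Shanghai")},
}
# Assumed lower bound for any inter-site transit; a real rule would set it per route.
MIN_TRANSIT = timedelta(hours=4)


def check_traces(events):
    """Return (epc, rule, detail) alarms for a list of simplified read events.

    Each event is a dict with the hypothetical keys epc, kind, site and time,
    a reduced stand-in for an EPCIS object event.
    """
    by_epc = defaultdict(list)
    for event in events:
        by_epc[event["epc"]].append(event)

    alarms = []
    for epc, trace in by_epc.items():
        trace.sort(key=lambda event: event["time"])
        first = trace[0]
        # Rule 1: a tag with no upstream history must not appear mid-chain.
        if first["site"] not in ORIGINS.get(first["kind"], set()):
            alarms.append((epc, "unknown-origin", first["site"]))
        for prev, cur in zip(trace, trace[1:]):
            if prev["site"] == cur["site"]:
                continue  # repeated reads inside one site are normal
            move = (prev["site"], cur["site"])
            if move not in MOVES.get(cur["kind"], set()):
                # Rule 2: the same EPC on a route the goods never take.
                alarms.append((epc, "illegal-move", "%s -> %s" % move))
            elif cur["time"] - prev["time"] < MIN_TRANSIT:
                # Rule 3: legal route, but faster than goods can travel.
                alarms.append((epc, "too-fast", "%s -> %s" % move))
    return alarms


def ev(serial, kind, site, day, hour):
    """Build one constructed sample event (placeholder company prefix, June 2009)."""
    return {"epc": "urn:epc:id:sgtin:0000000.000001.%d" % serial, "kind": kind,
            "site": site, "time": datetime(2009, 6, day, hour)}


# Constructed sample data, not taken from the report.
SAMPLE_EVENTS = [
    ev(1001, "part", "Toronto", 1, 8), ev(1001, "part", "Berlin", 3, 9),
    ev(2001, "finished", "Berlin", 2, 8), ev(2001, "finished", "DC Frankfurt", 2, 18),
    ev(2001, "finished", "DC Shanghai", 2, 20),   # second tag carrying the same EPC
    ev(3001, "finished", "DC Shanghai", 4, 12),   # first read far downstream
    ev(4001, "finished", "Berlin", 5, 8), ev(4001, "finished", "DC Shanghai", 5, 9),
]

if __name__ == "__main__":
    for alarm in check_traces(SAMPLE_EVENTS):
        print(alarm)
```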

Figure 26: Factory layout

Based on the factory layout and laboratory trials Akron decided to introduce ultra high

frequency passive tags. Furthermore, several price proposals were obtained in order to

decide on reader and printer vendors. The read accuracy and the price were the

most important factors for the decision.

The stakeholder map and the resulting communication plan are of special importance for

Akron. The feasibility study revealed that some suppliers and partners are not very keen on

exchanging supply chain related data. But for anti-counterfeiting and especially for the track

and trace prototype, this data is indispensable to work reliably. Therefore, Akron entrusted Arthur

Major to handle all external communications. Arthur created a stakeholder map which can be

found in Appendix B. In order to visualize the relationships to the different suppliers and to

figure out possible conflicts, he also created a matrix (see Figure 27). The matrix will help to

identify critical suppliers and the resulting need for action.

Figure 27: Supplier matrix

The X-Axis symbolizes the willingness of supply chain partners to share EPC event data with

Akron. The higher this value is, the better it is for Akron. The Y-Axis symbolizes the trading

volume of the supply chain partner. The higher the trading volume is, the more influence

the supply chain partner has and the more important it is for Akron to gather the EPCIS data.

Generally, the suppliers can be divided into those who are willing to share data (supporters)

and those who are not willing to share data (opponents). The opponents need to be

handled with special care. Therefore, negotiation meetings were conducted with Mobita and

the Fisher Steel Group. In the end, Akron was able to convince the two opponents to

cooperate by highlighting the benefits of the new solution for both sides in the combat

against counterfeiting.

5.3.3 Implementation phase

In order to avoid major confusion when implementing the system, Akron planned a pilot

study at the site in Toronto for a period of three months. As a first step the servers were set up

including the middleware server, a local EPCIS, the central EPC Discovery Service, and a

server the prototype is running on. As a next step, the RFID-hardware was deployed

according to the plan created in the site survey. Several interfaces were implemented in

order to connect the hardware and the middleware with the ERP system. The pilot study

validated the correctness of the factory layout and investigated the infrastructure. It also

showed that there is no need to upgrade the network. With about 1.000.000

products produced yearly and 50 RFID readers, only 58 Mb of data will be generated every

hour (1.000.000*50/365/24*10 kb/1000), assuming 10 kilobytes per event.

While implementing the prototype, Akron started to set up the anti-counterfeiting team which

takes reaction measures against counterfeits. In order to guarantee a good knowledge

transfer, the rule designer from the project team was also transferred to it. Furthermore, two

other persons were recruited. Within the three months of the pilot study the team started to

work with the system and established communication channels to customs, supply chain

partners, and to the different departments within the company.

5.3.4 Closing phase

The closing phase went very smoothly. By handing over the prototype and the

documentation to the maintenance team, the project was closed. The team members were

transferred to other projects and the anti-counterfeiting team took over the remaining tasks

and started to take first measures against counterfeiters.

5.3.5 Operation and Maintenance

By involving the anti-counterfeiting team in the pilot study, the team was able to work

productively from the first day on. The first months showed that the rate of counterfeits was

even higher than expected. By offering an authentication service to customers and customs

organization, the team found out that most of the counterfeit parts bearing the Akron brand

came into the market through illicit channels, for instance, through third party garages using

these parts as spare parts. In only a few months Akron was able to see first results by slowly

reducing the measured counterfeits. Legal steps were already initiated against a supplier

delivering considerable amounts of counterfeits.

References

[1] Deal, J. V. (2004): “The Role of the consultant Engineer in the Application of RFID and RF Item Tracking Technologies”, Alta Consulting, Palo Alto.

[2] Duncan, William R. (2008): “A Guide to the Project Management Body of knowledge”, PMI, Newtown Square.

[3] Frey, T.: “Organizational and IT-Changes necessitated by the integration of EPC/RFID-data into existing processes and It-Infrastructure”, Darmstadt, TU.

[4] Gilmore, D. (2005): “Anatomy of an RFID pilot”, Supply Chain Digest, Springboro.

[5] Great Britain Office of Government Commerce (2005): “Managing Successful Projects with PRINCE2”, The Stationery Office, Norwich, St Crispins.

[6] Gross, S., Lo, J. S. (2003): “Change Readiness Guide: Project Management Edition”, Auto-ID Center, St.Gallen.

[7] International Project Management Association (2006): “IPMA Competences Baseline”, IPMA, Njikerk.

[8] Irrgang, Reinhard (2005): “Wege zum Einsatzreifen RFID-Konzept”, FM Das Logistikmagazin, Edition 10/2005.

[9] Kramer, S., Hackmann, E. (2007): “Machbarkeitsstudien – fundiert Entscheidungen treffen”, Tipps & Trends, PriceWaterhouseCoopers.

[10] Lahiri, S. (2009): “Chapter 9 - Designing and Implementing an RFID Solution”, RFID Sourcebook, IBM Press, Indianapolis.

[11] Lehtonen, M., Al-Kassab, J. (2007): “EU-Bridge deliverable D5.3: Anti-counterfeiting Business Case Report”, ETH Zürich, Zürich.

[12] Lehtonen, M., Al-Kassab, J. (2006): “EU-Bridge deliverable D5.1: Problem-Analysis Report on Counterfeiting and Illicit Trade”, ETH Zürich, Zürich.

[13] Lehtonen, M., Staake, T., Kločič, Z. (2008): “SToP deliverable D1.4: Analysis of the weakest points within licit supply chains and the properties of products most susceptible to tampering and counterfeiting”, ETH Zürich, Zürich.

[14] Leung, Y., Cheng, F., Lee, Y., Hennessy, J. (2006): “A Business Value Modeling Tool Set for Exploring the Value of RFID in a Supply Chain”, IBM Research Report.

[15] Pigni, F., Astuti, S., Noè, C., Buonanno, G., Bandera, S., Ferrari, P., Mazzola, G., Da Bove, M. (2006): “A guideline to RFID application in supply chains”, Camera di Comercio di Varese, May 2006, Varese.

[16] Plattner, H. (2008): “Trends and Concepts in the software industry”, Hasso-Plattner-Institut, Potsdam.

[17] Snaghery, P., et al. (2007): “Deploying and Securing RFID”, Syngress, St. Louis.

[18] Sweeney II, P. J., Zeisel, E. (2007): “CompTIA RFID+ Study Guide (Exam RF0-101)”, Sybex, Köln.

[19] Olsen, J., Granzin, K. (1992): “Gaining retailers’ assistance in fighting counterfeiting: Conceptualization and empirical test for a helping model”, Journal of Retailing, 68(1):90–109.

[20] Olsen, J., Granzin, K. (1993): “Using channels constructs to explain dealers’ willingness to help manufacturers combat counterfeiting”, Journal of Business Research, 27(2):147–170.

[21] von Reischach, F., Michahelles, F., Fleisch, E. (2007): “Anti-Counterfeiting 2.0 - A Consumer-Driven Approach towards Product Authentication”, Late Breaking Results at the 9th International Conference on Ubiquitous Computing (UbiComp 2007), Austria.

[22] Wiechert, T., Thiesse, F., Michahelles, F., Schmitt, P., and Fleisch, E. (2007): “Connecting mobile phones to the internet of things: A discussion of compatibility issues between epc and nfc”, In Americas Conference on Information Systems, AMCIS.

[23] Sandhu, R. (2003): “Good-enough security: Toward a pragmatic business-driven discipline”, IEEE Internet Computing, 7(1):66–68.

[24] Koh, R., Schuster, E., Chackrabarti, I., and Bellman, A. (2003): “Securing the pharmaceutical supply chain”, Auto-ID Labs White Paper, Massachusetts Institute of Technology.

[25] Juels, A. (2005): “Strengthening EPC Tags Against Cloning”, In M. Jakobsson and R. Poovendran, eds., ACM Workshop on Wireless Security (WiSe), 67–76.

[26] Koscher, K., Juels, A., Kohno, T., Brajkovic, V. (2008): “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond”, Manuscript, RSA Laboratories.

[27] Feldhofer, M., Aigner, M., Dominikus, S. (2005): “An Application of RFID Tags using Secure Symmetric Authentication”, In: 1st International Workshop on Privacy and Trust in Pervasive and Ubiquitous Computing, pp. 43-49.

[28] Plos, T., Hutter, M., Feldhofer, M. (2008): “Evaluation of Side-Channel Preprocessing Techniques on Cryptographic-Enabled HF and UHF RFID-Tag Prototypes”, In: Workshop on RFID Security 2008, Budapest.

[29] Juels, A. (2004): “Minimalist cryptography for low-cost RFID tag”, In: Blundo, C., Cimato, S. (eds.) International Conference on Security in Communication Networks SCN 2004. LNCS, Vol. 3352, 149–164, Springer, Heidelberg.

[30] Avoine, G., Oechslin, P. (2005): “A scalable and provably secure hash based RFID protocol”, In: IEEE International Workshop on Pervasive Computing and Communication Security, 110–114.

[31] Hein, D., Wolkerstorfer, J., Felber, N. (2008): “ECC is Ready for RFID – A Proof in Silicon”, In Workshop on RFID Security (RFIDSec’08), Hungary, Budapest.

[32] Devadas, S., Suh, E., Paral, S., Sowell, R., Ziola, T., Khandelwal, V. (2008): “Design and Implementation of PUF-Based ”Unclonable” RFID ICs for Anti-Counterfeiting and Security Applications”, In: IEEE International Conference on RFID 2008, 58–64.

[33] Ranasinghe, D., Engels, D., and Cole, P. (2004): “Security and Privacy: Modest Proposals for Low-Cost RFID Systems”, In Auto-ID Labs Research Workshop, Zurich, Switzerland.

[34] Cook, C., Vogt, H., Muller, J., Dada, A, Pfletschinger, M., Ortel, N., Molan, M., Naraks, A., Gourmanel, F. (2008): “Report on Integration of Smart/Intelligent Tags in Products”, Deliverable D4.3 of the SToP project.

[35] Nochta, Z., Staake, T., and Fleisch, E. (2006): “Product Specific Security Features Based on RFID Technology”, In Saint-Workshop, International Symposium on Applications and the Internet Workshops (SAINTW'06), 72-75

[36] Schneier, B. (2003): “Beyond Fear. Thinking Sensibly about Security in an Uncertain World”, Copernicus Books, Springer-Verlag New York Inc.

[37] Staake, T. (2007): “Counterfeit Trade - Economics and Countermeasures”, PhD thesis, University of St. Gallen. Dissertation no. 3362.

Appendix A: Hardware calculations

Table 10: Calculation of hardware expenses⁷

| Item | Factor | Cost |
|---|---|---|
| Cost of 1 reader | | |
| Alien 9800 EPC Gen 2 RFID Reader | 1 | 1,247 € |
| Alien 915 MHz Linear Antenna | 4 | 117 € |
| Omron 10m Antenna Cable | 4 | 90 € |
| Mounting Brackets | 1 | 16 € |
| SUM (EUR) | | 2,093 € |
| Cost of 1 work station | | |
| HP xw9400 Workstation | 1 | 2,202 € |
| Cost of 1 RFID printer | | |
| Zebra R110xi RFID Printer | 1 | 3,253 € |
| Cost of 1 server | | |
| HP ProLiant DL380 G5 | 1 | 2,424 € |
| Cost of 1 networking infrastructure | | |
| Routers | 1 | 300 € |
| Cables | 1 | 50 € |
| Sum (EUR) | | 350 € |
| Hardware Expenses | | |
| Cost of reader equipment | 50 | 104,650 € |
| Cost of work station | 45 | 99,090 € |
| Cost of RFID printer | 10 | 32,532 € |
| Cost of server | 3 | 7,273 € |
| Cost networking infrastructure | 10 | 3,500 € |
| SUM (EUR) | | 247,046 € |

7 Price sources: http://www.rfidsupplychain.com/; http://www.hp.com/; http://www.nextag.com/rfid-printer/

Appendix B: Akron’s Stakeholder map

Table 11: Akron's stakeholder map

| Stakeholder | Expectation | Function | Information need | Conflict potential | Influence |
|---|---|---|---|---|---|
| Catherine Kennedy-Wood | Reduction of counterfeits bearing our trademark, Sponsor | CEO | High | Low | High |
| Joerg Hamburger | Successful Project. Support from the CEO | Project leader | High | Low | High |
| Al Gillmore | Reduction of production costs by increasing efficiency with RFID | SVP Manufacturing | High | Low | Medium |
| Jonathan Frazier | No cost overrun | SVP Finance and HR | Medium | Medium | Medium |
| Project Team | | | High | Low | High |
| Anti-Counterfeiting team | Training sessions and introductions to the prototype | Users | High | Low | Low |
| Other Employees | To be kept informed about the project. Promise that no jobs will be reduced due to RFID-technology. | Employees | Medium | Medium | Low |
| Miller & Son | Technical support when introducing RFID | Main Supplier | High | Medium | High |
| Mobita | Not willing to introduce RFID | Main Supplier | High | High | High |
| Motor Construction Inc. | Already introduced RFID. Reduced effort through replacement of Barcode systems | Supplier | High | Low | Medium |
| Other suppliers | Too little market power to influence the project | Minor Suppliers | Medium | Low | Low |
| Customers | Reduction of counterfeits. Less effort to control products | Customers | Low | Low | Low |