
Computers in Industry 61 (2010) 624–635

Design and development of a mobile EPC-RFID-based self-validation system (MESS) for product authentication

S.K. Kwok *, Jacky S.L. Ting, Albert H.C. Tsang, W.B. Lee, Benny C.F. Cheung

Department of Industrial and Systems Engineering, The Hong Kong Polytechnic University, Hung Hom, Hong Kong, Hong Kong, China

ARTICLE INFO

Article history:
Received 12 August 2008
Received in revised form 18 January 2010
Accepted 1 February 2010
Available online 2 March 2010

Keywords:
Anti-counterfeit system
Counterfeiting
Electronic product code (EPC)
Product authentication
Radio frequency identification (RFID)

ABSTRACT

The increase in the number of counterfeits penetrating into the open market has created the need for a product authentication approach in tracing and tracking the product anytime, anywhere. Owing to the vague concepts frequently represented in flow of products, this paper presents a self-valuation and visualization system by integrating the RFID technology and EPC concept to protect products from counterfeiting by the means of mobile platform. In this paper, a system architecture is proposed which is capable of integrating mobile technology and EPC-RFID applications. The implementation roadmap of such system architecture is examined and explained in the context of a case study. The aims of the system are to provide greater visibility of the product logistic flow data and to improve the anti-counterfeit process, from traditional physical identification to self-validated location-based authentication. The case study illustrates the capability, benefits and advantages of using the proposed system, particularly its support of product authentication and supply chain activities in countering the global counterfeit problems.

© 2010 Elsevier B.V. All rights reserved.


1. Introduction

Counterfeiting has grown substantially over the past years to become the greatest threat to today’s global market [1–4]. International Chamber of Commerce Commercial Crime Services [5] estimated that around 5% of all worldwide trade in 2006 was in counterfeit goods, with the counterfeit market being worth US$250 each year. It is a global phenomenon affecting a wide range of products, spreading at an alarming rate to electrical equipment, cigarettes, and even medicines [6]. The boom in counterfeiting has triggered a dramatic increase in the number of anti-counterfeit and product authentication technologies (such as hologram, security printing, security labels, and biometrics) in the market [8]. However, there are doubts about the ease of self-validation that these technologies can provide in product authentication. Since their verification principle relies on optical detection and identification of the security features (i.e. they require human experts or machines to determine whether a given product is genuine or counterfeit), it is a formidable challenge to customers in determining the product’s authenticity themselves. As a result, a self-validated product authentication solution is much needed as far as the customers are concerned.

* Corresponding author. Tel.: +852 2766 6578; fax: +852 2774 9038.

E-mail address: [email protected] (S.K. Kwok).

0166-3615/$ – see front matter © 2010 Elsevier B.V. All rights reserved.

doi:10.1016/j.compind.2010.02.001

This paper explores the feasibility and practicality of shifting the focus of product identification from traditional human-readable or kiosk-based solutions to customer self-authentication. With the popularity of mobile devices (e.g. smart phone), the basic principle of the proposed approach is to demonstrate to the users the full logistic track record of specific products for identifying anomalies under the ubiquitous communication environment with automatic product identification technologies. The tracking and automated identification are based on the use of radio frequency identification (RFID) technology [31].

RFID has emerged as a promising vehicle to combat counterfeiting by its characteristics of automatic verification of product authenticity, non-static nature of security features, and cryptographic resistance against cloning [9]. Although several standards have been developed for RFID, the electronic product code (EPC) standard [7] (which is developed by Auto ID and sponsored by MIT and EPCglobal) has better compatibility and is more recognized in the market. With this standard, real-time RFID-related data can be shared over the Internet [10]. Each RFID-tagged item can be tracked and traced via the complete descriptive information shared under the umbrella of EPCglobal [1,3,7,9]. Thus, the concept of supply chain visualization can be achieved. A number of EPC-RFID-based systems have been reported in the literature [7,32,33], but most of them are standalone kiosk-based solutions. In contrast, with mobile technology having become part of our daily life, integration of mobile devices and an EPC-RFID-based system can provide a more user-friendly self-validated product authentication solution. As such integration is still in an early stage of development, more attention should be paid to the issues posed by developing and deploying such systems.

Table 1. Characteristics of two product authentication technologies.

| | Overt | Covert |
| --- | --- | --- |
| Visible to naked eye | Yes | No |
| Require specialized equipment to conduct product authentication | No | Yes |
| Possibility of replication by others | Easy | Hard |
| Cost | Cheap | Expensive |
| Durability | Short | Long |

The purpose of this paper is to present the architectural design of a mobile EPC-RFID-based self-validation system (MESS) to enhance the product authentication measure by visualizing product transactions in a supply chain, enhancing the track and trace capability in determining the product’s authenticity, and heightening the security level and self-validated product authentication process compared with the common anti-counterfeit technologies. A case study will also be presented to illustrate the feasibility and procedures of implementing the proposed system in an IT solution provider.

2. Counterfeiting and current product authentication technologies

Counterfeiting is an unauthorized copying or application of a trademark on items that do not originate from or with the approval of the brand owner [2,3]. It is a knowing duplication with the purposes of deceiving and defrauding [1]. Numerous researchers indicate that the phenomenon of counterfeiting is not new; but what has changed about counterfeiting today is that the scope and scale of the problem are growing at a rate previously unknown and little recognized by those most affected [11].

The entire society loses billions of dollars every year to counterfeiters. The World Bank’s Global Economic Prospects report for 2002 concluded that there were “reasons to believe that enforcement of intellectual property rights has a positive net impact on economic growth prospects” [3]. Counterfeit goods cause companies to suffer direct loss in sales when they have to compete directly with counterfeiters. Government and manufacturers spend huge amounts of money in combating counterfeiting. Since many counterfeit goods, especially those in the health and safety categories, are of inferior quality, such products had been the cause of a number of major public health and safety incidents [12–14]. The World Health Organization estimated that 5–7% of pharmaceutical products worldwide are counterfeit goods which comprise few active ingredients and lots of contaminants [15]. Thus, counterfeiting is a global problem that produces financial losses as well as public health and safety threats.

A range of product authentication tools are available to allow the company to protect its brand and its customers, enforce its rights and protect its distribution channels. The technological solutions [8] that enable companies to authenticate and track their products within the supply chain can be categorized into 2 groups, as presented in Table 1. Lehtonen et al. [16] claim that the optimal product authentication system should have an appropriate level of security and allow customers to authenticate products by themselves. But in the current product authentication technologies, it is observed that even though the overt technology can provide a self-verification of products, it is easily reproduced by counterfeiters. Whereas the covert technology can present a high security level, specialized reading devices are required (i.e. not customer-oriented).

In order to counter the above limitations, numerous researchers have recently promoted the introduction of RFID technology (i.e. a kind of covert technology) to combat counterfeiting. Apart from the user-friendliness, RFID can support location-based authentication for detecting fraudulent transactions, providing better communication within the supply chain. Generally, RFID is emerging as a technology that is utilized for contactless automatic identification of products in different logistics contexts [26,27]. Compared with other product authentication technology, it offers extended data capacity and employs a numbering scheme called EPC, which serves as a global standard to provide a unique ID for any item in the world [1,28]. EPC is a license-plate type of identifier that enables near-real-time tracking information on a product within its supply chain [28]. Although there are other forms of identifiers like universal product code (UPC) and bar code, EPC allows item-level tracking by storing not just information on the manufacturer and product type, but also a unique serial number of the item [26]. This unique identification feature makes RFID feasible in product authentication and even anti-counterfeiting. Table 2 reviews the current RFID-based and EPC-RFID-based product authentication technologies. So far, most product authentication systems are designed from the manufacturers’ perspective; for example, Kwok et al. [10] have proposed InRECS to deliver accurate and global supply chain visibility with intelligent feedback into inventory and materials transfer process for manufacturers. Therefore, this paper attempts to concentrate on designing an approach on the basis of customers’ aspects.

Table 2. Current RFID adoption in product authentication.

| Purpose | Description |
| --- | --- |
| Unique identification | 1. Write and catalog a unique serial number on each item [17] |
| | 2. Keep a secure list of valid product ID numbers in a secure server [18] |
| Cryptographic tag authentication | 1. Apply re-encryption to prevent static identifiers and optical data of the banknotes [19] |
| | 2. Propose a hash-lock approach to lock the tag without storing access key [20] |
| | 3. Extend the randomized version of Weis et al.’s hash-lock scheme [21] |
| | 4. Employ Gen 2 compliant cryptographic features to encrypt the security level of tag-to-reader communication [22] |
| | 5. Utilize lightweight cryptography and Jigsaw encoding to encrypt the EPC code [23] |
| Location-based authentication | 1. Introduce a secure authentication through the database-reader-tag environment [7] |
| | 2. Detect some of the cloned tags by searching for deviations from expected behavior [24] |
| | 3. Detect irregularities by comparing the actual and pre-defined product flow [10] |
| Product specific features | 1. Combine the TID number and product specific features of the item to form a digital signature [25] |

3. Infrastructure of mobile EPC-RFID-based self-validation system (MESS)

The architecture of the mobile EPC-RFID-based self-validation system (MESS) is illustrated in Fig. 1. It consists of three tiers: presentation tier, application tier, and information services tier. The 3-tier structure is designed to separate the major functions of mobile product authentication applications into logical sections for handling displays, processing logic, and data services. Displays are managed by the presentation tier, processing logic by the application tier, and data services by the information services tier.

Fig. 1. System architecture of MESS.

3.1. Presentation tier

The presentation tier has to be discussed first because the system needs to respond to users’ instructions and queries. There are five types of users – suppliers, manufacturers, distributors, retailers and customers – all of which employ RFID reader embedded mobile devices, like mobile phones or personal digital assistants (PDAs), to track and trace information on product identification and transactions in the entire supply chain or in the product life-cycle. In other words, when a client queries the RFID-tagged product within the read range of a mobile RFID device, data (i.e. product information) are captured remotely from tags to the RFID reader (see Fig. 2). Fig. 2A shows the data communication through wireless network, while Fig. 2B illustrates the communication through general packet radio service (GPRS). Once the query has been entered, the authentication logic and algorithm will be processed in the application tier so that the captured data can be sent to and displayed on the client’s mobile device [29].

3.2. Application tier

The application tier, which consists of an RFID intelligent module – product authentication system (PAS) – offers a standard format of product information and visualizing model for the entire life-cycle of the product. It can create and coordinate many sets of diversified data (i.e. information on product movement) within the supply chain into a standardized and consistent body of useful information. This enables customers to track their goods’ origin and movements in the supply chain via wireless network and GPRS.

A unique EPC tag is assigned to each individual product that is used to provide the product authentication capabilities of the solution. Once the tagged product is transferred in the supply chain, particular information (such as received date and time) is recorded in the back-end database. Thus, customers can determine the genuineness of a product by instantly reading its RFID tag. Alerts are prompted to users when there are problems in the distribution channel, such as one of the supply chain participants missing from the trail of transactions.

Fig. 2. A logical view of data communication through the Internet.

As shown in Fig. 3, the PAS has two levels and one cryptographic approach to protect the data stored in the RFID tag from malicious access:

1. Level one: EPC generating.
2. Level two: product authenticity check.
3. Cryptography: encryption and decryption.

Fig. 3. Product authentication system (PAS).

Fig. 4. The structure of a 96-bit Class 1 Gen 2 RFID tag.

3.2.1. Level one: EPC generating

This module is designed to provide a numbering system for unique identification of individual units of products. In this proposed work, an RFID tag that conforms to the EPCglobal Class-1 Generation-2 specification (called Class 1 Gen 2 for short in this paper) is adopted. One reason for selecting this standard is its growing adoption in item-level identification in the globalized market [39]. Another reason is standardization. Owing to the diversity of standards, recent research focuses on interchangeability [34,35] and compatibility [36] (especially between the two leading standards, ISO and EPC) to encourage the interoperability of product identification for the growing RFID market. In 2006, Class 1 Gen 2 was approved as ISO 18000, being a part of the ISO/IEC 18000-6 standard [37]. RFID tags and readers compliant with this standard will be compatible across companies and geographies. Such a tag can store various attributes of an item, such as its manufacturer, product type, and unique serial number. In particular, 96-bit EPC tags are the most commonly used in industry because their data capacity is sufficient for most applications. About 80,000 trillion unique numbers can be generated, so about 268 million companies can register with the EPC, with each company having up to 68 billion unique serial numbers for each product [27]. The data structure of a 96-bit Class 1 Gen 2 tag is shown in Fig. 4; it consists of four basic data elements: a header, an EPC manager, an object class, and a serial number. Each element represents particular information about the product; for example, the EPC manager is the identification code of the company and the object class is the type code of the product. Thus, by registering information into these elements, each product can have its own unique identification number.
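The four-element structure described above can be packed and parsed as follows. This is an added example, not code from the paper or from MESS; it assumes the general identifier (GID-96) layout of the EPC Tag Data Standard, whose field widths agree with the 268 million and 68 billion figures quoted above, and the sample values are constructed.

```python
"""Pack and parse a 96-bit EPC with the four fields named in the text."""
import string
from dataclasses import dataclass

# Field widths, most significant first. These are the GID-96 widths from the
# EPC Tag Data Standard (an assumption of this example): 2**28 is about
# 268 million managers and 2**36 is about 68 billion serial numbers.
FIELDS = (("header", 8), ("manager", 28), ("object_class", 24), ("serial", 36))
GID96_HEADER = 0x35  # header value that marks a GID-96 EPC


@dataclass(frozen=True)
class Epc96:
    header: int
    manager: int       # EPC manager: identification code of the company
    object_class: int  # type code of the product
    serial: int        # unique per item within (manager, object_class)

    def __post_init__(self):
        # Reject values that would silently spill into a neighbouring field.
        for name, width in FIELDS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 0 <= value < (1 << width):
                raise ValueError(f"{name}={value!r} does not fit in {width} bits")

    def to_int(self) -> int:
        packed = 0
        for name, width in FIELDS:
            packed = (packed << width) | getattr(self, name)
        return packed

    def to_hex(self) -> str:
        return f"{self.to_int():024X}"

    def to_urn(self) -> str:
        return f"urn:epc:id:gid:{self.manager}.{self.object_class}.{self.serial}"


def parse_epc96(hex_text: str) -> Epc96:
    """Split 24 hex digits read from a tag into the four fields."""
    text = hex_text.strip()
    if len(text) != 24 or any(c not in string.hexdigits for c in text):
        raise ValueError("a 96-bit EPC is exactly 24 hexadecimal digits")
    value = int(text, 16)
    shift = 96
    parts = {}
    for name, width in FIELDS:
        shift -= width
        parts[name] = (value >> shift) & ((1 << width) - 1)
    epc = Epc96(**parts)
    if epc.header != GID96_HEADER:
        raise ValueError(f"header 0x{epc.header:02X} is not GID-96")
    return epc


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    item = Epc96(GID96_HEADER, manager=123456, object_class=7890, serial=1)
    print(item.to_hex(), item.to_urn())
    print(parse_epc96(item.to_hex()) == item)
```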

Once the manufacturer assigns and generates an EPC to a product item, the entire logistics network traversed by the product can be visualized by recording all the transactions in each supply chain party. The first three data elements are registered according to the companies’ requirement whereas the last element (i.e. serial number) is automatically generated by a program installed in the RFID intelligent module and stored in the system database.

To protect the tag from malicious access, a hybrid cryptographic approach, which will be further discussed in a later section, is used to encrypt the tag information. After the encrypted RFID tag (eRFID tag) has been generated, the manufacturer will print out the standard format eRFID tags to be attached to the products. Thus, only authenticated readers can access the contents of tags.

3.2.2. Level two: product authenticity check

To perform the product authenticity check function, the eRFID tag is decrypted and the stored EPC data is normalized according to a standard format for globalized querying (Fig. 5). Normalization is the process of maintaining the same RFID data format regarding the Class 1 Gen 2 standard on the scanned eRFID tags. It involves two components: EPC middleware and EPC information services (EPCIS). Given that a wide range of readers, each with a different interface and communication protocol, is available in the market around the world, interoperability of systems is difficult to achieve. It is possible that an enterprise may use several types of readers from one or more vendors. In other words, different data structures will be generated according to the particular reader style. Thus, to function in a multi-vendor environment, EPC middleware is used to filter and transform the scanned eRFID data into a conformable format.

Fig. 5. Logic flow of the normalization approach.

On completion of the data normalization process, the EPC middleware will move on to the EPCIS to associate the EPC data with business events and the related information. Business event data relate to dynamic tracking information of the product when the RFID-tagged product moves through a supply chain. Once the tagged product arrives at a supply chain party, its EPC information will be captured and registered into the company’s local database (i.e. EPCIS). This allows the aggregation of data collected from reader events for translation into information meaningful to applications. In other words, the EPCIS defines a common interface model for standardizing the EPC-related data in physical markup language (PML) format, which is a standard technology based on extensible markup language (XML), for further application and display on a web-based platform.

Fig. 6. Example of abnormal flow in supply chain.

Through this product authenticity checking process, customers can obtain the EPC of a scanned product by querying the remotely distributed EPCIS. The EPCIS embeds the specified information about the tagged product. In addition, the product details and location record, such as when and where the item was produced, when and where the item arrived at the distribution point, etc., can be retrieved. When equipped with such data normalization capability, any type of RFID device (i.e. reader and middleware) can be used to display, on a real-time basis, the product information and the route through which the item had moved. This way, customers can be alerted instantly when anomalies are detected in the flow of the item’s supply chain, such as one of the supply chain participants being missing; this could be a clue that the item is a fake (see Fig. 6).
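The anomaly check described above can be sketched as a comparison of an item's recorded trail with its pre-defined flow. This is an added example, not the PAS implementation; the role names, party names, EPC values and the `check_trail` function are constructed for illustration.

```python
"""Compare a product's recorded trail with its pre-defined flow."""
from dataclasses import dataclass
from datetime import datetime

# Pre-defined flow for the product line (constructed for this example).
EXPECTED_FLOW = ("supplier", "manufacturer", "distributor", "retailer")


@dataclass(frozen=True)
class Event:
    epc: str            # EPC read from the tag, as 24 hex digits
    role: str           # role of the party that registered the read
    party: str          # name of that party (constructed)
    received: datetime  # received date and time kept in the back-end database


def check_trail(epc, events, expected=EXPECTED_FLOW, upto=None):
    """Return alert strings for one EPC; an empty list means no anomaly.

    `upto` names the role at which the item is being checked, so that a
    distributor is not alerted about a retailer record that cannot exist yet.
    """
    trail = sorted((e for e in events if e.epc == epc), key=lambda e: e.received)
    if not trail:
        return [f"{epc}: no record in the EPC network"]
    alerts = []
    required = expected[: expected.index(upto) + 1] if upto else expected
    seen = [e.role for e in trail]
    # A participant that is not part of the pre-defined flow at all.
    for e in trail:
        if e.role not in expected:
            alerts.append(f"{epc}: unregistered participant '{e.party}' ({e.role})")
    # A participant that should have handled the item but left no record.
    for role in required:
        if role not in seen:
            alerts.append(f"{epc}: missing participant '{role}'")
    # Known participants must appear in the same order as the expected flow.
    known = [r for r in seen if r in expected]
    order = [expected.index(r) for r in known]
    if order != sorted(order):
        alerts.append(f"{epc}: out-of-order flow {' -> '.join(known)}")
    return alerts


def at(day, hour):
    """Timestamp helper for the constructed sample data."""
    return datetime(2010, 3, day, hour, 0)


# Constructed sample records; deliberately not stored in time order.
GENUINE = "35001E240001ED2000000001"
SKIPPED = "35001E240001ED2000000002"
REORDERED = "35001E240001ED2000000003"
IN_TRANSIT = "35001E240001ED2000000004"
SAMPLE_EVENTS = [
    Event(GENUINE, "retailer", "Party R", at(4, 9)),
    Event(GENUINE, "supplier", "Party S", at(1, 9)),
    Event(GENUINE, "manufacturer", "Party M", at(2, 9)),
    Event(GENUINE, "distributor", "Party D", at(3, 9)),
    Event(SKIPPED, "supplier", "Party S", at(1, 10)),
    Event(SKIPPED, "manufacturer", "Party M", at(2, 10)),
    Event(SKIPPED, "retailer", "Party R", at(5, 10)),
    Event(REORDERED, "supplier", "Party S", at(1, 11)),
    Event(REORDERED, "distributor", "Party D", at(2, 11)),
    Event(REORDERED, "manufacturer", "Party M", at(3, 11)),
    Event(REORDERED, "retailer", "Party R", at(4, 11)),
    Event(IN_TRANSIT, "supplier", "Party S", at(1, 12)),
    Event(IN_TRANSIT, "manufacturer", "Party M", at(2, 12)),
]

if __name__ == "__main__":
    for epc in (GENUINE, SKIPPED, REORDERED, IN_TRANSIT):
        print(epc, check_trail(epc, SAMPLE_EVENTS) or "OK")
```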

3.2.3. Cryptography: encryption and decryption

Although the Class 1 Gen 2 RFID tag is commonly used in item-level product authentication and trace-and-track, it is limited in its data protection [19,33,38,39]. As stated by Jeon and Cho [32], the Class 1 Gen 2 RFID tag lacks data protection for tags, and has few mechanisms to manage message interception over the air channel and eavesdropping within the interrogation zone of the RFID reader. Thus, to cope with the security threats, a hybrid approach to cryptography and authentication was adopted to protect the information stored in the Class 1 Gen 2 tags.

As shown in Fig. 7, the EPC is first encrypted by the Jigsaw encoding scheme [23], transforming the 96-bit EPC into a pseudoEPC that is difficult to decrypt. The reason for using this scheme to encrypt the EPC is that the Jigsaw encoding scheme will not change the standard of RFID readers and tags, keeping the RFID tag within the current ISO/EPC standardization. Then, a hash function [30] is used to lock the pseudoEPC for the purpose of integrity verification of the EPC, helping the user to detect whether the tag is cloned by attackers or not. The hash value employs a 32-bit cyclical redundancy code (CRC) to form a ‘key’, which is then written into the PIN value of the RFID tag. Since the PIN is 32 bits long, it is difficult for attackers to resolve it as there are 2^32 (i.e. 4294967296) combinations.

A set of information (i.e. the pseudoEPC and the ‘key’ or hash value) is received when users interrogate the RFID-tagged product by an RFID device. For decrypting the pseudoEPC, an authorized device is required to generate another ‘key’ for unlocking the hash value. If it succeeds in unlocking the hash value (i.e. the received hash value matches the newly generated hash value), the tag information is said to be trusted (i.e. the information has not been altered nor inadvertently changed). These locking and unlocking processes ensure the integrity of the product information as well as the location record. With this design, supply chain parties are alerted that the tagged item is a counterfeit when they cannot unlock the hash value. Thus, all parties in the supply chain can determine the authenticity of the received product and detect any unauthorized party.
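The locking and unlocking steps can be sketched as below, with the CRC-32 form the text describes next to a keyed variant that fits the same 32-bit PIN field. This is an added example, not the MESS implementation: the page does not specify the Jigsaw encoding or the CRC polynomial, so the pseudoEPC is treated as 12 opaque bytes, `zlib.crc32` stands in for the CRC, and the HMAC variant, the secret and the sample values are assumptions of this example.

```python
"""Lock and unlock a pseudoEPC with a 32-bit PIN."""
import hashlib
import hmac
import zlib
from typing import Optional

EPC_BYTES = 12  # a 96-bit pseudoEPC


def make_pin(pseudo_epc: bytes, secret: Optional[bytes] = None) -> int:
    """Return the 32-bit value written into the tag's PIN field.

    secret=None: CRC-32 of the pseudoEPC, as the text describes.
    secret=bytes: HMAC-SHA-256 truncated to 32 bits (a hardened variant
    added by this example, not part of MESS).
    """
    if len(pseudo_epc) != EPC_BYTES:
        raise ValueError("pseudoEPC must be 96 bits")
    if secret is None:
        return zlib.crc32(pseudo_epc) & 0xFFFFFFFF
    digest = hmac.new(secret, pseudo_epc, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def unlock(pseudo_epc: bytes, pin: int, secret: Optional[bytes] = None) -> bool:
    """Recompute the PIN from the data read off the tag and compare."""
    if not 0 <= pin <= 0xFFFFFFFF:
        return False
    expected = make_pin(pseudo_epc, secret)
    return hmac.compare_digest(expected.to_bytes(4, "big"), pin.to_bytes(4, "big"))


def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with one bit inverted (models altered tag data)."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


# Constructed sample values; the bytes stand in for a Jigsaw-encoded pseudoEPC.
SAMPLE_PSEUDO_EPC = bytes.fromhex("35001E240001ED2000000001")
DEMO_SECRET = b"constructed-demo-secret"


def demo() -> dict:
    crc_pin = make_pin(SAMPLE_PSEUDO_EPC)
    keyed_pin = make_pin(SAMPLE_PSEUDO_EPC, DEMO_SECRET)
    altered = flip_bit(SAMPLE_PSEUDO_EPC, 0)
    return {
        # Data and PIN as written by the manufacturer: trusted.
        "intact_crc": unlock(SAMPLE_PSEUDO_EPC, crc_pin),
        # Data changed, PIN unchanged: the mismatch raises the alert.
        "altered_crc": unlock(altered, crc_pin),
        # A CRC involves no secret, so a PIN recomputed over the altered
        # data matches again; the CRC alone only catches unmatched changes.
        "altered_recomputed_crc": unlock(altered, make_pin(altered)),
        # Keyed variant: intact data unlocks for a device holding the secret.
        "intact_keyed": unlock(SAMPLE_PSEUDO_EPC, keyed_pin, DEMO_SECRET),
        # A PIN produced without the secret does not satisfy the keyed check.
        "altered_recomputed_keyed": unlock(altered, make_pin(altered), DEMO_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Either check only shows that the pseudoEPC and PIN on a tag belong together, so it complements the location record described in Section 3.2.2 and does not replace it.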

Fig. 7. A hybrid approach to cryptography and authentication in tag protection.

3.3. Information services tier

The information services tier contains the system databases that maintain all the information of the MESS. Each record in the database represents a registered product with its EPC and product details like product name, product description, country of origin (COO), expiry date, etc. Therefore, customers can easily retrieve the product information of tagged items by employing mobile RFID devices, and then match the information with the physical product to prevent a fake purchase. However, this only ensures the integrity of product information, but not the integrity of the item’s life-cycle information. A self-developed EPC network is embedded in the system database so as to check both types of integrity.

Since the EPC standard is still in an early adoption stage and not many companies currently employ it, a self-developed network, which is based on the specification of EPCglobal Network [40], is used as a secure platform for recording the movement of the product within the supply chain. Once the EPC standard is widely used, the proposed system can be plugged into the EPCglobal. The self-developed EPC network provides a framework for data exchange between parties in the supply chain. All the track and trace information – the location and time when the product moved from one supply chain participant to another – is stored in the system database. Once the product is produced, the manufacturer will generate a 96-bit EPC and register it along with the genuine product information in the database. As the product goes to another participant, say ABC Company, the EPC is registered in ABC’s local EPCIS and then ABC Company will query the object naming service (ONS) to request access to the item’s EPC data. At the same time, the location and event information of this transaction will be registered in the ONS to ensure continued updating of information in the product life-cycle. This data registration and updating process will repeat itself until the product is purchased by customers.

The architecture of the self-developed EPC network is depicted in Fig. 8. As shown in the figure, requesting product information is a roll-up process, which transforms the raw tag data into meaningful and machine readable EPC data. The ONS serves like the domain name system (DNS) in the Internet world; it returns the location of the EPCIS where the product details can be found. To shorten the response time, each request will query the local ONS server first. When the requested information is not available there, the query will be forwarded to the root ONS server for further resolution. This design enables real-time response to queries.

Fig. 8. Architecture of the self-developed EPC network.

Fig. 9. Implementation phases in developing the MESS.

4. A case study on implementation of the proposed system

The proposed system was implemented in an IT solution provider in Hong Kong to assess feasibility of the proposed approach. The solution provider is The Counterfake International Limited. It specializes in developing solutions that integrate different technologies, such as RFID, interactive voice response system (IVRS), short message system (SMS), and web portal, to address the counterfeit issue. In May 2005, the company in collaboration with The Hong Kong Polytechnic University launched a 2-year project on development of an RFID-enabled counterfeit protection prototype with the financial support of a government funding scheme. It aims at exploring the possibility of using RFID technology to fight against the growing number of counterfeits. The system was developed in several phases as shown in Fig. 9. The significance and issues to be addressed in each phase are explained as follows.

4.1. Phase 1: system accessories selection

In this case study, passive Class 1 Gen 2 RFID tags and an RFID reader embedded PDA were used to develop a mobile RFID environment. In addition, a computer was employed to function as the system server that allows high speed access and provides large storage capacity so that it can deal with many accesses and manipulate the huge database at the same time. Preferably, basic network services for Internet access (e.g. wireless LAN facilities) should also be implemented to allow end-users to access the system remotely. An RFID Label Printer was used to print the EPC tag of each product. Apart from hardware items, it was also necessary to select software packages for implementation of the proposed system. These include a database management system (DBMS) for data manipulation, and a .NET framework from Microsoft for development of application programs.

4.2. Phase 2: content selection

Obviously, users expect to retrieve a lot of information from the system for browsing. To support product authentication, the contents maintained in the system were determined by answering questions such as (a) How can the product information be presented effectively? (b) What type of product information is useful to users? (c) Are there privacy issues to be addressed?

To present the product information clearly, aesthetic appearance and navigational methods are the salient considerations in content selection (Fig. 10). By following the proven guidelines in user interface design, each page displayed by the system should have a consistent look-and-feel, and the areas for system navigation are tailor-made for different types of display device.

Fig. 10. User interface of MESS.

4.3. Phase 3: security selection

Security is an important issue in the proposed product authentication system. In MESS, the information retrieved from the RFID tag represents a crucial event in detecting the counterfeit. Although the RFID system is more secure than other product authentication technologies, a weakness of EPC tags as devices in a security system is that they are vulnerable to cloning attacks as well as password disclosure and information leakage [38]. Since information must be securely exchanged among the authorized supply chain parties, data encryption and protection are important to support the EPC-RFID-based anti-counterfeit mechanism (i.e. presenting the product movement to the users).

The selection of security measures for protecting the tag information relies heavily on the expertise of system developers. They need to consider various technologies that can provide a secure and sound platform for users to interact with the system, taking into account the constraints and likely enhancements of these technologies.

4.4. Phase 4: data integration

Before distributing its products, the manufacturer has to provide the MESS with clean and detailed information on these products. At the same time, a structured and unique identification code is generated for each piece of product tracked by the self-developed EPC network. Typically, the manufacturer provides a data warehouse to store the product information, and another data warehouse to keep records of product movements in the supply chain for visualization of the logistics network. Availability of information on authenticated products and their life-cycle transactions is essential to provide a sound and secure platform to protect against counterfeiting, and real-time tracking of products necessitates data synchronization between databases. With the advent of EPC, records in multiple databases can link with each other by the key field (i.e. EPC) in order to perform data exchange in high-volume batch updates and in executing real-time incremental changes.
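Linking a product store and a movement store by the EPC key field, with a batch load followed by incremental updates, can be sketched as follows. This is an added example, not code from MESS: the table layout, step names, sample records and the two consistency rules (a record starts with manufacturer registration, and nothing is recorded after the sale) are assumptions based on the life cycle the paper describes.

```python
import sqlite3

# Constructed sample EPCs.
EPC_A = "urn:epc:id:sgtin:0614141.000024.400"
EPC_B = "urn:epc:id:sgtin:0614141.000024.401"
EPC_C = "urn:epc:id:sgtin:0614141.000024.777"  # never registered by the maker

PRODUCTS = [(EPC_A, "Sample item"), (EPC_B, "Sample item")]
MOVEMENTS = [  # constructed events: (epc, time, site, step)
    (EPC_A, "2009-03-01T08:00", "Factory", "registered"),
    (EPC_A, "2009-03-03T09:30", "Distributor", "received"),
    (EPC_B, "2009-03-01T08:05", "Factory", "registered"),
    (EPC_B, "2009-03-04T15:00", "Retailer", "sold"),
    (EPC_B, "2009-03-09T10:00", "Distributor", "received"),
    (EPC_C, "2009-03-05T11:00", "Retailer", "received"),
]


def open_demo_db():
    """Two stores in one in-memory database, linked only by the EPC column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (epc TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("CREATE TABLE movement (epc TEXT NOT NULL, ts TEXT NOT NULL,"
                 " site TEXT NOT NULL, step TEXT NOT NULL)")
    conn.execute("CREATE INDEX movement_by_epc ON movement (epc, ts)")
    # High-volume batch load of both stores.
    conn.executemany("INSERT INTO product VALUES (?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO movement VALUES (?, ?, ?, ?)", MOVEMENTS)
    return conn


def record_event(conn, epc, ts, site, step):
    """Incremental update: one supply chain read appended as it happens."""
    conn.execute("INSERT INTO movement VALUES (?, ?, ?, ?)", (epc, ts, site, step))


def track_record(conn, epc):
    """Join master data and movements on the EPC and check the life cycle."""
    rows = conn.execute(
        "SELECT p.name, m.ts, m.site, m.step"
        " FROM product p LEFT JOIN movement m ON m.epc = p.epc"
        " WHERE p.epc = ? ORDER BY m.ts", (epc,)).fetchall()
    if not rows:  # the manufacturer never registered this EPC
        return {"status": "unregistered", "events": [], "anomalies": []}
    events = [(ts, site, step) for _name, ts, site, step in rows if ts is not None]
    anomalies = []
    if not events or events[0][2] != "registered":
        anomalies.append("record does not start with manufacturer registration")
    sold_at = next((ts for ts, _site, step in events if step == "sold"), None)
    for ts, site, step in events:
        # ISO 8601 strings of equal precision sort in time order.
        if sold_at is not None and ts > sold_at:
            anomalies.append("%s at %s after sale (%s)" % (step, site, ts))
    return {"status": "suspect" if anomalies else "consistent",
            "name": rows[0][0], "events": events, "anomalies": anomalies}


if __name__ == "__main__":
    db = open_demo_db()
    for tag in (EPC_A, EPC_B, EPC_C):
        result = track_record(db, tag)
        print(tag, result["status"], result["anomalies"])
```

A "consistent" result only means the stored track record has no contradiction under these two rules; it is the display of that record to the user that the paper relies on for authentication.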

4.5. Phase 5: system establishment and piloting improvement

In the final phase, the system was field-tested in an operational environment at dispersed sites of multiple supply chain participants. Prior to this pilot run, the application programs had to be designed to meet all the actual situations. Meeting and working with the system users ensured that the application programs were customized to suit operational requirements. Continuous feedback and progress meetings were the foundations for system refinement. Bugs detected during the evaluation period were fixed by the project team to enable the release of ‘error-free’ application programs. With this user feedback, the project team can understand the user requirements more thoroughly, enabling them to develop application programs that are more user-friendly. Obviously, this phase involved a lot of analytical and programming efforts (for refining the system) so as to develop a successful system for counterfeit prevention.

5. Performance evaluation

The case study reported in this paper sheds light on the effectiveness of using an RFID-enabled infrastructure as a countermeasure to combat the global counterfeiting problem. Results of the field trials indicate that MESS out-performs the current product authentication techniques in counterfeit prevention. Apart from self-validated services, MESS also provides stakeholders with other benefits, such as higher level of public safety, better information sharing and brand name protection. These benefits are elucidated as follows.

5.1. More effective product authentication solution

Table 3 compares the current product authentication mechanism adopted by the IT solution provider with the MESS. The IT solution provider reported improvements in product authentication effectiveness and utilization of resources after piloting the proposed system. Previously, it had to handle many calls from customers to check the authenticity of products, an extremely labor intensive activity. Furthermore, the company had to change the product’s print labels at least twice a year because counterfeiters can imitate the labels of genuine products in due course. This makes the use of label-print technology expensive as a product authentication approach. With the adoption of the MESS, customers can authenticate the products themselves. The high degree of data security assures integrity of the data in the tag and prevents cloning of tags.

Several trials had been conducted to measure the improvement in verifying the authenticity of a product after adoption of MESS. Table 4 compares the trial results of the current operation (i.e. label-print technology) with those of the proposed solution (MESS). The total time of the entire process was reduced by at least 87% which was achieved by drastically simplifying the product authentication process from 7 steps to 2 steps. Without the MESS, customers often need to wait for more than 2 min to get someone to answer the call because several calls may be waiting for their turns to be serviced at any one time. As a result, availability of the customer service hotline suffered. With the use of MESS, the entire authentication process is handled over wireless networks or GPRS. The high speed broadband communication enables customers to authenticate RFID-tagged products anytime, anywhere, in real time.

Table 3
Comparison between the current product authentication mechanism and MESS.

| | Current product authentication mechanism | MESS |
|---|---|---|
| Principle | Each product depends on the high-print technology to create a barrier to imitation | Each product can be identified with a unique EPC code, enabling customers to verify the item’s authenticity over the Internet |
| Identification | Experts and machines are required to examine the print labels | No human-readable label is required for identification |
| Verification | It is difficult for customers to verify the product’s authenticity | It is easy for customers to ascertain the product’s authenticity |
| Imitation | Labels can be duplicated by counterfeiters | Imitation is close to impossible because the chance of successful decryption of the EPC is one to hundred billions |
| Value-added functions | Not available | The life-cycle transactions of products can be made visible to supply chain participants to support decision making and strategic planning |

Table 4
Estimated time of product authentication process between (a) the current product authentication technology and (b) the proposed solution (MESS).

| (a) Current product authentication technology | 1st trial (min) | 2nd trial (min) | 3rd trial (min) |
|---|---|---|---|
| Customer side | | | |
| Step 1: Read the high-print label | 1.38 | 2.33 | 1.33 |
| Step 2: Call customer service hotline for assistance | 1.00 | 1.00 | 1.00 |
| Step 3: Wait for response to the call | 3.50 | 2.33 | 3.50 |
| Company side | | | |
| Step 1: Receive the call | 0.50 | 0.66 | 0.48 |
| Step 2: Input the product details into the system | 1.40 | 1.66 | 1.33 |
| Step 3: Wait for the system to retrieve information | 1.84 | 1.74 | 1.62 |
| Step 4: Interpret the retrieved information and inform the caller accordingly | 1.12 | 1.44 | 1.51 |
| Total time (min) | 10.74 | 11.16 | 10.77 |

| (b) MESS | 1st time (min) | 2nd time (min) | 3rd time (min) |
|---|---|---|---|
| Customer side | | | |
| Step 1: Scan RFID-tagged product by mobile device | 0.33 | 0.45 | 0.24 |
| Company side | | | |
| Step 1: Retrieve information from the system and display it on the customer’s mobile device | 1.00 | 1.00 | 1.00 |
| Total time (min) | 1.33 | 1.45 | 1.24 |
| Time reduction (%) | 87.61% | 87.01% | 88.49% |

Remarks: This table only demonstrates a proof of concept of adopting the MESS. The performance results summarized will vary with the volume of service requests. Once there is a volume of service requested, further optimization model will be studied and investigated.


In general, the proposed solution will utilize resources more efficiently in supply chain participants’ communication, track and trace services, product authentication, as well as product life-cycle visualization. Furthermore, the product information visualization capability of MESS makes the system so easy to use that users can start to use it to authenticate products with minimal training.

5.2. Uninterrupted and secure tracking network

The tracking capability of MESS provides customers with a means to ascertain the authenticity of an RFID-tagged product by simply scanning it under a reader. With the common broadband connectivity to the Internet, the tracking network has no geographic limitation for ‘uninterrupted object tracking’. As a result, users can gain access to the network anytime, anywhere for real-time product authentication.

5.3. Enhanced communication and information sharing

The self-developed EPC network supports more effective communication amongst the supply chain participants, enabling visualization of hidden supply chain information. Through the adoption of RFID technology and the EPC standard, companies can view the life-cycle transactions of products on a user-friendly interface. All such information is stored in the centralized databases, closing the decision making gaps between supply chain participants.

5.4. Enhanced public safety

Product recalls and product counterfeiting are public safety issues. With improved visibility of supply chain information, companies can respond to public safety incidents more promptly and efficiently in identifying the products that need to be recalled and tracking the counterfeits. Taking the pharmaceutical industry as an example, drug counterfeiting and drug recalls have been serious public health problems in recent years. The proposed system effectively tracks products throughout the global supply networks, sharing product data for detection of counterfeited drugs in the supply chain.

5.5. Brand name protection

With the exception of the counterfeiters, all stakeholders in the supply chain win by implementing the proposed system. Through deployment of the RFID intelligent engine, manufacturers and retailers are protected against fakes, thereby enhancing their corporate image and customers’ confidence in the products they supply. In addition, the self-developed EPC network provides the supply chain participants with a standard for communication and information sharing to facilitate decision making and planning.

In summary, the proposed system offers an effective solution to address the product authentication and anti-counterfeiting issues. Results of the case study validate feasibility of adopting the proposed approach. The highly effective detection of fakes will deter counterfeiting to a significant extent.

6. Conclusion

Counterfeit prevention is a complicated and important issue, as well as a major challenge to enterprises. The proposed system, employing mobile devices with RFID technology and EPC standard, provides an efficient and effective approach to self-validated product authentication. As of late, studies on integrating these technologies to combat counterfeiting are rare. In addition, this research provides a feasible solution to both system structure and implementation roadmap. The issues of standardization and security between tag-and-reader are also considered.

Furthermore, the generic infrastructure of MESS offers flexibility in deterring product counterfeiting and protecting RFID data. When compared with the current product authentication technologies, MESS provides customers with a more effective and easy-to-use approach to verifying an item’s authenticity via an Internet-enabled mobile device. With such a feature, users can track and trace the product anywhere and anytime in a timely manner. It should be noted that the system is not limited to depicting product supply chain information to authorized parties; it can also integrate such information with other applications to support decision making and communication.

While findings of the case study indicate that encouraging results can be achieved after implementation of the proposed system, a number of hurdles and challenges are yet to be addressed. For example, the readability of RFID tags is greatly affected by the environment and the reader’s orientation. Thus, identification and resolution of roadblocks to RFID adoption would be an interesting topic for future research.

Acknowledgements

The authors would like to express their sincere thanks to the Research Committee of The Hong Kong Polytechnic University for financial support of the research work (Project Code: G-YE31) and The Counterfake International Limited for providing the RFID hardware needed in the proof of concept study.

References

[1] P. Lei, F. Claret-Tournier, C. Chatwin, R. Young, A secure mobile track and trace system for anti-counterfeiting, in: Proceedings of the 2005 IEEE International Conference on e-Technology, e-Commerce and e-Service, Hong Kong, March 29–April 1, (2005), pp. 686–689.

[2] ICC Counterfeiting Intelligence Bureau, ICC Handbook, ICC Commercial Crime Services, 2005.

[3] D. Hopkins, L.T. Kontnik, M.T. Turnage, Counterfeiting Exposed: Protecting your Brand and Customers, Wiley, Hoboken, NJ, 2003.

[4] S. Bastia, Next generation technologies to combat counterfeiting of electronic components, IEEE Transactions on Components and Packaging Technologies 25 (1) (2002) 175–176.

[5] International Chamber of Commerce Commercial Crime Services, International Guide to IP Rights Enforcement First Edition 2006, International Chamber of Commerce Counterfeiting Intelligence Bureau, 2006.

[6] ICC Counterfeiting Intelligence Bureau, The International Anti-counterfeiting Directory, ICC Commercial Crime Services, 2008.

[7] T. Staake, F. Thiesse, E. Fleisch, Extending the EPC network—the potential of RFID in anti-counterfeiting, in: Proceedings of the ACM Symposium on Applied Computing, Santa Fe, New Mexico, 2005.

[8] ICC Counterfeiting Intelligence Bureau, Anti-Counterfeiting Technology Guide, ICC Commercial Crime Services, 2005.

[9] United States Food and Drug Administration, COMBATING COUNTERFEIT DRUGS—A Report of the Food and Drug Administration, U.S. Food and Drug Administration, Rockville, MD, 2004.

[10] S.K. Kwok, A.H.C. Tsang, J.S.L. Ting, W.B. Lee, B.C.F. Cheung, An intelligent RFID-based electronic anti-counterfeit system (InRECS) for the manufacturing industry, in: Proceedings of the 17th International Federation of Automatic Control (IFAC) World Congress 2008, Seoul, Korea, July 6–11, (2008), pp. 5482–5487.

[11] J. Kim, H. Kim, A wireless service for product authentication in mobile RFID environment, in: Proceedings of the 1st International Symposium on Wireless Pervasive Computing, Phuket, Thailand, January 16–18, (2006), p. 5.

[12] Reconnaissance International, Pharmaceutical counterfeiting: fears into facts, Authentication News 8 (7) (2002) 1.

[13] FDA (Food and Drug Administration) U.S., Counterfeit Drug Task Force Interim Report, 2003.

[14] U.S. Department of Health and Human Services, Combating Counterfeit Drugs, Food and Administration, 2004.

[15] Imitating property is theft, The Economist (May) (2003) 52–54.

[16] M. Lehtonen, T. Staake, F. Michahelles, E. Fleisch, From identification to authentication—a review of RFID product authentication techniques, in: Proceedings of the Workshop on RFID Security—RFIDSec 06, July, 2006.

[17] A. Juels, RFID security and privacy: a research survey, Journal of Selected Areas in Communication (J-SAC) 24 (2) (2006) 381–395.

[18] R. Koh, E. Schuster, I. Chackrabarti, A. Bellman, Securing the pharmaceutical supply chain, in: White Paper, Auto-ID Labs, Massachusetts Institute of Technology, 2003.

[19] A. Juels, R. Pappu, Squealing Euros: privacy protection in RFID-enabled banknotes, in: Proceedings of Financial Cryptography–FC’03, Le Gosier, Guadeloupe, French, West Indies, (2003), pp. 103–121.

[20] S. Weis, S. Sarma, R. Rivest, D. Engels, Security and privacy aspects of low-cost radio frequency identification systems, in: Proceedings of the International Conference on Security in Pervasive Computing—SPC 2003, Berlin/Heidelberg/New York, (2003), pp. 454–469.

[21] D. Henrici, P. Muller, Hash-based enhancement of location privacy for radio-frequency identification devices using varying identifiers, in: Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW’04), March 14–17, (2004), pp. 149–153.

[22] D.N. Duc, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal Gen-2 RFID tag against traceability and cloning, in: Proceedings of the 2006 Symposium on Cryptography and Information Security, Hiroshima, Japan, January 17–20, 2006.

[23] K.H.M. Wong, P.C.L. Hui, A.C.K. Chan, Cryptography and authentication on RFID passive tags for apparel products, Computers in Industry 57 (4) (2006) 342–349.

[24] L.T. Mirowski, Detecting clone radio frequency identification tags, Bachelor’s Thesis, School of Computing, University of Tasmania, November, 2006.

[25] Z. Nochta, T. Staake, E. Fleisch, Product specific security features based on RFID technology, in: Proceedings of the International Symposium on Applications and the Internet Workshops (SAINTW’06), January 23–27, (2006), pp. 72–75.

[26] H. Bhatt, B. Glover, RFID Essentials, 1st ed., O’Reilly, Sebastopol, CA, 2006.

[27] S. Lahiri, RFID Sourcebook, Pearson plc, Upper Saddle River, NJ, 2006.

[28] EPCglobal, Inc., RFID Implementation Cookbook, 2006 Available at: http://www.epcglobalinc.org/what/cookbook.

[29] G. Elliott, N. Phillips, Mobile Commerce and Wireless Computing Systems, Pearson/Addison Wesley, Harlow, 2004.

[30] C. Cid, Recent developments in cryptographic hash functions: security implications and future directions, Information Security Technical Report 11 (2) (2006) 100–107.

[31] J. Holmstrom, R. Kajosaari, K. Framling, E. Langius, Roadmap to tracking based business and intelligent products, Computers in Industry 60 (3) (2009) 229–233.

[32] K.Y. Jeon, S.H. Cho, A RFID EPC C1 Gen2 system with channel coding capability in AWGN noise environments, IEICE Transactions on Communications E92-B (2) (2009) 608–611.

[33] H.Y. Chien, C.H. Chen, Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards, Computer Standards and Interfaces 29 (2) (2007) 254–259.

[34] E.W.T. Ngai, K.K.L. Moon, F.J. Riggins, C.Y. Yi, RFID research: an academic literature review (1995–2005) and future research directions, International Journal of Production Economics 112 (2) (2008) 510–520.

[35] P. King, Hex Is Not the Standard, 2009 available at: http://www.rfidjournal.com/article/print/4912.

[36] R. Weinstein, RFID: a technical overview and its application to the enterprise, IT Professional 7 (3) (2005) 27–33.

[37] M.C. O’Connor, Gen 2 EPC Protocol Approved as ISO 18000-6C, 2006 Available at: http://www.rfidjournal.com/article/articleview/2481/1/1/.

[38] E.Y. Choi, D.H. Lee, J.I. Lim, Anti-cloning protocol suitable to EPCglobal Class-1 Generation-2 RFID systems, Computer Standards and Interfaces 31 (6) (2009) 1124–1130.

[39] D.N. Due, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal GEN-2 RFID tag against traceability and cloning, in: Proceedings of the 2006 Symposium on Cryptography and Information Security, 2006.

[40] EPCglobal, Inc., EPCglobal Standards Overview, 2009 Available at: http://www.epcglobalinc.org/standards.

S.K. Kwok is a lecturer in the department of industrial and systems engineering of The Hong Kong Polytechnic University. His research areas are in artificial intelligence, industrial and systems engineering, information and communication technologies (ICT), logistics enabling technologies and mobile commerce. He participates in several industry-based research projects, which include web-enabled collaborative working platform development, customer relationship management, mobile devices application in vendor management inventory, RF-tag order tracking system, etc. For all the mentioned projects, latest ICT are applied to streamline information flow and enhance the knowledge management (KM) among modern business units. The research outcomes are presented in several international conferences and published in various international journals.

Jacky S.L. Ting is a PhD candidate at the department of industrial and systems engineering of The Hong Kong Polytechnic University. He received his BSc degree in enterprise engineering and e-business at the same university. His research interests include knowledge engineering, computer modeling of medical knowledge, medical informatics and decision support systems.

Albert H.C. Tsang is principal lecturer in the department of industrial and systems engineering at The Hong Kong Polytechnic University. He provided consultancy and advisory services to enterprises and industry support organizations in manufacturing, logistics, public utilities, healthcare and government sectors on matters related to quality, reliability, maintenance, performance management and assessment of performance excellence, and engineering asset management—these are also areas of his research interest. He is the author of ‘WeibullSoft’, a computer-aided self-learning package on Weibull analysis. Apart from publishing papers in various international refereed journals, he is also the author/co-author of three books on various aspects of engineering asset management, and two books on industrial applications of RFID.

W.B. Lee is the chair professor of the department of industrial and systems engineering of The Hong Kong Polytechnic University and the director of The Hong Kong Polytechnic University Microsoft Enterprise Systems Centre (MESC). He is also the president of the Hong Kong Advancement of the Association of Science and Technology, and the past chairman of the Institution of Electrical Engineers, Hong Kong. His research interests include manufacturing science, dispersed network manufacturing systems, knowledge management and logistics engineering.

Benny C.F. Cheung is an associate professor and an associate director in the Advanced Optics Manufacturing Centre (AOMC) and Knowledge Management Research Centre (KMRC) in the department of industrial and systems engineering at The Hong Kong Polytechnic University. His research work emphasizes industrial applications and applied research. His research interests include precision engineering, knowledge and technology management, artificial intelligence, and logistics systems. He has authored and co-authored five research books, five book chapters and more than 200 research papers in various refereed journals and international conferences, of which more than 120 were refereed journal papers.