Wrestling with the Realities of Pharmaceutical Tampering & Counterfeiting
Roger G. Johnston, Ph.D., CPP
Vulnerability Assessment Team
Los Alamos National Laboratory
505-667-7414 rogerj@lanl.gov
http://pearl1.lanl.gov/external/c-adi/seals/index.shtml
LAUR-07-2828
Slide2: Physical Security
consulting
cargo security
tamper detection
training & curricula
nuclear safeguards
new tags, seals, & traps
vulnerability assessments
novel security approaches
security psychological issues
LANL Vulnerability Assessment Team
The VAT has done detailed vulnerability assessments on hundreds of different security devices, systems, & programs.
The greatest of faults, I should say, is to be conscious of none.
-- Thomas Carlyle (1795-1881)
Slide3: Topics
High Technology ≠ High Security
Tamper-Evident Packaging
Cargo Tamper Detection
Anti-Counterfeiting Tags
Problems with Secret Tags & Taggants
RFIDs & Track-and-Trace
Call-In the Numeric Token (CNT)
Terminology
lock: a device to delay, complicate, and/or discourage unauthorized entry.
seal: a tamper-indicating device (TID) designed to leave non-erasable, unambiguous evidence of unauthorized entry or tampering. Unlike locks, seals are not necessarily meant to resist access, just record that it took place.
“Who are you and how did you get in here?”
‘I’m a locksmith and I’m a locksmith.’
-- Leslie Nielsen as Lt. Frank Drebin, Police Squad
Terminology
tag: an applied or intrinsic feature that uniquely identifies an object or container.
types of tags
inventory tag (no malicious adversary)
security tag (counterfeiting & lifting are issues)
buddy tag or token (only counterfeiting is an issue)
anti-counterfeiting (AC) tag (only counterfeiting is an issue)
lifting: removing a tag from one object or container and placing it on another, without being detected.
Tags & Seals: Applications
customs
cargo security
non-proliferation
treaty verification
counter-terrorism
counter-espionage
banking & couriers
drug accountability
records & ballot integrity
evidence chain of custody
weapons & ammo security
tamper-evident packaging
anti-product counterfeiting
protecting instrument calibration
protecting medical sterilization
waste management & hazardous materials accountability
Some of the 5000+ commercial seals
Tags & Seals
Tags: Uniquely identify an object or container
Seals: Detect tampering or unauthorized access
Warning: High-Tech does not guarantee High Security.
The badness of a movie is directly proportional to the number of helicopters in it. -- Dave Barry
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. -- Bruce Schneier
Why High-Tech Tags & Seals Are Usually Vulnerable To Simple Attacks
Still must be physically coupled to the real world
Still depend on the loyalty & effectiveness of user’s personnel
The increased standoff distance decreases the user’s attention to detail
Technology is a 2-edged sword
Many more legs to attack
Why High-Tech Tags & Seals Are Usually Vulnerable To Simple Attacks
The high-tech features often fail to address the critical vulnerability issues
Users don’t understand the technology
Rohrbach’s Maxim (no security device or system will ever be used properly, i.e., the way it was designed, all the time)
& Rohrbach-Was-An-Optimist Maxim
Developers & users have the wrong expertise
and focus on the wrong issues
The “Titanic Effect”: high-tech arrogance
Warning: Existing tamper-evident packaging isn’t very effective, yet product tampering (by insiders or outsiders) is inevitable.
Why do croutons come in airtight packages? It’s just stale bread to begin with.
-- George Carlin
On a bag of Fritos: “You could be a winner! No purchase necessary. Details inside.”
Common Tamper-Evident Packaging
pressurized containers
adhesively sealed packaging
blister pack
frangible plastic film
break-off lids
pop up buttons
foil seal under cap
I think the inventor of the piñata may
have had some unresolved donkey issues.
-- Dan Johnson
Slide12: Tamper-Evident Packaging Test
7th Security Seals Symposium
Santa Barbara, CA
February 28 - March 2, 2006
71 tamper detection experts participated.
A VAT college student (Sonia Trujillo) did the product tampering using only low-tech attacks.
30 different consumer food & drug products.
9 were tampered with.
Participants were to pick exactly 3 (out of 10) products they thought had been tampered with.
Notes
This was not a realistic or rigorous test because…
The seal inspectors were tampering experts.
They were told the products were tampered with. (Tamperers usually don’t announce their attacks.)
Visual inspection only. They didn’t get to open the packages, which can help spot tampering. (However, most consumers will use--at most--visual evidence.)
Many participants took MUCH longer than the 4 secs per package they were directed to use.
The hard part about being a bartender is figuring out who is drunk and who is just stupid.
-- Richard Braunstein
Slide14: statistically the same as random guessing!
If tamper detection experts can’t reliably detect product tampering, what chance does the average consumer have?
Problems with Consumer Tamper-Evident Packaging
Mostly about Displacement, Due Diligence, Compliance, & Reducing Jury Awards—not effective Tamper Detection
No meaningful FDA Definitions, Standards, Guidelines, or Tests
Consumers lack sufficient information to use properly
Poor labeling. If the seal is removed, the consumer may not realize a seal originally existed.
“Do not eat if seal is missing.”
-- actual printing on the seal
Problems with Consumer Tamper-Evident Packaging (con’t)
What is the seal supposed to look like?
Euphemisms (e.g., “freshness seal”) and manufacturer obscurations.
Relatively unimaginative, cost-driven designs
Few useful vulnerability assessments
Not proactive to the threat
It had only one fault. It was kind of lousy.
-- James Thurber (1894-1961)
Poor TEP Labeling
The consumer may open the other end, where there is no warning.
Printed on the side, where the consumer may not see it.
Warning not highlighted: buried in the text.
The only warning is on the seal.
Incorrectly claims the TE packing “resists tampering”!
Warning: Existing tamper-indicating seals (at least the way they are typically used) aren’t very effective for cargo security.
Now that the world is getting over the initial shock, and the war against terrorism has begun, what now for bridal retailers?
-- Actual editorial in the trade magazine Bridal Buyer
“The time has come,” the Walrus said,
“To talk of many things:
Of shoes--and ships--and sealing wax
Of cabbages--and kings.”
-- Lewis Carroll, Through the Looking Glass
Terminology
defeating a seal: opening a seal, then resealing (using the original seal or a counterfeit) without being detected.
attacking a seal: undertaking a sequence of actions designed to defeat it.
Defeating seals is mostly about fooling people, not beating hardware (unlike defeating locks, safes, or vaults)!
Seals Vulnerability Assessment
We studied 244 different seals in detail:
• government & commercial
• mechanical & electronic
• low-tech through high-tech
• cost varies by a factor of 10,000
Over half are in use for critical applications,
and ~19% play a role in nuclear safeguards.
Percent of Seals That Can Be Defeated in Less Than a Given Amount of Time
High Tech Isn’t Automatically Better!
393 attacks
Linear LS fit: r = 0.10, slope = 270 msec/$
Linear LS fit: r = 0.19, slope = 170 msec/tech level
The Good News
Simple countermeasures usually exist, but require:
understanding the seal vulnerabilities
looking for likely attacks
having seen examples
Countermeasures 393 attacks
The Good News (con’t): But better seals are also possible!
conventional seals:
They must store the fact that tampering has been detected until the seal can be inspected. But this ‘alarm condition’ can be easily hidden or erased, or eliminated by making a fresh counterfeit seal.
anti-evidence seals:
At the start, when the seal is first installed, store information that tampering hasn’t yet been detected. Erase this ‘anti-evidence’ when tampering is detected. This leaves nothing for an adversary to hide, erase, or counterfeit!
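The contrast between the two designs, as an added Python model that is not from the presentation or from LANL. It assumes the anti-evidence is a random value the inspector records at installation, and that after entry the adversary can either re-initialise the seal or swap in a fresh counterfeit; all class and function names are hypothetical.

```python
import secrets


class ConventionalSeal:
    """Assumed model: records an alarm flag when tampering is detected."""

    def install(self):
        self.alarm = False
        return None                       # nothing for the inspector to keep

    def on_tamper(self):
        self.alarm = True                 # evidence is WRITTEN on tampering

    def passes_inspection(self, recorded):
        return not self.alarm


class AntiEvidenceSeal:
    """Assumed model: holds a random value that is ERASED on tampering."""

    def install(self):
        self.memory = secrets.token_bytes(16)
        return self.memory                # inspector records this, away from the seal

    def on_tamper(self):
        self.memory = None                # the anti-evidence is gone

    def passes_inspection(self, recorded):
        return self.memory is not None and secrets.compare_digest(self.memory, recorded)


def reset_to_fresh(seal):
    """Cover-up 1: put the same seal back into its just-installed state."""
    seal.install()
    return seal


def swap_for_counterfeit(seal):
    """Cover-up 2: replace the seal with a newly made look-alike."""
    fake = type(seal)()
    fake.install()
    return fake


def intact_seal_passes(seal_cls):
    """An untouched seal must still pass, or the design is useless."""
    seal = seal_cls()
    recorded = seal.install()
    return seal.passes_inspection(recorded)


def tampering_missed(seal_cls, cover_up=None):
    """True if the inspector is fooled after tampering plus optional cover-up."""
    seal = seal_cls()
    recorded = seal.install()
    seal.on_tamper()
    if cover_up is not None:
        seal = cover_up(seal)
    return seal.passes_inspection(recorded)


if __name__ == "__main__":
    for cls in (ConventionalSeal, AntiEvidenceSeal):
        for cover_up in (None, reset_to_fresh, swap_for_counterfeit):
            name = cover_up.__name__ if cover_up else "no cover-up"
            print(f"{cls.__name__:17} {name:21} missed={tampering_missed(cls, cover_up)}")
```

In this model the anti-evidence seal only holds up if the stored value cannot be read out before tamper detection fires, which is an assumption of the sketch rather than a claim from the slides.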
20+ New LANL “Anti-Evidence” Seals
low cost
better security
no hasp required
no tools to install or remove seal
100% reusable, even if mechanical
the seal can go inside the container
can monitor volumes or areas, not just portals
can automatically verify the seal inspector actually checked the seal (“anti-gundecking”)
Warning: Practical & effective AC Tags don’t currently exist.
The Holy Grail: a practical, inexpensive AC tag that is small, light-weight, easy for anyone to verify (ideally by eye), but difficult & expensive to counterfeit. Is this even possible?
The great film comedian, Charlie Chaplin, once entered a Charlie Chaplin look-a-like contest for a laugh. To his surprise, he did not win.
For every flamingo in the United States, there are 700 fake plastic ones.
Common Anti-Counterfeiting Tags
RFIDs
contact memory buttons
holograms
color changing films
covert marks, inks, or micro-patterns (secret tags)
taggants
Everyone wants to be Cary Grant. Even I want to be Cary Grant.
-- Cary Grant (1904-1986)
Fake Counterfeits
Counterfeiting security devices is usually easier than developers, vendors, & manufacturers claim.
Often overlooked: The bad guys usually only need to mimic the superficial appearance and maybe the apparent performance of the security device, not the device itself.
Sincerity is everything. If you can fake that, you’ve got it made.
-- George Burns (1885-1996)
The Problems with Holograms
easy to counterfeit (See, for example,
http://www.nli-ltd.com/publications/hologram_counterfeiting.htm)
embossed (stamped) holograms are especially trivial
to duplicate
easy to fool consumers & harried pharmacy techs
with flashy colors
a number of companies will copy holograms for you,
few questions asked
do-it-yourself hologram turnkey systems are available
The Problems with Color Shifting Ink
Manufacturers will usually sell the ink to almost
anybody (despite claims otherwise).
There are lots of cheap, readily available color-shifting
pigments, paints, cosmetics, & coatings that’ll fool
consumers & harried pharmacy technicians.
The Problems with Blister Packs
Packaging companies will blister pack for
anybody, few questions asked.
Blister pack supplies are readily available.
New & used blister pack machines are relatively
inexpensive (though aren’t really necessary).
If ignorance were bliss,
he’d be a blister.
-- Anonymous
Slide32: The Problems with Covert Marks, Inks, Micro-Patterns & Other Secret Tags
Drug counterfeiters already pore over the packaging, so they will figure out the secret.
Secrets are hard to keep. Shannon’s Maxim: The bad guys know what you are doing (so “security by obscurity” won’t work).
Use it & lose it: The secret is compromised the first time you tell a customer or government authorities how to check authenticity.
Everything secret degenerates … nothing is safe that does not show how it can bear discussion and publicity.
-- attributed to Lord Acton (1834-1902)
Slide33: The Problems with Covert Marks, Inks, Micro-Patterns, & Other Secret Tags (con’t)
Fooling the eye (and simple readers) with fake inks & patterns is easy.
The public has known about UV fluorescent dyes & black lights since the 1960s. The new IR dyes are also becoming known.
Can require high levels of quality control in the printing.
How do you know when you’ve run out of invisible ink? -- Steven Wright
Slide34: The Problems with Covert Marks, Inks, Micro-Patterns, & Other Secret Tags (con’t)
Can’t be used by the consumer.
Repackagers, Consolidators, Commercial & Institution Pharmacies may dispense authentic drugs, then place fake drugs in the authentic packaging & resell.
Suspicious products need to be analyzed, anyway.
Printing on a Chinese medicine bottle:
“Expiration date: 2 years”
Slide35: The Problems with Taggants
Requires reformulating the drug.
Many of the same problems as with secret tags.
"Warning: do not use if you have prostate problems."
-- On a box of Midol PMS relief tablets
Slide36: The Problems with Taggants (con’t)
Why not analyze the drug instead? That’s the best possible taggant, and the only important issue, anyway!
+ New (fast/cheap/small) field analytical devices are becoming available: GC/MS/FTIR/LIBS/other spectroscopies
+ Other physical/mechanical properties are fast, cheap, & easy to measure, but tricky for counterfeiters to duplicate. Examples: density, gloss, hardness, porosity, viscosity, water content, melting point, dielectric constant, optical activity, thermal conductivity, vapor pressure, colorimetry.
Nothing is like it seems, but everything is exactly like it is. -- Yogi Berra
Slide37: Potential High-Tech Tag Technologies (though little R&D is underway)
thin films
ferrofluids
ultrasonics
liquid crystals
biological materials
micro- & nano-particles
novel glasses/ceramics
electrostatics & magnetics
transport & diffusion phenomena
advanced polymers & composites
exotic organics & macromolecules
nonlinear optical & electrooptic materials
Technology: No place for wimps!
-- Scott Adams
Slide38: The Problems with FDA RFID Track & Trace
mandatory
several years off
complicated & expensive
consumers & small retailers are left out, yet worldwide, most counterfeits are introduced at those levels
no easy way to deal with consolidators & repackagers
FDA misses the point: the RFID is not the security!
Hope is not a strategy.
-- Michael Henos
RFIDs: Radiofrequency Identification Devices (Tags)
RFID transponders transmit serial numbers using radio waves.
Most RFIDs do not use batteries (passive), but some do (active). Some are even “semi-passive.”
Passive RFIDs draw power from an rf pulse generated by the reader.
Common frequencies: low (~125 kHz), high (~13.56 MHz), ultra-high (433 & ~900 MHz), & microwave (2.45 & 5.8 GHz).
RuBees: < 450kHz.
There is a huge danger to customers using this (RFID) technology, if they don't think about security.
-- Lukas Grunwald (creator of RFDump)
RFIDs: fine for inventory, problematic for security
Easy to lift.
Easy to block or jam signals.
Easy to counterfeit. All needed information, software, & parts are readily available.
Easy to eavesdrop on an RFID and record its signal. Free software and information are on the Internet.
Easy to spoof the reader from a distance, tamper with it, or swap it out for a counterfeit. No access to the RFID itself is needed.
RFIDs: easy to defeat
We’ve counterfeited a number of different RFIDs,
and otherwise spoofed a variety of readers.
Our first attempt at attacking RFIDs a few years ago:
Starting with zero knowledge, it took 2 weeks, and
< $20 in parts to demonstrate 5 different defeats.
“You’ve done a nice job decorating the White House!”
-- Pop Star Jessica Simpson to Interior Secretary
Gale Norton during her VIP tour of the White House
RFIDs: easy to defeat
Lots of other people (including hobbyists) know how to defeat RFIDs and readers, too. See, for example:
http://cq.cx/vchdiy.pl
http://www.rfdump.org/
http://www.gluelogix.com/OneDollarWirelessInterface.shtml
http://www.theregister.co.uk/2006/08/04/cloning_epassports/
http://www.cl.cam.ac.uk/~gh275/relay.pdf
https://events.ccc.de/congress/2006/Fahrplan/events/1597.en.html
http://news.zdnet.com/2100-1009_22-5287912.html
http://www.wired.com/wired/archive/14.05/chips.html
http://www.wired.com/wired/archive/14.05/rfid_pr.html
http://hackingrfid.pbwiki.com/FrontPage
http://www.forbes.com/home/commerce/2004/07/29/cx_ah_0729rfid.html
http://www.silicon.com/research/specialreports/ecrime/0,3800011283,39158120,00.htm
http://www.iaik.tugraz.at/research/vlsi/02_products/05_rfid_demotag/index.php
https://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN)
http://www.examiner.com/a-234701~Digital_dog_tag_already_cloned.html
http://video.google.com/videoplay?docid=-4157924840842457233&q=RFID+Vulnerabilities+in+RFID+Credit+Cards
RFID Counterfeiting Devices
Hobbyist: RFID Skimmer, Sniffer, Spoofer, Cloner.
Commercial: Used for “faking RFID tags”, “reader development.”
Commercial: $20 retail, Cloner.
What about cryptographic RFIDs?
Expensive & usually require a battery.
Typically weak or non-existent physical tamper detection capabilities.
People have defeated them various ways:
http://www.enterprise-security-today.com/story.xhtml?story_title=RFID-Vulnerability-Exposed&story_id=30105
http://www.cioinsight.com/print_article2/0,2533,a=148335,00.asp
http://www.examiner.com/a-234701~Digital_dog_tag_already_cloned.html
http://www.wired.com/wired/archive/14.05/rfid.html
http://www.eetimes.com/news/latest/showArticle.jhtml;jsessionid=E4UP4JUJB3I4UQSNDBESKHA?articleID=180201688
Of all the radio stations in Chicago…we’re one of them.
-- Slogan of FM 105.9, the classic rock radio station in Chicago
Slide45: Warning: Data Encryption/Authentication
Intended for public communication between two secure points (in space or time).
Provides reliable security if and only if the sender and the receiver are physically secure. (Usually not the case!)
The security of a cipher lies less with the cleverness of the inventor than with the stupidity of the men who are using it. -- Waldemar Werther
What encourages RFID attacks?
1. High-Tech Security Maxim: The amount of careful, critical security
thinking that has gone into a given security device, system, or program
is inversely proportional to the amount of high-technology it uses.
2. Low-Tech Security Maxim: It’s easy to defeat most security devices
and features (including high-tech ones) with low-tech attacks.
3. Familiarity Security Maxim: Any technology becomes more
vulnerable to attacks when it becomes more widely used, and when
it has been used for a longer period of time.
4. Payoff Security Maxim: The more money that can be made from
defeating a technology, the more attacks & attackers will appear.
There are two kinds of fools: One says, “This is old, therefore it is good.” The other one says, “This is new, therefore it is better.”
-- William R. Inge (1860-1954)
What encourages RFID attacks?
5. Vehement Opposition: RFIDs face a lot of opposition, for both
legitimate & wacky reasons:
• rf interference
• failure-to-read rates
• anti-technology attitudes
• desire to shoot down the hype
• privacy & “Big Brother” concerns
• international standards problems
• cost, delays & hassles to implement
• paranoia (health risks, fear of alien abductions, etc.)
• increasing recognition that they are not security devices
6. RFIDs and rf technology have been around for decades & are
now widely used in many applications, including by home hobbyists
for robotics and home automation.
7. Counterfeits don’t have to work very well because rf is flakey anyway.
What encourages RFID attacks?
8. Passive short-range RFIDs aren’t really rf devices.
9. RFIDs and Readers are inexpensive & readily available
for cannibalizing. (High-tech cuts both ways).
10. RFID manufacturers are eager to provide technical support, free
samples, and cheap evaluation kits, thus revealing vulnerabilities.
11. RFID manufacturers are not security companies.
12. The Internet & patents are full of RFID design & attack information.
13. Programmable Read/Write RFIDs can often be made to look
like Read-Only RFIDs (because they are often the same product).
Never buy beauty products from a hardware store. -- Miss Piggy
What encourages RFID attacks?
14. Radio frequency signals are invisible and not very directional.
15. Security does not happen by accident. RFIDs are not
security devices, & it’s difficult enough to have good security
even when security is designed in from the start.
16. Rohrbach’s Maxim.
Blink your eyelids periodically to lubricate your eyes.
-- Hewlett-Packard’s Environmental, Health, and
Safety Handbook for Employees
Bar Codes & RFIDs: essentially the same thing
Bar codes: visible operation + highly directional (good for security)
RFIDs: invisible to user + not highly directional (bad for security)
RFID is basically a bar code that barks.
-- Robin Koh, MIT Auto-ID Lab
Bar Codes offer poor security, but RFIDs may be worse! (Score each attack 0-10, with 0=trivial, 10=very difficult.)
average attack difficulty: 3.3 1.7
Which pharma counterfeiters will be hampered?
Columns: RFID + Track & Trace; RFID Only
Rows: RFID readers widely used by small retailers & consumers; RFID readers not widely used by small retailers & consumers
Types of counterfeiters:
1 - High-volume, who introduce counterfeits at the wholesale or large retail level.
2 - High-volume, who introduce counterfeits at the small retail or consumer level.
3 - Unsophisticated small-volume, who introduce at the small retail or consumer level.
In the absence of effective AC Tags, this is one method to impede & detect product counterfeiting.
The pursuit of perfection often impedes improvement.
-- George Will
“Call-In the Numeric Token” (CNT) Technique
virtual numeric token
imperfect, but inexpensive & painless
a societal/statistical approach to counterfeiting
participants help others & themselves
Slide54: CNT
(“Bottle” can really mean bottle, tube, box, container, pallet, truck-load, etc.)
Lot: 4ZB1026
Exp: 04/06
Bottle ID: MPD709
Bottle ID
unique
unpredictable
random, non-sequential
at least 1000 times more possible ‘Bottle’ IDs per Lot than actual bottles
Slide55: CNT Technique (con’t)
Print “Bottle” ID on bottles, or other packaging at the factory, or attach printed adhesive labels later.
Keep secure computer list (database) of valid Bottle IDs for each Lot.
>1.5 billion containers per DVD.
CNT handles Case 1 (all fakes have same ID), Case 2 (all fakes have different IDs), or Case 3 (some combination).
Slide56: CNT Technique (con’t)
“Calling-in”: Customers log into a web site, or call an automated phone line to quickly check if their Bottle ID is valid for the given Lot number. (Yes/No response.)
Works at the consumer level—unlike FDA’s RFID track & trace
Callers may or may not remain anonymous. (Pros & Cons).
Useful even if only a very small fraction of customers participate.
Slide57: Counterfeits are spotted by…
Invalid Bottle IDs that are called-in will be immediately recognized as counterfeits.
Any duplicate valid Bottle IDs that are called-in will be flagged as counterfeits with fairly high reliability.
Wholesalers, re-packagers, and other handlers of large quantities can spot counterfeits even without calling-in by finding duplicate Bottle IDs in their own database of past and present stock. (“Self-checking”.)
Slide58: Counterfeiters
The bad guys are hampered by these
problems:
Guessing valid ID numbers isn’t practical.
Getting large numbers of valid IDs is challenging, and they change with each new Lot.
Making counterfeit products with duplicate IDs may be detected via call-ins or self-checking.
Counterfeiting the packaging, bar code, or RFID
gains them nothing.
Slide59: Notes
Putting the Bottle ID inside the tamper-evident packaging will make it more difficult for counterfeiters to covertly obtain valid IDs.
Bar code (or RFID) the Lot & Bottle ID numbers so wholesalers, re-packagers, and high-volume customers can automate the process.
Provide free readers & automated call-in software to major customers.
Handle the resale of drugs multiple ways, including raising the minimum threshold for declaring counterfeiting when duplicate Bottle IDs are called in.
Slide60: Percentage of callers reporting the same (valid) Bottle ID who will be notified their drugs are counterfeit vs. the number of callers reporting that Bottle ID, for 4 values of the threshold, T
Slide61: Repackagers & Pharmacies
If consolidating:
Re-use some of the original Bottle IDs & destroy the rest (perhaps reporting this to the manufacturer).
If subdividing, do one or more of the following:
Set threshold T > 2.
Notify manufacturer so corrections can be applied to the database.
Obtain new Bottle IDs from manufacturer.
If trusted, generate own new Bottle IDs & report them to manufacturer.
Manufacturer packs multiple (unique) IDs inside the original tamper-evident packaging, about one per new “bottle” to be created.
Slide62: What We Tell Call-Ins
Any caller with an invalid Bottle ID: “You have a fake with 100% certainty.”
1st caller through caller T-1 for a given valid Bottle ID, where T is the counterfeiting threshold: “Thanks for contributing to everybody’s safety! We have no information at this time that there is a problem with your drugs but you can optionally:
(1) check back later, but be sure to tell us you are rechecking,
or
(2) give us your contact info & we’ll get back to you if new information becomes available.”
Slide63: What We Tell Call-Ins (con’t)
Tth caller and all subsequent callers for a given valid Bottle ID: “There is a high probability you have a fake.”
Drug: A chemical compound which, when injected into a rat, produces a scientific report.
-- Anon
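The call-in rules from the two “What We Tell Call-Ins” slides, as an added Python sketch that is not code from the presentation. The lot and first Bottle ID are the slide's own example; the other IDs, the contact address, the class name, and the choice to send the "high probability" message to earlier callers who left contact details are assumptions.

```python
from collections import defaultdict

INVALID = "You have a fake with 100% certainty."
NO_INFO = "We have no information at this time that there is a problem with your drugs."
LIKELY_FAKE = "There is a high probability you have a fake."


class CallInService:
    """Answers Bottle ID call-ins for one manufacturer (hypothetical class)."""

    def __init__(self, valid_ids, threshold=2):
        if threshold < 2:
            raise ValueError("threshold T must be at least 2")
        # valid_ids maps Lot number -> iterable of valid Bottle IDs for that Lot
        self.valid = {lot: frozenset(ids) for lot, ids in valid_ids.items()}
        self.threshold = threshold
        self.calls = defaultdict(int)      # (lot, id) -> number of first-time call-ins
        self.contacts = defaultdict(list)  # (lot, id) -> callers who asked for follow-up
        self.outbox = []                   # (contact, message) pairs waiting to be sent

    def call_in(self, lot, bottle_id, recheck=False, contact=None):
        lot, bottle_id = lot.strip().upper(), bottle_id.strip().upper()
        # An ID is only valid for its own Lot; anything else is a certain fake.
        if bottle_id not in self.valid.get(lot, frozenset()):
            return INVALID
        key = (lot, bottle_id)
        if not recheck:                    # a declared recheck is not a new bottle
            self.calls[key] += 1
            if self.calls[key] == self.threshold:
                # Threshold just reached: follow up with earlier callers.
                self.outbox += [(c, LIKELY_FAKE) for c in self.contacts[key]]
        if self.calls[key] >= self.threshold:
            return LIKELY_FAKE             # Tth caller and everyone after
        if contact:
            self.contacts[key].append(contact)
        return NO_INFO                     # callers 1 .. T-1


if __name__ == "__main__":
    # Constructed sample database: only MPD709 / 4ZB1026 appear on the slides.
    service = CallInService({"4ZB1026": {"MPD709", "QX7T2K", "H3LLW9"}}, threshold=2)
    calls = [
        ("4ZB1026", "AAAAAA", {}),                               # guessed ID
        ("4zb1026", " mpd709 ", {"contact": "alice@example.org"}),
        ("4ZB1026", "MPD709", {"recheck": True}),                # same person again
        ("4ZB1026", "MPD709", {}),                               # second bottle, same ID
        ("4ZB1026", "MPD709", {"recheck": True}),
    ]
    for lot, bottle_id, extra in calls:
        print(f"{bottle_id.strip():7} {extra!s:35} -> {service.call_in(lot, bottle_id, **extra)}")
    print("follow-ups to send:", service.outbox)
```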
Slide64: CNT Impact
Invisible to customers who don’t care.
Fewer consumer privacy/paranoia issues than with RFIDs.
Getting consumers to take responsibility for checking the authenticity of their own medicines may have multiple benefits.
Enhanced by sense of civic duty.
Is it ignorance or apathy? Hey, I don’t know and I don’t care!
-- Jimmy Buffett
Notes
People who inadvertently call-in the same bottle more than once hurt mostly only themselves.
Scratch- or Tear-Off Bottle IDs can reduce
inadvertent duplicate call-ins.
The call-in phone number and URL must not
be printed on the product!
If the Phone Doesn’t Ring, It’s Me.
-- Song title by Jimmy Buffett
Slide66: Question: Will Consumers & Customers Participate?
One possible answer: Who cares? The extent of participation will tend to be automatically commensurate with the public level of concern!
…and CNT will be automatically available should a
counterfeiting panic break out—with CNT demonstrating
good faith on the part of pharmaceutical manufacturers.
…and Self-Checking may work even if nobody calls-in. (Counterfeits tend to cluster in time and space.)
If people don’t want to come to the ballpark,
how are you going to stop them? --Yogi Berra
Slide67: Assume Weak Call-In Participation (Only 1% call-in rate at 1 level)
0-0-1
Case 1 or 2: number of valid bottles incorrectly called fake ~ 0
Slide68: What about stronger call-in participation?
Assume N0=1 million valid bottles in this lot.
Assume N1=100,000 counterfeit (“fake”) bottles for this lot (9%).
Assume 3 levels of participation (wholesaler/pharmacy/consumer).
Case 1: All fakes have the same valid bottle ID.
Case 2: All fakes have different, randomly guessed IDs.
Slide69: Case 1 or Case 2 - Fakes Detected
Slide70: Case 2 -- Fakes Missed
Case 1: fakes missed = 1
Slide71: Case 2 - Valid Bottles Incorrectly Identified as Fake
Case 1: 0-1
Slide72: Self-Checking Volume Customers
Without calling-in:
An invalid Bottle ID indicates a fake with 100% certainty (if they are given a list of valid Bottle IDs).
They know with high probability that two or more duplicate Bottle IDs in current stock are both fakes, and know with 100% certainty that at least one of them is a fake.
They know with high probability that two or more duplicate Bottle IDs in current and past stock are both fakes.
Slide73: Self-Checking Volume Customers
But if there is no calling-in, and self-checkers have no information on valid bottle IDs or syntax information…
then counterfeiters can defeat self-checking by making every bottle have a different randomly guessed ID (Case 2).
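Self-checking as the two slides above describe it, in an added Python sketch (not from the presentation) that runs Case 1 and Case 2 stock with and without a valid-ID list to show where the blind spot is. All Bottle IDs other than MPD709 are constructed, and the function name and verdict strings are hypothetical.

```python
from collections import Counter

INVALID = "fake: ID is not on the valid list"
DUP_NOW = "duplicate in current stock: at least one is a fake"
DUP_PAST = "duplicate of past stock: probably a fake"


def self_check(current_stock, past_stock=(), valid_ids=None):
    """Return {bottle_id: verdict} for suspicious IDs in one Lot's current stock.

    valid_ids is None when the manufacturer has not shared a list of valid IDs.
    """
    findings = {}
    seen_before = set(past_stock)
    for bottle_id, count in Counter(current_stock).items():
        if valid_ids is not None and bottle_id not in valid_ids:
            findings[bottle_id] = INVALID
        elif count > 1:
            findings[bottle_id] = DUP_NOW
        elif bottle_id in seen_before:
            findings[bottle_id] = DUP_PAST
    return findings


# Constructed sample data for one Lot.
VALID = {"MPD709", "QX7T2K", "H3LLW9", "B8RNV4"}
GENUINE = ["MPD709", "QX7T2K"]
CASE_1 = GENUINE + ["H3LLW9"] * 3                   # all fakes copy one valid ID
CASE_2 = GENUINE + ["ZZ1AAA", "K9PPQ2", "T4MMX8"]   # every fake has its own guessed ID

if __name__ == "__main__":
    print("Case 1, no list:  ", self_check(CASE_1))
    print("Case 2, no list:  ", self_check(CASE_2))        # nothing found
    print("Case 2, with list:", self_check(CASE_2, valid_ids=VALID))
    print("Resold ID:        ", self_check(["B8RNV4"], past_stock=["B8RNV4"]))
```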
Slide74: CNT Self Checking
Assume N1 counterfeit (“fake”) bottles in existence for this lot.
Assume the fraction of the lot held by the volume customer is 0
Slide75: Sampling for Fakes
1. Counterfeits tend to strongly cluster in time & space.
Thus:
Counterfeit detection in the field is not a standard quality
control problem based on stochastic occurrences.
The statistics are not well studied.
Occasional sampling can be powerful in spotting counterfeits.
Intuition will be useful.
2. Currently, counterfeit drugs are most commonly
inserted (worldwide) at the retail level—calling into
question the potential efficacy of the FDA’s Track & Trace.
You can observe a lot by just watching.
--Yogi Berra
Slide76: CNT Costs: Low to Moderate
Real-time printing of bottles or labels: inexpensive
Maintain ‘database’: inexpensive (single PC)
Software web site for callers: inexpensive (just a big LUT)
Automated, voice recognition phone line: moderate
Publicity & education to encourage participation & effective usage: moderate
Run as a third party service?
Slide77: CNT Possible Legal Issues
Sometimes, partial measures to a security risk can represent a legal hazard. This can be mitigated by:
• Making CNT an “experiment”
• Involving the government or other manufacturers
• Making CNT an industry best practice.
• Being open about the limitations. (Don’t let the PR Dept. over promise!)
Actual courtroom testimony
Lawyer: All your responses must be oral, OK?
What school did you go to?
Witness: Oral.
Slide78: CNT differences from existing product ID reporting
1. Societal/statistical/probabilistic approach, not absolutist statements or implications about the guaranteed authenticity of individual products
2. Threshold not rigidly set to 2
3. No assumption that the 1st caller of a valid product ID has an authentic product
4. Use of information about multiply called-in product IDs
5. Recognition that information on how to check the product authenticity should not be included with the product
6. Phone & DTMF call-ins
Slide79: CNT differences from existing product ID reporting
7. Can handle volume customers & individual consumers
8. Encourages the use of self-checking by volume customers; they might even be given full or partial product ID format information.
9. Options & strategies for dealing with repackaging and resale
10. The token (product ID) does not need to be co-located with the product
11. Options & strategies for inadvertent re-calling in, and for dealing with a caller who reports many invalid product IDs
Slide80: CNT differences from existing product ID reporting
12. Can exploit counterfeit clustering & information on the order of call-ins
13. Strategies for dealing with mistyping, check-back, & registration
14. No need to identify the manufacturer, or to mix unrelated products & manufacturers
15. Can work with bar codes or RFIDs
16. Use of existing lot numbers allows relatively short product IDs
Slide81: CNT differences from existing product ID reporting
17. Strategies for dealing with legal liabilities
18. No encryption or hashes, which do not contribute to security in this context.
19. The random number generator must be chosen with great care! Computer & mathematical Pseudo Random Number Generators (PRNGs) are dangerous. The order of product IDs must be scrambled (not serialized), and the lot #, date, time, product, location, or manufacturer cannot be an input to the PRNG. Physical generation is much safer.
Anyone who attempts to generate random numbers by deterministic means is, of course, living in a state of sin.
-- John von Neumann (1903-1957)
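Sizing and issuing Bottle IDs under the constraints in item 19 and on the Bottle ID slide, as an added Python sketch that is not from the presentation. It uses the operating system's entropy source through Python's `secrets` module as a stand-in for the physical generator the slide prefers, assumes a 36-character alphabet matching the look of the slide's example ID, and includes a lot-seeded PRNG only to show why the slide rules that out; all function names are hypothetical.

```python
import random
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed format, like "MPD709"


def id_length(bottles_in_lot, sparsity=1000, alphabet=ALPHABET):
    """Shortest ID length with at least `sparsity` possible IDs per real bottle."""
    needed = bottles_in_lot * sparsity
    length = 1
    while len(alphabet) ** length < needed:
        length += 1
    return length


def guess_hit_probability(bottles_in_lot, length, alphabet=ALPHABET):
    """Chance that one randomly guessed ID is valid for the Lot."""
    return bottles_in_lot / len(alphabet) ** length


def issue_ids(bottles_in_lot, sparsity=1000, alphabet=ALPHABET):
    """Unique, non-sequential IDs; nothing about the Lot is fed to the generator."""
    length = id_length(bottles_in_lot, sparsity, alphabet)
    issued = set()
    while len(issued) < bottles_in_lot:
        issued.add("".join(secrets.choice(alphabet) for _ in range(length)))
    ids = list(issued)
    secrets.SystemRandom().shuffle(ids)  # print order carries no information
    return ids


def weak_issue_ids(lot, count, length, alphabet=ALPHABET):
    """What NOT to do: a deterministic PRNG seeded with the Lot number.

    Anyone who learns the scheme and the Lot number can regenerate every ID.
    """
    rng = random.Random(lot)
    return ["".join(rng.choice(alphabet) for _ in range(length)) for _ in range(count)]


if __name__ == "__main__":
    lot_size = 1_000_000
    n = id_length(lot_size)
    print(f"{lot_size} bottles -> {n}-character IDs, "
          f"guess hit rate {guess_hit_probability(lot_size, n):.6f}")
    print("sample of issued IDs:", issue_ids(5))
    # The lot number is the slide's example; the repeat shows the weakness.
    print("lot-seeded PRNG repeats itself:",
          weak_issue_ids("4ZB1026", 3, n) == weak_issue_ids("4ZB1026", 3, n))
```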
Slide82: Summary
Tamper-evident packaging & cargo seals aren’t very good, but could be a lot better.
Effective anti-counterfeiting tags don’t currently exist.
This includes RFIDs (though they are fine for inventory).
Covert marks, inks, micro-patterns, & taggants won’t be very effective either.
Why not just quickly analyze the drug itself?
Track & Trace might work, but has many problems (cost, complexity, mandatory, excludes consumers)
CNT is imperfect, but may be worth a try. (Just do it correctly!)
Slide83: The following are additional handout materials
not part of the formal presentation…
Slide84: LANL Time Trap: detects counterfeiting & tampering
The product’s “serial number” changes unpredictably in time.
Microprocessor-based with 5-year battery
A tag & an anti-evidence seal: allows the product authenticity to be checked, and also detects tampering with either the tag or the product.
Cost: < $2 in quantity and reusable
Final volume: ~ 1 cc
When I was in high school, I got in trouble with my girlfriend’s Dad. He said, “I want my daughter back by 8:15.” I said, “The middle of August? Cool!” -- Steven Wright
Slide85: A Seal is Not a Lock!
(Yanking a seal off a container is not defeating it, because it will be noted at the time of inspection that the seal is damaged or missing.)
Results for 244 Different Seal Designs
Vulnerability Assessment (VA):
Discovering and demonstrating ways to defeat a security device, system, or program. Should include suggesting counter-measures and security improvements.
He that wrestles with us strengthens our skill. Our antagonist is our helper.
-- Edmund Burke (1729-1797)
Effective Vulnerability Assessments:
Perform a mental coordinate transformation and pretend to be the bad guys. (This is much harder than you might think.)
Be much more creative than your adversaries. They need only stumble upon 1 vulnerability; you have to worry about all of them.
Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine.
It is sometimes expedient to forget who we are.
-- Publilius Syrus (~42 BC)
It’s really kinda cool to just be really creative and create something really cool. -- Britney Spears
On a laser printer cartridge: “Warning. Do not eat toner.”
We need to be more like fault finders. They find problems because they want to find problems:
bad guys
therapists
movie critics
computer hackers
scientific peer reviewers
mothers-in-law
“Two mothers-in-law.”
-- Lord John Russell (1832-1900), on being asked what
he would consider proper punishment for bigamy.
I told my psychiatrist that everyone hates me. He said I was being ridiculous--everyone hasn’t met me yet.
-- Rodney Dangerfield (1921-1997)