Field of Invention

The present invention concerns improvements relating to identifier authentication, for example to systems, apparatus and methods for authenticating a product or service identifier such as a barcode or a two-dimensional quick response code (QR code). The invention also relates to composite information items arranged to enable identifier authentication and to elements of such composite elements. Background to Invention

Product or service identifiers, such as barcodes, have long been used as a convenient information item in a wide range of applications including POS product scanning and inventory management. More recently, two-dimensional barcodes such as QR codes have been used in advertising, social networking and other forms of information sharing, with codes made available on posters, flyers and websites for end-users to capture and use. QR codes and other two-dimensional codes provide can provide a large amount of information in a highly compact form that is readily extracted and processed by smartphones to provide an internet address for the browser of the phone for example which explains why they have become so widespread in recent years.

The open nature of these codes leads to a vulnerability to their being misused. QR and other codes can be developed to hijack the normal processing behaviour of a smartphone and take the user, via the smart phone browser, to a malicious website to elicit information or even funds from the user or his/her smartphone memory. For example, malicious QR codes can be placed as stickers over legitimate codes or printed on scam advertisements, or even provided in phishing emails or webpages. Since it is impossible to tell whether a code is legitimate just by looking at it, there is nothing to stop a user from capturing an image of the code - by which time it may be impossible to prevent the attack. Referring to Figure 1 , a basic prior art strategy is to use a malicious QR code 1 to deliver a link (website address) to a user device 2 that directs the user device browser to a malicious webpage 3. The webpage 3 can be designed to masquerade as a legitimate advertiser and to phish information such as social networking or mobile banking login details or credit card details from the user device memory. Typically, phishing webpages include a form with instructions for signing up for a service or purchasing goods which trick the user into entering sensitive data. Various forms of social engineering, including spearphishing which targets specific groups of individuals, can be used to launch small and large-scale attacks on personal and financial data. In another approach, malicious QR codes are arranged to pharm a user device browser to a malicious webpage arranged to install malware onto the user device. Attack vectors could vary from browser-based vectors such as Cross-Site-Scripting (XSS) to specific buffer- overflow and command injection.

Another strategy for taking funds from a user is to instruct the user device 2 to repeatedly send SMS messages to a premium (charging Short code) number thereby defrauding the user of funds. So far, attempts to address the problem of malicious information items have had limited success. Software is available for smartphones for displaying a webpage safety rating or a webpage preview to a user and requesting user approval before proceeding, but this does not prevent the user from visiting a malicious webpage. Antivirus software is available and can prevent some virus attacks but there is always a time delay between the latest viruses and availability of antidotes provided by the latest antivirus software.

There is presently a considerable amount of advice online to users to avoid capturing images of QR codes appearing in suspicious adverts and to check whether the code has been placed as a sticker over a legitimate code. This provides no real security and actually highlights the difficulty of the problem.

The present invention seeks to address some or all of the above issues.

Statements of Invention

According to a first aspect of the invention there is provided a portable telecommunications device for authenticating an information item such that the information item can be used in a subsequent process by the telecommunication device. The device comprises an image capture module for capturing an image of a composite information item which comprises an encoded pattern element representing data including a unique pattern element identifier, a label element having a verifiable relationship with label data encoded in the pattern element, and an encrypted extraction key element. The device also has a decoding module for obtaining the unique pattern element identifier from the captured image and sending the same to a keyholder server. The device also has a processing module arranged to receive a decryption key from the keyholder server associated with the unique pattern element identifier, to decrypt the extraction key element using the received key, and to use the decrypted extraction key element to extract the label data such that the label data can be compared with the label element to verify the relationship between them and thereby the information item can be authenticated. The first aspect of the invention may also be expressed as a method of authenticating an information item such that the information item can be used in a subsequent process by a telecommunication device. The method comprises capturing an image of a composite information item which comprises an encoded pattern element representing data including a unique pattern element identifier, a label element having a verifiable relationship with label data encoded in the pattern element, and an encrypted extraction key element. The method comprises obtaining the unique pattern element identifier from the captured image, sending the unique pattern element identifier to a keyholder server, and receiving a decryption key from the keyholder server associated with the unique pattern element identifier. The method includes decrypting the extraction key element using the received key, and using the decrypted extraction key element to extract the label data such that the label data can be compared with the label element to verify the relationship between them and thereby the information item can be authenticated. The first aspect of the invention may also be expressed as an authenticable composite information item for use in providing a process in a telecommunication device. The item comprises an encoded pattern element representing data for instructing the execution of the process on the device, in which the data includes a unique pattern element identifier. The item also comprises a label element having a verifiable relationship with label data encoded in the pattern element, and an encrypted extraction key element for use, when decrypted, in extracting the encoded label data from the pattern element.

The first aspect of the invention may also be expressed as a method of generating an information item capable of QR code authentication. The method comprises the step of providing (i) a label, (ii) a barcode having a readable barcode ID and comprising data having a verifiable relationship with the label, and (iii) a local key for verifying the relationship between the label and the data of the barcode. The method also comprises the steps of encrypting the local key and providing an external key for decrypting the encrypted local key; storing the external key in a database, the external key being retrievable by searching on the basis of the QR code ID; and providing the label, the QR code and the encrypted local key as the information item.

According to a second aspect of the invention there is provided an information item comprising a pattern representing a code. The pattern comprises a plurality of lines, each line incorporating at least one interruption, in which the position of each interruption encodes information.

According to a third aspect of the invention there is provided an information item comprising a pattern representing a code. The pattern comprises a plurality of masks each based on a fixed standard mask. Each mask is either identical to the standard mask or varying from the standard mask in at least one of a set of predetermined ways. The variations from the standard mask enable information to be encoded in the pattern.

According to a fourth aspect of the invention there is provided a method of authenticating a product for sale at a retailer. The method comprises capturing an image of a security feature associated with packaging of the product; transmitting a request for at least one product parameter associated with the product, the request including data extracted from the captured image of the security feature; receiving a product parameter associated with the product; and checking that the received product parameter conforms with the circumstances of the product, sale or offer for sale.

According to a fifth aspect of the invention there is provided a method of authenticating a product arranged for multiple use and incorporating a unique security feature. The method comprises logging each use of the product by capturing an image of the security feature; analysing a record of logged uses of the product to establish whether the pattern of use falls within a normal range; and authenticating the product if the pattern of use falls within the normal range.

Brief Description of Drawings

Specific embodiments of the invention will now be described, by way of example, with reference to the accompanying drawings, of which:

Figure 1 is a block diagram showing elements of a prior art system vulnerable to an attack by a malicious QR code;

Figure 2 is a block diagram showing a system for authenticating a QR code according to an embodiment of the present invention;

Figure 3 is a schematic diagram showing further features of a composite information item shown in Figure 2;

Figure 4 is a block diagram showing further features of a user device of Figure 2;

Figure 5 is a block diagram showing further features of a keyholder of Figure 2;

Figure 6 is a flow chart showing a method of generating an information item capable of QR code authentication used according to an embodiment of the present invention;

Figure 7 is a flow chart showing a method of authenticating a QR code according to another embodiment of the present invention;

Figure 8 is a flow chart showing a method of enabling a user to authenticate a QR code according to another embodiment of the present invention;

Figure 9 is a schematic diagram showing an information item provided as broken concentric squares according to another embodiment of the present invention;

Figure 10 is a schematic diagram showing an information item provided as broken radii according to another embodiment of the present invention; Figure 11 is a schematic diagram showing an information item provided as an array of flags according to another embodiment of the present invention;

Figure 12 is a schematic diagram showing an information item provided as adapted centring points of a QR code according to another embodiment of the present invention;

Figure 13 is a schematic diagram showing a composite information item according to a further embodiment of the invention, the composite information item being provided as a pattern including a corner symbol for indicating an orientation of the pattern;

Figure 14 is a block diagram showing a system for verifying the authenticity of a keyholder used for authenticating a QR code in accordance with an embodiment of the invention;

Figure 15 is a flow chart showing a method of using the system of Figure 14 to verify the authenticity of a keyholder according to the embodiment referred to above in relation to

Figure 14;

Figure 16 is a block diagram showing how an attempt by a fraudster to replicate the system of Figure 14 will not succeed;

Figure 17 is a block diagram showing a system for enabling a customer to check whether a product for sale is authentic according to an embodiment of the invention;

Figure 18 is a flow chart showing a method of using the system of Figure 17 to enable a customer to check whether a product for sale is authentic according to the embodiment referred to above in relation to Figure 17;

Figure 19 is a block diagram showing a system for checking the authenticity of a multiple-use product such as a banknote according to an embodiment of the invention; and

Figure 20 is a flow chart showing a method of using the system of Figure 19 to enable the authenticity of a multiple-use product such as a banknote to be checked according to the embodiment referred to above in relation to Figure 19.

Description of Specific Embodiments

With reference to Figure 2, a system embodying the present invention is now described. The system includes a composite information item 21 , a user device 22 arranged to capture an image of the information item 21 and to access the Internet using browsing functionality (an Internet browser) running on the user device 22, and a keyholder 23 accessible via the

Internet. The keyholder 23 may in the present embodiment be a server providing a keyholder service to requesting user devices 22. The user device 22 may be a smartphone or any other mobile computer device with an image capture capability for capturing an image of two- dimensional identifier and processing the captured image to extract processable information - or the device may be connected to a separate image capture device providing such functionality. In particular, the user device 22 is arranged to capture an information item comprising a QR code (typically using a camera of the device) and has processing capabilities and application software for analysing (extracting) the data provided in such an identifier. The user device 22 also has processing functionality specifically arranged for decoding the information provided by the various other features of the information item 21 - which will be described further below.

The information item 21 contains encoded instructions (including a website address) for a web browser of the user device 22 to follow a link to a website of interest. However, in the present embodiment, this link cannot be accessed until the information item 21 has been successfully authenticated by the user device 22. Authentication involves capturing an image of the information item 21 and extracting data encoded in it, transmitting a message to the keyholder 23 over the Internet using some of the decoded information, receiving a reply from the keyholder 23 and using the reply message to carry out an authentication procedure on the image of the information item 21 . If the authenticity of the information item 21 has been successfully verified, the browser of the user device 22 is permitted to follow the link to the target website. If the authenticity of the information item 21 cannot be verified, the browser of the user device 22 is prevented from following the link.

Referring to Figure 3, the information item 21 of the present embodiment includes a label (label element) 31 , a QR code (or pattern element) 32 and an encrypted local extraction key (or extraction key element) 33. The label 31 is a plain alphanumeric word, phrase or similar descriptor that a user can easily understand and associate with the company or organisation to whom the information item 21 is purported to belong - so the alphanumeric word 31 could include a company name, website or other contact details - or it can for example be date information relating to a date of manufacture, recommended sale or consumption date, publication, issuing or other relevant date that the user can check and ensure it conforms with their expectations. In other embodiments, the plain alphanumeric label 31 can be provided as a reference number - for example on a product or on packaging - or as a serial number on a banknote or other value document. The function of the label 31 is to provide an element of plain (un-encoded) text that an end user can easily read and check that it conforms to their expectations of what the QR code 32 is being used for or from whom the identifier is being provided.

As indicated above, the information item 21 includes a QR code 32. The QR code 32 includes various standard elements within it, such as QR code centring points 34 and encoded data represents a link to the target website of the company or manufacturer or other organisation using it. In addition to these features, the QR code 32 includes a label portion 31 a of data representing an encoded version of the label 31 . This portion of data is used in the authentication procedure: if the portion of encoded data 31 a can be decoded, and checked against the label 31 to ensure they are the same, the authenticity of the information item 21 can be verified to the user. However, the label portion 31 a of the QR code 32 which represents the label 31 is not discernible from the other information provided within the QR code 32 as all data in the QR code 32 is encoded. Also encoded within the QR code 32 is a QR code Identifier (QR Code ID) 35 which is described later.

An encrypted local extraction key 33 is provided with the information item 21 . This requires unlocking before it can be used, but once it is decrypted the resulting local extraction key can be used directly to decode the label portion 31 a of the encoded data in the QR code 32, thereby enabling the user to make a comparison with the un-encoded label 31 . When the information item 21 is captured by a user device 22, the user device 22 recognises the various elements, performs various processing steps to obtain an externally stored key in order to decrypt the encrypted local extraction key 33, and then directly uses the result to verify the relationship (in this case that they are identical) between the decrypted label portion 31 a and the label 31 itself. If the relationship between the decrypted label portion 31 a and the label 31 can be verified, the information item 21 can be successfully authenticated to the user. In this embodiment, the encoded local extraction key 33 is provided in an alphanumeric form.

A user device 22, according to the present embodiment, is shown in Figure 4. Functional components of the user device 22 include an image capture module (image sensor) 41 arranged to capture an image of the information item 21 and to provide this image for processing, a processor 42 with a range of processing modules providing various

functionalities, and a browser 43 arranged to connect to the Internet and to enable sending and receiving of messages via the Internet. The processor 42 comprises an image processing module 44 for analysing a captured image and extracting codes and other information from that image. A key request module 45 is also provided for generating a request message for obtaining an externally stored key. The key request module 45 cooperates with a communication module 46 for sending and receiving messages via the Internet. Finally, an authentication module 47 is provided for performing various processing steps related to the authentication process. The image processing module 44 is arranged to provide information extracted from a captured image to the key request module 45 in order to generate an external key request appropriate for that particular information item 21 . In this embodiment, the image processing module 44 is arranged to extract the QR code ID 35 from the captured image, and this ID is then incorporated into the request message. The key request module 45 cooperates with the communication module 46 so that request messages generated by the key request module 45 can be transmitted by the communication module 46. The communication module 46 is also in communication with the authentication module 47 so that any received messages which are relevant to the authentication process can be passed to the authentication module 47 for processing. One of the processing tasks carried out by the authentication module is to receive and use this to decrypt the encrypted local authentication key 33 to create a decrypted local extraction key 33a which is stored in the local data store 48. Transmitting and receiving of messages by the communication module 46 can be carried out in different ways available to the user device. However, the present embodiment makes use of the browser 43 for communication, either directly or via a suitable application (app) stored on the user device 22.

Referring to Figure 5, the keyholder 23 comprises a keyserver 51 having a communications module 52 and a searching module 53, and a database 54 which stores external keys 55. The communications module 52 is arranged to receive request messages via the Internet, from the user device 22, each request message including a QR code ID 35. The

communication module 52 is arranged to pass the QR code ID 35 of a received request message to the searching module 53, which then searches the database 54 to retrieve an external key 55 associated with the QR code ID 35. The retrieved external key 55 is then included in a reply message and sent by the communications module 52, via the internet, to the requesting user device 22. The keyholder 23 thus provides a centralised, searchable database 54 of external keys 55 that enables authentication of a captured QR code 32 with the appropriate ID 35.

A method 60 of verifying the authenticity of the information item 21 in accordance with another embodiment of the present invention is now described with reference to Figure 6. This method is also used to authenticate the information item 21 of the previously described embodiment.

Figure 6 shows the steps carried out by the user device 22 in the authentication process. As indicated above, the user device 22 captures an image of the information item 21 and carries out various processing steps in order to authenticate the QR code 32 of the information item 21 before the main instructions of the QR code 32, such as instructing a browser of a user device to follow a link to a target website, is implemented.

The user device 22 captures, in Step 61 , an image of the information item 21 which comprises the label 31 , the QR code 32 and the encrypted local extraction key 33. Data provided in the QR code 32 has a verifiable relationship with the label 31 , and the objective of the processing steps of the method 60 is to verify that relationship. In the present embodiment, the relationship provided is that the data in the QR code 32 (namely the label portion 31 a), once decrypted, should be identical to the label 31 . However in other embodiments other verifiable relationships can be used. Once the image of the information item 21 has been captured, the user device 22 analyses the captured image and recognises and reads the three different elements (label 31 , QR code 32, and encrypted local extraction key 33). The user device 22 tries to establish that the three elements belong together. In order to achieve this, the user device 22 extracts at Step 62, the QR code ID 35 from the QR code 32 and transmits, at Step 63, the QR code ID 35 to the keyserver 51 , in the form of a request message, to obtain the required external key 55. A reply message delivering the corresponding external key 55 is then received, at Step 64, and the user device uses this external key 55 to decrypt, at Step 65, the encrypted local extraction key 33 and create the decrypted local extraction key 33a. At this point, the user device 22 has the tools to verify the relationship between the data in the QR code 32 and the label 31 . The decrypted local extraction key 33a is used to decrypt the encrypted label portion stored in the QR code 32, and the decrypted data is then compared to the label 31 . If the decrypted data and the label

31 are identical, the relationship is verified, at Step 66, thereby establishing the authenticity of the QR code 32. Otherwise, if there is a difference, this indicates that the QR code may be a malicious QR Code. With reference to Figure 7, a method 70 of providing the external decryption key 55 as carried out by the keyholder 23 will now be described. The keyholder 23 first receives, at Step 71 , from the user device 22 a request message comprising the QR code ID. An external key 55 corresponding to that QR code ID must then be found. The keyholder 23 therefore conducts a search on the database 54 and retrieves, at Step 72, the external key 55 associated with the QR code ID. The keyholder 23 then transmits, at Step 73, this external key 55 to the user device 22 which requested it, thereby providing to the user device 22 the ability to verify the relationship between the encrypted label portion in the QR code 32 and the unencrypted label 31 , and enabling the user device 22 to authenticate the QR code 32. The keyholder 23 can store a large number of external keys 55 and always transmits a respective external key 55 retrieved from the database 54 to the specific user device 22 that requested it.

With reference to Figure 8, a method 80 of generating an information item 21 capable of QR code authentication is now described. The method commences with providing at Step 81 , a plaintext label 31 (such as a company name, offer-ends date or reference number) which an end-user can easily read and check that it conforms to their expectations of what the QR code

32 is being used for. As has been mentioned before the information provides this label 31 in a user readable form. However, the label 31 is also encrypted at step 83 and then encoded so as to be incorporated into a QR code 32 as the label portion of the QR code. Accordingly, the encrypted label portion has a verifiable relationship with the user-readable label 31 of the information item 21 . In use, once the encrypted label portion has been read and decrypted (by use of the decrypted local key 33a), for an authentic information item 21 , the result (the decrypted label portion) will be identical (in this embodiment) to the user-readable label 31 . The QR code 32 is also arranged to include the QR code ID which can be read by the user device from its captured image without the need for any external decryption key. The local extraction key 33a is also provided for decrypting the encrypted label portion so that it can be compared with the label 31 for verification purposes. Once the label 31 , QR code 32 and local extraction key 33a have been provided, at Step 81 , the next stage is to encrypt, at Step 81 , the local extraction key 33a and to create the encrypted local extraction key 33. Also the complimentary external key 55 is provided, at Step 82, for reversing that process (decryption). The encrypted local extraction key 33 forms part of the information item 21 while the external key 55 is saved at Step 83 in the centralised key database 54 until it is requested by a requesting user device 22. Finally, the label 31 , the QR code 32 and the encrypted local extraction key 33 are formed, at Step 84, into an image which provides these discrete elements together as a composite information item 21 .

The information item described above can be provided in different forms in different embodiments. A range of different information items 91 , 101 , 1 1 1 , 121 according to different embodiments of the present invention will now be described. Each information item 91 , 101 , 1 1 1 , 121 comprises a two-dimensional pattern having various features that can be used to represent information including instructions and directions for an interpreting program on a user device to user to carry out some procedure (typically directing a browser to a specific website for additional information) As a result, the pattern provides an information item 91 , 101 , 1 1 1 , 121 in its own right, and can for example be used as an encrypted local extraction key 33 in combination with a QR code 32 and a label 31 to form a composite information item 21 as described in the previous embodiments. Four different embodiments of an information item 91 , 101 , 1 1 1 , 121 are now described as follows with reference to Figures 9 to 12. As shown in Figure 9, an information item 91 is provided as a series of thin line concentric squares. Information is encoded in the concentric square pattern by including a line break 92 in each square at a specific location - the relative dimensions of the lines and the locations of the gaps encodes information in a simple readily reproducible manner. This relative positioning (with respect to the ends of the lines) and size and number of the gaps provide this information and therefore the pattern which results effectively provides an encrypted code. When the information item 91 shown in Figure 9 is used as an encrypted local extraction key 33 in combination with a QR code 32 and a label 31 to form a composite information item 21 , the concentric squares can be positioned immediately around the QR code 32 in order to make efficient use of space and to avoid excessively extending the footprint of the QR code 32. In embodiments, an additional, thicker unbroken line is provided around the concentric squares in order to define an edge. This facilitates better image capture and helps to distinguish the information item 91 from other edges (for example a product) on which the information item may be provided. In another embodiment shown in Figure 10, a compact information item 101 is provided as a series of radii having white line breaks 102 in locations that are used to encode information. For example, distance from the centre is a possible way of using the position of a line break 102 to encode information. Here again the relative positioning of the line breaks along the lines and the angle of the line from a reference radius can be used for encoding information in a readily interpretable manner without using a large area for the information item. In another embodiment shown in Figure 11 , an information item 1 1 1 is provided as a set of standard masks 1 12, which repeat at regular intervals around the circumference of a circle. Some of the repetitions are an exact reproduction 1 12 of a fixed standard, while others 1 13 provide variations. There are fixed ways in which the standard mask 1 12 can be varied, and every deviation from the standard represents encrypted information which can be readily determined once the key, namely the schema used to create each mask is known. In this way, the array of masks provides an information code that can be decrypted to form an alphanumeric or other decrypted code. In the example shown in Figure 11 , the standard mask 1 12 is a flag with a blue background and a white cross. Possible deviations from this standard flag include changing the colour of one or more of the corners, and filling in the cross with a colour. Other approaches could also be used - instead of flags with a cross, triangles incorporating a letter or other symbol could be used. Again, changes in colour, position or other aspects made from a predefined set of possible changes are used to encode information. In each case the schema used to create the information item is used as the decoding key (external key 55).

With reference to Figure 12, a further embodiment of an information item 121 is provided. In this embodiment, each of the three centring points of a QR code 32 is used to accommodate a standard mask 122. Relative and geometric deviations 123 from the standard mask represent information which can be interpreted by a processor from a captured image of the QR code. This embodiment can be used with a label 31 to form a composite information item 21 in which the information item 121 advantageously provides an encrypted local extraction key 33 that does not extend the QR code footprint. The standard mask can include shapes and patterns with a predetermined set of associated deviations. Alternatively, in other embodiments, the deviation could simply be provided by choice of a plain colour for the centring point. In other related embodiments - a colour reference number (such as a pantone number) can also be provided to ensure correct colour transmission to the image sensor. In this case, deviations could be changes in colour.

The information items 91 , 101 , 1 1 1 , 121 can be used either alone or in combination with each other. As part of a composite information item 21 , a QR code could be surrounded by concentric squares as well as having colour providing information in its centring points. Standard and variation masks could be provided in the buffering zones of a QR code.

Standard masks that include lines can also include line breaks to represent information. The information encoded by the information item 91 , 101 , 1 1 1 , 121 can be used as a checksum against another code - such as code in alphanumeric form, QR code, one dimensional barcode or other information code. With reference to Figure 13, a suitable encoded pattern 130 for use with the present invention has a corner symbol 132 indicating a correct orientation of the pattern 130. The corner symbol 132 comprises an arrow and a capital 'N' in a similar manner to a traditional north pointer of a compass. The corner symbol 132 thereby provides directional information that can assist a scanner in orienting a sensed image of the pattern 130 in order to facilitate efficient extraction of the information encoded by the pattern 130. Variations of this approach are envisaged that use alternative corner symbols 132 having a directional component. For example, according to one variation, a happy face symbol '©' may be used because a vector from the centre of the mouth through the centre of the eyes provides directional information.

With reference to Figure 14, a further embodiment of the invention provides an additional layer of security. In this embodiment, an authentic composite information item 140 is scannable by a user device 142 such as a mobile phone. (The terms 'scanable', 'scan', and 'scanning' as used throughout this description are intended to be broadly construed as electronic reading of the information item and they are intended to cover image capture as is carried out by a camera as well as conventional linear scanning techniques such as carried out by a barcode scanner.) The user device 142 is connected to the Internet 144 and may access an authentic keyholder 146 as has been described in previous embodiments. The authentic composite information item 140 of the present embodiment has the same features as the composite information item 21 described above, namely a label, a QR code including a label portion and a QR code ID, and an encrypted local key. The authentic keyholder website 146 holds a database 148 of authentic keys for decrypting the encrypted local key and has sanctioned software 150 the function of which will be described below. Finally, a mobile phone service provider 152 which provides a cellular network service to the user device 142 includes a database 154 of privileged (personal) data such as full names, dates of birth and postcodes relating to the users (i.e. customers) of the cellular network. If the customer has a pay-as-you-go mobile phone arrangement, the privileged data relates to the pay-as-you-go card: for example, when and/or where the card was purchased, how much credit remains on the card, and so on. There is a relationship of trust indicated by the arrow 156 between the authentic keyholder 146 and the mobile phone service provider 152 and as such the sanctioned software 150 of the authentic keyholder 146 is sanctioned by the mobile phone service provider 152.

The purpose of this relationship of trust arrangement is to provide a check that the keyholder is in fact authentic. This provides an extra layer of security because an elaborate fraudster could try to provide a malicious composite information item together with a malicious keyholder holding keys that match the malicious composite information item and take the user device to a malicious website. The arrangement achieves this extra level of security by providing the authentic keyholder 146 with special access to privileged data relating to the user which can then be displayed to the user to prove that the keyholder is authentic. Only the authentic keyholder 146 has this special access. This special access is provided by way of the sanctioned software 150 which enables the authentic keyholder to select (or be provided with) privileged data relating to the user from the mobile phone service provider 152. The provision of this privileged data proves the authenticity of the keyholder to the user. The mobile phone service provider 152 provides the authentic keyholder 146 with the sanctioned software 150 for this purpose as a result of the relationship of trust 156 between those parties. There is no such relationship of trust between the mobile phone service provider and a malicious keyholder, so by displaying privileged data to the user it can be proven to the user that the keyholder is authentic.

With reference to Figure 15, a method will now be described of demonstrating the authenticity an information item including verifying the authenticity of a keyholder.

To start, the user device 142 scans at step 160 the authentic composite information item 140. By following instructions encoded in the composite information item 140, the user device 142 requests (browses to) at step 162 a website of the authentic keyholder 146 which then responds by requesting at step 164 phone ID (phone identifier - such as a IMSI of the mobile phone) from the user device 142. The user device provides this phone ID by transmitting it at step 166 to the keyholder website. The authentic keyholder 146 can then use the phone ID to gain special access to privileged data relating to the user. Using the sanctioned software 150, the authentic keyholder 146 requests at step 168 the privileged data from the mobile phone service provider 152 using the Phone ID to identify the specific user account at the mobile phone service provider 152. The mobile phone service provider 152 recognises the request for privileged data as having been constructed using the sanctioned software 150, and consequently as originating with the authentic keyholder which is a trusted party. As a result, the mobile phone service provider 152 uses the phone ID to look up the privileged (personal) data of the user and transmits at step 170 the requested privileged data to the authentic keyholder 146. The authentic keyholder 146 in turn transmits at step 172 a personalised message containing the requested privileged data, such as the user's date of birth, to the user device 142. Finally, upon viewing the privileged data the user can appreciate that the authentic keyholder 146 has a proven relationship of trust 156 with the mobile phone service provider 152, and accordingly the user inputs at step 174 a user- confirmation that the user device may follow further instructions from the composite information item. In this embodiment, these further instructions relate to obtaining a key from the authentic keyholder 146 for decrypting the encrypted local key of the authentic composite information item 140 such that the user's device can then brose to an authenticated (non- malicious) website. With reference to Figure 16, if the user device 142 scans a malicious composite information item 180 associated with a malicious keyholder 182 created by a fraudster, the lack of authenticity of the composite information item 180 and keyholder 182 can be detected. This is because, as indicated by arrow 184, there is no relationship of trust between the malicious keyholder 182 and the mobile phone service provider 152. As a result, the malicious keyholder 182 lacks software sanctioned by the mobile phone service provider 152, and cannot make a successful request for privileged data from the mobile phone service provider. Consequently, privileged data cannot be displayed to the user and the attempt to verify the authenticity of the composite information item 180 would be exposed to the user and so would fail.

In a variant of this embodiment, the arrangement of Figure 14 can be used not only to demonstrate the legitimacy of the keyholder to the user, but also to demonstrate the legitimacy of the user to a party such as a merchant. This can be useful, for example, in know-your-customer (KYC) checks. In this variant, the user must enter requested personal data in response to a security challenge and the accuracy of the entered data is checked by the authentic keyholder 146 by referring to privileged data obtained from the mobile phone service provider 152. Security challenges may, for example, involve requesting the user's postcode, or asking the user to verify which of several statements presented to the user relating to their privileged (personal) data are correct.

A further embodiment of the invention will now be described with reference to Figures 17 and 18. A system for providing a check as to whether a product is authentic is shown in Figure 17. The system enables a customer to access details relating to the product, and if these details match the product or the circumstances in which the product is being offered for sale, this gives the customer confidence that the product is authentic. If some of the details do not seem correct, this acts as a warning that the product may be counterfeit or may not be being sold legitimately.

Product details for checking against the product or circumstances may include various parameters such as the geographic location (e.g. country) in which the product is to be sold, the retailer through which the product is to be sold, a use-by date of the product, a manufactured date of the product, a name of the product, a batch number of the product, and so on. For example, if a customer in the UK can establish that a product should have been sold France, this warns the customer that the product may not be on sale legitimately.

Similarly, if a customer can gain access to a use-by date which is in the past, this also provides a warning that the sale of the product may not be legitimate. Also the name of the product stops counterfeiters using the same authentic composite information item 140 for different products and the batch number can be something which can be confirmed by accessing an on-line database of legitimate batch numbers.

This approach is well suited to identify counterfeit products that are being sold by incorrect retailers or in countries where they are not supposed to be sold. Typically, fraudsters who manufacture counterfeit goods copy the packaging of the authentic product many times and use this copied packaging on all the counterfeit goods. They then supply the packaged counterfeit goods through their own distribution channels to their preferred retailers in the countries in which they operate. Using the approach of the present embodiment, a customer in one of the fraudster's preferred retailers can gain access to the retailer and country for sale of the authentic product via the copied packaging and establish that there is a mis-match between the product details obtained and the circumstances in which the product is being offered for sale. Similarly, copied packaging derived from authentic packaging that is now out of date can generate a warning to the customer. The customer can use the packaging to gain access to a use-by date, sell-by date, best-before date, or similar, but since this will be the date associated with the original authentic product it may be out of date which provides a warning. Similarly, a manufacturing date may be far longer than that expected for this type of product which would also provide a warning,

In addition the inclusion of a current date as an information item as well as other location information and specific retailer information in the above aspect would also help to make counterfeiting efforts more easily identifiable if as the date and locator elements would be specific to the product in a time and place, but if copied for a similar product used elsewhere not accurate in time or date references. In addition, an exact description of the product would mean the code couldn't be replicated by forgers for other products. In addition, if there was a risk of the information being copied for a large retailer chain, branch information could also be included. Finally, for date-specific information (in case the method of recording the date was not used) a reference to a major news event could be displayed on the customer device together with the date e.g. Great Actor Peter O' Toole dies 16/12/2013 and this be held on the website for relay to the customer device. Counterfeiters would have to counterfeit dates not in advance but in arrears of the news event making counterfeiting prohibitive. Furthermore, a retailer could produce a time-specific code (not shown) with his hand-held or automated price sticker stamper that would also attach the price sticker to the product. This code would be transmitted by the price sticker stamper via GPS to a relevant control database and entered into the database and prior to sale of the product and would be associated with the authentic composite information item 140as the price stamper would also read the authentic composite information item 140 before producing the code attached to the price sticker. The customer's mobile phone would read this code and the authentic composite information item 140 and check with the secure database before actioning any authentic composite information item 140instructions. With reference to Figure 17, a QR code 192 (as an embodiment of an authentic composite information item 140) is provided on packaging of an authentic product. For example, in pharmaceuticals the QR code 192 could be provided on the packets of an over-the-counter drug for treating headaches. Other QR codes could be used on the packaging of other pharmaceutical products. After manufacture, the authentic headache drugs are packaged and distributed to legitimate retailers. A user device 142 such as a mobile phone is capable of scanning the QR code 192 and has a connection to the Internet 144 for communicating with a single-use product validation processor 194. The single-use product validation processor 194 is arranged to process validation requests from the user device 142 and to interrogate a product parameter database 196 storing a directory 198 of QR codes and associated product information or product parameters.

A method of using the system of Figure 17 will now be described in relation to Figure 18. When a customer finds a product he wishes to check, he presents the QR code 192 on the packaging of the product to his user device 142 for scanning. The user device 142 scans at step 200 the QR code 192 and, following instructions in the QR code, sends at step 202 a validation request to the single-use product validation processor 194. The validation request includes a copy of the QR code or at least a portion of extracted code identifying the QR code. The single-use product validation processor 194 then retrieves at step 204 from the product parameter database 196 the product parameters corresponding to the scanned QR code 192. The product parameters are extracted by searching for the QR code 192 in the directory 198 and looking up the corresponding parameters. The single-use product validation processor 194 generates a response message including the retrieved product parameters and sends this to the user device 142 which receives it at step 206. Finally, the user device 142 displays at step 208 the product parameters to the customer, thereby enabling the customer to check that the displayed parameters match their expectations.

In a variation of this approach, the user device 142 automatically detects information such as the country or retailer the customer is in (using location) and today's date, and inputs these to a process of comparison with the retrieved product parameters to check automatically whether an alert notification should be displayed to the customer. Alternatively, the information automatically detected by the user device 142 may be included in the validation request and transmitted for a comparison process performed by the single-use product validation processor 194. In a further variation, the QR code 192 is scanned by a scanner of the retailer and the retrieved product parameters are displayed for customer inspection on a monitor associated with the retailer such as a monitor of the point-of-sale terminal. Alternatively, the retrieved product parameters could be displayed to the customer on their receipt, in which case the customer would have to check them after having bought the product but if the parameters do not conform to the customer's expectations the issue can be raised with the retailer and the product can be returned.

A further embodiment of the invention will now be described with reference to Figures 19 and 20.

A system for checking the authenticity of a multiple-use product is shown in Figure 19. A banknote is an example of a multiple-use product for which the checking of authenticity is of interest because banknotes can be used validly on multiple successive occasions and they are value document susceptible to fraudulent copying.

Using the example of a banknote, every banknote is unique so individual banknotes in circulation can be traced. A picture of normal use can be built up for banknotes of different values to work out normal ranges of frequency and geographical spread of use. Using these normal ranges as a reference, fake banknotes can be detected because they are typically generated by copying a single banknote many times, for example one thousand copies may be made. This will lead to an outlier with far greater frequency and graphical spread of use than expected owing to the extra copies. This abnormal use pattern can be used to detect counterfeit multiple-use products.

In order to trace banknotes, each is provided with a QR code 210 as part of its security features as shown in Figure 19. This QR code 210 can be scanned to log the use of the banknote at a particular time and place. A picture of the use of that banknote can be built up and analysed to check whether it is within the normal ranges expected for an authentic banknote that has not been fraudulently copied. From the time when a banknote is first traced, the picture of its use builds up and it will either fall within the normal range or indicate excessive use as a result of copying. Going forward, a banknote falling within the normal use range may move into the excessive use region if fraudulent copies are released into circulation for the first time.

The system of Figure 19 includes a user device 142 such as a mobile phone for scanning the QR code 210 of a banknote. The user device 142 is connected to the Internet 144 for transmitting a message to a multiple-use product validation processor 212 for logging the use of the banknote. The instance of use is stored in a product history of use database 214 and the picture of use is analysed by an analysis module 126 of the multiple-use product validation processor 212.

A method of using the system of Figure 19 will now be described with reference to Figure 20. In association with the use of a banknote, the banknote is presented to the user device 142 which scans at step 220 the QR code 210 of the banknote. The user device 142 sends at step 222 a validation request to the multiple-use produce validation processor 212 via the Internet 144. The validation request includes data identifying the QR code 210 such as a copy of the QR code, an indication of the timing of the use of the banknote such as the date of use, and an indication of the location of use such as an indication of the point-of-sale terminal used or the city or town where used or global positioning satellite (GPS) location data. The data contained in the validation request is received by the multiple-use validation processor 212 which logs it at step 224 in the product history of use database 214. This logging step updates a record of use (not shown) stored in the product history of use database 214 so that the analysis module 126 can determine at step 226, based on the up-to- date record, whether a risk threshold has been met - i.e. whether the pattern of use of the banknote is outside the normal range. If the risk threshold has been met, the multiple-use product validation processor 212 transmits at step 228 an alert message to the user device 142. If the risk threshold has not been met, the use pattern is in the normal range and the multiple-use product validation processor 212 transmits at step 230 a validation message to the user device 142.

The system may additionally or alternatively be arranged to detect specific instances in which a banknote is used simultaneously in different locations, thereby indicating that a fraudulent copy is in circulation.

In the embodiment described above the user device is provided as a mobile phone, perhaps of a customer, but in alternatives it could be a retailer device capable of scanning a QR code such as a device associated with a point-of-sale terminal. In that case, the retailer device could be arranged for scanning a banknote when it has been presented by a customer so that the retailer can check the banknote is authentic before proceeding to accept it for a transaction. Alternatively, the retailer device could be arranged for processing high volumes of banknotes at the end of a day of business for efficiently logging the use of the banknotes taken that day.

In other embodiments it is possible to add further layers of security which are particularly useful for banknotes which are highly susceptible to counterfeiting. For example it is possible to implement the QR code in infra-red ink. This means that a forger has to forge both the serial number and the hidden QR code. The hidden QR code would direct the scanner to a predetermined website where the website can validate that the scanner is a real scanner and can record the serial number (which can be embedded within the QR code for example).

In an alternative embodiment, it is also possible to use colour shifting inks on the banknote. Here irradiation of the banknote with light of a first wavelength produces a response from the colour-shifted ink which is at a wavelength expected by the scanner and at which the scanner (image capture device) captures an image of the QR code.

It is to be appreciated that the above described embodiments are exemplary only and that modifications will occur to those skilled in the art without departure from the spirit and scope of the present invention, as defined in the appended claims.