7

I would like to manage my inventory using a barcode system, but I am afraid that people will be able to scan or copy my barcode and make duplicates.

I would like to offer a discount card that has a unique barcode for each customer. It is important that customers cannot rescan or duplicate the barcodes because each barcode is a voucher for 5, 10, 20 taxi rides.

How can I prevent people from duplicating my barcodes and reusing already purchased services?

Nichole
  • 2
    I think this may be a duplicate of http://security.stackexchange.com/q/5420/485 - can you have a look to see if the answers there help you at all? – Rory Alsop Mar 20 '13 at 07:43

2 Answers

25

You can't stop duplication of barcodes. What you're describing is a replay attack. The solution to this particular case is to keep a database of issued barcodes and their values. When a barcode is redeemed, the database must invalidate that code.

It works best if this system is online in which codes are atomically applied and cancelled. It is also possible to limit the window during which codes can be re-used in a batch processing based system if the terminals cannot be online, though any use of a code between when it is first redeemed and when that redemption is copied to other systems is a risk.

Jeff Ferland
  • 2
    +1. Must say that each barcode has to be tied to the customer's ID, and ID needs to be verified prior to applying the barcode. Otherwise there emerges the threat "it wasn't me, 'twas another Joe Smith!" – Deer Hunter Mar 20 '13 at 04:18
  • It is worth noting that this is the same way that vendors ensure that printable coupons are not reused. – AJ Henderson Mar 20 '13 at 13:23
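
An added example, not part of the original answer or comments: a sketch of the online redemption database described above, using SQLite. The table layout, the function names and the sample customer IDs are assumptions made for illustration; the customer ID check follows Deer Hunter's comment.

```python
import secrets
import sqlite3

def open_store(path=":memory:"):
    """Create the voucher table (hypothetical schema for this example)."""
    # isolation_level=None: autocommit, so each statement is its own transaction
    db = sqlite3.connect(path, isolation_level=None)
    db.execute(
        "CREATE TABLE IF NOT EXISTS vouchers ("
        " code TEXT PRIMARY KEY,"
        " customer_id TEXT NOT NULL,"
        " rides_left INTEGER NOT NULL CHECK (rides_left >= 0))"
    )
    return db

def issue(db, customer_id, rides):
    """Issue an unguessable code; this string is what the barcode encodes."""
    code = secrets.token_urlsafe(16)
    db.execute("INSERT INTO vouchers VALUES (?, ?, ?)", (code, customer_id, rides))
    return code

def redeem(db, code, customer_id):
    """Consume one ride. Returns rides left afterwards, or None if refused.

    The validity check and the decrement are a single UPDATE, so two
    terminals scanning copies of one barcode cannot both spend the last ride.
    """
    cur = db.execute(
        "UPDATE vouchers SET rides_left = rides_left - 1"
        " WHERE code = ? AND customer_id = ? AND rides_left > 0",
        (code, customer_id),
    )
    if cur.rowcount != 1:
        return None  # unknown code, wrong customer, or voucher used up
    # Informational read only; the decision was already made by the UPDATE.
    row = db.execute("SELECT rides_left FROM vouchers WHERE code = ?", (code,)).fetchone()
    return row[0]

if __name__ == "__main__":
    db = open_store()
    card = issue(db, "cust-001", 5)  # constructed sample customer
    copy = card                      # a photocopy carries the same code
    scans = (card, copy, card, copy, card, copy)
    print([redeem(db, c, "cust-001") for c in scans])
```

Copies of the barcode are never detected as such; they simply draw down the same balance, so the sixth scan is refused regardless of which piece of paper it came from.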
3

You could consider printing the barcodes on special paper or cards that are difficult to duplicate. For example use a plastic card with a hologram, or a transparent window, or some textured print. Basically anything that makes it hard to counterfeit. Have a look at the cards or money in your wallet for the security features that make them hard to copy.

davidwebster48
  • 3
    Difficult to copy != impossible. Jeff's solution is the better one. –  Mar 20 '13 at 06:31
  • 2
    I agree, Jeff's solution is ideal if the barcodes can be invalidated in the database immediately. This might not always be possible for a number of reasons (database is down, connectivity is off-line, client side hardware is broken, etc), and making the cards hard to counterfeit would reduce the risk of fraud in these cases. I heard about a case where criminals cut the data cabling to a supermarket, so they could perform fraudulent transactions while the credit card terminals were working offline. – davidwebster48 Mar 20 '13 at 10:08
  • Why not add a hologram next to the barcode? The question sounds like some human will scan the barcode anyway, so they could verify the hologram, which would probably cost more to forge than the intended discount is worth. The trouble is of course that even producing the original isn't that cheap... – Tobias Kienzler Mar 20 '13 at 12:55