Every so often someone proposes an apparently clever anti-counterfeit scheme: print a unique QR code on every product, route the scan to a "verify" page on the brand's site, show a green check if the serial is on the whitelist. Intuitive, cheap, fast to deploy — and broken at the most fundamental level. This post is why.

What a static QR is actually doing

The typical setup: each product gets a unique URL like https://verify.brand.com/?sn=A8X-12345. Scan it, the server checks the serial against a whitelist, returns "authentic."

Sounds reasonable. Now think like an attacker: their job is to print one legitimate serial number a million times onto counterfeit goods. That's it. No crypto to break, no SDK to reverse, no traffic to intercept — a phone camera and a label printer.

Three trivial attacks

  • Copy one code. Scan a real product in a flagship store, print the code 50 times with a $200 laser printer, slap it on 50 fakes. All 50 fakes will verify as authentic.
  • Bulk harvest. Buy 100 real units (or photograph them in transit), collect the codes, print onto 10,000 fakes.
  • Serial number generation. If the serials follow a pattern — sequential, predictable — the attacker doesn't even need real product samples.

"But my codes are unique per scan"

Some schemes claim "fresh codes per scan." That sounds like dynamic authentication. But to actually generate a fresh value, the chip itself needs a key and a counter — which is exactly what NTAG 424 DNA does. A printed QR code cannot do this: paper has no CPU, no key, no counter. Whatever you printed is what's there forever.

Dynamic vs static: the foundational difference

Dynamic authentication (NFC + SUN) has one critical property: every interaction is non-replayable. Even if an attacker captures the previous URL, the moment they try to use the same code again, the verifier sees the counter has not advanced and rejects it. That is mathematical clone resistance.

Static QR cannot offer this. It is printed once and is the same forever. "Cloning" is physically equivalent to "photocopying."
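To make the two failure modes concrete, here is an added example (not code from the original post or from NXP) that puts the static whitelist lookup from the "verify page" setup beside a simplified SUN-style verifier. The static check accepts a copied serial as often as it is presented; the dynamic check rejects a captured URL because the counter did not advance, and rejects a tampered URL because the MAC no longer matches. The tag UID, serials, key and verify URL are constructed for the demo, and HMAC-SHA256 stands in for the AES-CMAC a real NTAG 424 DNA computes; the counter-and-MAC logic is what matters.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# ---- Static QR: a serial checked against a whitelist --------------------
STATIC_WHITELIST = {"A8X-12345", "A8X-12346"}  # constructed sample serials


def verify_static(serial: str) -> bool:
    """True whenever the serial is known. Original and photocopy are indistinguishable."""
    return serial in STATIC_WHITELIST


# ---- Dynamic (SUN-style) tag: key + counter live on the chip -------------
def _mac(key: bytes, uid: str, counter: int) -> str:
    # Simplification: HMAC-SHA256 in place of the chip's AES-CMAC.
    msg = f"{uid}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class Tag:
    uid: str           # chip identifier (constructed for the demo)
    key: bytes         # per-tag secret shared only with the verifier
    counter: int = 0   # advances on every tap, never rewinds

    def tap(self) -> str:
        """Simulate one tap: bump the counter and emit the URL the phone would open."""
        self.counter += 1
        mac = _mac(self.key, self.uid, self.counter)
        return f"https://verify.example.com/?uid={self.uid}&ctr={self.counter}&mac={mac}"


@dataclass
class Verifier:
    keys: dict = field(default_factory=dict)          # uid -> key
    last_counter: dict = field(default_factory=dict)  # uid -> highest counter accepted

    def verify(self, url: str) -> tuple[bool, str]:
        params = parse_qs(urlparse(url).query)
        uid = params["uid"][0]
        ctr = int(params["ctr"][0])
        mac = params["mac"][0]
        key = self.keys.get(uid)
        if key is None:
            return False, "unknown uid"
        if not hmac.compare_digest(mac, _mac(key, uid, ctr)):
            return False, "bad mac"   # forged or edited URL: no key, no valid MAC
        if ctr <= self.last_counter.get(uid, 0):
            return False, "replay"    # counter did not advance: a captured URL
        self.last_counter[uid] = ctr  # remember the high-water mark per tag
        return True, "ok"


def demo() -> dict:
    """Run both schemes against copied, replayed and tampered inputs."""
    # Static: the same serial, scanned three times from three stickers, passes three times.
    static_copies = [verify_static("A8X-12345") for _ in range(3)]

    tag = Tag(uid="04A1B2C3D4E5F6", key=secrets.token_bytes(16))
    server = Verifier(keys={tag.uid: tag.key})
    first = tag.tap()
    genuine = server.verify(first)                      # first tap: accepted
    replay = server.verify(first)                       # same URL again: rejected
    forged = server.verify(first.replace("ctr=1", "ctr=99"))  # edited counter: MAC fails
    next_tap = server.verify(tag.tap())                 # a new tap still works
    return {
        "static_copies": static_copies,
        "genuine": genuine,
        "replay": replay,
        "forged": forged,
        "next_tap": next_tap,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `last_counter` map is the whole point: the verifier only has to remember the highest counter it has accepted per UID, so clone resistance costs one integer of state per tag, while the static whitelist has no state that could distinguish the tenth copy of a serial from the first.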

Where QR codes actually shine

QR codes are useful — just not as the anti-counterfeit barrier. They're great for:

  • Sending consumers to product information pages (marketing)
  • Warranty registration, account activation (CRM)
  • Human-readable batch identifiers in traceability (when paired with stronger controls)

If a product costs $1 to counterfeit and a QR copy costs $0.001, the printed QR cannot be your anti-counterfeit barrier. The barrier has to cost more than the attack.

When static is good enough

Low unit price, thin margin, weak counterfeiting motive — basic packaged goods, office supplies — static QR plus brand traceability handles low-intensity fraud fine. The moment a product touches a regulated category (pharma, medical devices, luxury, electronic components), the static failure mode becomes a liability for both regulator and consumer.

We've seen teams launch with static QR, run for 18 months, take their first serious counterfeit hit, and migrate to NFC + SUN inside six weeks. Making that call earlier saves a lot of pain.