October 13, 2015

Secure University Certificate and Transcript Solution

This is Part 3 of a series of blog posts investigating university certificate fraud and potential solutions. This part provides an overview of our secure certificate generation solution and how it addresses the issues raised earlier. Part 1 explains the problem and Part 2 investigates typical solutions deployed by universities to address it.

At Qryptal, we have been working in this space for years and feel that an ideal solution to address this problem should have the following characteristics:
  • Should work on physical printed paper:
    Often documents are required to be submitted in physical paper format or copies are generated for printing - making electronic digital signing solutions great in theory but not too viable in practice. This may seem counterintuitive with nearly everyone carrying a smartphone but when is the last time you submitted or verified an electronic signature?
    With smartphones, often instead of scanning paper - users simply take a photo of the document and share it instantly. Electronic digital signatures get lost in this process of printing or taking “photos”. This is the practical reason why these electronic signing solutions, hailed by everyone for a decade as a panacea, never delivered.

  • Easy to validate on an ad-hoc basis:
    If a solution requires many steps/equipment - it will simply not get used!
    Just because you make a system available for document validation, it does not mean that it will get used.
    We technologists are guilty of this sin all the time. Often a big budget grand project is created with a lot of fanfare to solve a problem. After it finally gets deployed - we wait and wait for usage and then finally blame the user for not “getting it”.
    It is not the fault of the user - complexity inundates us everywhere and the solutions which are easy and feel intuitive are the ones which end up getting traction.
    So if your mission is to make your documents trustworthy, then you have to make it super easy for anyone to validate them without compromising on the security aspect. No messing around with visiting websites, creating accounts etc.

  • Avoid Central Database or network access to validate:
    As recent hacking news has made it clear, network based solutions can introduce their own vulnerabilities (DNS, SSL, Privacy) and attack surfaces.
    Educational Certificates are especially vulnerable because if someone sneaks in a new record for a student who apparently graduated ten years back, how will that be detected?
    Perpetrators could be outside hackers or even some future disgruntled employee who thinks that this is a victimless and undetectable crime.

The Qryptal Secure Document System (QSDS) has been designed from the ground-up to provide the most elegant solution for securing university degrees and certificates.

This is what a secured certificate looks like:
The system adds the secure Qryptal code to the certificate. Since this is a visual bar code (QR Code), it appears not only on the original but also on copies, whether scanned or simple photos of the document.

Now anyone coming across this certificate can simply scan the code with the validation App and instantly verify. You can also try this right now by visiting
on your smartphone, installing the App and scanning the code above.

The major features of the Qryptal Secure Document System technology are:
  • Server-less:
    No servers, cloud or central database is required - just need the App to validate.
    Apart from security and privacy benefits, this feature also implies that once a certificate is generated and issued, that certificate stays valid and can continue to be verified without the need to maintain any infrastructure!
  • Tamper proof code:
    Digitally signed code uses levels of security much higher than those commonly used for internet banking (equivalent to a 3072-bit key).
  • Small Code Size:
    Unique compression technology keeps the code small while maintaining high levels of security
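
The offline check behind the "Server-less" and "Tamper proof code" features can be sketched as follows. This is an added example, not Qryptal's code or code format: the record layout, the `signature || deflate(record)` framing, the choice of Ed25519 (about 128-bit strength, the level usually equated with a 3072-bit RSA key) and the fixed demo seeds are all assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record; the field layout is an assumption for this example.
const SampleRecord = "name=Jane Doe|degree=BSc Computer Science|year=2005|serial=EXAMPLE-0001"
const maxRecord = 4096 // cap on decompressed size accepted by the verifier

var ErrBadSignature = errors.New("signature check failed: code is forged or altered")

// DemoKey derives a key pair from a fixed, constructed seed so the example is
// repeatable. A real issuer generates its key from a CSPRNG and keeps it offline.
func DemoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Seal returns the text to render as a QR code:
// base64url(signature || deflate(record)).
func Seal(priv ed25519.PrivateKey, record string) (string, error) {
	var body bytes.Buffer
	w, err := flate.NewWriter(&body, flate.BestCompression)
	if err != nil {
		return "", err
	}
	if _, err = w.Write([]byte(record)); err != nil {
		return "", err
	}
	if err = w.Close(); err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, body.Bytes())
	return base64.RawURLEncoding.EncodeToString(append(sig, body.Bytes()...)), nil
}

// Verify needs only the issuer's public key, which the validating app carries;
// no network call or database lookup is involved.
func Verify(pub ed25519.PublicKey, code string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(code)
	if err != nil || len(raw) <= ed25519.SignatureSize {
		return "", errors.New("malformed code")
	}
	sig, body := raw[:ed25519.SignatureSize], raw[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return "", ErrBadSignature
	}
	// Decompress only after the signature passes, and bound the output size.
	out, err := io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(body)), maxRecord+1))
	if err != nil || len(out) > maxRecord {
		return "", errors.New("invalid or oversized record")
	}
	return string(out), nil
}

func main() {
	pub, priv := DemoKey(0x42)
	code, _ := Seal(priv, SampleRecord)
	rec, err := Verify(pub, code)
	fmt.Println("genuine:", rec, err)
	// A record signed by anyone other than the issuer fails, however plausible it looks.
	_, other := DemoKey(0x07)
	forged, _ := Seal(other, "name=John Roe|degree=MBA|year=2005|serial=EXAMPLE-0002")
	_, err = Verify(pub, forged)
	fmt.Println("forged:", err)
}
```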

Deploying the Qryptal Secure Document System is also easy and we currently offer the following options:
  • Web Service API:
    This is a RESTful API where your existing document generation system can make secure API calls to our system and get the secure code or the fully generated certificate PDF based on your template.
  • On-premise software:
    We provide you with the Qryptal Generator software that you run in-house to generate these secure codes/certificates.
  • MS Excel Add-in:
    If you use MS Excel as a database, we have an Add-in which makes it easy for your operators to just click and generate secure codes/certificates.

For more information or trial, please contact us at:

July 28, 2015

How do Universities provide certificate verification services

This is Part 2 of a series of blog posts investigating university certificate fraud and potential solutions.  Part 1 gives an overview of the problem.

University degree certificate fraud has been occurring for a long time. Unfortunately the pain of fraud is felt primarily not by the university issuing the certificate but by institutions accepting those degrees and persons (students) to whom the certificate was issued.

Institutions are now generally more careful in accepting certificates and follow various processes to vet the certificates:
  • Request to inspect original:
    Not really used today because it is now easy to source “original” looking fake certificates.
  • Ask the copy of the degree to be attested by the Embassy of the country where the University is domiciled:
    Also out of favour because the embassy staff can also be fooled, or even worse - facilitate the tampering.
  • Check with the University itself:
    Not too difficult if the University is local but not really practical unless the university offers a streamlined process to do so. More on this below.
  • Engage third party investigation agencies:
    These agencies would check with the issuing university in their respective home countries. This often costs a lot in terms of both money and time.

As one can sense from above, the actual price of fraud is paid daily by persons to whom the certificate was issued in the first place and by institutions accepting those documents.

The time delays lead to missed opportunities, unfilled positions and generally add an unwanted tax to the simple task of ascertaining the authenticity of a document.

Nearly every university has an authorised person (“Registrar”) who verifies certificate validation requests. If it is a manual process, then this becomes a bottleneck and sometimes another weak link in the validation chain.

Universities typically provide these validation services to third parties in one of the following forms:
  • No stated process:
    Unfortunately this is the state of affairs in most developing countries.
  • Paper Application (Manual):
    Yes - it is as tedious as it sounds: fill a paper form, get a bank draft made, snail mail and wait. Example: Indian Institute of Technology.
  • E-mail (Manual):
    A validation request is sent via e-mail and response provided by e-mail - typically manually by a human. Example: Harvard Business School.
  • Web Service (Manual or automated):
    Agents wishing to validate need to create an account on the web portal, provide details and pay some fees. These web services are provisioned in a couple of ways:
    • University run web service:  University run and managed service. Example: National University of Singapore.
    • Third Party Web Services: Here the university ties up with a third party and provides them with their student records database. Agents wishing to validate log on to these third party websites, provide details and get the result after paying some fees. Example: Massachusetts Institute of Technology.

Features and drawbacks of manual processes:
  • One advantage of the manual process is that it does not require connecting the entire student database to some internet connected server. Every day we come across hacking incidents and the manual process does not increase bulk data hacking risk.
  • Manual processes are slow. On the flip side, since the process is manual - it is easier to maintain a balance between student privacy and third party verifier interests.
  • Time-Person risk: Degrees may need to be verified after years and if the process is manual, at some point in future a compromised person may be part of the office processing such requests. Since many perpetrators consider this a victimless crime, any discrepancies can be next to impossible to detect (no interested party to raise issue).

This case of an MIT Dean needing to resign due to fake degrees is a reminder that individuals with compromised integrity may become part of university administration at certain points of time.

Features and drawbacks of web services offering online verification:
  • Instant verification: This is the major obvious benefit and much more in sync with current expectations.
  • Student privacy: This gets tricky in such services and many institutions have resorted to asking students to give consent for such information sharing. Often the consent is global and not for a specific case - again a compromise for efficiency but less than ideal in today’s world. Example: Carnegie Mellon University explaining the need for consent.
  • Database risk: The risk emanates from the fact that for such a service to work, the entire current student and alumni database needs to be exposed somehow to the internet. This brings its own set of risks:
    • Data leakage:
      Identity theft is common and such a database is a great target for such thieves.
    • Data tampering:
      This can compromise the integrity of such a service. This is not so far-fetched and cases have actually been reported:

      For $6500, this forgery business claims to be able to input the fraudulent student details into database for many Australian Universities!

      After recent revelations of data hacks of the most sophisticated government departments, reducing database risk should be a prime criterion.
  • Third party web-service risks: Though tempting to off-load validation services to third parties, it is important to realize that all the risks multiply in such cases. From a hacker's perspective, a third party aggregating databases of multiple universities is a much juicier target than a single university.

We have been studying the certification validation problem for years and feel that the ideal solution should have the following features:
  • Should work for Paper and electronic copies: often documents get presented as physical copies or submitted as scanned copies making electronic only solutions unviable.
  • Offer instant validation: instant validation is a hard requirement for the solution to be adopted and be useful.
  • Avoid Central Database: database risks have to be reduced. It is difficult to secure information today, but securing infrequently accessed information for decades is close to impossible.
  • Maintain Privacy: An ideal solution should maintain the privacy of both the student as well as the organisation validating the certificate and the university or third parties should not be in the middle with attendant responsibilities.

We have been working on a solution that addresses the shortcomings of existing solutions mentioned above. The next post in this series will explain it in more detail.

June 16, 2015

The Fake University Degree Scourge

Fake or tampered degrees or certificates have always been a problem but recent scams show that they are becoming more pervasive. This is Part 1 of a series of blog posts attempting to investigate the issue and suggest potential solutions. 

Degree scams are not limited to your average Joe but are now being uncovered in high places as well:

We have been aware of this problem for years and are now alarmed at the increasing frequency of such incidents. Surprisingly, this problem is not just limited to developing countries and such incidents occur literally in every country.

There are three main drivers for this phenomenon:

  • Motivation: Academic credentials are highly valued and considered a passport for leading a good and respectable life - by hook or crook, everyone wants one!
  • Access to technology: Sophisticated scanners, printers and image manipulation software are now easily available to everyone.
  • Globalisation: With increased workforce mobility, it is now very common for people growing up and studying in one part of the world and working in another.

Every day, society pays a very heavy price for this malarkey. Trustworthy credentials lay the foundation of a merit-based society and such incidents shake our faith in the system.

The worrying aspect is that the scope of the damage is extending beyond sullied reputations or economic costs; fake degrees have literally caused deaths due to fake doctors:

A couple of ways unscrupulous people fake degrees are:
  • Outright fake: Never graduated from the college and either forged a certificate by modifying one from a friend or by using an online degree selling service. The fake certificates can be such a good imitation that even a trained eye could be deceived.
  • Embellishment: Actually graduated from the claimed college but courses are faked or marks enhanced in transcripts. These are even more difficult to detect because a high level check will validate that the person did attend that college.

Another factor making this an intractable problem is that it is not just individuals faking degrees but organised commercial operators.

The above story about an operator in China providing degrees from Australian Universities is remarkably brazen even by the standards of these shady operators:
  • The degrees, which the business claims are sourced from the same parchment providers used by the universities, range from $3500 for “copy” quality to $5700 for an “original”
  • For $6500, it claims to be able to input the fraudulent student details into university databases!

Such incidents should raise the hackles of any university administrator. 

In the next post we will discuss some of the options being used to mitigate this epidemic of fake degrees.

April 07, 2015

Updates on the QR Code and NFC Platform for Out-of-Home (OOH) Advertising

This earlier post gives a brief overview of our platform for OOH advertising providers. The platform has become popular with OOH media owners and advertisers because it adds value for all - including the user.

Nearly every campaign today has an online component (LIKE us, register for event, get a coupon, purchase...) and providing an instant, relevant, actionable trigger goes a long way in meeting the objectives of the campaign.

Since launch we have added many features to support the unique workflows of the OOH industry.

A couple of notable ones:

Campaign Scheduler:
Updating the campaigns every week used to be a tedious manual process. Usually OOH campaigns are sold on a weekly basis and on the designated day (typically late at night), new posters and material are put up for the upcoming campaigns. This of course required changing the settings for all the QR Codes and NFCs on our platform as well.

The Qryptal system always enabled uploading a spreadsheet with details of the upcoming campaigns. But though the actual physical posters would always need to be changed manually (until it is all digital screens) - it was doubly frustrating to do the re-programming of the NFCs and QR Codes every week.

We have now added the capability to upload campaign spreadsheets and schedule them. So if you are running 10 campaigns/week - you can just keep on scheduling as and when the clients confirm, rather than doing so on that particular changeover day.

Since the spreadsheets could have an error, we also have dry run processing which emails you in case any problems are encountered in the data set.

OOH Assets Updater:
Changes to OOH assets happen frequently, particularly in a large network with thousands of assets. We have further streamlined the process of updating the assets so that the campaigns are correctly deployed and the analytics accurate.

We are encouraged by how well our platform is now working for the OOH industry and look forward to adding more capabilities to serve this industry.

June 10, 2014

New Facebook LIKE Coupons for local businesses with redemption tracking - works online and offline

"Like" us on Facebook and get "reward"

UPDATE: Facebook has changed their platform and campaigns as mentioned in this post are no longer possible.

Facebook is an awesome platform for small and local businesses to connect with their customers and build an engaged community. Millions of local businesses are already on Facebook because this works and because that's where their customers are.

To promote their products and Facebook page, businesses conduct promotion campaigns:
"Like" us on Facebook and get "reward" - where the reward can be a discount or a free sample.

Usually such campaigns are a pain for both the merchant and the user.

We come across these in online media, print and also in-store promotions. Some merchants have even installed kiosks for customers to log-in to Facebook and "prove" the LIKE. Now how painful is that for the customer? for staff? privacy?

With our extensive experience in coupons we are now introducing a new streamlined service where you can set up an offer in minutes and which your customers can actually use with confidence.

For the merchant it automatically ensures that ONE Facebook LIKE leads to one coupon - preventing coupon hogging. So have something new for customers? Use this and ensure that your free samples are not cornered by a few.

Further it provides for redemption and expiration tracking - saves staff time and avoids misuse. This also works if you have multiple outlets!

Try these demo campaigns on your phone:

January 27, 2014

Get Rid of Paper Coupons

Many businesses use coupons to attract new customers or to reward existing ones. But paper coupons are a lot of work for both customers as well as businesses.

It is easy to replace these messy paper coupons with Qryptal Mobile Coupons.

Not only do these coupons reduce paperwork, they are simply better for all.

User Benefits:
  • No clipping and keeping paper coupons
  • No worry about carrying coupons

Coupon Issuer Benefits:
  • Keep track of who is getting coupons and when they are redeemed
  • Block multiple redemptions
  • Keep tight inventory control
  • Reduce backend paper tracking

To understand how this works - scan this QR Code to issue a demo coupon:

The system is easy to set up and supports extensive customization.

For further information and demo:

December 05, 2013

QR Code and NFC Platform for Out-of-Home (OOH) Advertising

This post outlines how the Qryptal Platform is being used in Out-of-Home (OOH) advertising.

First, a brief recap of the Qryptal Platform:

  • PCodes: These are serialized QR Codes and pre-programmed NFC tags. Typically customers bulk generate and print them in advance and point them to a placeholder campaign. Later when an actual campaign is deployed, the PCodes are assigned to the desired campaign.

    For physical deployment, the operations team has to ensure that the serial numbers on the QR Codes and the NFC tags match up.

    The PCodes can also be linked to a location database. Typically our OOH customers do this because:
    • They already have the co-ordinates (latitude, longitude) of their OOH assets
    • Linking a PCode to its location enables OOH-relevant analytics

  • Campaigns: To be of any use, the PCodes have to be pointed to a campaign. These are created on the Qryptal Platform and are primarily of two kinds:
    • Redirect Campaigns: Here scanning the PCode would redirect the user to the assigned redirect campaign URL (can be any URL).
      The platform enables creation of sophisticated URL redirects based on many parameters: time, sequence of visit, random, language, geo-lock etc.
      Interesting campaigns can thus be easily created: scan first time and see movie trailer #1, second time see trailer #2 and so on.
    • Hosted Campaigns: These campaigns are designed and run on the Qryptal platform itself. These can be for contests, check-ins, feedback, coupons, mobile forms etc.
      Profile creation with mobile number verification can also be incorporated.
  • Analytics: A summary report and raw logs are provided. Linking the location database enables displaying of a map with #scans at each site (including by type: QR/NFC).

There is a lot more to the system in terms of things you would expect for managing campaigns with hundreds or even thousands of points of presence.

October 25, 2013

Scratch and Win QR Code Campaigns

Scratch and Win campaigns are one of the most effective uses of QR Codes and NFCs in marketing. They work because they are easy to set up and provide an incentive to end-users.

Just Scan QR/NFC -> Scratch and see if you won something!

To understand how this works - just scan this QR Code a few times to check out the different prizes:

As an organizer, you will get real time information on who is participating and what they are winning. You will be surprised how rapidly your database builds up and how quickly you can start identifying your regulars.

The system can track across multiple outlets and locations. You can also set up different odds for different prizes and can also limit users to get only one try for the entire campaign or say a fresh chance every day!

Such campaigns can be utilized anywhere:

  • Events and Exhibitions
  • A regular campaign at your establishment
  • New product launches 
  • Marketing Campaigns
  • Anyplace where you wish to engage your customers!

September 24, 2013

Mobile Enabling Industrial Products with QR Codes

Here is another example of using QR Codes in Industrial Products:

via diessel.com
GEA Diessel introduced the new QR codes in response to requests by customers who wanted to be able to access specific information quickly and easily.
This is a great use case: providing authoritative information instantly. For a business with many products, it takes time for customers to locate the right information. With a QR Code, the customer gets precise up-to-date information, right on the spot!

With thousands of products, building such a system can take a lot of resources - that is why we offer Qryptal Database integrated Mobile Pages to make this easy.

The solution can be enhanced further by adding the service request module: Customer scans QR Codes and not only gets the right information but can also request for service and include photos and videos of the issues they are facing.

The service team would not only know exactly which product, serial # but also have a much better understanding of the issue. Here is a demo code for this:

June 27, 2013

Waiting For The World To Change

(This post is by guest blogger Dave from California)

So when will manufacturers finally turn their products into platforms?

My Kenmore Elite refrigerator has stood proudly in my kitchen for five years, but it still doesn’t know a thing about me.  

(nor does it realize it is under new ownership; it came with the house I bought)

A week ago, my cable company (Xfinity, fka Comcast) brought me a new DOCSIS 3.0 modem. It’s much larger than my old modem, a one-foot tall tower with white UPC code stickers on both the back and the bottom. It appears to be made by a company called ARRIS, in China.

In order to implement new VOIP phone service through the modem, I had to call the Technical Department, who told me I needed to speak with the Activations Department.   This transaction required 23 minutes.  Each person separately verified my name; the phone number I was calling from; the phone number I wanted to activate; my address; and the last four digits of you know what.

It occurred to me that this activation work could have been done entirely through the magic of a simple QR code, in about 30 seconds.

I could have scanned a code on the modem and triggered a live session with a server to conduct the activation, like the one that now happens with my renewed credit card.   

And even if I’d never scanned a QR code before, this vendor could have simply emailed me instructions to download a QR reader, or, better yet for them, to download their app.  The marketing value of getting me to download their app is so great, they could have afforded to provide me with a financial incentive to do it.  

60% of the USA has a smartphone, and that number is rising.  An un-internet-connected phone will soon become an endangered species.  

I found that Linksys, Netgear and Motorola all offer modems of this kind, and wondered how they do activations.  To say nothing of the hundreds of manufacturers of other stuff sitting in our homes that could offer me the chance to interact with them. But instead, I have a drawer full of paper installation guides, warranties and product registrations, and zero relationship with any of them.

The internet of things?  Still waiting.