The entire system is based on machine-generated codes created at the factory level and printed on individual packs. Firstly, factory-level secret keys are stored on company and government servers. Each key provides a "license" to print a large number of Codentify codes. Thus, any misuse of privileges at this level in the system could allow criminals to generate extra codes under a given factory's name. These codes are generated on "Printer-Level" computers in the factory; therefore, nefarious elements need only obtain the factory-level keys and the encryption algorithm to generate their own codes and copy them onto illicit or counterfeit products. A primary element for auditing the system is a central database, accessible both to government entities such as customs and to company elements. Codentify promotional materials and other sources stress the technological centrality of such a database, but it does not exist in actuality. This means there is no central register of codes and packs, with characteristics and quantities for both. So essentially, there is no way to check whether a code is genuine or not. The only thing the system verifies is whether the code printed on the package was printed by the Codentify system.
Any counterfeiter worth their salt has quite a few ways to get around this. One is "Code Recycling": the codes printed on packs rejected as part of standard quality control can be reused simply by reprinting them on new, counterfeit products. Anyone with good contacts inside a factory could obtain a large number of such codes and use them to their advantage (either before or after the rejected packs were shredded or disposed of). Another, more sophisticated method of counterfeiting codes is "Code Cloning": printing the same code on multiple packs. Because of the way the system checks the codes, it only indicates whether a given code has been checked before. Once a code has been checked, all other checks will result in a "previously checked" message, with no way to distinguish genuine product from counterfeit. This means customs and smokers have no way of knowing if they have bought a counterfeit product with a genuine code. It also means that criminals and counterfeiters can reuse genuine codes they get their hands on multiple times without fear.
Other flaws in the system can lead to "Code Migration": due to the lack of a central database, codes printed in one country can be reprinted in another with no way of checking. This magnifies the number of times a counterfeiter can reuse genuine codes at least 28-fold (once for each country in the EU). This number of technological flaws in a supposedly secure system is staggering.
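A toy model of the verification gap described above, added here as an illustration (not Codentify's code or algorithm, which the article does not give): an HMAC-tagged serial stands in for a code, `StatelessVerifier` models a per-country check that only knows "valid" or "previously checked", and the hypothetical `CentralRegister` shows what a shared register of issued codes would flag. The key, code format, class names and market labels are all assumptions.

```python
import hashlib
import hmac

FACTORY_KEY = b"constructed-demo-key"  # constructed stand-in for a factory-level secret

def make_code(serial: int) -> str:
    """Toy code: serial plus truncated HMAC tag (assumed scheme, not Codentify's)."""
    tag = hmac.new(FACTORY_KEY, str(serial).encode(), hashlib.sha256).hexdigest()[:8]
    return f"{serial:06d}-{tag}"

def tag_is_valid(code: str) -> bool:
    serial = code.split("-")[0]
    if not (code.isascii() and serial.isdigit()):
        return False
    return hmac.compare_digest(make_code(int(serial)), code)

class StatelessVerifier:
    """One instance per country: checks the tag, remembers only 'checked before'."""
    def __init__(self):
        self.seen = set()

    def check(self, code: str) -> str:
        if not tag_is_valid(code):
            return "invalid"
        if code in self.seen:
            return "previously checked"
        self.seen.add(code)
        return "valid"

class CentralRegister:
    """Hypothetical shared register binding each issued code to a market and status."""
    def __init__(self):
        self.packs = {}  # code -> {"market": str, "status": str, "checks": int}

    def issue(self, code: str, market: str) -> None:
        self.packs[code] = {"market": market, "status": "active", "checks": 0}

    def void(self, code: str) -> None:
        self.packs[code]["status"] = "voided"  # pack rejected at quality control

    def check(self, code: str, country: str) -> str:
        pack = self.packs.get(code)
        if pack is None or not tag_is_valid(code):
            return "invalid"
        if pack["status"] == "voided":
            return "alert: voided code in circulation"
        if pack["market"] != country:
            return "alert: code issued for another market"
        pack["checks"] += 1
        return "valid" if pack["checks"] == 1 else f"alert: checked {pack['checks']} times"
```

Given the same inputs, the stateless check answers only "valid" or "previously checked" for a voided, duplicated or out-of-market code, while the register returns a distinct alert for each.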
These technological weaknesses are magnified by the human weaknesses the Codentify system is susceptible to. The various levels of verification can be disabled or corrupted at the factory level by a management decision (contrary to the tobacco industry's promises regarding the system). For example, many factories continue to use a mixed approach for verification, including old-style paper tax stamps and newer Codentify codes; our source has noted that genuine packs have been sold with Codentify codes but without official tax stamps in several instances. Another human weakness is social engineering of relevant IT workers at the factory level; with their cooperation, all of the above technological flaws can be exploited. Indeed, according to our source, the Codentify system's security is based on a "mutual honor system" amongst the various factory workers; all anybody needs to make the system insecure is the cooperation of several workers at the factory level.
In conclusion, Codentify is a deeply flawed system. Firstly, it is controlled by the very industry it is meant to regulate, which constitutes a blatant conflict of interest. Secondly, it has wide-ranging technological flaws which can be exploited extensively (as they exist at the factory level) in a variety of ways. Lastly, these flaws are only exacerbated by the human weaknesses inherent in the system.