Hanko stamp with anti-fraud mechanism

 Item P Ginko Images Dialbank Setumei

In Japan, contracts are signed using a hanko, an engraved stamp. (I bought one for the name "Mark" just for fun when I was in Japan. We also bought one for my daughter's karate teacher and he loves it, and now uses it on the certificates his gives his sudents. You can order a hanko online.)

Japan Sugoi writes that Mitsubishi Pencil has announced a hanko with built-in fraud protection:

Non Japanese people usually sign legal contracts or other important documents in ink, but Japanese traditionally prefer an engraved stamp called a hanko. One concern though, is that the stamped signature, usually the owner’s name, can be easily forged. Mitsubishi Pencil’s Security Enhanced Personalized Hanko stamp ダイヤルバンク印 alleviates the risk of fraud by adding a two-digit dial that creates a series of marks around the printed name, making it difficult for an unauthorized person to copy someone’s stamp. It also wards against theft by requiring a code to be entered before use.

I'm not sure how people can tell whether or not a correct combination was used, though. perhaps a Japanese reader can explain.

Mitsubishi Security Enhanced Personalized Hanko Stamp



  1. It’s common in East Asia to sign your documents with a marked seal made using a chop. In Taiwan, most people have a unique chop that’s made of carved stone. Various services have images of your chop on record. The original idea was that while someone’s handwriting was easy to forge, it would be nigh-impossible to figure out the original shape of someone’s chop stone, the exact pattern used (illumination? engraving? small imperfections?), and what was written on it.

    Nowadays, I expect it isn’t as secure given that photoshop exists, hence the security measures.

  2. what do you mean “how do people know if the right combination was used”?
    the dials with the numbers are each connected to a different ring on the outside of the central stamp. as you turn the dials, the shape of the stamp changes. in order to get the outer rings of the stamp to be in the right position, making the stamp have the right shape, the numbers have to be in a set position.
    having the combination is supposed to help in case your stamp gets stolen. the complexity of the markings on the rings around the central character are supposed to make it more difficult to forge it.

  3. When seals are used for official purposes, they’re generally registered with the government. So if someone stole your seal, and it used this sort of security measure, they wouldn’t know what combination to use to make an impression that matched what was on record.

    However – if they had a sample of something you had signed with the seal it seems like it would be pretty easy to figure out the combination. I guess the assumption is that whoever stole / acquired your seal doesn’t have access to anything you’ve signed with it before.

    1. Hmm…. How do the other “signatories” verify that you made your correct seal? Or are such documents pending until they verified the seal? Though I guess the same problem applies to signatures.

      Hah, people should just act like a Vor – nick your thumb and make a thumbprint in blood. :-)

  4. First the access security. My guess is that there is a collar around the stamp-face, and you need to rotate the number dials to a position, which unlocks the stamp-face to travel down, within the collar, to stamp a page.

    Second, as far as the numeric printed security code, I’m not going to speculate how it DOES work, but it would be neat if it operated like RSA smart-tokens. That is, if the encoded data (the stamped rings) were dynamic based upon some privately known data.

    I think I’m correct on the access security portion, which would mean that this device always stamps the same “ring data.” However, if you could set them dynamically, you could have some sort of cipher, such as setting the number dials based off of a hash of the day’s date, as a means of authentication. (I think it would be difficult to do this with the 2 dials with 10bits each, but it is a neat idea.)

  5. You know what would be fun? A small hanko stamp that stamps dynamic (cryptographic) QR-codes. So, you could authenticate the document. Since i’m going all SciFi brainstorming here, it could take a picture of what you’re signing, OCR it, make a cryptographic hash, and then generate a dynamic QR code that authenticates the document with your private key/signature.

    1. The difficulty with your suggestion is that once one puts a QR Code on a document, the hash of the image of that document then is altered, meaning the authentication algorithm has to subtract the QR code from the image — meaning documents “signed” in this manner have to have a dedicated area for the QR code to ensure the quiet zone is not intruded on, and if you staple, fold, mutilate, smudge, or pencil on the document — or even laminate it to protect it, or photograph it in different light – you change the hash of the image. Thus the difficulty with cryptographically authenticating analog — physical — clear documents.

      Technically, it would not be hard to implement your idea’s first half – it would be implementing a robust authentication technique that can verify the document in more ways than just the hash of the image.

      1. I think the idea was to hash the plaintext, acquired by OCRing a picture or scan of the document. I’ve never found OCR to be 100% accurate, so that could cause some issues, but it would be a far better bet than hashing an image.

        1. You are correct – it was to OCR the text. Some of my concerns disappear but some remain valid – OCR is not exactly highly robust and reliable, as you note, and if a less-than-robust OCR algorithm issues the hash but a robust one tries to confirm it, you get a false negative.

          For humans to trust an authentication system, it has to issue false negatives at a rate of less than 0.01% -one in ten thousand. In order for systems to use an automated authentication system, it needs to be less than one in one hundred thousand, preferably far fewer by orders of magnitude. If someone can run a day’s output of a data entry center through and get a failure, it’s going to get a reputation for being unreliable because humans have perceptual biases.

          1. How about this way: the hanko is also a usb stick. A bank emails you a document they want you to sign. Plug the stick into a computer with your gpg private key on it. Drag a document onto the hanko stick. The hanko creates a digital signature for the document against your private key, and creates a physical representation of the signature around your chop (using these cute rings or something else, whatever). Print the document, stamp your chop onto it. To verify *you* signed it, the bank scans or photographs the stamp, extracts the signature, and compares against your public gpg key and the digital copy of the document. Step 3, profit. I guess the question is, can you jam enough data into a stamp for a gpg signature?

  6. The issue still appears to remain that, once you have a copy of a document that someone’s stamped, you don’t need to go through the rigmarole of working out the code — you just create a static stamp with the circles in their correct position.

    Hmm, what would be really fun is to work out some mechanism that produces a deterministic but non-predictable pseudorandom set of codes around the name. Then the “stamp authorizers” could have an identical stamp and check to see if the codes were possible. Kind of like a mechanical version of the secure changing pin numbers.

    1. True, but it would protect things like your bank account where the image of the hanko on record is kept secret and only used for verifying by the bank staff and not revealed to the customer.

      You need a hanko in order to “sign” official documents, and organisations such as banks will do a very high resolution scan and map the individual nicks and irregularities that were left when they were carved, meaning no two hanko are alike, even if two customers have the same name and even used the same carver. In that sense they’re far more difficult to forge than a signature, but you’re up the proverbial creek without a paddle if someone steals it, and not everyone has access to a bank-grade hanko scanner. A security system such as this, that is verifiable by the naked eye and that protects against unauthorised use would seem to be an excellent solution to those two problems, although a two-bit combination seems a little weak cryptologically speaking.

  7. I do not know for certain, BUT a plausible explanation of the numeric dial is for the use of serialising the stamp – First document signed gets “04”, second gets “05”, third gets “06”, or according to whatever serialisation method one prefers to use that’s documentable and reversible — and probably, preferably not easily guessable by an attacker. All official copies of a document stamped with the same serial number and hanko combination.

    In short, it acts like a split physical token – if the two stamps (two halves of a broken stick, originally, were used as proof of stock holding) match up, documents are authentic. No match, you may have a forgery.

  8. Assuming you have a copy of the signature of the person you, you just have 81 combination to test before you can run with all her saving. More like an illusion of security.

  9. My guess is that there’s enough slop in the transition from hanko pattern (especially fine patterns) to image on paper that it would be a difficult problem to go from scanned image to forged hanko. And even if you did, there is (as with signatures) a fairly limited set of circumstances in which having the forged hanko would be useful.

  10. According to the website for the product, the dials are for a two-digit PIN which is a secret: you set the PIN, stamp the hanko, register that stamp with the bank (or other authorities) so that they know the authentic seal, then every time you use it, you set the PIN, stamp, then tumble the dials randomly — so that if it is stolen, the thief can’t use it (unless they happen to have a copy of your stamped seal available, in which case they would easily brute force the two digits until they got a matching stamp seal).

  11. My theory is that you dial in a different number, probably incrementing by one but optionally by a secret algorithm, every time you use the stamp. Each signature would then be, in effect, a mechanical hash of the previous signature. The complexity of the hash would depend on the complexity of the linkage between the combination dials and the rings at the end of the hanko. It would also help if the combination number used was incorporated into the resulting stamp mark in some sort of braille encoding.
    For a signature to be legitimate it would have to have the next combination number in the sequence, and the image would have to match that combination number for this particular hanko. The authenticating authority, who would presumably be contacted every time the stamp was used, could keep track of the current sequence number and would have a sheet containing the images produced at every combination setting.

  12. I thought the Japanese were relatively honest, and this sort of thing wouldn’t be necessary!
    oh well.

  13. I think some people are over-thinking it here – why would it matter if you stamped your documents with a number that just increased every time you stamped something? what if you forgot to increase the number, and what would be there to prove in which order you stamped documents? serialization doesn’t really prove anything unless you keep all the documents in one place.

    I think it’s pretty simple – you have a specific number that stamps your correct hanko, any other number will stamp the hanko with lines in different positions; the sheer number of lines and subtlety of placement makes it considerably harder to duplicate.

    1. oh, this image on the site seems to confirm my theory:


      Also this text (google translated)

      “First, dial the number registered in the bank seal like your own. According to withdraw at the bank when dialing numbers registered after using the rotating dial numbers randomly varying Please keep a seal.
      That way, you can register a seal case-dial number is stolen, so no one knows but you, a very low risk of unauthorized Brought important deposits are safe. (Limited to financial institutions have abolished the marked sub.)”

      So it seems like you register a certain hanko combination with your bank (if they participate) – and they have some sort of key to be able to tell if it’s correct. If your hanko is stolen no one can use it because they don’t know the correct combination, so it won’t match up with the bank.

    1. It is not and is not supposed to be either. If someone else manage to copy your Hanko all you need to do is get a new and a new PIN to reset to the beginning. If you lose your thumb print you can never reset it and will have to live with the possibility of your thumb being used as the basis for forgery all your life.

  14. Like hiragana and katakana are for written Japanese, this is an overly complicated solution, further compounding the problem. Hankos are cute and all, especially for children’s karate teachers, but impractical for daily life. Lots of people have very common names, and you can simply go to the stationary store and buy one.

    These function in Japan because, and only because, Japanese people rely on the fairly safe assumption that other Japanese people don’t do illegal things like commit fraud.

    So much of the daily functioning of Japanese society is predicated on other people not taking advantage of pretty obvious opportunities.

    1. Actually, most people get them custom made for anything official where security is important. Noone in their right mind would use a mass produced stamp as their registered seal because it offers no security whatsoever.

      As they are hand made, usually to order, the variations in the size, shape, whittling and placement of the characters is almost infinite. It’s a far more secure solution than a signature.

      1. The cheap ass ones you see in stationery shops are for normal, every day use (signing for documents, paying bills etc) where you don’t need the security afforded by your official seal. People carry round the cheapo ones, knowing that they can lose them without too much worry; their official seal is a completely different matter, and is usually kept at home under lock and key unles it is specifically needed.

    2. “Hankos are cute and all, especially for children’s karate teachers, but impractical for daily life. Lots of people have very common names, and you can simply go to the stationary store and buy one.”

      To put it in context:

      Signatures are cute and all, especially for children’s baseball teachers, but impractical for daily life. Lots of people have very common names, and you can simply scrawl their names.

      1. There is a lot of truth to that, you know. I certainly copied my father’s signature and when I wrote excuse notes after skipping school as a child.

        They’re both pretty easily copied, and you generally only find forgeries when you expressly look for them, which happens rarely.

        Fortunately, with my signature, I didn’t have to buy it — especially not an expensive personally-crafted one — I never forget and leave it at home like I have so often with my hanko (nor do I have to lock it up when it is home like poster Cynical said some do), and I don’t have to carry around a little circular red ink pad with me when I need to sign something.

    3. “Like hiragana and katakana are for written Japanese, this is an overly complicated solution”

      What? I’ve never, ever heard that before. What’s your issue with it? Is it because it’s a syllabary instead of an alphabet? At least it makes it possible to write everything phonetically, unlike English which is not at all suited to the Latin alphabet.

      I’ve heard people complain that kanji are complicated, but never hiragana and katakana. Is it because they have two sets of letters instead of one? That’s no worse than capital and lowercase letters that don’t look anything like each other. Is it because katakana is woefully inadequate at transliterating foreign words? I don’t see how that means it’s “overly complicated.”

      The only possible way I can interpret your comment is that you think it would have been better for them to come up with a system where the consonants are separate from the vowels, but THAT would really be overly complicated and unnecessary for a language that doesn’t have any consonant clusters or more than five vowels.

      If the consonants were written as separate entities instead of parts of syllables, it would be hard to see how consonant shifts are used. If か were written ‘ka’, you would have no idea it had anything to do with が (ga). If ひ,び,ぴ written as hi, bi, pi, they would appear to have no relation. はちひゃく (hachihyaku) being simplified to はっぴゃく (ha-pyaku) would make no sense, but with hiragana you can see the syllable drop and the consonant shift.

      /sorry for off-topic rant, that comment just confused me.

      1. Anon 37: No, no, you completely misinterpreted me. It wasn’t my main point anyway.

        I didn’t mean at all that hiragana/katakana are complex. Quite the contrary. I wish the Japanese would dump kanji and only use kana. After all, Korean society somehow didn’t descend into chaos when they did it.

        All I mean is that Chinese characters are clearly an inefficient fit for Japanese, a language that, at least structurally, is completely unrelated to Chinese. Instead of taking the obvious route by eliminating the characters and adopting a phonetic writing system like virtually every other language did looong ago, they keep them and add in yet more characters in an attempt to plug the holes — in this case being the verb conjugations, particles, etc.

        I simply was trying to say that this hanko solution is similar — adding further and unnecessary complexity to solve a problem. I didn’t explain this well, I suppose because I didn’t want to blab on and on like I just have.

  15. My guess is the dials are not a security feature. It’s a cost saving feature. Instead of turning out individual stamps that are all unique, you make thousands of this standard stamp.

    Different people might buy the same design, but because they’ve turned the dials to different positions, they each effectively have a “unique” stamp.

    One hundred number combinations isn’t that many. Maybe you buy this for your 6 year old kid as a toy/trainer, or use it yourself on unimportant things. Like when you accept documents from couriers. This way, your real stamps are only used for important stuff. The less you use it, the less likely is it that “bad people” will have a copy of it and make a fake.

  16. How to make this a Dynamic stamp:

    1) Assume the text being signed is digital and plain text such that there is some way a printed page could, unambiguously, be re-rendered as digital text.

    2) md5 check sum this (to make a short version not to encrypt it) and encode that with your private key.

    3) write this short string on the document.

    4) take the last two digits of that and set the chop to that pair ov values.

    5) stamp it.

  17. It does make sense, and two digits does seem like a reasonable hash size for generating the hash around the document. Not, however, for the suggestion of a click-cap.

    The reason is that security doesn’t need to prevent as much as slow down. If it were a cap, the thief could fiddle with combinations until the cap popped off. Having the dials alter the imprint itself and not give a sign whether you’re correct or not makes testing the stolen hanto take much, much longer. The longer it takes, the greater the risk of detection, or invalidation when the hanto is reported missing.

  18. “I’m not sure how people can tell whether or not a correct combination was used, though. perhaps a Japanese reader can explain.”

    Not sure why a Japanese reader could explain this, since the product is not used. The print surface seems to be made up of outer and inner rings. It looks like setting the combination would also turn some of the these rings changing the print surface, resulting in a different stamp. So wrong combination means the stamp itself would look different. Quite clever.

    But unfortunately nobody bothers to check stamps (or signatures) against originals anyway. Honestly, who has the time? It’s only when the authenticity of a document is disputed that someone bothers to check. And in such a case, there are countless other factors that go in to determining whether something was actually agreed to or not. The signature or stamp itself usually mean little to nothing.

  19. Yeah, sounds like if I have an image of your valid stamp and a potato to carve it into, I can duplicate your mark. Not very secure unless you start incorporating some sort of cryptographically secure addition to make each use certifiably unique.

    1. @blackanvil: If you had an image of a hanko, and copied it into a potato, then it would be as obvious a fake as if you had tried to carve someone’s fingerprint in the potato.

      I think you underestimate the resolution to which these seals are typically scanned.

      @dainel: yes, this does look like a mass-production-of-unique-hankos idea. If you look carefully at the image, you’ll see “8” above the 1, so only 8*8=64 combinations: even fewer than a 1-in-100 chance of collisions between two people with the same name. Though could be 1/256 if you count “Halfway between” as a valid number. And if the two surrounding bezels are selected from a range of, say, 8 of each, then the chances of a collision drop to 1 in 4k.

      And if the centre hanko can be replaced with a handmade one on a standardised fitting, then it’s pure security.

      @kaiza: the combination doesn’t merely unlock the stamp, because a combination lock, once stolen, is trivially brute-forceable, or smashable. If they found the combination that unlocks the stamp, they’d know instantly that they had found the right combo.

      With the proposed system, they wouldn’t know they’d got the wrong combination until they tried it at the bank, and the bank’s computer threw up a mismatch. If they tried *that* several times, they’d certainly raise suspicions.

      To be honest, I’m surprised that similar puzzle-hankos haven’t been used for centuries.

  20. Price = 210,000 yen. I haven’t seen anyone mention that in the comments, yet. My Japanese contacts are business executives of a high level, and they each typically have FOUR stamps: one for the bank, as mentioned, the “under lock and key” stamp for municipal documents, a common one for everyday use and another for the wife (it’s a complicated system for a salaryman — prnounced sa-lar-ii-man); the man earns the paycheck, then typically turns it over in it’s entirity to his wife who is then responsible for the household expenses (that’s the 4th one). They tell me my real name in Kanji is “Dancing Arrow.” :) Aside from sounding like a bad Kevin Costner movie, that’s kind of cool; I’m a Sagitarrius and that astrological symbol is an arrow with a cross to represent a bit of the bow. Anyway, 210,000 yen is A LOT. “The good ones” are carved for about 100,000 yen. Plastic is 15,000 yen (good enough for schoolboy excuse notes, as mentioned above).

  21. Given the price, why don’t people just carve their own? They worried their chisel-work will look bad, I guess?

    But the puzzle-dial part of this is something most makers could make, much cheaper and more unique.

Comments are closed.