The Old Milkman

I have strong memories of my childhood TV shows featuring milkmen as part of the storylines. I had never seen one come to my house and as I think back, most of these shows were broadcast in black and white and aired late at night on one of those old re-run channels. Back then, the need for fresh ingredients, specifically dairy, was high. Reliable supply chains with refrigerated trucks and storage were not as common as they are now. Going back even further, refrigeration was a luxury so keeping these items fresh was a priority. The option of having a daily delivery of dairy was the optimal choice for most middle-class households.

As the food supply chain matured and refrigerators were more common these products became readily available in supermarkets and local grocery stores. The supply chain improved and both businesses and consumers benefited.

The New Milkman

Today’s supply chains are so efficient, mature, and widespread that we are taking advantage by once again having our groceries (including dairy products), household cleaning supplies, paper goods, clothing, and other items delivered in 2 days, next day, or in some cases, the same day. The new ‘milkman’ dresses in brown or purple outfits, drives energy-efficient cargo trucks and can be seen multiple times a day around your neighborhood.

Businesses using eCommerce are making good use of available resources to deliver their products to consumers on demand (Instacart is a great example). But these businesses are also using a new supply chain to deliver content, enhancements, and to gather valuable data on their customers. This is the digital supply chain. Made up of third-party JavaScript vendors, this supply chain provides instantaneous content to customers.

Figure 1: JavaScript Supply Chain (Source Defense)

Chain Immaturity and Usage

This new supply chain is growing and evolving. New innovations in tracking and content delivery are constantly being developed. The eCommerce space has moved from being solely website-based to including apps and social media. Retail stores have embraced this space for two decades. Grocery stores, supermarkets, and local specialty retailers have been slower to adapt, but with the increase in isolation and distancing over the past six months, these retailers have seen a dramatic increase in eCommerce usage for everyday grocery items.

This sudden demand has increased the need for third-party JavaScript, that new supply chain, to deliver proper services to customers. Many smartphone apps for grocery delivery services saw a drastic increase in new user downloads from February to March of 2020.

Figure 2: App download growth according to apptopia (Grocery App Daily Downloads)

In addition to app downloads, total consumer spending in the food and beverage space is increasing year over year. Grocery spending, specifically, has increased dramatically when compared to eCommerce as a whole.

Figure 3: YOY ecommerce spending (Full Assortment Grocery Spending)

Simple Math

If we put our black hats on we would all come to one conclusion: supply chain immaturity plus increased usage and spending equals financial-gain opportunities. The third-party JavaScript landscape, while innovative and beneficial to businesses and consumers, has a severe security problem: any “.js” file referenced by a website’s HTML runs with full access to that site, so page elements can be skimmed, written, or hijacked. This weakness is what allows Magecart-style attacks to exist in the eCommerce world.
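The practical consequence of “any .js file referenced by the HTML has full access to the site” is that a defender has to know which scripts a page loads, which of them are third-party, and whether anything pins their content. The following Node.js script is an added example, not code from Source Defense or from this post: it audits a constructed HTML snippet for third-party <script> tags that lack a Subresource Integrity (SRI) hash and checks them against a Content-Security-Policy script-src allow list. The first-party origin, the HTML, the CSP string and the integrity hash placeholder are all constructed for the example; SRI and CSP are standard browser mitigations that the post itself does not name.

```javascript
// Added example (not Source Defense code): inventory the <script> tags in a page
// and flag third-party scripts that run without any integrity or policy control.
// Every sample value below is constructed for illustration.

const FIRST_PARTY_ORIGIN = "https://shop.example"; // constructed first-party origin

// Constructed checkout page: one first-party script, one pinned third-party
// widget, one unpinned third-party tracker, and one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://cdn.third-party.example/widget.js"
        integrity="sha384-PLACEHOLDER_HASH_NOT_REAL" crossorigin="anonymous"></script>
<script src="https://tracker.example/t.js"></script>
<script>window.dataLayer = [];</script>
</head><body><form id="checkout"><input name="cc" /></form></body></html>`;

// Constructed CSP header as the server would send it.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://cdn.third-party.example";

// Extract the attributes of every opening <script ...> tag (regex is enough
// for static HTML; a real audit should walk the live DOM after load, because
// scripts routinely inject further scripts at runtime).
function parseScriptTags(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    tags.push(attrs);
  }
  return tags;
}

// Return the script-src source list from a CSP string, or null if absent.
function scriptSrcAllowList(csp) {
  const directive = csp
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith("script-src "));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// Audit every external script: origin, first/third party, and control gaps.
function auditScripts(html, firstPartyOrigin, csp) {
  const allow = scriptSrcAllowList(csp);
  const report = [];
  for (const attrs of parseScriptTags(html)) {
    if (!attrs.src) continue; // inline scripts are out of scope for this check
    const origin = new URL(attrs.src).origin;
    const thirdParty = origin !== firstPartyOrigin;
    const issues = [];
    if (thirdParty && !attrs.integrity) issues.push("no SRI integrity attribute");
    if (thirdParty && attrs.integrity && attrs.crossorigin === undefined)
      issues.push("integrity without crossorigin (browser cannot verify it)");
    if (allow === null) issues.push("no script-src directive in CSP");
    else if (thirdParty && !allow.includes(origin) && !allow.includes("*"))
      issues.push("origin not in script-src allow list");
    report.push({ src: attrs.src, origin, thirdParty, issues });
  }
  return report;
}

// Count the scripts a reviewer must justify or fix.
function countFindings(report) {
  return report.filter((r) => r.issues.length > 0).length;
}

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, FIRST_PARTY_ORIGIN, SAMPLE_CSP), null, 2));
```

In the sample, the tracker script is the one a Magecart-style substitution would target: it is third-party, unpinned, and not even listed in the policy, so a changed file on that host would run on the checkout page without any browser-side check. The widget passes because its hash and origin are both pinned. Two caveats a practitioner should keep in mind: SRI only works for scripts whose bytes never change, which is exactly why tag managers and trackers usually ship without it, and a static HTML scan misses scripts that other scripts load at runtime, so the inventory has to be repeated against the rendered page. An inventory of this shape is the starting point for the script-authorization and integrity requirement in PCI DSS 4.0 (6.4.3) that the post mentions below.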

Businesses are liable for data privacy violations and fines, consumers have to deal with financial issues and identity theft issues, and the attacker sells this information for profit. Hundreds of thousands of dollars of information can be skimmed from a compromised site in hours or days. The full financial impact of these attacks is beyond detrimental to both the brand itself and its customers.

Food for thought

As grocery shopping skews to a more digital experience, both businesses and consumers need to understand the risk of eCommerce activity. Here at Source Defense we have the technology and experience to deal with this supply chain security problem. Using real-time client-side prevention of data theft, Source Defense can stop these attacks before they happen, so your supply chain maintains its effectiveness and your visitors are protected. There’s no crying over spilt milk with Source Defense by your side.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.