A Retailer’s Journey in Protecting Against Web Supply Chain Attacks

This guest blog was contributed by Ronny Ong, Technical Architect at ReadingGlasses.com.

From opening our first Reading Glasses boutique store in 1987 to launching in 2000 what is now the world’s largest online store for designer reading glasses and reading sunglasses, we’ve always been dedicated to innovating and delivering the very best shopping experience to our customers.


Today, ReadingGlasses.com customers can browse thousands of products in seconds, using our state-of-the-art product search. We’re able to offer our online customers the same level of service enjoyed by our in-store customers for decades, with ease and flexibility of selection across everything from color to frame material, lens type or favorite brands. Our standard shipping is free every day (both ways), but we realize this may not be enough because we don’t have a big name recognized by everyone.


Among the ways we try to reassure new shoppers is by accepting a wide range of checkout/payment options including Amazon Payments, Apple Pay/Google Pay, and PayPal. Any customer who might be reluctant to submit their credit card number to us can choose to go through any of these third parties that they already trust (subject to availability based on various factors such as device/browser type). But there’s a catch: We must maintain connections between our site and multiple third parties, not just for these payment providers but also other vendors who help us optimize our site performance. Some sites don’t bother to make sure their external connections are totally secure on an ongoing basis, but we consider it our responsibility.


During recent years, most major online retailers strengthened their defenses against the common hacking methods that criminals relied on in the past. Unfortunately, this merely pushed many of those criminals toward new methods. Whereas their old methods typically tried to exploit holes on the server side (e.g. firewall bugs, SQL injection, weak passwords for administrator logins, etc.), their newer methods now target the browser side by injecting malicious JavaScript or other browser-side code, often indirectly: without needing to compromise the retailer’s own servers/network at all, they go through one of the retailer’s third party “partners,” or sometimes through a phony browser add-in/toolbar that the shopper was tricked into installing.


Some of these newer security breaches only result in your web browsing getting tracked by marketers/advertisers, but they can also steal your credit card numbers, passwords, bank account numbers, Social Security number, and other confidential information. The ones which do this are known as “web skimmers” (like the magnetic stripe readers that crooks have attached to gas pumps and ATMs), and this kind of cybersecurity attack is called “Magecart.” The important thing to understand about Magecart is that it is capable of intercepting your usage of a site regardless of how much effort/expense the site has invested in securing its own servers/network. Although Magecart isn’t the biggest threat out there (yet), we refused to wait. For many years, we’ve been a leader at protecting the personal information of our online shoppers, and we wanted to keep it that way.


Finding the best solution


Developers of major web browsers (Apple, Google, Microsoft, Mozilla) had already created mechanisms known as security policies that sites like ours can use to guard against attacks like Magecart, but full implementation of these policies plus ongoing monitoring/maintenance is not a simple task. We saw that chase.com had already become a leader in the financial industry at adopting these security policies on their site, but ReadingGlasses.com is a comparatively tiny business, lacking Chase’s budget/resources, so we went looking for help.


All of the options we considered in early 2020 were either half-baked or works in progress, so we were tempted to suspend our evaluation and revisit in a year or two, but it was clear that Tala’s determination to solve the Magecart threat was so much more extensive than anyone else’s that we were certain to choose Tala sooner or later.

Granted, we did initially encounter a few minor technical challenges while integrating Tala’s offering into our existing web site infrastructure, but Tala was extraordinarily responsive and immediately understood our concerns, allowing us to quickly resolve all of our obstacles. Our decision in 2020 did not take into account the industry awards won by Tala, but in hindsight, it’s obvious to us how Tala earned them.


Benefits and business impact


Following the successful deployment of Tala Security, we have realized significant benefits and business impacts:

  • Cost and resource savings: Tala’s automation of standards-based controls has led to significant cost savings: it could have otherwise taken a dedicated security engineer to maintain Content Security Policy (CSP) and other browser-side security policies that we were committed to embracing.

  • Enhanced reporting and continuous monitoring: Through Tala, we have been able to continuously monitor our third party vendors for suspicious tampering with their code. Tala has also provided us with the tools to continuously vet critical scripts for indicators of compromise and to approve new third party scripts. Additionally, Tala monitors data flows in the browser to ensure that allowed scripts don’t misbehave.

  • Near-zero performance impact: Tala has simplified operations without any impact to key metrics like page load times and time to first byte.
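The browser security policies mentioned above (and the Content Security Policy that Tala maintains for us) work by telling the browser which origins may supply scripts, which origins a page may connect to, and where forms may be submitted. The following added example, which is not code from ReadingGlasses.com or Tala, is a small Python evaluator that parses a CSP header and decides, for a list of page events, which would be allowed and which the browser would block and report. The site origin, the policy, and every hostname in it are constructed placeholders; nonces, hashes and path matching are deliberately left out.

```python
from urllib.parse import urlparse

# Constructed example policy; the hostnames are placeholders, not any real
# retailer's or payment provider's domains.
SITE_ORIGIN = "https://shop.example.test"
POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://pay.example-payments.test https://*.cdn-vendor.test; "
    "connect-src 'self' https://api.example-payments.test; "
    "form-action 'self' https://checkout.example-payments.test; "
    "report-uri https://csp-report.example.test/report"
)

# Directive governing each kind of browser action, and whether it falls back
# to default-src when absent (script-src and connect-src do, form-action does not).
GOVERNING = {
    "script": ("script-src", True),
    "connect": ("connect-src", True),
    "form": ("form-action", False),
}

# Constructed page events: (kind, url). The "unlisted-origin.test" entries stand
# for a script, a fetch and a form post to an origin the policy never approved.
EVENTS = [
    ("script", "https://shop.example.test/js/app.js"),
    ("script", "https://pay.example-payments.test/checkout.js"),
    ("script", "https://static.cdn-vendor.test/lib.js"),
    ("script", "https://unlisted-origin.test/s.js"),
    ("connect", "https://api.example-payments.test/v1/token"),
    ("connect", "https://unlisted-origin.test/collect"),
    ("form", "https://checkout.example-payments.test/submit"),
    ("form", "https://unlisted-origin.test/submit"),
]


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    u = urlparse(url)
    return u.scheme.lower(), (u.hostname or "").lower()


def source_matches(source, url, site_origin):
    """True if one CSP source expression permits url.

    Handles 'self', 'none', scheme-only sources (https:), exact origins,
    host-only sources and wildcard hosts (https://*.vendor.test).
    Keyword sources such as nonces and hashes are not modelled and never match.
    """
    s = source.lower()
    scheme, host = _origin(url)
    if s == "'none'":
        return False
    if s == "'self'":
        return (scheme, host) == _origin(site_origin)
    if s.startswith("'"):
        return False
    if "://" in s:
        sscheme, shost = s.split("://", 1)
    elif s.endswith(":"):
        return scheme == s[:-1]          # scheme-only source, e.g. https:
    else:
        sscheme, shost = None, s         # bare host, any scheme
    shost = shost.split("/", 1)[0].split(":", 1)[0]
    if sscheme is not None and sscheme != scheme:
        return False
    if shost.startswith("*."):
        # Wildcard covers subdomains only, not the bare parent host.
        return host.endswith(shost[1:]) and host != shost[2:]
    return host == shost


def governing_sources(policy, kind):
    directive, falls_back = GOVERNING[kind]
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if falls_back else None


def is_allowed(policy, site_origin, kind, url):
    sources = governing_sources(policy, kind)
    if sources is None:
        return True  # no applicable directive: the browser imposes no restriction
    return any(source_matches(src, url, site_origin) for src in sources)


def evaluate(header, site_origin, events):
    """Return (allowed, blocked) lists of (kind, url) under the policy."""
    policy = parse_csp(header)
    allowed, blocked = [], []
    for kind, url in events:
        (allowed if is_allowed(policy, site_origin, kind, url) else blocked).append((kind, url))
    return allowed, blocked


if __name__ == "__main__":
    ok, denied = evaluate(POLICY, SITE_ORIGIN, EVENTS)
    for kind, url in denied:
        print(f"blocked {kind:7s} {url}  (report to {parse_csp(POLICY)['report-uri'][0]})")
```

Running the block lists the three events to the unlisted origin as blocked: the injected script never executes, and even if a listed script misbehaved, the `connect-src` and `form-action` directives stop it from sending data anywhere the policy does not name. Every block is also reported to the `report-uri` endpoint, which is the raw material for the continuous monitoring described above; a production policy adds nonces or hashes for inline code, which this evaluator does not model.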
