By Kurtis Ming


TURLOCK (CBS13) — A Call Kurtis investigation uncovers a security flaw at your neighborhood Redbox kiosk.

When a Turlock viewer noticed the gaping hole in their security verification process he called Kurtis.

When you rent a movie and enter your credit card. They want your ZIP code to verify it’s really you.

But he learned you can enter any number you want and the sale goes through.

“I just noticed it and it was by accident,” said Tyler Combs.

After swiping his credit card Tyler Combs doesn’t mind punching in his ZIP code at the Redbox kiosk.

After all, the company said right on it’s machine, it’s “for verification purposes only.”

He enters the ZIP code 35791, which doesn’t even exist.

The machine accepts it he gets this DVD never checking the number against Tyler’s credit card information.

“That’s a concern,” he said.

Ryan Argyle also noticed it and wonders why he has to even enter a number.

“It should work the way it’s designed to work,” he said.

“They’re capturing that information for another reason, obviously,” Combs said.

“They’re really walking a tight rope here,” said consumer privacy attorney Jeff Keller.

He said it’s illegal to collect ZIP codes in California unless it’s for verification purposes.

A district court judge threw out a lawsuit against Redbox last year for collecting ZIP codes saying it served “a legitimate need — fraud prevention.”

But what if they’re not actually using ZIP codes to prevent fraud?

“Redbox is really gonna have to explain themselves about why they’re collecting this data,” he said.

Redbox refused to answer our questions, including why it requires ZIP codes, saying “we’re unable to comment.”

Concerned about privacy, Combs thinks the company owes him and its customers an explanation.

“They need to do something,” he said. “The only real option to do is to fix it.”

If companies break the law, they could be charged up to $1,000 per transaction, which could be billions of dollars.

Comments (2)