Redbox Shows Businesses How To Properly Handle A Data Breach

Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country, and on Friday they announced that they’d found credit card skimmers attached to three of their kiosks. What’s surprising is that they ‘fessed up so quickly, and in a highly public manner—they’ve got the text “SECURITY ALERT” at the top and bottom of their website, and the email they sent to their members is detailed, forthright, and helpful, and reposted in its entirety—along with photos of sample card skimmers—on their site. Attempts at identity theft no longer surprise us, but a competent handling of the issue by a company is pretty amazing.

One reader, Meiran, put it this way: “I’m rather impressed by their reaction, it seems like most modern companies would attempt to push this under the rug and pretend it didn’t happen, leaving customers to wonder what those strange charges on their statements are.”

According to Wikipedia, the company is mostly owned by McDonald’s and Coinstar, so it’s not like this is an example of a start-up that’s never encountered the heavy hand of corporate influence. This means Redbox’s board of directors intentionally chose to be proactive on the matter. They seem to have figured out something that lots of other companies still struggle with, which is that if you empower your customers to help protect themselves, they’ll help protect you, too. We wouldn’t be surprised if the next time a skimmer is detected, the alert comes from a customer who remembers Redbox’s email.

“Redbox Security Alert – Credit Card Skimmer Attempt” [redbox] (Thanks to everyone who sent this in!)

RELATED
“Redbox Warns Customers about Credit Card Skimming” [Hacking Netflix]

Comments


  1. cloudedice says:

    Maybe I’m just highly in tune with how scammy that skimmer looks, but how could you not know that something weird was going on with that machine?

  2. sonneillon says:

    I don’t know why someone else wouldn’t just steal the skimmer.

  3. Bye says:

    Point taken, but these machines are so new that people really don’t have something to compare them against.

    Kudos to Redbox although I’m not necessarily a fan of their business model.

  4. SpenceMan01 says:

    I love redbox, and I have yet to pay for a rental. We use free codes from [www.insideredbox.com] and be sure to get them back the next day before charges start. I figured that the cheap rentals had to be subsidized by the store where the machines reside (in our case, the local McDonalds), but I was both surprised and unsurprised to find out that redbox is partially owned by McDonalds.

  5. mamacat49 says:

    I, too, have yet to pay for a Redbox movie. They make it easy to use the codes, and I like getting an email telling me that it was returned. If you know you’re wanting to watch a movie tonight, it’s worth walking into a place to get it for $1.00. Another blow to Blockbuster.

  6. bohemian says:

    I have noticed our local ATM network has stopped using the machines that have the side swipe style card reader. They are either using the ancient kind that suck your card into the machine or the ones that you push the card in and pull it out fast. Someone had put a card reader on one of the newer side swipe machines about two years ago and now that I think about it I have not seen one of those side swipe style ATM machines in town since. Maybe redbox just needs to change the kind of card reader they use?

  7. bohemian says:

    @mamacat49: If they had one in walking distance we would probably use it. But returning said movie would cost me an extra $3 in gas to drive back to the nearest redbox and back.

  8. Thomas Palmer says:

    @bohemian: There are card skimmer devices that can fit over those style of card readers too, in fact they are even harder to notice. I would stick with the swipe devices that Redbox already uses.

  9. Shadowfire says:

    They quote wikipedia… interesting. :)

  10. cmdrsass says:

    @SpenceMan01: File this under Consumerist category: “Ruining it for everyone”

  11. cerbie says:

    @cloudedice: around here, FI, there are many vending machines that will take cards, and they have all had readers added. They look like hack jobs, but are legit. The picture shows a setup I bet most people would not notice.

  12. Mr_D says:

    I might be (am) a pessimist, but this isn’t really negligence on RedBox’s part – this is (I hope) a third party’s doing. If RedBox could be blamed, they might not be so forthcoming.

  13. econobiker says:

    It appears from their website photos that redbox already has a card skimmer format that includes a block to try to deter the add-on skimmer criminals…

  14. Pro-Pain says:

    This is just insane. They should start giving mandatory 10 year sentences at a Federal pound me in the ass prison for this crime. That’d stop them. Right?

  15. Kazari says:

    I think they deserve kudos for this.

    Also, I have gotten a few codes and gotten free rentals — but for the love of God, man, it’s a dollar.

  16. savvy9999 says:

    I would so love to find a skimmer and steal it and take it apart to see how it works. Not the reading part, but the how-does-it-store-memory part.

  17. RvLeshrac says:

    @savvy9999:

    The same way everything else stores the information.

  18. SuperJdynamite says:

    @cloudedice: “how could you not know that something weird was going on with that machine?”

    Did you look at the article? While the pictured skimmer looks pretty lame (you can clearly see both card readers) there’s another one on an ATM that looks reasonably legit.

  19. SuperJdynamite says:

    Why don’t they put one of those hologram certificate of authenticity stickers around the card reader? If I see something glued over the sticker I can be sure it’s a skimmer.

  20. cde says:

    @savvy9999: Buffered input to an eeprom. Nothing fancy. I too want one though, but with my luck, I see one, grab it, then police arrive to arrest me :/

  21. forgottenpassword says:

    good for redbox!

    I tried them a while back (because I got several free rental codes). But I hate the “only keep the movie for one day” thing, which is just inconvenient & expensive (especially with gas costs these days). Also… their movie selection sucked quite a bit.

  22. homerjay says:

    I love redbox and have done the ‘multiple promo code’ thing several times. Then I realized that they deserve my $1. I mean, it’s a buck. Really, is there any cheaper way to watch a movie that was just released?

    That being said, I HATE going back to the store to try and return a movie only to find that there’s a line of about 10 people in front of me. Each of them takes like 5 minutes and if you ask if you can cut in line just to return a movie (a 10 second act) people get all pissy…
    they should have a separate slot that only does returns.

  23. stopNgoBeau says:

    @homerjay: Agreed! Although my wait has only been 2 people deep, it is about 5 minutes per person as they stand there and go over every page to see what they want. I used to do that too, but now I just look online to see their selection before I get to the store. They even have it updated to each kiosk so you know that a movie should be there, but it’s currently sold out.

    I usually watch the movie the night I want it, or just copy it (OMGWTF!!!) to a hard drive to watch it later. I’ve only been late returning it once.

  24. coan_net says:

    So where are the Redbox located at in the US? Their website is useless since it only lets you search 20 miles from a location (so I know there are none within 20 miles of me), but I’m curious in what part of the US they are mostly located at?

  25. aka Cat says:

    We wouldn’t be surprised if the next time a skimmer is detected, the alert comes from a customer who remembers Redbox’s email.

    I don’t care how much I might despise a company. If I noticed skimmers attached to their card readers, I’d report it and mark it “out of order”. After all, it’s their customers who’re being robbed.

    Now, whether any company that makes my “despised” list would do anything about it, is something else entirely.

  26. mmcnary says:

    There are a bunch in the midwest, St. Louis has had them for a while and KC just recently started putting them out.

  27. WannaBblonde says:

    I rent the movies online and then go to the grocery store to pick up dinner, swipe my card at the Redbox machine – the movie pops out and it literally takes 15 seconds. I like the fact that I can find the movie I want and know it will be there for me. When you rent online they hold it until 9pm the next day for you so it’s pretty cool.

    I think I would notice if there were extra scanners but I bet most of my friends wouldn’t give it a second thought

  28. Verdigris says:

    @Rey: Redbox is hardly new. I worked for a McDonald’s about 2 years ago and we had one there. Then again this was in Minnesota and we are usually a test ground for new consumer devices/services cause we generally have the dumbest people. Dumb people = good testing ground to see if your product stands up to, well, dumb people…

  29. Giant_of_Landover says:

    @coan_net: You can find RedBox at just about every McDonald’s, many supermarkets, and I think now at select gas stations.

  30. CRSpartan01 says:

    @coan_net: We have a bunch up in Des Moines.

  31. mamacat49 says:

    @coan_net: I’m in NC and I have 6 within 5 miles of me (at McDonalds and 5 different grocery stores). If I actually think about it, I can combine it with a trip to the grocery store.

  32. IndyJaws says:

    Much love here for Redbox. I’ve actually found the selection to be pretty impressive for the size of the machine. I especially like being able to go online and reserve a movie to ensure that it’s in stock before I head out.

    I do hate the people who do the mindless searching of movies while others are watching. It certainly seems like they’re purposely taking their time (kind of like when you’re waiting for someone to pull out of a parking space and they do everything but balance their checkbook before letting you have the spot). The ability to return movies while someone else is browsing the selection would be a huge improvement.

  33. savvy9999 says:

    @RvLeshrac: I was hoping it would maybe be a little more sophisticated than that. Maybe write to a micro-SD card that could be surreptitiously removed and replaced… something a little less brute force than EEPROM.
    Does the whole chip have to be removed to be read out, or is there a serial or USB port on the skimmer?

  34. stre says:

    @Giant_of_Landover: obviously they’re not at just about every mcdonalds supermarket out there, since coan_net doesn’t have one within 20 miles (and who doesn’t have at least 15 mcdonalds within 20 miles [that’s more than 1200 square miles]), and i hadn’t seen a single redbox until moving to the chicago suburbs, so maybe preface your comment with “in my area…” next time.

  35. stre says:

    @savvy9999: are you researching for how to make one?

  36. gmss0205 says:

    It’s the best bargain in movies. For a dollar you get your movie. Sure beats Blockbuster. We actually cancelled all of our cable movie channels because nothing was ever on. Now when we want to watch something we just reserve it through the Web site and pick it up. We probably watch about 6-8 movies per month. $6 a month is much better than the $25 that we were spending for HBO, Showtime, Movie Channel.

  37. scoosdad says:

    According to Wikipedia, the company is mostly owned by McDonald’s and Coinstar

  38. scoosdad says:

    @scoosdad: …to continue:

    Makes sense, in my local supermarket this machine is sitting right next to the Coinstar machine. Would be nice if there was a tie-in. Exchange your coinage for free DVD rentals. I know there’s already ways to exchange your coins at face value for name branded gift cards (Amazon, for example) so this kind of a connection would not be surprising.

  39. Kazari says:

    There are lots of them in the DC area. I know that there aren’t any in central Florida, though.

  40. savvy9999 says:

    @stre: LOL, no, I just like to tinker with things. Through my work, at any given moment I have access to LOTS of valid CC #s… if I wanted to pull a scam I wouldn’t go through the hassle and risk of building & deploying one of these.

    Truth be told, I wouldn’t even know what to do with a list of CC #s. Go on a w00t buying binge for a week or a month before it all came crashing down? No thanks.

  41. DCGaymer says:

    Those card swipers cost a few bucks…so be sure to pry them off and take em home with you. Be sure you’re prying off the right card reader though before you do it.

  42. quagmire0 says:

    MY GOD! I had read the email from Redbox yesterday and wondered what those skimmers actually looked like so I could detect them. All this time I was thinking about how I would see the skimmer. THEY’RE FRIGGIN’ HUGE! :D How do people not notice that?!?

  43. cde says:

    @savvy9999: You can get them in different models. Serial or usb. Wired or bluetooth or irda. It’s all just serial-to-whatever inside. And why need a mini-sd or transflash? 4kb per credit card *max* times 1000 and you still don’t need more than like 1 megabyte of flash to store it. Remember, all a credit card holds is account number + name + expiration date, just like the front of the card. Text is very space saving :D

  44. SegamanXero says:

    redbox emailed me the warning, I’m very impressed how they handled this!
    I looked at the picture and can’t believe people fall for that, a skimmer on top of the normal scanner is very obvious… too obvious…
    anyways if I see one I’ll report it.

  45. Sys Admn says:

    @SpenceMan01:

    Even with the “free codes” it’s probably a net win for McDonalds. I’d bet enough of the people returning movies also make a purchase for McD’s to notice. And probably only a small percentage of those returns are within 24 hours. The machine’s only got to break even on the buck or two most people pay.

  46. SegamanXero says:

    screw that when I see a skimmer I’m stealing it… they cost about $300 to $400 per skimmer..
    I’m going to open it and do stuff to it

  47. kbarrett says:

    Don’t steal it. Call the police.

    They will either remove it, or have someone watch it to see who grabs it.

  48. Grrrrrrr, now with two buns made of bacon. says:

    I hope somebody from Hannaford’s is reading this.

  49. cloudedice says:

    @cerbie: I’ve seen a few of those legit “hack jobs”, but not one of them looked like two card readers put together.

    @SuperJdynamite: Yes I read the article, when it arrived in my inbox. I’ll agree that the ATM one looked legit, but I was specifically referring to the one on the RedBox machine. I probably wasn’t clear enough.

  50. Mary says:

    @Kazari: Agreed. I use the free codes when they send them to me (I subscribe to their email alerts) but for the most part, it’s a buck.

    Additionally, if you sign up every Monday they’ll send you a text message with a free rental code. It’s only valid that day, but a free rental once a week? Pretty good deal.

  51. Mary says:

    @forgottenpassword: You can keep the movie for as long as you like, it just costs $1 a day after the first day if you’re using a free code.

    And if you keep it long enough they tell you “You know what? Just keep it.” I think it’s 25 days for that.

    I like combining Redbox with my Netflix subscription. New releases? Redbox. Netflix is for old movies and tv shows (I currently have Roman Holiday and a disc of Monk on their way to me). Putting the two together is pretty cheap and has worked perfectly so far.

  52. fever says:

    Redbox is great. Coupon codes, $1 rentals, it makes the stuff my girlfriend wants me to watch with her almost painless. There’s also 5 machines within 3 miles of me, and a 24 hour accessible machine a couple miles farther on for those late-night cravings. I bemoan the removal of a Hollywood Video machine at the local grocery warehouse, but I could never find codes for it. It had a larger selection that stretched back a few years, though, and when a sequel came out, they would drop copies of the original movies in too. Now it’s a Redbox, oh well.

  53. SpenceMan01 says:

    @Sys Admn: Bingo. I always figured that McDonalds had some sort of agreement with Redbox. The boxes pull in traffic to the restaurants. It’d be interesting to see the stats of people making food purchases with their DVD rentals (or vice versa). It makes sense that McD’s owns them.

    People that pay for rentals subsidize my free rentals, just like people that pay credit card interest pay my cashback rebate. I remember reading something on the InsideRedbox site that Redbox knows of the code listing and that they’re ok with it; even like it. It’s cheap advertising for them. They could easily crack down on the promo codes if they wanted to.

  54. elephantattack says:

    @SpenceMan01:

    THANKS! That site is very nifty and is getting added to faves immediately!

  55. MEoip says:

    Redbox has been in my area (Indiana) for about a year. They work best in teams since you can return movies to any box the selection gets shifted around a bit since no two boxes in my area have all the same movies. They are outside McDonald’s and in the Marsh grocery stores. Kroger has some other brand of rental box but since I can’t reserve online I’ve never used it.

  56. Mary says:

    @SpenceMan01: “People that pay for rentals subsidize my free rentals”

    What about the people who pay rentals who don’t want to subsidize your free rentals? I know I’d much rather pass.

    Redbox offers enough codes themselves, there’s no reason to be subversive about it at all. I get a free code once a week, as I mentioned. Wouldn’t it be easier and nicer to go through them?

  57. Alan Thomas says:

    To reinforce the earlier point: The headline of this article is incorrect and irresponsible.

    This series of incidents does not represent a RedBox data breach in any possible meaning of the phrase. That would be like calling a fake red kettle a theft perpetrated by the Salvation Army, or accusing the U.S. Mint of being behind counterfeiting of our currency.

    RedBox discovered criminals using their kiosks to commit a crime. They, responsibly, notified the people most at risk of being “taken” by the skimmers–their customers.