Current curbside procedure:

1.   Click on a URL,
2.   Fill in attributes about the car, your parking spot,
3.   Get a verification code on your smart phone's web screen
4.   Text and email are sent saying that staff will be out shortly
5.   Show verification code to the person and get your stuff.

Proposed change:

1.   Click on a URL
2.   Fill in attributes about the car, your parking spot,
3.   Verification code sent ONLY to the listed email and/or text number listed by the purchaser.
4.   Text and/or email has a means to indicate that either a) you are ready for the pick up or b) that the pick up is a bogus request.
5.   If selection (a), the clerk confirms the verification code and hands over the item.

Here's the case that inspired this suggestion.  My part arrived - something trivial that I was going to pick up in a day or two.  Some random person typed in the correct URL. Since the verification code was sent to their browser, they were able to take my goods.  I received a text telling me that my goods were being stolen, and there was no way for me to alert the store of the issue.  I falsely assumed that a lack of a correct ID would prevent the store clerk from giving away my purchase.  I then received a text saying that the item had been given away.

The current system assumes that a specific URL is sent to the customer - that they have exclusive ability to submit the URL.  I have no idea how this person got the URL for my purchase, but the fact is that they did.  Once they have that, there is nothing to stop them from stealing the item.  I was informed by the store that they were no responsible since the URL had been provided.  I can see from the manager's point of view that the issue is not worth pursuing.  I'm hoping that someone at the corporate level will realize the vulnerability inherent in your current procedure and fix it.