Yesterday I noticed an order for a "Conair Sound Therapy Pillow" on my Amazon order page. I asked my wife if she had made the purchase because I had not. She said she hadn't so I started to suspect we were the victim of a hack and started changing all our online passwords. The weird thing was that even though we had not made the purchase and it was billed to our credit card, the delivery address was our home address. Was this a half-hearted hack? A test hack? Was the hacker just seeing if they could pull off the unauthorized purchase without going through the trouble of shipping to a compromised address nearest them? I attempted to cancel the order but it was already shipping and too late to cancel. I wasn't worried about getting my money back from Amazon with their excellent customer service and return policy but I was worried the hacker would be emptying our bank account next.
I started going through the browsing history on our PC, phones, anything that left a digital trail. Did one of my mischevious co-workers find my phone unattended and placed the order using my Amazon app as a joke or a lesson? Had I butt-dialed the 1-Click Ordering button? I racked my brain and remembered you can order stuff from Amazon using Amazon Echo, aka Alexa. We have one but it is mostly used as an alarm clock, spell-checker and streaming music. We certainly had never made a purchase with it. Then I remembered we technically had three Echos on our account; One in Mississippi and two in Florida. "How?" you might ask. My wife had been telling her mother in Florida how useful Echo was and talked her into buying two, one for her bedroom and one for her kitchen. She didn't have an Amazon Prime account so I suggested she purchase them using our account since she didn't buy a lot of things online but would be able to stream music using our account.
Unfortunately, my mother-in-law broke her hip last week and had to have emergency hip replacement surgery. She has been in a rehab center since so it wasn't possible for the order to have been place using her Echos. Or was it?
I opened up my Amazon Echo app and went into the history settings where you can "view requests to Alexa" and lo and behold there it was! A request to Alexa to purchase the Conair pillow! But how did this happen with my mother-in-law convalescing away from her condo on the other side of town?
Well, it turns out the maintenance man in her building was taking advantage of her being away to paint the kitchen. While he was painting he was talking to his girlfriend via speakerphone and this is what transpired...
Click play hear the "request" for the pillow.
This was Alexa's response.
Click play to hear the confirmation to buy the pillow. All Alexa was listening for was an "ok" so when the girlfriend said "ok" over the speakerphone, Alexa placed the order. I found my "hacker"! lol
The Amazon Echo app has an option to turn off voice ordering or at least require a spoken 4-digit code to confirm purchases. This has since been turned on :) Thanks for looking!