1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Is This A Scam?

Discussion in 'Ducati General Discussion' started by Coman, Mar 23, 2018.

  1. I just got an email, apparently from Ducati, asking me to update my password.

    Hi Peter,


    The Ducati website has a brand new look to offer a more entertaining and engaging experience.
    In order to access your Ducati profile, we kindly request that you update and change your password so you can find all the services we have designed for you.


    I clicked on the link to find out what it is a bout

    https://my.ducati.com/gb/en/register/ducati?rid=1-65PEMT&webLogin=peter@####.###.com

    And it opened what looked like a Ducati web page. There are two things which arouse my suspicion: 1) the web address starts www.my.ducati.com which I don't recognise (not just Ducati.com without the my.) and the page opens with no preamble. And 2) It does not ask for my existing password, just to enter a new password.

    That does not ring true to me.

    Anyone else get that email? I'm not doing anything, certainly not changing my password.
     
    #1 Coman, Mar 23, 2018
    Last edited: Mar 23, 2018
  2. Thanks for publishing your Ducati web login name. We shall all now attempt to guess your password and buy loadsa V4s.
     
    • Funny Funny x 2
    • Agree Agree x 1
  3. No need to guess, the link let’s you simply enter your chosen new password so just pick one and crack on :joy:

    Anyway, nothing dodgy about having ‘me’ in front of a proper domain. It’s called a subdomain and can just be a neat way of organising and segregating different functions of your website.
     
  4. Fine bootsam. When you've paid for them get back in touch and drop them round to me.
     
  5. Got that too
    Posted it to junk
     
    • Agree Agree x 1
  6. I’ve just had an email too asking the same.
     
  7. Your email address in the URL is a big GDPR no-no. Any company worth it's salt shouldn't be doing that even though it's not yet enforceable. Maybe remove that from your post?

    However the URL does appear genuine as my.ducati.com is just a sub-domain of ducati.com. It also has a valid and legitimate SSL certificate, though not a particularly high end one.

    The hosting server is in the US whereas the one for ducati.com is in Italy. my.ducati.com resolves to 4.0p10y00000181mhsay.00d0y000000yiyauao.gslb.siteforce.com, which is a CRM outfit; sort of thing used by marketeers so not really unexpected.

    The main worry would be the email address in the querystring of the URL. That's openly confirming that, having sent the email to that address that it is a live and active email address, a spammers wet dream if you can get thousands of these, it's a saleable commodity.

    I would be looking at the email headers to find the geographical source of the email, this is what often confirms my suspicions on messages such as this.

    You have to ask yourself the question; do you need what this site seems to be offering anyway?
     
    • Like Like x 2
  8. I got it too. Looks legit from the email address it came from.
     
  9. I've received it also.
    Steve
     
  10. It is a marketing scam to try and get you to marry the brand more and buy more new Ducati motorcycles :eek:
    Don't listen to it, just buy the older better ones that you won't loose money on dudes :cool::upyeah:
     
    • Like Like x 1
    • Funny Funny x 1
    • Agree Agree x 1
    • Useful Useful x 1
  11. yes..got one also.
     
  12. I got it too
    Doesn’t really do much though, as previously stated it’s a marketing tool
     
  13. There's only one Ducati forum for me !! :kissing_heart:
     
    • Like Like x 1
  14. Erm, not quite. It's totally enforceable. EU is in an "implementation phase" for GDPR and 25th May 2018 is the drop dead date by which you must be compliant. It is a limit, not a target. It's the eye-watering-business-ending fines which go live after 25th May.

    So Ducati have either sold or outsourced and shared our personally identifiable data with a 3rd party without a "double opt-in". That's an even bigger GDPR non-compliance than the email in the URL and constitutes a breach. Even if the organisation is outside in the US, the entity sharing data belonging to a "data subject" is obligated under GDPR to ensure that parties that they work with are also GDPR compliant, regardless of location.

    I guard and manage my PI fairly carefully and I shall be having words with Ducati if my PI is now outside of their organisation - for any purpose.

    The link I received actually goes back to mag-news.it, it's not even a Ducati subdomain and it's not even https, merely http. There's no fucking way I'm doing anything with that other than contacting Ducati to find out who they've shared my data with. Not happy at all. Trust me, they are properly fucked.
     
    • Like Like x 1
    • Thanks Thanks x 1
  15. Shit-a-gram already on it's way to Ducati Motor Holdings Spa. I've already got a couple of PPI and insurance claims companies spinning around in shit-stained-GDPR circles.

    I can't wait until 25th May, there is going to be some epic payback for all the crap these marketing twats put customers through. Facebook and Cambridge Analytica is just the start.
     
    • Like Like x 2
  16. Dont fancy writing me some letters/emails do you?

    Ive lost count of the amount of times I've opted out of marketing, unsubscribed, written directly and asked to be removed from lists and yet they still keep coming from the same repeat offenders.

    Im all up for companies I've done business with to contact me to try and boost their sales, no issue with that at all, as long as i get to say when to stop.

    Its the ones that don't complete the data removal, or that don't give a shit or even know where they've acquired your data from in the first place that makes my piss boil.

    Had a call yesterday from someone in 'insurance' , when i asked where they acquired my data and what list its circulating on i was told they couldn't tell me because of data protection :thinkingface:
     
  17. I received this too. I haven't responded to it although I see that the linked URL is to ducati.mag-news.it and does NOT contain my email address. I wonder why Coman's does? The sending IP address comes up as
    IP Address Country Region City
    46.29.201.162 Italy [​IMG] Emilia-Romagna Faenza
     
  18. Spammers often split the load between different sending IP's otherwise they end up on the spam blacklists and find themselves unable to send anything at all. It's another reason why Ducati and many other companies don't actually send this crap themselves as it would trash the reputation of their own domain.

    There are a bunch of spam reputation entities (Spamhaus, etc) which a lot of hosting companies subscribe to. If a domain ends up on one of their databases then most email servers will refuse to forward email from that domain. You can get a domain removed from the black lists, but only 3 times and then it's perma-blacklist and nothing you can do about it.
     
  19. I should add that quite often these campaigns get dreamt up by some little shit-head marketing graduate that would sell his own grandmother to get ahead. They come up with ideas for absolutely brutal campaigns that pay no attention to any kind of ethics or any mere notion of a thing called privacy. They've got all the data about customers and never stop to think that just because they can do something with the data, should they do something with the data.

    Managers, etc, don't offer any oversight to what these green-behind-the-ears-shitheads get up to, and if they overstep the mark and look like they're going to cause reputational harm then historically they just sack them and move on. I work in IT infrastructure, security and compliance, and I see it all the time and I spend my entire life telling marketing fuckwits "No! You can't do that, you'll get us in trouble."

    After 25th May this is going to stop. The GDPR laws mean that ownership of data is changing - any information about you is owned by you, not the company that stores it or processes it. You have a default right to privacy, you have a right to know who your data has been shared with and you also have a right to have that data deleted if the company that holds it has no legal right to it.

    Ducati does have a legal right to process our data if we've bought one of their new bikes, so that they can support the bike and process warranty claims, etc, but once that bike is outside of warranty, that's it. Their obligation to retain and process your data stops. If they want to retain your data after that period then they MUST have your permission and it cannot be assumed - you must have consciously "opted in". The same goes for sharing your data and it is a completely separate "opt in". So you can approve the use of your data but not allow it to be shared.

    I've had a read of Ducati's privacy policy and it is horribly out of date. Some of the terminology is consistent with GDPR but it is worded as such to imply that any dealings with the company automatically allows them to also share your data with 3rd parties. That activity is going to get them fined after 25th May. Plain and simple.

    For weeks I've been struggling with the prospect of trading in my MT-10SP for a Panigale V4S, but this shit now makes me feel professionally conflicted in a fairly major way. I'm fucked if I'm dealing with a company that treats my privacy in this way. Yamaha YZF-R1M incoming instead. :mad:
     
  20. Got the same here.
     
Do Not Sell My Personal Information