Today I received another obvious scam. Well, basically any email from a bank referring to PINs and/or TANs (for those poor US bank customers: German banks all use one-time passwords) is obviously a scam. Especially when it’s a really bad translation…

So I wonder whether I, as an intelligent user, should maybe still go to this scammer’s page - and enter deliberately incorrect data.

For example by calling

wget "http://202.129.53.211:8081/postbank/privat/app/submit.php?konto=$RANDOM&pin=$RANDOM&tan1=$RANDOM&tan2=$RANDOM&tan3=$RANDOM"

Yeah, they probably have to filter their data anyway. But are you sure they can tell “good” values from “bad” ones? How likely do you think it is that I accidentally hit a legitimate user’s account number, and that he then suffers from his account being accidentally locked?
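The wget call above, expanded into a small bash script. This is an added example, not a command from the original post. Its point is the filtering question: bash’s $RANDOM only yields values from 0 to 32767, so every field in the original call could be dropped by a trivial length check. The script instead draws each field at a plausible width from /dev/urandom. The widths (10-digit account number, 5-digit PIN, 6-digit TANs), the curl submission and the delay between requests are assumptions of mine, not anything the post specifies; only the parameter names come from the post’s URL. It sends nothing unless DECOY_SUBMIT=1 is set and otherwise prints the URLs it would request. It does nothing about the collision concern raised above: a well-formed random account number can still be a real one.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate decoy credentials with
# plausible field widths and submit them to a phishing form, GET-style, with
# the same parameter names as the post's wget call.
#
# Assumed widths (not stated on the page): 10-digit Kontonummer, 5-digit PIN,
# 6-digit TANs. Adjust to whatever the form you are looking at expects.

# random_digits N: print N decimal digits drawn from /dev/urandom.
# tr keeps only '0'-'9', so every digit is equally likely (no modulo bias).
random_digits() {
  LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$1"
}

# make_decoy: print one record "konto pin tan1 tan2 tan3".
make_decoy() {
  printf '%s %s %s %s %s\n' \
    "$(random_digits 10)" "$(random_digits 5)" \
    "$(random_digits 6)" "$(random_digits 6)" "$(random_digits 6)"
}

# build_url BASE KONTO PIN TAN1 TAN2 TAN3: assemble the query string in the
# shape of the post's wget call.
build_url() {
  printf '%s?konto=%s&pin=%s&tan1=%s&tan2=%s&tan3=%s\n' "$@"
}

# submit_decoys BASE COUNT: send COUNT decoy records to BASE.
# Only performs requests when DECOY_SUBMIT=1; otherwise prints the URLs
# (dry run). With DECOY_SUBMIT=1 it sleeps 1-5 s between requests so the
# submissions do not arrive as one burst.
submit_decoys() {
  local base=$1 n=${2:-1} i=0 url
  while [ "$i" -lt "$n" ]; do
    # shellcheck disable=SC2046  # word-splitting the digit-only record is intended
    set -- $(make_decoy)
    url=$(build_url "$base" "$@")
    if [ "${DECOY_SUBMIT:-0}" = 1 ]; then
      # -A: a browser-looking User-Agent; wget's default one is a giveaway.
      curl -s -o /dev/null -A "Mozilla/5.0" "$url"
      sleep $(( $(random_digits 1) % 5 + 1 ))
    else
      printf '%s\n' "$url"
    fi
    i=$((i + 1))
  done
}

# Usage (dry run, prints three URLs):
#   submit_decoys "http://202.129.53.211:8081/postbank/privat/app/submit.php" 3
# Live:
#   DECOY_SUBMIT=1 submit_decoys "http://.../submit.php" 20
```

Two caveats a practitioner would want: the GET shape is copied from the post, but a real form may POST, set cookies or include a hidden token, so look at the page’s HTML first; and the script deliberately does not try to avoid real account numbers, because without the bank’s cooperation there is no way to know which numbers are in use.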

Does this help the banks to detect this scammer, and filter him somehow (e.g. by saying “invalid PIN” even when it’s valid) after enough incorrect tries?

Hmm… maybe the banks should provide an API to request invalid account numbers to submit to scammers. Then they could e.g. set a cookie or set up IP filters and fight back against these scammers.