An appsec anti-pattern I absolutely hate is asking users to turn over their financial credentials to "verify" account ownership, such as adding a bank account (think @Plaid and @Yodlee).
This habituates users to give away their credentials, NOT something we want to teach them.