I thought I’ve seen every design anti-pattern out there but had the luck to run into a new one a couple of days ago. I was buying domains on Namecheap and ended up going through checkout without verifying the payment details. Turns out that I had an old credit card on file which led to a declined payment. I was redirected to a page that told me to update my payment methods but instead of doing that I ended up hitting back and refreshed the page which triggered another failed charge attempt. One more and I’m locked out of my account.
Ironically, other than speaking to a rep the only way to unlock my account was by entering the last 4 digits of the credit card which I no longer have. It only took a few minutes to clear that up with the rep and it was basically my fault but it’s still interesting to see security questions based on ephemeral information. Old accounts are likely to have outdated credit cards, phone numbers, and addresses. In those cases it’s too easy to get locked out and be stuck with having to speak to a service rep - and I suspect most companies won’t be as responsive as Namecheap.