Sometimes a web site wants to go a little more in depth to make sure that you are the person you say you are, so it will ask you what is called a security question. These are supposed to be questions that go beyond your password. They are supposed to get personal and be things that only you, or maybe a few other people, know. In most cases that is true. As safe as they may seem, though, problems are being found with these types of questions as well.
The problem you are starting to see is that these types of security questions are being used more and more. This is especially true of web sites that use a technology called two-factor authentication. This technology works by allowing you to log into a web site only after you have entered your username and password and then answered a security question. Security questions are also used when you forget your password and the site needs to make sure that it is you asking for it.
The problem lies not in these web sites using security questions but in the fact that they are using the same security questions over and over again. How many web sites have you visited where the security question they ask you to supply is your mother's maiden name? Or what state you were born in? You see these all of the time, and they are very rarely something different.
You might be asking yourself why this is a problem. It is a problem because if a black hat hacker is targeting you, all of this information is not that hard to come by. With the internet how it is these days, most of the answers to these questions are publicly available. This is especially true with services such as Facebook. If a black hat hacker is able to get into your Facebook account, then they can very easily see your family ties. We put more information about ourselves online due to social media than ever before. Since a black hat hacker who is targeting you will already know which security questions certain web sites ask, they will do what they can to get that information.
The answer is for web sites to change the security questions that they use. A security question should be something unique, not something used by every other web site. This way a hacker has to at least do a little bit more work.