I just got locked out of an important banking account because I couldn't remember the answer to my verification questions...

I have mental issues that cause me to have a VERY bad memory.

Generally I use a password manager so I can still have unique and strong passwords for everything, and I even use 2-factor when I can.

Verification questions, on the other hand: usually I am forced to have a unique answer to each one AND there are like 5 for each company that uses them, and each company uses different questions.

I can't use a password manager and I can't reliably know the answers. Even something as simple as "what's your favourite movie"... I don't know. I like lots of movies? Did I pick a classic one from my childhood? A modern one that's pretty cool?

Where was your first date? I have absolutely no idea.

First dog's name? I don't know. I remember he was black. That's about it.

Do they even add any security at all?
I use the "notes" field on 1Password for just this sort of thing. Plus, I make them up, so if they ask me for my mother's maiden name, I would use something like "plexitrough", or my first pet is "Fortran". And I use different ones for different accounts.

To answer your final question, using the true answers to the question is in fact insecure, and has been known to be so for nearly 10 years.
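An added illustration of the approach in the comment above (not code from the thread or from 1Password): generate a random made-up answer per question and account, and compare its entropy with a "true" answer drawn from a small pool of plausible facts. The pool size of 10,000 plausible favourite movies is an assumed figure for the comparison.

```python
import math
import secrets

# Constructed syllable alphabet; the output is pronounceable nonsense
# like "plexitrough", never a real fact about the account owner.
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def fake_answer(syllables: int = 4) -> str:
    """Return a random pronounceable word built from CV syllables."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        for _ in range(syllables)
    )


def entropy_bits(choices: int) -> float:
    """Bits of entropy for a uniformly random pick among `choices`."""
    return math.log2(choices)


def fake_answer_bits(syllables: int = 4) -> float:
    """Entropy of fake_answer(): each syllable is one of |C|*|V| pairs."""
    return syllables * entropy_bits(len(CONSONANTS) * len(VOWELS))


def make_note(account: str, questions: list[str]) -> dict:
    """Build one per-account record (question -> random answer) to paste
    into the password manager's notes field; answers never repeat across
    accounts because each call draws fresh randomness."""
    return {"account": account,
            "answers": {q: fake_answer() for q in questions}}


if __name__ == "__main__":
    # Assumed pool: ~10,000 plausible "favourite movie" answers.
    print(f"true answer ~ {entropy_bits(10_000):.1f} bits")
    print(f"fake answer ~ {fake_answer_bits():.1f} bits")
    print(make_note("example-bank", ["favourite movie", "first pet"]))
```

A made-up four-syllable answer carries roughly twice the bits of a guessable real fact, and unlike the real fact it cannot be found in a breached profile or on social media.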
I'm willing to bet that for many companies, it's part of their regulations or pushed by their security teams as a best practice. The point was to add a second factor of authentication, but one that didn't require you to have a cell phone on hand. The problem is that it's very rare to find good questions that you can remember years from now that are not easily discoverable by a hacker. (I'm currently locked out of an Apple account because of this, especially with their practice of requiring you to get all 3 verification questions correct.)
If a hacker stole your data from a lousy credit rating bureau or the like - security questions are not information commonly associated with your SSN.

Every merchant/service in this case keeps their own "last line of defense" - your security Q/As.

While being a PITA sometimes - they are offering a way to steer the hacker away from you to easier targets.

You don't know how many times some bad guy failed to answer your security question and moved on.

But this does happen often.
Not to mention, I now have to call in - using your company resources on a call, wasting time with a call rep and not to mention pissing me off so I might switch.
Not an hour goes by these days without a service forcing me to enter information for security. It's so out of hand. Same basic tragedy of the commons as every app thinking it belongs in the systray. Except now every service thinks it needs to ask me questions, text my phone, check my IP, and send warning emails every 15 minutes. And I'm not talking banks, here.