Security questions decrease account protection. Here's why:
I just signed up for a new Verizon DSL service. Upon signup, I was asked to create a password with certain properties — capitalize, numbers, special characters, between 8-20 characters, etc. and the choice of security question.
These were the security question options:
What was your favorite place to visit as a child?
Where did you and your spouse first meet?
What was the first live concert you attended?
What is the first name of your best friend?
What was the first name of your first roommate?
What is the name of a memorable place?
What was your favorite restaurant in college?
Let's put ourselves in the mindset of someone trying to gain access to my Verizon account. Black beanie with a striped shirt... check.
Questions 1 through 7 are easily solved by searching for my Facebook account. The task is easier if I were born after 1995 — whereby Facebook has a treasure trove of my personally-identifiable-information (PII). A great deal of PII is publicly available, but there is a simple countermeasure for when it is not: we can make a fake Facebook account with photos of a hot lady/dude in order to gain access to the target.
Friend requests from strangers with attractive photos should not be trusted. They just want to steal our PII.
If security answers can be found on Google, then they are not very secure.
This is precisely how Bitinstant was hacked for a large amount of money in 2013.
You can protect yourself by not answering security questions. Use a password manager (like keypass or onepass) to generate a new password. Then use that string of random characters as the answer to the security question.
ex. What was your first pet’s name? HqD36e4L2qkRBo
(which can make for some fun customer support interactions)
If you aren't using a password manager to generate complicated passwords, then just assume that your accounts are already compromised.
Web developers: Please stop using security questions in your applications. They make your user accounts less secure. Look at 2FA/MFA/XFA alternatives.
Edit 9/24/19: Check out HighSide