Have you experienced being asked to provide, or confirm, a so-called security question over the telephone "to prove that it is you" where there is little or no security in the information?
For example, mother's maiden name.
For some people that might be quite secure if, for example, the person lives away from where they grew up or if their parents had moved house after they were married.
But if someone grew up in a rural area and their mother was a local girl and had a brother who had a son, then it is well-known what their mother's maiden name was.
Or two cousins whose mothers are sisters.
Or, "for security", your date of birth.
I once had a credit card where they wrote to me that they had a new facility where I could find out my balance by telephoning [number] and then keying a four digit .security number that (supposedly) "only you will know", namely the last two digits of your year of birth and the last two digits of your home telephone number.
The real problem with this is that if something goes wrong then the organisation is quite likely to seek a defence of saying that they asked security questions and they were answered correctly and so they "had to assume" that the caller was genuine.
I was asked for mother's maiden name when I got a debit card, "for security". I declined and said I would use a password instead, and that was accepted.
Years later, I was asked for two letters of my security password and the asker (I had rung them) said "it may be your mother's maiden name". I stated the two letters but did mention that it was not in fact my mother's maiden name but a password.