[dawnerd]

Sad part is they're stored often plain text and agents can read and even sometimes use their own judgement so a little social engineering acting like a confused older customer could be an easy bypass - especially if the agent sees it as a keyboard mash.

I till use random security questions though, better than the alternative.

One time I was trying to set up a security question and it kept saying the info doesn't match their records and it seemed they were actually validating against public records. How friggin stupid.