The end of security questions


Authentication is a big part of being an online citizen. In short, are you really you? We deal with this challenge every day. From choosing a password to decoding a cryptic set of letters, to selecting all of the traffic lights in a photo, to identifying where you went to high school or who your youngest second cousin is, we're caught in a security arms race: web sites attempting to protect themselves while the bad guys try to circumvent security steps.


We live online. But what about those security questions you've been using to prove you're you? Have they been living online with us so long that they’re no longer that secret?


  • Your family tree is probably online somewhere. This may seem like it’s of no interest to strangers, but if it has your mother's maiden name and that's what your credit card company uses, you’ve got a problem.

  • What about the security question of the street on which you grew up? That's probably online, too.

  • Birthdate? Facebook advertises that to all your friends if you let it. Twitter might show a picture of you celebrating your birthday. 

  • What about the "what is your favorite food" question? Check your last Yelp posting or Facebook status; maybe you disclosed it there.

  • That “city in which you were born”? Not too tricky to determine.


There are some techniques to help reduce the likelihood that your identity may get stolen (for more tips, see https://privacyrights.org/resource-types/guides ). The process of authenticating yourself to a web site is increasingly annoying, difficult, and time-consuming. And the bad guys are a) getting better at figuring out how to trick you, b) getting more access to your info as you live increasingly online, and c) gaining more incentives to do this because of the increasing amount of money people spend online.


What's the fix? There are some solutions like OpenID (http://openid.net/) but they aren't ubiquitous. More sophisticated technologies like biometrics or retinal scans aren't cost-effective, ubiquitous, or easy enough for most web sites to implement.


If you have the option to make your own security question, DO IT. Your “only I know the answer to this question” creativity will be better than any canned questions.


If you're given a choice of questions, think about what information is already available elsewhere. If you have the option to make your own question, DO IT, but DON'T use the same one on each web site. You might remember your first kiss, or who your 2nd grade teacher was. You might remember the nickname for your first pet. But before you choose these, think about whether you've disclosed them already. If the answer to a question a web site requires is too easily acquired, either come up with a different/wrong answer that only you know, or consider a different web site.

Mann Consulting, LLC

282 Second St. #400

San Francisco, CA 94105
