And then security only works if it's strictly enforced... the moment I read your message I had to think of Security Now's Horrifying PayPal Revelation of the Week. Check out Security Now Episode 188, and look for "Horrifying PayPal Revelation of the Week"....

I'm going to kill the suspense: the security question was the last 4 digits of the bank account linked to the account, and the person who forgot his password was able to guess these numbers, with a little help from Paypal's customer service rep....

Yeah, that's what you want in a public place...

"That's five four two three"
"I'm sorry, what was the first number?"
"Five four two three!"
"Four five?"
"No, FIVE FOUR TWO THREE!!!"

And the shady looking man three tables down is thanking you on his way out...

The main problem I think is that a lot of businesses use it as if it were a secret. If that mindset would change, the problem would go away.

"So you say you're Mike Jones. We need to verify that. What are the last 4 digits of your SSN?"
- "Hold on, let me get your last bill, where it's printed on the top of every page."

How can that be used as a security measure? Using an identifier as an authentication method is simply a BAD IDEA.

Right, right. Because IT people are going to be more knowledgeable than SALES people who make their LIVING persuading people.

The idea is that you give arguments why it is a bad idea, and convey them in layman terms. If Einstein was able to explain the Special Relativity Theory by talking about a person on a train with a flash light, we in IT should be able to do something like that too!

Oh, that's only a factor of.... err.. 500? Oops.

Reminds me of a high school chemistry teacher showing us the difference between Na and K. His words:

"Na is very reactive, so we drop only a small amount in water to show the reaction." - poof

"K is a little less reactive, so we can drop a larger amount in water." - BAMMM! (and one erlenmeyer explodes in front of 35 students)

Of course, today that would mean the teacher would be sued by the parents for endangering the lives of all those students. But in my day, this means that 30 years later I remember that K is less reactive than Na, but not by very much.