Sites like PayPal still ask you for a “security question” (or two in case of PayPal). This question will be asked, in cases where you cannot use your login any more (e.g. when you don’t remember the password) and the email address is not usable any more (e.g. you did register your account using your business email address and you left the company). In such cases one or two questions will be asked that “only you can know”.
This concept is really old: you may have seen it in many movies even before the age of the internet when one person asks the other for details about a situation from the past. Unfortunately in the age of information distribution over the internet the core assumption of this concept is not true: your mother’s maiden name is known by many people. Surprised? Have a look at some of the nice services:
Such services do work with your data – and it’s not always under your control who enters data about you: your sister might have set up a family tree that includes her parents, grant parents and … you. So your name might have already been published to the internet with a connection to your grandpa – and this connection might provide the information of interest: the maiden name of your mother.
The second information might be the name of your first pet – which might be available through your Facebook profile?
So you can see: “real” information might not be something you should rely on for “security questions” – no matter what they are for, today. Tomorrow the site you provided a nearly public answer to such a question might use it to “protect” the change of your email address for password recovery procedures.
A better approach might be to let a tool generate a random string (https://lastpass.com/ does have one, if you like open source: http://passwordsafe.sourceforge.net/) and use that as an answer to one of the questions. Such questions are just another password – use long, unpredictable strings and don’t reuse them on different sites.