Why is Mother’s Maiden Name still used as a security question?

Because people are lazy and/or incompetent. And, well, you know, the Internet is full of chimpanzees.

I would argue that all security questions are bad, but using the mother's maiden name is exceptionally bad:

  • At least in Sweden, I can find out anyone's maiden name just with a simple call to the tax office. It is literally public information.
  • It's 2018, and it's fairly common for couples to adopt the bride's name when getting married. Your mother's maiden name is then your surname. Great.
  • Luis Casillas rightly adds:

    There are dozens of countries, with billions of inhabitants between them, where women don't change their legal name when they marry. The United States in particular has huge immigrant minorities of people from such countries.

Seriously, there are no excuses for this. It's just bad.


"Security questions" may be the only solution to a hard problem. You've got a customer, they've lost their password (and their email access) and you'd both like to get them back.

It may not be proportionate to have them perform in-person verification at your offices or with a notary, which would really be the only totally secure solution (matching secure government ID against their appearance/biometrics).

I think banks (just as a for instance) which use this kind of verification have pretty good statistics on the prevalence of every type of fraud and will know the risks and benefits (e.g. say my bank needs to identify me when travelling overseas, they can't and they lose me a customer along with tens of thousands in lifetime profit - versus they allow fraudulent use of a card and lose tens of thousands directly - but they know only 5% of flagged transactions are actually fraudulent).


Lethargy and/or inertia

More seriously, institutions relied on this information being essentially secret for a few decades. The age of mass publicised data breaches is very recent.

Most organisations are slow to react to change.

Simple as