Impersonation, in any modern form, depends on the impersonator being able to answer the questions that the genuine person would be expected to answer. The full name. The date of birth. The mother's maiden name. The previous address. The recent transactions. The names of family members. The schools attended. The professional history.

Almost all of this is, in modern conditions, available on the public record. The full name and date of birth are routinely findable on registers. The mother's maiden name is recoverable from the marriage register. The previous address is in the electoral roll, the property register, and the credit databases that are sometimes leaked. The professional history is on the directories that the principal themselves has populated.

The questions that procedures have used for years to confirm identity were chosen, in good faith, because they were considered private. They are no longer private. They are, in many cases, the items most easily found about a person who has lived a connected life. The impersonator with patience does not need to guess; they need to assemble.

The procedures depending on those questions no longer perform the function they were designed for. The customer answering 'mother's maiden name' is no longer demonstrating something only they know. They are demonstrating something they share with every party that holds their data, plus every party that has acquired that data subsequently.

The work in this category is largely about replacing the procedures that depend on questions of this kind, in the accounts where it matters, with procedures that depend on something else. A physical token, a known device, a confirmation by callback on a registered line. The procedures take longer to administer, which is rather the point; their slowness reflects the fact that they ask something that an outsider cannot easily supply.