There are actually a few problems. While the DOB is harder to guess, the data isn’t exactly confidential, and quite apart from that it has only roughly 16,200 possible answers (12 months x 30 days x the birth years between the ages of 15 and 60), based on a plausible user demographic. An attacker brute-forcing the answer at an average speed of 1 guess per second would need only hours to exhaust them all. Which brings us to the next problem: there is no limit on the number of guesses an attacker may try before the account is locked.
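The arithmetic above, and the effect of the missing lockout, as an added worked example (not the article's own code): it sizes the DOB answer space, estimates the time to exhaust it at 1 guess per second, and models a hypothetical verifier that locks the account after repeated failures. The lockout thresholds (five failures, 30 minutes) are assumptions, not values from the page.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The page's rough estimate: 12 months x 30 days x the birth years
# covering ages 15 to 60 (45 years) gives about 16,200 candidate DOBs.
MONTHS, DAYS, YEARS = 12, 30, 45


def dob_keyspace() -> int:
    """Number of candidate dates of birth under the page's estimate."""
    return MONTHS * DAYS * YEARS


def hours_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every candidate with no lockout in place."""
    return keyspace / guesses_per_second / 3600


def hours_to_exhaust_with_lockout(keyspace: int, max_failures: int,
                                  lockout: timedelta) -> float:
    """Rough worst-case hours when only `max_failures` guesses are allowed
    per lockout window (ignores the time spent on the guesses themselves)."""
    windows = -(-keyspace // max_failures)  # ceiling division
    return windows * lockout.total_seconds() / 3600


@dataclass
class AnswerVerifier:
    """Hypothetical security-answer check with a failed-attempt lockout.
    Thresholds are assumptions; `now` is injected so tests need no sleeping."""
    expected: str
    max_failures: int = 5
    lockout: timedelta = timedelta(minutes=30)
    failures: int = 0
    locked_until: Optional[datetime] = None

    def check(self, guess: str, now: datetime) -> str:
        """Return 'locked', 'ok' or 'wrong'."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"  # refuse without even comparing
        if hmac.compare_digest(self.expected, guess):  # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout
        return "wrong"
```

With the assumed policy the same 16,200 guesses stretch from about 4.5 hours to roughly 1,620 hours of wall-clock time, and each lockout is an event the account owner and the SOC can be alerted on.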