Not the direct point of the article, but as an aside, it really concerns me how easy it is to find a mother's maiden name these days, considering how often it's used as at least a partial proof of identity.
Being able to identify someone over the phone or internet is an incredibly hard problem that I think more startups should be working on. It is a constant battle between security and customer convenience. It is very frustrating being locked out of your own account because a company can't identify you correctly. If you combine that with the fact that companies are rarely held accountable for these security violations and it isn't a surprise that they optimize for customer convenience.
The best systems I have seen are the ones that use your credit history to ask you several questions like "Which one these four streets have you lived on?" or "Which one of these four employers have you never worked for?", but even those are gameable with some research. There has to be some better solution out there.
> The best systems I have seen are the ones that use your credit history to ask you several questions like "Which one these four streets have you lived on?"...
At least with simple "mother's maiden name" type questions, you could, if you were concerned by its insecurity, choose to use a secret value. With the automation of the process, that is not an option, while the security value of this pseudo-secret information will be eroded by its inevitable over-use.
You do make a good point, but the made up answer option is basically just opting out of the system for both good and bad. In my experience, the mother's maiden name thing is rarely the primary identifier. It is usually used if the primary identifier like a password or passcode isn't known. So the question becomes in what instances would a person have a record/memory of the fake name but no record/memory of their password? The only situation I can imagine that happening is if the person reuses their fake name which defeats the whole point of doing this for the added security. The end result is that the secondary identification system has almost no value.
> So the question becomes in what instances would a person have a record/memory of the fake name but no record/memory of their password?
That is, indeed, the problem that these questions are supposed to avoid, but they only offer sort-of security to the extent that the information is sort-of confidential. Anything that the automated validation service can find from public sources can also be found by the black hats, and the more common these automated services become, the more worthwhile it will be for the black hats to similarly automate their search for them.
The end result is that real security that is based on something you know has to depend on secrets.
> So the question becomes in what instances would a person have a record/memory of the fake name but no record/memory of their password?
I have both recorded in password vault and both are random.
The benefit is it they've reset my password for some reason or it was hijacked. I've been able to recover accounts. Not because I forgot a password but because it was essentially a harder to change 2nd "secret"
For me (and I know others), the rule is to never give the correct answer to any of those questions (what was name of first pet? what elementary school?). That's how Sarah Palin was doxxed
> The best systems I have seen are the ones that use your credit history to ask you several questions
Given how bad the credit companies are at distinguishing me and my father (we share a name), I don't have much faith in this process either. What if you don't have a credit history?
Realistically most businesses don't have a need to pin an identity to a real-world person.
Those can be wrong though. I've been locked out of accounts because they said I incorrectly answered questions about myself (as if they know better than me) and it took weeks and multiple hand-written letters and a physical trip to an office to get it fixed.
The assumption that you have, that the system "just works" is awful. Because when it turns out the system actually doesn't work, it's a fucking clusterfuck just to get someone to listen to you because they don't believe you are who you say you are, and government issued ID is apparently insufficient.
And the government seems to think I am the same person as my deceased father and grandfather because we share a name, and holy fuck is it frustrating come tax season (I have never in my life had my taxes accepted the first try and have had to physically visit the IRS before) or any time anybody tries to do any sort of background check on me.
The credit history questions are a mixed bag. I've gotten questions like "Which make of car have you owned?" with choices of Toyota, Rolls Royce, Duesenberg, and Checker. It's not a hard guess.
Except when say 18 years ago, you stayed with a handful of friends that year because the bottom dropped out of development jobs and you can't recall every address you might have used.
Wouldn't a Google Auth type TOTP be ideal for over the phone? Is there anyone doing this?
It could be the same one I use for 2FA to the website. Or, an entirely offline flow would work too where they sent a dead-tree mail with the shared secret in QR code format.
I think that's one of the best solutions, but it would add a ton of customer service overhead for lost devices (if physical OTP generators are used), clock sync issues, device-specific quirks... And if we want to have a universal system for this rather than each service provider having their own one-off solution, someone would need to foot the bill.
Swedish banks already do this. They first implemnted their own systems with custom hardware (and before that banks mailed a physical scratch pad with codes) but then later together developed a mobile app (called Mobile BankID) which can be used for authentication.
So clearly it can be done. Swedish banks have been doing it for at least 20 years.
These systems usually have blink detection, so you would at least have to scan the photo, convert to video, and blank out the eyes temporarily (blink detection tends to be quite crude).
Other systems require you to record a video of you saying a particular sentence which is then checked (presumably) by a human. And others require a video call to a real person.
I got pretty spooked when I opened my credit karma account and it asked me to verify if I had opened a store card a couple years ago, if I took out a loan, and a couple other questions about me.
None of them were true, because when I was first opening my credit karma account was when I first got a credit card; up to that point I had no credit history at all. When it asked me these questions, and I believe it implied one of the questions was true, I assumed my identity was stolen and got a report from transunion and equifax.
Turns out my identity was never stolen and credit karma was just being obtuse.
Not OP, but I found it by going to your HN profile, seeing your email listed there, searching that username, finding a GitHub profile with the same username, then using your first and last name plus your location (listed in your GitHub profile) to look you up. Your profile photo on GitHub gave me your approximate age (middle age, clearly not a teenager or a senior).
Searching your name and city+state in Google shows several websites that collect public records and show relatives. Some include age with names. The only people that showed up as relatives that were plausibly your parents (based on age) were two people: one with your same last name (probably your father), and one with a different name (Klass) (most likely your mother).
Thanks. I knew it was easy to get to my name from my HN provided info. I wasn’t sure how easy it was to get from there to my parents.
Having a pretty rare last name makes it really hard to stay anonymous, especially when you engage in public activities like entering road races, buying a home, and voting. Guess it’s a bit late to start using a pseudonym.
Edit: mylife is insane. I’ve googled myself in the past and this much information didn’t used to be so readily available in search results.
I don’t know how a right to disappear would even work when a bunch of the results are curated straight from public records.
Edit 2: I think if I cared more about this I’d have to engage in a prolonged disinformation campaign to muddy the search.
"Guess it’s a bit late to start using a pseudonym"
Actually, no. It only takes 2-3 years to disappear from most casual google searches. I know people always say 'the internet is forever' and for some things it might be, but I was suprised how much of my online traces just faded over time after I started being more careful with my identity.
I had a bit worse experience. I was a bit careless with posting personal info under a quite specific username I reused on multiple websites, it took me nearly 10 years and changing that username (you might also note that my usernames are more or less random) to finally not be able to google myself (which I consider to be the real test of anonymity). Various forums finally dying in 2010s were a great help.
I'm of two minds as to whether it's better to be wholly unique like my First Name/Last Name pairing is or to have a name like John Smith.
The worst is doubtless to share an uncommon but not unique name with someone who could plausibly be you who is controversial/a criminal/etc. Pre-Web I went to school with someone who shared a name with a very unpopular figure in the same city. My schoolmate got literal death threats left on his answering machine.
I ran across this a few years ago. I made the mistake of registering a .us domain with my home address. Found out the stupidity of that when my wife's ex, who has been out of her life for over 10 years at that point, sent us a wedding gift. We both have fairly unique names - there's only 1 of each of us with the same first/last name in the US. Makes me pretty paranoid about tying stuff to my real name now.
It's also funny how you're supposed to submit such (ostensibly) personally identifying information to a website for them to know.
So it literally only works for this purpose the first time you do it, now it's not private anymore (even if it was to begin with). Now it's on file just waiting to be leaked.
For example, how many of us are suckers who have submitted scans of our passport and drivers license to a website like coinbase.com?
It's only a matter of time until https://haveibeenpwned.com/ lets you type in your DL/passport number and it'll tell you how many scans it found in data dumps.
Just don't answer those questions "truthfully. What I mean is I use 1password to store my credentials. So whenever a site asks me to provide 3 security questions and answer I will usually select 3 random questions (especially ones that don't apply to me like "where did you meet your wife", well i'm not married), then provide an answer like "dog bow rainbow toss three". Even if one place is breached and hackers find my "mothers maiden name", it's about as useful as a one time access token.
Someone doing social engineering may answer "It was a bunch of random characters/words, I'm sorry I don't have it in front of me" and have that accepted. If they don't accept it, hang up and try again with another rep until someone does.
Picking a random real place off Wikipedia (different for each website, and store that in 1password) avoids this.
It's a question of effort, really. The bad guys get infinite tries; support only needs one person to fuck up once.
My hope would be their training largely prevents "oops I can't remember" getting through, but I suspect you'd eventually get someone quitting tomorrow who doesn't care, or someone having an off day.
Mother's maiden name is documented to have been in use for authentication at least as far back as 1882, and even then it was known to be a weakness [1, §3].
[1] Stephen M. Bellovin. 'Frank Miller: Inventor of the One-Time Pad'. Cryptologia 35(3), pp. 203–222, 2011. DOI: 10.1080/01611194.2011.583711
You should be giving gibberish answers to those anyway. They're probably stored as plaintext, but on the off chance they're not, treat them as a backup password and don't answer the question honestly.
For anything that involves human interaction for the verification, this doesn't really work.
I generate random strings for these and store them in my password manager. On several occasions I've called companies for whatever reason and they've asked these questions to verify my identity. When I say "oh it's a random string let me open my password manager to confirm it" they often reply with "oh it's ok, you're right it's gibberish" and consider me verified.
You can generate a pronouceable password based on dictionary words for such cases and get something that you can say over the phone like `leaf-auto-drunk-horse-zebra`. This is supported by any modern password manager.
Had the same experience with blizzard support a while ago. Now I follow the above poster's advice and use it as a secondary password, but make it pronounceable at least.
Would an attacker know that you're the kind of person to type in gibberish?
Also, you don't need to type gibberish. If your mothers maiden name is Jones, you can enter her maiden name as Steenberger and store that in your password manager.
An attacker wouldn't have to know you are the kind of person who puts gibberish... "oh, shoot... sometimes I make up a fake name but sometimes I put gibberish... I can't remember which I used here"
I have thought for a while that the old 'what is your porn name?' joke of combining first pet's name and mother's maiden name was probably originally invented by con artists looking to gather info.
I don't think it was invented by them, but I'm sure it's been used extensively by them since then. I think it was just someone that thought it was funny.
Given the use of pets names and maiden names as common authentication tokens for money, that it is a kind of weird joke to start with and that it doesn't really have a punchline and can easily fall flat, it stinks of grifter patter.
Though it isn't as bad as; 'You can't cheat an honest man'. You hear someone saying that, you start counting your fingers before you shake hands and check them again as soon as your done.
This has always been a funny "secret" to me since I have a hyphenated last name – gee, my last name is "Dolan-Gavitt", I'll give you two guesses what my mother's maiden name is.
I would have no idea what your mother's maiden name is? With only your post as a reference point, I would assume that you're a woman married to a man, and then assume Dolan is your paternal last name, and Gavitt is your married last name.
Encountering men with hyphenated last names is uncommon enough (for me) that I don't know the rules for that, so if that's the case, I don't know either.
It's semi-common (or was, in the 80s) for couples who didn't want to change either of their names to instead give their kids a hyphenated name with both the mother's and the father's name. So my mother's maiden name is... Dolan.
But looking up myself (and my brother) I noticed that the record date is a month or two past the actual month. So for me being born in March seeing myself listed as June and in my Brothers case seeing September listed as December. Well, makes me wonder if they had backlogs back then. But most happy it is that way, I know my actual birth certificate has the correct date (still have the original) and those are accessible in some form or another. Just mindful that not all records are that accurate.
In Sweden we have ”Mobilt bankid” which is a digital identification that you download from your bank and then assign a password to it. After this has been completed you can identify yourself through an official app. Most serious organizations asks you to identify yourself through this app when handling business over the phone.
BankId is a 2FA mechanism that proves that you are who you say you are. Before you can download the mobile app (Mobilt BankId) and assign a password, the bank must issue you a card with a certificate on it (BankID på kort[0,1]).
You use this card to then validate the Mobilt BankId, since it creates a chain-of-custody for identity, as it were.
In other words, someone with your personnummer on-hand can't just download Mobilt BankId and then assign their own password because they're lacking the physical evidence [read: the BankId på kort], which prevents them from falsely representing that they are you.
How Mobilt BankId works with BankId is that it houses a certificate (much the same as BankId på Kort) and leverages the same auth prompting mechanisms for challenge/response to authenticate the user. Essentially, it "replaces" the kort but only in the sense that the kort is required to be physically present in the system. With the Mobilt BankId app, the certificate is always present.
Sorry for the long-winded explanation but it isn't as simple as downloading the app and assigning a password and don't want people to get the wrong idea. :(
I am guessing that most standard and reliable (i.e. you know the answer and it's not going to change) questions are vulnerable to discovery by a halfway determined attacker. That said, there are probably questions/answers that historically would have required at least some degree of serious investigation to uncover that are now often trivially discoverable.
DNA would actually be a great way of doing identity. As long as you're alive, your DNA can be checked. And it's not really feasible for someone else to fake.
You also don't lose it or forget it, like you would password or 2FA device.
You also can't change it, though, if someone gets a hold of it. Someone with a bit of your blood could impersonate you forever, and you wouldn't be able to stop them.
Perhaps. My anecdotal experience does not show a high ratio of women on facebook who are also friends with their mothers. I have also noticed older seem to list their maiden name less frequently.
However, I do agree that in general several "security questions" that are meant to be hard-to-guess data points are actually easy to find the answer to frequently. Maiden names, and school names/cities/mascots, are often found in online profiles in one way or another.
At the same time, I'm not sure the risk is as large as it seems. These security questions help prevent bulk identity theft and add a friction point to the process, they are certainly not equal alternatives to real 2FA, but they are also less "brute forceable".
I was honestly baffled to see the proliferation of DNA analysis companies... aren't people concerned about the importance of the data they're giving out? AND you pay to give them that data... leaves me speechless.
How accustomed we've become to giving our privacy away.
I bet insurance companies would pay handsomely to know all your genetic health risks before they insure you. I am none of the things you described but think having our genetic information out there is not a good idea. Call it a gut feeling but I listen to my gut.
And the facts would also show that it was only just recently that Canada was the last G7 country to pass laws preventing insurance companies from doing it. And if you also read more on the topic it is suggested that as genetic testing becomes cheaper and more reliable perhaps in the future this topic will need to be re-examined. So I stand by my gut and it says I would rather keep my dna private. Just in case they change the law in the future.
The speechless part is because of how recklessly some people give out information that an insurance company could use against you for example... specially when these companies make no mention of respecting your privacy in their terms.
I considered using these under a fake name, but from reading the article, it seems like that wouldn’t be enough.
I do see the appeal that this indformation has for individuals, of course.
Yes. Everyone has a remarkable inability to ask the question 'Who benefits?' when they engage with a service. Like Facebook, with consumer genetic tests you give up whole lot to get back very little. You are the product.
Your DNA is no more your private property than your or your grandmother's face.
It's just not that big a deal. You shed your DNA everywhere. Knowing it isn't more useful than information about your life that is already collected and used to manipulate you all the time. It's one of the weaker forms of personal information available.
In the US, you do have certain rights to your image. I cannot use an identifiable photograph of you for marketing or advertising without your permission. (That's why, for example, a lot of conference registrations require you to affirmatively agree that photos or videos of you may be used for marketing purposes.)
But pretty much any other use of a photo in a public place is fair game if it doesn't misrepresent you in some way.
31 states recognize such a right, but the extent of the protections involve vary considerably. In some states, it only protects your name and likeness, while others extend it all the way to things like "stage persona." California naturally has the highest degree of protection, given that it's the center of the entertainment industry.
Agreed, "My DNA is my personal property," is a weak argument.
"My DNA is my personally-identifying data," is a better one.
The question of what rights we have to our personally identifiable information is not yet answered fully, and the debate is an important one (e.g. consider GDPR and the "right to be forgotten").
Data's worth is recognized today by those who are harvesting it from us. The mountains of data which only a few multinational corporations can gather and store in globally-distributed data centers are imperative to machine learning and the artificial intelligences they are making, which will soon direct a great many of our daily conveniences at potentially great profit to them.
So it is important for us to today define what rights we demand to such a valuable resource, which is created solely by, and living within, the only item any of us has true natural possession of: our very bodies.
Just because there are dozens of other pieces of personal information that are collected by the powers that be and used to manipulate people doesn’t mean they all are justified.
None of which are actually "uniquely yours", because everything we know to date about fingerprints or faces or DNA is that there is a low probability of collision with someone else having those same attributes, but it's not zero probability.
Somewhere, somewhen, there is likely to be another person who has a face, or fingerprints, or snippet of DNA that cannot be distinguished from yours within the accuracy of the tools we have today.
There was actually a podcast by Radiolab recently that discusses how and why this is not the case. It's counterintuitive for sure, but pretty interesting.
What about the image of my face I left behind on the subway, or on the field during an ultimate frisbee game? Sure you can keep my image on your camera, or photo print, but you may not profit from it, because it isn't your property.
I wonder if DNA will actually become less usable in convictions as a result of these sorts of developments. With it being easier to identify an individual based on DNA at a crime scene, eventually someone is going to be accused and turn out to have an ironclad alibi proving they couldn't have done the crime, even though their DNA was present.
True if you did it that way.
Which is why you would buy (or make) one and PCR the rest.
Besides if it aligns with the authorities goals it would not take much.
If someone downloads my DNA from 23andMe, they can't really plant it at a crime scene can they?
Even if they could synthesize DNA from that information, they'd need to mix it with SOMETHING to show that it's not planted. Is the information collected by 23andMe even close to accurate enough to do something like this?
In the article Someone1234 commented in sibling apparently the innocent suspect's DNA was on the victim (they think maybe because she rode in his cab).
This may be a good moment to get a refresh on this question:
Can anyone recommend a sequencing service that offers some semblance of a reasonably solid privacy guarantee (in exchange, of course, for a suitable fee)?
At GeneInfoSec we are working on a method that will allow all sequencing services to encrypt DNA molecules themselves. With this molecular encryption even your sequencing service will not have access to your genetic data.
With unique molecular tags, random mutation and PCR, various cryptographic methods can be applied. But random mutation and PCR are not necessary for some relatively simple use cases. Reversible mutation is not used, but the information concealed through mutation is recoverable with the decryption keys.
The real lesson is that your DNA was never a secret at all. Almost the entirety of it is shared with many people (your family) and you literally leave it everywhere you go. Don't assume any of it will be kept hidden.
If you read the article you'll note that the key problem is not what the author did, it's what her relatives did - uploading their own DNA. It is trivial to discover relatives by DNA match, so using a set of DNA samples you can easily construct a social graph based on family relations. If you can then identify any point in that graph, you can identify individuals. The countermeasures therefore consist of things like: 1) don't add your DNA to a database and 2) Don't allow your family to add their DNA to a database.
> Don't allow your family to add their DNA to a database.
IE, DNA is my personal property, hence, I own my family. Come off it.
You cannot claim to be concerned about individual privacy when your recommendation for how to protect your privacy is to intimately examine your family member's actions and then actively attempt to prevent them from doing something that is -- according to your ethics -- their right.
I didn't make a single ethical claim, I just suggested what needs doing if your goal is to remain unidentified by DNA. If it wasn't clear my reply was a bit tongue in cheek, since obviously you cannot control what your family does.
But a fake entry in the database would result in a negative match. Thus the researcher would (at least at first) eliminate you as a possible candidate.
Of course, uploading fake DNA with your real name would have other implications — your relatives that upload their own DNA and look for matches might suspect infidelity on the part of your parents... and relatives of the "fake DNA" might think the same of their father/grandfather/etc.
That's the sort of thing a detective would work out relatively quickly though. If you share none of your mother's DNA, the only possible explanation would be adoption. And if your mother, for whatever reason, told the detective you were not adopted. Then that detective would have their suspect.
So if you tried that, the stranger would have to be a very carefully selected family member in any case. Someone from your mother's side, same gender, not likely to submit his/her DNA, AND not likely to be in DNA databases already due to prior arrests. (Also, it goes without saying that they can't be adopted.)
But even taking all these precautions, I'm pretty sure a detective would still work it all out.
> If you share none of your mother's DNA, the only possible explanation would be adoption.
Not necessarily. There was a case where a DNA test of a woman's children showed that they did not share any of her DNA. Social Services was threatening to take them away from her. When she had another child, they court ordered an officer to be present during the birth and collect DNA from both of them at that time. Even still the DNA "proved" she was not the mother. It was only after another similar case was discovered that they were able to determine that she was a chimera, basically that she was her own twin, and had two different DNA strands.
Yeah, but if your mother is not a chimera, they're gonna nail you right out of the box unless the fake DNA comes from a member of your mother's side of the family.
I'm fairly certain the non-ironclad part is in the handling and processing (testing labs screw up quite often), not in the actual methodology or ability to accurately identify individuals.
Collection of evidence is also another likely place to make a mistake. The issue is that a non-pristine sample taken from a public place (like a crime scene) may have multiple DNA profiles represented in it. I'm not highly familiar with the technology but I've read that techniques like PCR that "amplify" the DNA collected from the original sample by synthesizing copies of the DNA can further exacerbate the issue.
> One of the biggest strengths of PCR(e) for DNA typing is the degree to which DNA
can be amplified. Starting with a single DNA molecule, millions or billions of
DNA molecules can be synthesized after 32 cycles of amplification. This level of
sensitivity allows scientists to extract and amplify DNA from minute or degraded
samples and obtain useful DNA profiles. In this context, the sensitive nature of
PCR works in a lab's favor, but it can cause problems if great care is not taken
to avoid contaminating the reaction with exogenous DNA.
> Because extremely small samples of DNA can be used as evidence, greater attention to contamination issues is necessary when identifying, collecting, and preserving DNA evidence. DNA evidence can be contaminated when DNA from another source gets mixed with DNA relevant to the case.
This is not at all surprising. They have a database with everyones genes mapping out most of the world at this point (at least some relatives). This is why all of us should be afraid of the future and why the U.S. needs similar laws to the GDPR in the EU.
Hell, with just a few comments I can identify people/alts on HN (or other social media sites)...
Lobbying has corrupted US democracy, freedom, privacy, and legislation to the point that these may never recover. The moment something GDPR-like will be drafted, those snakes (large corporations & lobbies) will do their best (aka bribe $$$$$$$$$$$$) to stop this. (for those who don't like the word bribe, feel free to replace with 'donate' - but imho paying someone elected to change their mind and go against the people's interests, is pure bribery-fraud)
Once a USA-GDPR moves in (which will never happen), people will start to wake up and smell the coffee, and realize that the threat is real. That awakening will lead to another issue.
The 3-leter-agencies (whether in the Light or in the Dark) will also fight this tooth and nail. Now they have a sweet deal. They spy on everyone, people are stupid/naive/careless enough to publicise every-thing they do/eat/say. In a USA-GDPR scenario where civilians will start 'thinking' again, agencies will have to try harder (aka increased budget/spending) to hoard the same amount of information.
We just got the CCPA (effective Jan 1, 2020), which basically GDPR, in some ways stronger.
It's "California only", but companies have little choice but to implement it for the entire US (much like car manufacturers building all US cars to meet Cali emission standards).
I wouldn't think they tie names to sample. You can't do that with DNA samples in a hospital, and I would hope 23 and me's policies mirrors HIPAA (would be aggressively irresponsible and a legal time bomb if not). You certainly don't need names to do analysis.
"When you purchase our Services or create a 23andMe account and register your kit, we collect Personal Information, such as your name, date of birth, billing and shipping address, payment information (e.g., credit card) and contact information (e.g. email, phone number and license number)."
Also: This means there is enormous potential to pollute their signal with tons of false noise. I hope(dangerous word) that this has already happened, or is in progress.
I was disappointed the only example they gave for misusing data was that celebrity dead beat dads might be exposed.
>> As DNA databases grow, so too does the potential for abuse. “Misuse of surreptitious DNA is potentially a big problem,” says Debbie Kennett, genealogist and author. “You can imagine celebrities and politicians being stalked to get illicit DNA samples for paternity testing without consent.” <<
Certainly, there must be worse outcomes than some powerful men running the risk of being shown to be someone’s dad?
It's a great example if they want regulation in the industry. Showing how something can threaten powerful men's positions is a great way to get it buried in regulation or downright outlawed. In the US, we're lucky not enough of them understood the potential power of the internet until it was too late.
Not a biologist, but I'd imagine that's because we currently can answer "is this DNA likely the same as that other DNA" with some degree of reliability, but anything more (except for some very specific diseases) is still not quite here yet. I'd also imagine all this is changing very quickly.
Happy to be corrected by someone with actual knowledge of course.
It's along the same lines but DNA sequencing has very serious consequences in countries that have a history of strict filial piety such as China.
In these countries a family is not just the basis for raising children - families can often act as a sort of "corporation" where everyone is cooperating to enhance the wealth and future prospects of the group.
There was a lot of confusion around family relationships during WWII with the occupation of the Japanese and again after WWII with the Chinese Communist Revolution as children were adopted when their parents went missing or were killed in the war.
If people inside a family are found not to be related to one another there's a serious potential for the social fabric to start breaking down.
AFAIK, the family unit there is not so strictly around genetic lineage. I could adopt a child in with the intention of having him be my successor. He is my son then, without the genetic lineage.