TL;DR: At RSA Conference 2026, ESET cybersecurity advisor Jake Moore delivered a session titled "Facing Reality: Hacking Facial Recognition." He demonstrated three working exploits against production systems: using modified smart glasses to identify strangers in seconds, opening a real bank account with an AI-generated face, and walking past UK police facial recognition cameras while wearing a real-time Tom Cruise deepfake. None of these attacks required advanced hacking skills, just consumer hardware and free software. His core finding: "It is assumed that the camera feed is real. Systems trust what they see on the screen, and so does the software."

Three Exploits. Zero Advanced Skills Required.

Moore, who previously worked in digital forensics for UK police, structured his session around three practical demonstrations. Each exposed a different assumption baked into facial recognition deployments, assumptions that don't hold up when someone actually tries to break them.[1]

The common thread: attackers don't need nation-state resources. Off-the-shelf smart glasses, free AI tools, and real-time face-swap software do the job.

Experiment 1: Identifying Strangers With Smart Glasses

Moore walked through a public space wearing modified commercial smart glasses. As he passed people, the glasses captured their faces and matched them against publicly available data sources: social media profiles, professional directories, anything indexed online.[2]

Within seconds, he had names. Within seconds more, he had their social media accounts, employers, and other personal details.

The glasses weren't custom hardware. The software wasn't proprietary. Moore used commercially available eyewear and free facial recognition tools anyone can download.

This is exactly what Harvard students demonstrated in 2024 with Meta Ray-Ban glasses and PimEyes. The difference: Moore showed it at the industry's biggest security conference in 2026, and the tech has only gotten better.

Experiment 2: Opening a Bank Account With a Fake Face

For his second demonstration, Moore generated a completely fictional face using freely available AI software. Not a real person. A face that never existed.

He then submitted that AI-generated face to a real bank's eKYC (Know Your Customer) onboarding platform, the same systems banks use to verify you're a real human before opening an account.[1]

It worked. The bank accepted the synthetic identity as genuine and opened an actual account.

Moore responsibly disclosed the vulnerability. The bank closed it. But as he noted in his talk, how many other institutions have the same gap?

Banks, crypto exchanges, and fintech apps, along with any other service using facial recognition for identity verification, now have to answer a question they've been ignoring: what happens when the face is fake?

Experiment 3: Wearing Tom Cruise Past UK Police

This one should worry anyone in law enforcement.

Moore added himself to a facial recognition watchlist at a monitored London train station, the same live facial recognition systems UK police deploy to catch wanted suspects.[2]

Then he walked through the station while running real-time face-swap software. The software overlaid Tom Cruise's likeness onto his own face in the camera feed. Anyone watching the system, and the automated matching algorithm itself, saw the actor, not Moore.

The system didn't flag him. He walked right through.

"It is assumed that the camera feed is real," Moore explained. "Systems trust what they see on the screen, and so does the software."[1]

UK police have been expanding live facial recognition aggressively. Home Secretary Shabana Mahmood announced a rollout from 10 vans to 50 in January 2026. They've arrested thousands. But if a security researcher can walk past the cameras wearing a celebrity's face using consumer software, what stops anyone else?

What This Means

Moore's demonstrations weren't theoretical. They worked against real, deployed systems:

  • Live identification: Public-facing facial recognition (airports, events, retail) can be turned around on anyone by anyone with smart glasses
  • Banking eKYC: AI-generated faces can pass identity verification designed to ensure you're human
  • Law enforcement watchlists: Real-time deepfakes can defeat the exact systems police are scaling up

The attacks share a common vulnerability: facial recognition systems implicitly trust the input. They assume the camera sees a real face. They assume the face belongs to a real person. They assume nobody is manipulating the feed in real time.

None of those assumptions are safe anymore.

Why This Matters Now

Facial recognition is being deployed at unprecedented scale. In just the past few months:

  • The UK announced 50 live facial recognition vans deployed nationwide
  • ICE agents started using Mobile Fortify to scan faces against 200+ million images in real time
  • The US Army signed a $75,000 contract with Clearview AI for access to 50 billion images
  • Meta is reportedly developing a "Name Tag" feature for Ray-Ban smart glasses
  • Retailers like Wegmans, Walmart, and Kroger quietly rolled out in-store facial recognition

Moore's point wasn't that facial recognition is inherently bad. It's that it's being deployed with "implicit trust that doesn't match their actual resilience when someone tries to break them."[1]

The systems scanning your face at the airport, the bank verifying your identity, the police vans hunting wanted suspects: all of them can be fooled with gear you can buy on Amazon and software you can download for free.

What's the Fix?

Moore suggested that camera-based verification alone isn't enough for high-assurance use cases: "The best way to verify someone is to bring them to another platform and communicate with them."[1]

In practice, that means:

Multi-Factor Authentication

Face scans should be one factor, not the only factor. Pair with something the user knows or has.

Liveness Detection

Systems should actively verify the face is real and present, not a photo, video, or deepfake overlay.

Adversarial Testing

Organizations deploying facial recognition should test against attacks, not just optimal conditions.

Reduced Trust

Stop treating facial recognition matches as definitive. They're probabilistic at best, gameable at worst.
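One way to put the "Adversarial Testing" point into practice, as an added example that is not from Moore's talk or any vendor's tooling: score a verifier per attack class and gate release on the worst class rather than the average. The metric names APCER and BPCER are borrowed from ISO/IEC 30107-3; the class labels, counts and 5% thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed test results: (sample_class, accepted_by_verifier).
# "bona_fide" is a genuine user; every other label is an attack class.
# Labels and counts are made up: large easy classes, small hard ones.
RESULTS = (
    [("bona_fide", True)] * 97 + [("bona_fide", False)] * 3
    + [("printed_photo", False)] * 500
    + [("screen_replay", True)] * 2 + [("screen_replay", False)] * 398
    + [("ai_generated_face", True)] * 6 + [("ai_generated_face", False)] * 14
    + [("realtime_face_swap", True)] * 12 + [("realtime_face_swap", False)] * 8
)

def error_rates(results):
    """Return (bpcer, {attack_class: apcer}).
    BPCER: share of genuine users wrongly rejected.
    APCER: share of one attack class wrongly accepted."""
    total, accepted = defaultdict(int), defaultdict(int)
    for label, ok in results:
        total[label] += 1
        accepted[label] += ok
    if total["bona_fide"] == 0:
        raise ValueError("test set has no bona fide samples")
    bpcer = 1 - accepted["bona_fide"] / total["bona_fide"]
    apcer = {c: accepted[c] / total[c] for c in total if c != "bona_fide"}
    return bpcer, apcer

def release_gate(results, max_apcer=0.05, max_bpcer=0.05, required=()):
    """Fail closed: each required attack class must have been tested, and
    every class (so the worst one) must stay at or under max_apcer."""
    bpcer, apcer = error_rates(results)
    failures = [f"untested attack class: {c}" for c in required if c not in apcer]
    failures += [f"{c}: APCER {r:.0%}" for c, r in sorted(apcer.items()) if r > max_apcer]
    if bpcer > max_bpcer:
        failures.append(f"BPCER {bpcer:.0%}")
    return (not failures), failures

def pooled_attack_acceptance(results):
    """Average over all attack samples; shown only for what it hides."""
    attacks = [ok for label, ok in results if label != "bona_fide"]
    return sum(attacks) / len(attacks)

if __name__ == "__main__":
    ok, why = release_gate(RESULTS, required=("realtime_face_swap",))
    print(f"pooled attack acceptance: {pooled_attack_acceptance(RESULTS):.1%}")
    print("release allowed:", ok)
    for line in why:
        print("  -", line)
```

On this constructed data the pooled acceptance rate is about 2%, which looks fine, while the two attack classes that match Moore's demonstrations fail the gate at 30% and 60%.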

What You Can Do

  • Understand the limits: Facial recognition isn't the infallible technology vendors claim. It can be defeated.
  • Question deployments: When you see facial recognition at banks, airports, or stores, ask what protections exist against synthetic faces and deepfakes.
  • Protect your face: Your facial data is being collected and indexed. Consider minimizing public photos tied to your identity.
  • Support oversight: Push for regulations requiring adversarial testing and transparency about facial recognition accuracy.

The Bottom Line

A cybersecurity researcher just demonstrated, live on stage at the industry's biggest conference, that he can identify anyone with smart glasses, open a bank account with a fake face, and walk past police facial recognition wearing Tom Cruise.

He used consumer hardware and free software.

Governments and corporations are spending billions deploying facial recognition as if it's bulletproof. It isn't. Moore proved it three different ways in one session.

The technology trusted to identify criminals, verify identities, and secure borders can be beaten by anyone with a laptop and an afternoon to kill.

References

  1. ID Tech Wire - RSAC Talk Showed Working Exploits Against Live Facial Recognition Systems (March 2026)
  2. WeLiveSecurity - Face Value: What it Takes to Fool Facial Recognition (March 2026)