(Jeffrey Hazelwood/PCMag; Getty Images)
SAN FRANCISCO—At the 2026 RSAC Conference, Jake Moore, global cybersecurity advisor for ESET, revealed how free AI tools can expose hidden risks in facial recognition technology. With smart glasses growing in popularity and more companies deploying facial scanning as a primary security measure, the potential for misuse has also grown. Moore didn’t keep the discussion theoretical; he also presented a handful of demonstrations that showed how seemingly secure facial recognition software can be bypassed, hacked, and beaten.
Instant Identification: Smart Glasses Turn Strangers Into Data Points
Straight out of the world of Mission: Impossible, Moore held up a pair of Meta's smart glasses that are capable of identifying anyone at a glance. He didn’t hack the glasses, get special prototypes from Meta, or make any hardware modifications to make this possible. Instead, he used the exact same software that many police forces across the UK use to identify known criminals—Corsight.
This software runs in the background and is fed to another person monitoring the activity at a computer. With this simple setup, someone can feed Moore data on who he is seeing in real time.
“I’ve just been fed back the names in my ear to prove it worked. I couldn’t believe that you don’t need to, like, hack these glasses. It works with just what they offer you,” Moore continued, going over how he deployed these glasses in his ESET office. He shared a video showing how the glasses identified his employees in real time, in just a few seconds.
Moore’s demo may seem far-fetched, but the future of these privacy intrusions may become commonplace. “I only read this morning that Meta is bringing out two new pairs of glasses and is considering having facial recognition built in,” Moore continued, “I’m there talking about how crazy this idea is, and they’re thinking about making it standard...It’s wild.”
Breaking the Bank: When Biometric Checks Fail
Next, Moore poked holes in bank-level facial recognition technology. He showed just how easy it is to forge a fake identity and open a bank account using consumer-grade technology. Under a lawyer's guidance, he created a fake passport in Photoshop under the name “Jake Morris” and submitted it to an unnamed financial institution. Next, he used a fake image generated by the AI portrait generator, This Person Does Not Exist, and ran it through an AI deepfake tool to animate the image. After setting up a virtual camera and submitting the video to the bank, he was approved for an account that allowed him to take out loans and apply for credit cards.
“Like any good person, I closed the account. I let them know about it, and they changed it,” Moore admitted. However, he noted that, while lackluster, the technology he just used is already widely available and rolled out well before protections were put in place. He also cited age verification laws in the EU and the US, and how trivial it is to bypass these systems with current, simpler tools.
Beating Surveillance: Outsmarting Police-Grade Facial Recognition
To end the presentation, Moore tried to get himself added to a high-security criminal watchlist. He contacted a few government agencies and police departments, but they didn't allow him to use their systems. However, he eventually convinced a London train station to allow him to run Corsight on their existing infrastructure. He then placed himself on a watchlist and asked the security teams to find and capture him before he boarded a train.
He shared the video, which shows how impressive this technology can be at identifying individuals. Then, he moved on to breaking it. “So, I decided to use a bit of face-swapping technology, and who better to choose than Tom Cruise?” said Moore. He then tricked the Corsight system by running an AI deepfake algorithm in parallel with it. Whenever Corsight detected his face, it would be swapped for the likeness of Tom Cruise.
In his presentation, he showed it working in real-time as he walked through the station, completely avoiding detection by the very same facial recognition software that much of the UK’s police force relies on to catch criminals.
Moore went on to explain that a human guard watching CCTV footage from security cameras saw a clean, unaltered feed. “It is assumed that the camera feed is real...systems trust what they see on the screen, and so does the software.” He stressed that human intervention and verification are needed to truly verify someone, and that observers, officials, and law enforcement cannot trust these systems in their current state. “The best way to verify someone is to bring them to another platform and communicate with them,” Moore concluded.
To finish his talk, he revisited Mission: Impossible and said, “In five seconds, this presentation will self-destruct,” as a small smoke bomb went off at the podium.
Your Face Is Not a Password—and It Can Be Compromised
Moore's demonstration proved how easily facial recognition technology can be misused and defeated. Beyond these practical attacks, the technology comes with inherent privacy risks.
Biometrics are methods of authentication that rely on unique physical characteristics to identify you—think your hair, face, fingerprint, and even your DNA. Thankfully, we’re not quite at the stage where Windows is asking for a blood sample to log you in. Even so, you should still reconsider enabling biometrics on your commonly used devices if you value your privacy.
Facial recognition and standard fingerprint-based biometrics can be convenient for logging into your devices, but you’re sacrificing your privacy and security by enabling these features. In the US, law enforcement can issue a warrant requiring you to unlock devices and accounts protected by biometrics, such as face recognition, but they cannot require you to unlock a device protected by a password or PIN.
Even if you’re not worried about law enforcement getting access to your device, face scans can lead to a compromised identity if your identifying information is stored improperly or mishandled. Data breaches are becoming increasingly common as age verification laws and government surveillance measures worldwide grow. I recommend opting out of face scans where possible to retain some measure of protection against potential attacks, whether that be on your device or the next time you go through the airport.