ESET’s Jake Moore used sensible glasses, deepfakes and face swaps to ‘hack’ widely-used facial recognition methods – and he’ll demo all of it at RSAC 2026
13 Mar 2026
•
,
2 min. learn
Facial recognition is more and more embedded in every thing from airport boarding gates to financial institution onboarding flows. The widely-held assumption is {that a} face is difficult to faux and that matching a stay face to a trusted supply is a dependable id sign.
Jake Moore, ESET World Cybersecurity Advisor, lately put this assumption by way of a number of sensible stress checks. His experiments confirmed that the highly effective expertise can truly be each misused and defeated.
In a single take a look at, Jake used a pair of modified off-the-shelf sensible glasses that may establish folks in actual time. He walked by way of a public house, captured folks’s faces and in contrast them towards publicly out there on-line information sources, with id matches returned inside seconds. The names and social media profiles have been pulled from nothing greater than folks’s glances.
This skill may come in useful if, say, a convention attendee struggles to recollect folks’s names, nevertheless it’s far much less palatable when you think about what somebody with ailing intentions might do with that info.
The second demo had a distinct spin. It went after monetary providers, turning a fraud prevention system towards itself. Utilizing AI-generated pictures and freely out there software program, Jake created a fictitious face to open an precise checking account. The financial institution’s facial recognition and eKYC (know your buyer) platform accepted it as a real individual.
After proving the purpose, Jake closed the account and shared all info with the financial institution, which has since shut down that particular methodology of id abuse. However one broader query stays: what number of monetary establishments should be prone to this type of assault?
Lastly, Jake added himself to a facial recognition watchlist at a busy prepare station in London. He then walked by way of the monitored space whereas operating real-time face swap software program that overlaid Tom Cruise’s likeness onto Jake’s personal within the digicam feed. The system, which can also be utilized by the UK police, by no means acknowledged or flagged him. It was as if he merely wasn’t there and anybody actively trying to find him on CCTV would have seen the actor as a substitute.
There’s much more to those experiments than we will cowl right here – they’re all a part of Jake’s discuss at RSAC 2026, which is due in San Francisco from March 23rd-26th, 2026. For those who’re on the convention, take into account attending the discuss – in spite of everything, seeing this all work towards an in-production system in a stay atmosphere is totally different from ‘simply’ studying about it. To be taught extra, together with about different ESET talks on the convention, go to this web site.
The massive image
Facial recognition methods are being deployed with implicit belief that does not match their precise resilience when somebody tries to interrupt them – even the place they solely use off-the-shelf client {hardware} and simply out there software program, similar to Jake did. Identification verification that’s solely depending on a face match clearly carries extra danger than most individuals and organizations understand.
The experiments additionally ship a message to distributors of facial recognition methods and anybody chargeable for id verification methods. Amongst different issues, the methods must be examined in assault simulation settings and beneath different adversarial circumstances. The expertise behind facial recognition is fragile in ways in which matter when somebody makes an attempt to subvert it.
