Fake Moustache Bypasses Age Verification, Raises Online Safety

Drawing a moustache with an eyebrow pencil, a 12-year-old boy bypassed an online age verification system, successfully registering as 15 years old. This single event, detailed by a parent in a recent UK survey, powerfully illustrates the fundamental vulnerabilities present in current digital age verification protocols.

The UK Online Safety Act came into force in July 2025, and while it was meant to be a turning point for child protection, the early results tell a more complicated story.

The act pushed platforms into taking stronger steps to keep children away from harmful content and age-restricted spaces. Over half of children in the UK say they were asked to verify their age on platforms including TikTok, YouTube, and Roblox.

Around half say they now see more age-appropriate content, and roughly four in ten parents and children feel the online world has become somewhat safer.

Researchers at Malwarebytes noted that a report from the UK’s Internet Matters, which surveyed families after the Act, reveals progress has been modest at best. The findings show that while safety features are more visible, harmful content remains widespread and age checks are easy to get around for a determined young person.

About a third of children surveyed admitted to bypassing age checks recently. The methods ranged from entering fake birthdates and borrowing a parent’s login, to using spoofed facial images and VPNs.

The moustache trick was among the more creative workarounds, but it highlighted a serious gap in how well facial age estimation actually works.

Fake Moustache Bypasses Age Verification System

Despite the frustration, 90 percent of children who noticed improved blocking and reporting features said they viewed them positively. Children pointed to clearer rules, fewer contacts from strangers, and limits on high-risk functions as real benefits. Their support shows that young people are not opposed to online safety. They just want it to work.

Even though age verification is now common across platforms, the technology has clear limitations that families are starting to notice. Platforms rely on facial age estimation, government ID submission, and third-party age assurance apps. These methods are often simple enough for children to complete, which makes them just as easy to bypass.

In the month after child protection codes came into force, almost half of children still reported encountering harmful content online. This included violent material, hateful messaging, and body image content the Act was specifically meant to restrict. The gap between what the law promises and what children experience remains wide.

Stronger enforcement and more consistent application across platforms may be needed before age checks become a reliable safeguard. Without that, age assurance risks becoming a box-ticking exercise rather than a real layer of protection for young people.

Privacy Concerns Cloud the Path Forward

Parents are not only worried about whether age verification works. They are equally concerned about what happens to the data once it is collected. The thought that a government ID or facial scan submitted to one platform could be stored or reused by industry or government has become a growing source of anxiety.

The Internet Matters report found these concerns are pushing families to call for central, privacy-protective solutions rather than fragmented data collection spread across dozens of platforms. The current setup leaves families with no clear picture of where their data goes or how long it is kept.

Because age assurance systems are both data-heavy and easy to circumvent, the report concluded they do not yet offer a strong enough safety-to-privacy trade-off. Concerns around screen time, AI risks, and persuasive design also remain largely unaddressed under the current framework.

One blind spot the survey could not capture involves adults pretending to be children to access child-only spaces online. Parents linked this directly to predatory behavior, and it is a threat no facial check or birthday input can reliably stop. The Online Safety Act has started a conversation, but the work is far from finished.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.