I always wondered about framing this as a sort of self-defense position.

When I was working on a site a decade ago where people were constantly defrauding the users we built a lot of tools to creatively deal with these people to make them less effective. It became very clear that law enforcement wasn't prepared to deal with the problem (at the time at least, maybe they've gotten better) so we had to figure out anything that we could do to protect our users.

The fact that you're essentially only allowed to play defense is IMO the reason it keeps happening. If we were able to hire a cybersecuurity company to hack the people defrauding our users for us, we would have done it in a heartbeat and it would have been worth every penny. It always seemed like, in the US at least, this could have fallen under the 2nd amendment as a self defense response.

The issue, of course, with collecting biometric data to stop a problem like this is you are also collecting data from people who haven't done anything wrong at all. One false positive "anomaly" in the system, or a data breach, exposes innocent people to risk they were not informed about.