What's to keep me from having a file containing valid
biometric data that I have created/hacked/stolen,
and uploading it for validation.

Once biometrics come into widespread use for
access to protected sites, tools for bypassing
the fingerprint scanner will be the first tools
to appear.

I can't see how they can tell whether you really
put your finger on the scanner, or just uploaded the data.

Then it's just a matter of stealing someone's fingerprints,
or, once you know the format, generating plausable ones.