In reply to Fraser:
> (In reply to winhill
>
> [so if they looked at you a bit weird when you queried it, they've broken the trust and should be avoided.]
>
> No, you're wrong, it would be the OP who first broke the trust by querying it.
Crikey, each to their own, I guess but if you were interviewed in the street by someone 'researching computer passwords' would you tell them your banking passwords?
The default has to be that a user doesn't reveal ID details unless the person requesting them can establish trust, the first onus is on the requester, not the requestee. A trustable requester will acknowledge this.
Biometrics is a particularly high trust environment, if they used a combination of your membership number and a PIN, if someone compromised your PIN, what's the worst that could happen? An unauthorised user at the wall or someone burning up your ten session ticket or costing you a few quid?
On the other hand if someone compromises your biometric, thumb print, iris, foreskin pattern, then you can't grow another iris or thumb or cock. Biometrics are for life (barring surgery), PINs last until you change them.