The official, vendor-certified "fix" was that since the reply to this query contained the user ID, when calling this API you should always write a do-while loop like:
do {
    accountsReply = bankCore.getAccountsForUser(myUserId)
} while (accountsReply.userId != myUserId)
A $300 ATM, card-present withdrawal several hundred miles away (at a golf course country club) from where I had used the card less than an hour before.
Skimmer + camera for PIN is sort of the only other explanation, and I'm fairly paranoid about checking for skimmers.
Rooted point-of-sale devices are also a possibility - that's what led to the big Target hack.
So POS systems store PINs? I can't imagine them being certified if they do, or for what reason they might.
AFAIK, the POS hacks all ended up with CC numbers, no PINs.
POS systems aren't supposed to store PINs, but a compromised one certainly could.