Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.
Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In a statement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
[Thanks to everyone who sent this in.]