Re: This is really bad
If I were to hazard a guess, I would go for the mobile app.
It runs on rooted devices.
It allows "Balance Peek" without entering a PIN code. Not sure how this works in the Android ecosystem: if you don't authenticate within an app, does this exclude you from the secure parts of Android?
If you reverse engineer the app with Apktool what do you get? Not something I would try due to the obvious legal implications.
When you consider Tesco's reaction, this is not some run-of-the-mill hack. I can understand online restriction, but to suspend contactless is an indication that not only do they have access to accounts but they also have access to a lot more information and are able to use that information. Does this mean their NFC keys are compromised?