Citing a presentation at the Chaos Computing Congress in Hamburg, Germany, the BBC is reporting that thieves at European ATMs cut holes in the machines in order to access USB ports.
The thieves then inserted USB drives into the ports, which installed malware and allowed them to take control of the ATMs.
The two researchers who detailed the attacks have asked for their names not to be published.
After noticing that some ATMs were being emptied, the bank increased surveillance and found that attackers were physically cutting holes in the machines, inserting the drives and then patching up the holes. With the malware running, the attackers needed to enter a special 12-digit code to bring up a user interface that displayed how many bills of each denomination were in the machine. They could then specify how many of each to dispense. The attackers would dispense the highest-denomination bills in order to minimize the time they spent at the machine.
Distrustful of the people who actually inserted the drives, the malware authors added a second, one-time code step to the activation of the software, which required the attacker to read a code off the screen and tell it to another gang member.
There is much information missing from this description. If the attackers were able to install malware simply by inserting a USB thumb drive, then Autorun or some similar feature may have been turned on. Such features have been turned off in Windows by default for many years. What operating system and version were the ATMs running? Or perhaps there is some other interface device, like a keyboard, inside the ATMs, accessible through the hole. It may be that USB drives are used by ATM technicians for legitimate purposes.
In any case, it would appear that the attackers are highly sophisticated, with inside knowledge of the ATM hardware and software. The BBC story also says that the malware itself was hardened against analysis.
ATM hacking is a fairly widespread problem all over the world. If you want more information, security researcher/reporter Brian Krebs has extensive reports of attacks on ATMs and other bank-related technology on his blog.