The hackers begin by installing a file called Backdoor.Win32.Skimer, malware that hides in the cash machine's code waiting for the hacker to open it with a particular card.
Kaspersky explains what happens next:
The Skimer's graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the pin pad into a special form in less than 60 seconds.
With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card's chip), etc.
If you know where to look, you can find out if the cash machine has been tampered with, although the hardware has become increasingly sophisticated.
Kaspersky warns that cash machines that have been infected with Skimer are not easily distinguishable and are hard to spot, saying:
In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later.
With these copies they go to a different, non-infected cash machine and casually withdraw money from the customers' accounts.