The perpetrators hacked into two pre-paid debit card processors and added vast amounts to the perps' accounts. Then they withdrew the cash at ATMs. Here's a link to the Department of Justice press release about the indictment.
Obviously this was an attack on the card processors' systems; the ATMs were just the first step in the subsequent money laundering. Instead of using ATMs, they could equally have made purchases at the retail point-of-sale or from web merchants.
Here's a link to the WaPo article containing my comment. Extract:
Henry Schwarz, a security expert who provides consulting to ATM companies, said the main vulnerability lay with the networks that were penetrated by hackers. He said it is extremely difficult to break into a network and obtain a regular customer's four-digit personal identification number.
"The vulnerability was the ability to hack into the card processors' servers," he said. With a PIN, he said, "it's very difficult because a PIN is stored by the card issuer in a heavily fortified" server.
My quote is actually a conjunction of two unrelated sentences of mine, spoken several minutes apart; I hope it doesn't read as a non sequitur.
The reporter's main interest in me seemed to be whether the hackers could have obtained PINs. I guess he thought that their readers would be concerned about that implication, so I explained that PINs are stored in "heavily fortified" HSMs (hardware security modules).
A fun experience.
Update: Here's my blog post on this subject at Triton's ATMatom blog.