Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:
1.Card type 1 – request commands through the interface
2.Card type 2 – execute the command hardcoded in the Track2

After the card is ejected, the user will be presented with a form, asking them to insert the session key in less than 60 seconds. Now the user is authenticated, and the malware will accept 21 different codes for setting its activity. These codes should be entered from the pin pad.

Below is a list of the most important features:
1.Show installation details;
2.Dispense money – 40 notes from the specified cassette;
3.Start collecting the details of inserted cards;
4.Print collected card details;
5.Self delete;
6.Debug mode;
7.Update (the updated malware code is embedded on the card).

During its activity, the malware also creates the following files or NTFS streams (depending on the file system type). These files are used by the malware at different stages of its activity, such as storing the configuration, storing skimmed card data and logging its activity:

Securelist

TOKYO (Kyodo) — A total of 1.4 billion yen ($12.7 million) in cash has been stolen from some 1,400 automated teller machines in convenience stores across Japan in the space of two hours earlier this month, investigative sources said Sunday.

Police suspect that the cash was withdrawn at ATMs using counterfeit credit cards containing account information leaked from a South African bank.

Japanese police will work with South African authorities through the International Criminal Police Organization to look into the major theft, including how credit card information was leaked, the sources said.

The theft at convenience store ATMs took place in the morning of May 15 in Tokyo and 16 prefectures across the country, and police believe over 100 people might have coordinated in the unlawful withdrawal.

In each of the approximately 14,000 transactions, the maximum amount of 100,000 yen was withdrawn from Seven Bank ATMs using the fake credit cards, according to the sources.

Mainichi.jp

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/gsmgprs-traffic-interception-for-penetration-testing-engagements/

An excellent howto on gsm gprs listening and setting up your own 4g / 2g base
to intercept traffic