Interesting topic. if only it was as easy as Barnaby describes, wouldn't all the different banks use different hardware/software configurations? also consider CCTV recording, dye technology, etc.
In Australia, physical ATM attacks are preferred apparently
"Even self-service banking is expensive to provide. An ATM costs cost on average $40,000 and it then has to be installed, maintained and stocked with cash."
Sure, usually people that sell things like vending machines will sell the types of ATMs you see at convenience stores. They aren't quite the same as the ones the banks use, but they still hold cash.
I don't know about buying one from a vendor, but I bet if you knew the right ahem ring of people you could get a... used... one for whatever the blackmarket rate is
I don't know about the US in particular, but most countries have laws against intrusion into computer systems, referred as "automatized data processing" or the like. For example in France, you'd risk up to 3 years in prison and a 300,000€ fine for that kind of actions.
In Australia, physical ATM attacks are preferred apparently
http://www.smh.com.au/national/move-to-thwart-atm-gas-bomb-a...
http://news.ninemsn.com.au/national/701017/explosions-at-two...
http://www.abc.net.au/news/stories/2009/08/13/2654709.htm
as I was searching for those old articles I also came across:
http://www.crimes-of-persuasion.com/Crimes/InPerson/atm_scam... - ATM Cash-point Scams using "Lebanese Loop" Plastic Sleeves / Skimming Devices (which I initially thought was a joke) and
http://www.schneier.com/blog/archives/2006/09/programming_at... - from Schneier which is a good read.