
Combating Digital Banking Fraud and Account Takeover (ATO): A Strategic Approach Through the Lens of the Pyramid of Pain and Kill Chains

In the ever-evolving landscape of digital banking, the sophistication and frequency of fraud attempts have escalated, posing significant challenges to the security of financial institutions and the safety of customer assets. Among the various types of fraud, account takeover (ATO) stands out as a particularly insidious threat. ATO occurs when fraudsters gain unauthorized access to a bank account and make fraudulent transactions, transfer funds, or steal sensitive personal information. This form of fraud not only results in financial losses, but it can also damage the trust between banks and their customers.

The means by which fraudsters carry out these attacks include social engineering, phishing, multifactor authentication (MFA) bypass, credential stuffing, external account linking, and others. Furthermore, these attacks are most often carried out in stages. This means that to effectively combat ATO (and other forms of digital banking fraud), it is crucial to understand and disrupt the tactics, techniques, and procedures (TTPs) employed by fraudsters. This approach is encapsulated in two conceptual models that offer valuable insights into developing robust defense mechanisms: David Bianco's Pyramid of Pain and the concept of kill chains.

The Pyramid of Pain

David Bianco's Pyramid of Pain is a framework that categorizes the ways we can detect cybercriminals and illustrates the goal of increasing the adversaries' cost of operations. From the bottom to the top, the pyramid includes hash values, IP addresses, domain names, network/host artifacts, tools, and TTPs. As one moves up the pyramid, the difficulty for attackers to change their methods increases, making TTPs the most effective yet challenging level to address.

[Figure: Pyramid of Pain]

Let’s walk through a common example. When the question is asked, “Can we block the IP address of a known fraudster?”, the simple answer is yes: we can, and oftentimes do, block IP addresses. However, you will notice that this sits toward the bottom of the pyramid. Why is that? IP addresses are trivial for an attacker to change. They simply originate their attacks from a new location and carry on their nefarious operations. One can see how the business of identifying and blocking IP addresses can more closely resemble a game of Whac-A-Mole. It should be noted that there are other good reasons why IP address blocking is not ideal, but let us set those aside for now, as they are not the focus of this article.

By focusing on the top of the pyramid, organizations can force adversaries into more costly and time-consuming efforts to change their behavior, thereby reducing the frequency and effectiveness of attacks. So how do we do that? What are these TTPs at the top of the pyramid and how do we disrupt them? 

The Concept of Kill Chains

The concept of kill chains breaks down the process of an attack into stages, providing a structured framework to understand and disrupt cyberthreats. Originally developed by Lockheed Martin, the Cyber Kill Chain framework includes reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives.

[Figure: Cyber Kill Chain Framework]

Visualizing fraud attempts within the context of a kill chain allows financial institutions to identify and mitigate vulnerabilities at each stage of an attack, effectively disrupting the fraudster's workflow. Other frameworks have followed in the footsteps of the original Lockheed Martin kill chain, including MITRE ATT&CK, the Blade framework, and others. While some of the terminology and organization differ, the core underlying concept remains the same. Like those before us, we should adopt this approach and work through the following ATO Kill Chain, which has been simplified into three main stages: planning, launching, and cashing.

[Figure: ATO Kill Chain]

Combating Fraudsters Through TTPs and Kill Chains

To combat digital banking fraud, especially ATO, it is essential to disrupt the fraudsters' TTPs across the various stages of the kill chain. The TTPs to watch for and disrupt at each stage are:

  • Planning—TTPs include breach datasets, personal information for sale on the Dark Web, and reconnaissance
  • Launching—TTPs include phishing kits, copycat domains, malware delivery, social engineering, and various hacking attempts in the form of credential stuffing, username enumeration, MFA bypass, and session hijacking
  • Cashing—TTPs include external account linking, P2P transfers, and other forms of money movement
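The following is an added example, not code from this article or from Q2, illustrating the Pyramid of Pain point made above and the "launching" stage TTPs just listed. It runs two detections over a constructed set of login-log lines: an IP blocklist (bottom of the pyramid, defeated as soon as the fraudster rotates addresses) and a TTP-level credential-stuffing detector that keys on the behaviour itself, namely many distinct usernames failing within a short window, regardless of source IP. The log format, the IP addresses (RFC 5737 documentation ranges), the usernames and the thresholds are all assumptions made for the example.

```python
"""Added example (not Q2's code): an IP blocklist versus a TTP-level
credential-stuffing detector, both run over constructed login-log lines."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. The fraudster sprays leaked credentials while
# rotating through three source addresses; one attempt (ivan) succeeds.
# The last three lines are a legitimate user mistyping her own password.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z 203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z 198.51.100.7 user=carol result=FAIL
2024-05-01T10:00:04Z 198.51.100.7 user=dave result=FAIL
2024-05-01T10:00:05Z 192.0.2.9 user=erin result=FAIL
2024-05-01T10:00:06Z 192.0.2.9 user=frank result=FAIL
2024-05-01T10:00:07Z 192.0.2.9 user=grace result=FAIL
2024-05-01T10:00:08Z 203.0.113.5 user=heidi result=FAIL
2024-05-01T10:00:09Z 198.51.100.7 user=ivan result=SUCCESS
2024-05-01T10:30:00Z 10.1.1.1 user=judy result=FAIL
2024-05-01T10:30:05Z 10.1.1.1 user=judy result=FAIL
2024-05-01T10:30:20Z 10.1.1.1 user=judy result=SUCCESS
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed 'timestamp ip user=... result=...' format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, ip, user_kv, result_kv = line.split()
        events.append(LoginEvent(
            ts=datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"),
            src_ip=ip,
            username=user_kv.split("=", 1)[1],
            success=result_kv.split("=", 1)[1] == "SUCCESS",
        ))
    return events


# Bottom of the pyramid: only the one address we already know about.
KNOWN_BAD_IPS = {"203.0.113.5"}


def blocklist_hits(events, blocklist=KNOWN_BAD_IPS) -> list[LoginEvent]:
    """Indicator match: catches only attempts from already-known addresses."""
    return [e for e in events if e.src_ip in blocklist]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=6, min_distinct_users=5,
                               max_attempts_per_user=2):
    """TTP-level detection: flag any window in which many different
    usernames fail, each tried only a few times, whatever the source IP.
    Returns one (window_start, attempts, distinct_users) tuple per window."""
    failures = sorted((e for e in events if not e.success), key=lambda e: e.ts)
    alerts = []
    start = 0
    for end, ev in enumerate(failures):
        while ev.ts - failures[start].ts > window:   # slide the window
            start += 1
        span = failures[start:end + 1]
        per_user = Counter(e.username for e in span)
        if (len(span) >= min_attempts and len(per_user) >= min_distinct_users
                and max(per_user.values()) <= max_attempts_per_user):
            alert = (failures[start].ts, len(span), len(per_user))
            if alerts and alerts[-1][0] == alert[0]:
                alerts[-1] = alert   # same window, keep the latest counts
            else:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blocklist caught:", [e.username for e in blocklist_hits(evs)])
    print("stuffing alerts:", detect_credential_stuffing(evs))
```

Run as written, the blocklist sees only the three attempts from 203.0.113.5 and misses the successful takeover of ivan's account, while the TTP detector raises a single alert covering all eight spray attempts and stays quiet for judy's three retries of her own password. Moving the fraudster to fresh addresses changes nothing for the second detector, which is the practical meaning of "forcing adversaries up the pyramid".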

Combating digital banking fraud, particularly account takeover, requires a strategic approach that focuses on disrupting the TTPs of fraudsters. By applying the principles of the Pyramid of Pain and the concept of kill chains, financial institutions can develop a defense in depth strategy that addresses vulnerabilities at each stage of an attack. Q2 leverages this approach when designing our digital banking products and introducing fraud countermeasures. For help and detailed guidance on how to implement any of these countermeasures, contact the Q2 Fraud Intelligence team at