FA (belatedly) says OK to 2FA

The English Premier League has bowed to pressure from fans to add 2FA authentication to its fantasy football platform after a spate of account hacks

A spate of account takeover hacks has prompted the English Premier League to promise to introduce two-factor authentication (2FA) controls to its official Fantasy Premier League game (FPL) from next season.

FPL has more than eight million players, who sign up with a standard email address and password, although 2FA is not offered as an option.

A wave of hacks this season has seen attackers seemingly targeting successful teams ranked in the top 100,000.

The precise number of account takeover attempts is unclear, but simply searching for the term ‘hack’ on FantasyPL Reddit shows many people are claiming to have been affected, and the problem is far from isolated.

In some cases, accounts have been deleted and many victims have struggled or failed to get back lost fantasy football league points.

Catch up on the latest password security news and analysis

The FPL game is free to enter and the chances of winning a prize, such as a trip to see a football game or Premier League merchandise, is slim to none.

Nonetheless, many FPL participants devote considerable time in researching and selecting their team over a period of months, in an effort to outscore and outrank their friends and colleagues in the many private leagues that are a feature of the game.

The game has also spawned a vibrant community of YouTube channels, discussion, and (several subscription-based) team aid selection websites.

Fantasy Premier League is a hugely popular fantasy football platformFantasy Premier League is one of the world’s most popular fantasy football platforms

The hackers have been making many transfers, resulting in deductions of points to compromised accounts and a severe ranking slide that can easily ruin a player’s season. The as-yet-unidentified miscreants have also been changing the names of victims’ teams.

The motive of the attackers (sabotaging rivals, sheer devilment, or something else) much less their identity remains unclear.

The Premier League has reacted to the escalating prevalence of hacks over recent weeks on its official Twitter account, advising users to frequently change or update their password on a regular basis – a practice that has drawn scorn from password security experts.

“Updating passwords on a regular basis is old and bad advice… you [should] use long and unique passwords for each service… coupled with 2FA,” Per Thorsheim, security expert and founder of the PasswordsCon conference, told The Daily Swig.

It’s all kicking off

Back in late September, earlier in the 21/22 football season, the Premier League – which is run under the auspices of the Football Association (FA) – offered a statement blaming incidents of account takeover on users sharing login details with unnamed third-party websites.

“There is no indication or evidence of a security breach on the accounts of these individuals via fantasy.premierleague.com or the Premier League mobile app,” it said at the time.

FPL players often use third-party websites or applications to aid team management. Many are assumed to be using the same login credentials across multiple sites, leaving them wide open to credential stuffing attacks if any site they have visited suffers a breach.

The Daily Swig sought the expertise of breach expert Troy Hunt, the founder of popular data breach search engine Have I Been Pwned?, who told us the circumstances of the hacks bore the hallmarks of credential stuffing attacks.

Read more of the latest cybersecurity news from the UK

One popular fan assistance site, Fantasy Football Hub, experienced a security incident earlier this year when it emerged that it had failed to use a strong hash for passwords. User passwords were compromised by the incident, Fantasy Football Hub admitted.

It’s unclear what influence, if any, this issue has had on the growing problem of FPL account takeovers.

Controversial rule change

Escalating incidents of accounts takeovers over recent weeks has brought the issue to the boil.

Last week the Premier League implemented a rule change, disallowing managers from making more than 20 transfers in a single game week, except in cases where unlimited transfers can be made without penalty (e.g. when the once-a-season Free-Hit chip is played).

The move from the Premier League to tweak the rules of the game than introduce 2FA sparked anger from the community and, under the weight of fan pressure, the Premier League relented on Tuesday (January 25) by promising to introduce 2FA – albeit, only from next season onwards.

“We will continue to take steps to protect account security and we are committed to the introduction of two-factor authentication for the 2022/23 season,” the Premier League said through its official Twitter account.

In an associated blog post on the Premier League website, game organizers blamed the spate of account takeovers on breaches to third party websites – further evidence in support of the credential stuffing theory – without naming particular suspects:

“A number of Fantasy Premier League managers have had their squad compromised in some way during the last week. We are sorry their season has been impacted in this way and the frustration it has caused.

“There is no indication or evidence of a security breach on the accounts of these FPL managers via fantasy.premierleague.com or the Premier League mobile app.

“Unfortunately, those FPL managers affected had used the same email address and password combination on other third-party websites or applications that have been involved in security breaches in the past. These breaches are not limited to websites or applications that provide FPL-related information or services.

“We would like to take this opportunity to remind all FPL managers that using the same email address and password combination on other sites puts the security of your FPL team at risk.”

Additional reporting by Jonny Pringle, software developer at PortSwigger.

YOU MAY ALSO LIKE Tor Project heads to Russian court in appeal against censorship