Premier League fantasy football app introduces 2FA to combat account takeover hacks
Authentication controls added to defend against threat of account takeover
The English Premier League has introduced two-factor authentication (2FA) controls to its official Fantasy Premier League (FPL) game, giving football fans the ability to secure their accounts.
2FA’s debut for the 2022/23 season follows a flurry of allegations of account hijacking attacks over the past two seasons. Criminals allegedly carried out multiple “transfers” of players from compromised accounts, leaving victims with weaker fantasy football teams while simultaneously racking up penalty points.
Victims struggled to make up lost ground, and for many their entire season was ruined. Unidentified attackers, whose potential motives could range from mischief to sabotage, also changed the team names of hacked victims.
Third parties caught “offside”
The FPL game had over nine million players last season, but the wave of hacking attacks appears to have disproportionately targeted the top performing teams – those ranked in the top 100,000 players.
Success in FPL allows players to win mini-leagues and earn bragging rights over their friends. Getting ahead in the game requires close, or at least weekly, attention to the form and fixtures of the Premier League stars that FPL participants select.
Although some participate in paid mini-leagues, free FPL is a hobby for most. Even so, many devote considerable effort to building the best team possible, a task aided by a community of FPL YouTube channels and team selection help websites.
Some of these team selection sites offer users the option to sign in using their official FPL game login details rather than creating a new account with the third-party website. This practice leaves many people at risk of so-called credential stuffing attacks if one of the FPL team management or statistics sites they use is hacked, because the stolen credentials also unlock their FPL account.
In September 2021, at the start of the 21/22 season, the Premier League blamed account takeovers on users sharing login details with anonymous third-party websites.
“There is no indication or evidence of a security breach on any of these individuals’ accounts via fantasy.premierleague.com or the Premier League mobile app,” the Premier League said at the time.
A team management website, Fantasy Football Hub, suffered a hack a few weeks later, in October 2021, which exposed hashed usernames, emails and passwords.
In response to the ongoing issue, the Premier League initially opted for the half measure of tweaking how the game works, so that managers were barred from making more than 20 transfers in a single game week, except in cases where a free move token was in play.
The change was criticized by the community as being inadequate, prompting the Premier League to promise the introduction of 2FA – but only from the 2022-23 season.
This commitment has been honored, with 2FA becoming a supported feature during the game’s recent relaunch for the 2022-23 season, ahead of games kicking off on August 5.
Adding two-factor authentication to an account means that just knowing a user’s login name and password isn’t enough – you also need a 2FA challenge code, usually a six-digit, time-varying number generated by an authenticator application.
The technology has been used by businesses for remote access to email for years, but more recently it has become widely available to consumers as a way to add protections first to email and then to social networks and now to online gaming accounts.
The introduction of 2FA to fantasy football has been well received by the community, although some users have complained that the feature is hard to find and not the easiest to activate.
In a typical response, Twitter user @FPL_Eire said: “A big thank you to @OfficialFPL for listening to the FPL community and adding it to the game. Getting hacked is a nightmare for FPL managers, so luckily we won’t see that happen to anyone this year.”