3 Times Businesses Were Denied Cyber Insurance Payouts

Cyber insurance is a type of insurance that protects businesses from financial losses that can result from a cyberattack. While it’s an essential tool for businesses of all sizes, there are some facts you should be aware of before purchasing a policy.

Just because you have cyber insurance, it doesn’t mean you are guaranteed a payout in the event of an incident. This is because you may not have the correct coverage for certain types of cyberattacks or you might have fallen out of compliance with your policy’s security requirements. As a result, it is critical to carefully review your policy and ensure that your business is adequately protected.

Learn from the past

Even though these examples are from the United States, the same thing could easily happen in Canada. Here are three real-life examples of denied cyber insurance claims:

Cottage Health vs. Columbia Casualty

The issue stemmed from a data breach at Cottage Health System. They notified their cyber insurer, Columbia Casualty Company, and filed a claim for coverage.

However, Columbia Casualty sought a declaratory judgment against Cottage Health, claiming that they were not obligated to defend or compensate Cottage Health because the insured didn’t comply with the terms of their policy. According to Columbia Casualty, Cottage Health agreed to maintain specific minimum risk controls as a condition of their coverage, which they then failed to do.

This case reminds organizations of the importance of reading their cyber policy, understanding what it contains and adhering to its terms.

BitPay vs. Massachusetts Bay Insurance Company

BitPay, a leading global cryptocurrency payment service provider, filed a $1.8 million insurance claim, but Massachusetts Bay Insurance Company denied it. The loss was caused by a phishing scam in which a hacker broke into the network of BitPay’s business partner, stole the credentials of the CFO of BitPay, pretended to be the CFO of BitPay and requested the transfer of more than 5,000 bitcoins to a fake account.

Massachusetts Bay Insurance stated in its denial that BitPay’s loss was not direct and thus was not covered by the policy. Massachusetts Bay Insurance asserted that a loss caused by a business partner being phished does not count as a covered loss under the policy.

Although BitPay is appealing the denial, this case emphasizes the importance of carefully reviewing insurance policies to ensure you understand what scenarios are covered. This incident also highlights the importance of employee security awareness training and the need to reach out to an IT service provider if you don’t have a regular training policy.

International Control Services vs. Travelers Property Casualty Company

Travelers Property Casualty Company requested a district court to reject International Control Services’ ransomware attack claim. The insurer argues that International Control Services failed to properly use multifactor authentication (MFA), which was required to obtain cyber insurance. MFA is a type of authentication that uses multiple factors to confirm a user’s identity.

Travelers Property Casualty Company claims that International Control Services falsely stated on its policy application materials that MFA is required for employees and third parties to access email, log into the network remotely and access endpoints, servers, etc. The insurer stated that International Control Services was only using MFA on its firewall and that access to its other systems, including its servers, which were the target of the ransomware attack in question, was not protected by MFA.

This case serves as a reminder that when it comes to underwriting policies, insurers are increasingly scrutinizing companies’ cybersecurity practices and that companies must be honest about their cybersecurity posture.

Travelers Property Casualty Company said it wants the court to declare the insurance contract null and void, annul the policy and declare it has no duty to reimburse or defend International Control Services for any claim.

Don’t be late to act

As we have seen, there are several reasons why businesses can be denied payouts from their cyber insurance policies. Sometimes, it could be due to a naive error, such as misinterpreting difficult-to-understand insurance jargon. In other cases, businesses may be maintaining poor cybersecurity hygiene.

Claritech Solutions can help you avoid these problems by working with you to assess your risks and develop a comprehensive cybersecurity plan. Feel free to reach out for a no-obligation consultation.

To learn more about cyber insurance, download our infographic titled “What Every Small Business Needs to Know About Cyber Insurance” by clicking here.

3 Types of Cyber Insurance You Need to Know About

As the world becomes more digitized and cybercrime increases, the need for cyber insurance is something businesses should not overlook. If your company handles, transmits or stores sensitive data, you need to know about cyber insurance.

Cyber insurance is intended to protect businesses from the monetary losses arising from a cyber incident that could jeopardize their future. It covers financial losses caused by events such as data breaches, cybertheft and ransomware.

Since small businesses often lack the resources or budgets of big corporations, cyber insurance can provide critical financial protection in the event of a cyberattack, helping them recover quickly.

Types of cyber insurance and what they cover

Although insurers may have their own specific classifications, cyber insurance can be divided into three broad categories:

Cybertheft insurance

With more and more businesses storing sensitive data online, the risk of cybertheft is more prominent than ever. As a result, ensuring that your company is adequately insured against this growing threat is critical.

Cybertheft insurance protects businesses from financial losses caused by digital theft. This type of insurance can cover a variety of cybertheft scenarios, including first-party cybertheft, embezzlement scams, payroll redirection and gift card scams.

Businesses of all sizes can be victims of cybertheft, and no business is too small to need cybertheft insurance. Therefore, even if there is a remote chance that your data or digital assets will be stolen, ensure you have cybertheft insurance for your business.

Cyber liability insurance

Cyber liability insurance includes third-party coverage for damages and losses, data breaches, regulatory penalties, credit monitoring and lawsuits.

Cyber liability insurance is a vital tool for small businesses like yours because the financial ramifications of a cybersecurity breach can be more severe than you can handle. This does not mean you should panic right now; it simply means that having cyber liability insurance can help your business recover and move forward even after a breach, without being stunted.

Cyber extortion insurance/ransomware insurance

Cyber extortion insurance protects businesses against ransomware attacks. This type of insurance can help cover the cost of ransom payments, recovery expenses, business interruptions and more. It can also provide access to a team of experts who can help with cyber extortion negotiations and forensics.

Keep in mind that an attack could still succeed even with the right cybersecurity solutions in place to protect your business. That’s why it’s critical to have cyber extortion insurance. It can help you recover from a ransomware attack and reduce the financial impact.

Let’s work together to ensure your success

Cyber insurance is a complicated and ever-changing industry. There are many factors that can influence whether or not you qualify for a payout in the event of a cyberattack, and trying to remain compliant with your insurance policy can be difficult. Working with Claritech Solutions can help you better understand your options and ensure that you have adequate security in place, increasing your chances of receiving complete coverage.

Not sure where to start? Contact us today to schedule a consultation. Our knowledge and experience may be just what you require.

We’ve also created an infographic titled “Cyber Insurance and Why Your Small Business Needs Coverage” that you can download by clicking here.

Don’t Fall for These Cyber Insurance Myths

As the world increasingly moves online, so do the risks to our businesses. Cyber insurance is one way to help your business recover following a cyberattack. It covers financial losses caused by events such as data breaches, cyber theft, ransomware and more.

Cyber insurance can be beneficial in many ways since it typically covers the cost of:

  • Recovering data
  • Legal proceedings
  • Notifying stakeholders about the incident
  • Restoring the personal identities of those affected

Due to the complicated nature of cyber insurance, there are a lot of myths out there that can be harmful to your business if you fall for them. Let’s debunk them together.

Cyber insurance myths debunked

Busting the top cyber insurance myths like the ones below is necessary so that you can make informed decisions for your business:

Myth #1: All I need to protect my business from cyberthreats is a cyber insurance plan

This could not be further from the truth. Your insurance provider will only cover your business if you meet the requirements outlined in your contract. Most reputable insurers will require proof that you have been following the proactive measures outlined in your policy. If you can’t prove your compliance, your claims are unlikely to be paid.

One of the most common insurance requirements is that you have top-tier cybersecurity protection. Despite the availability of a variety of cybersecurity solutions in the market, keep in mind that not all of them are the same. Finding a solution that offers the best protection for your needs is crucial.

Myth #2: I don’t need cyber insurance since I have cybersecurity solutions

Even though cybersecurity solutions can boost your defenses, they don’t make you immune to cyber incidents. Yes, cybersecurity solutions can reduce the risk of a cyberattack by identifying and protecting vulnerable points in your system. However, no solution can provide complete protection against all threats because staying on top of emerging risks can be challenging.

Additionally, human error can always result in vulnerabilities in a system, regardless of how secure it is. That’s why it’s a good idea to have a cyber insurance policy in place to fall back on in case of an incident.

Myth #3: Cyber insurance is easy to get

As technology advances, so do the occurrences of cyber incidents. With small and medium-sized businesses being the most susceptible targets of cybercriminals due to a lack of enterprise-level protection, the likelihood of an attack is high. Consequently, insurers are reluctant to provide coverage since the risks are significant. While policies are still available, they are becoming more expensive and difficult to obtain.

Myth #4: If I have a cyber insurance policy, my claims will be covered in case there’s an incident

If you can’t prove that you’ve complied with your cyber insurance policy’s prerequisites, your claim may be rejected. This is why you might want to consider partnering with an IT service provider, like us. Claritech can help you remain compliant with your cyber insurance policy as well as provide evidence of such compliance.

Partner for success

It’s crucial to not fall for the above myths about cyber insurance so that your business qualifies to invest in a policy and receive coverage. However, it’s also important to remember that cyber insurance is something that demands a lot more time and effort than you might have.

To protect your business effectively, you should partner with an IT service provider like Claritech to help you understand how to increase your chances of receiving coverage and a payout in the event of an incident. Reach out to schedule a no-obligation consultation.

Additionally, we created an infographic titled “What is Cyber Insurance and Why Your Business Needs Coverage” that you can download by clicking here.

Chrome Windows 10 Notifications – Here’s how to make them stop

More and more frequently, when I log into users’ computers I notice that their right-side Windows 10 notification bar is inundated with notifications. A common complaint is that they don’t know how they got there, they are incredibly annoying, and they don’t know how to get rid of them.

The origin of these annoying notifications is usually by visiting a site with Chrome. Other browsers also likely allow this, but I’m picking on Chrome because that’s what I use.

The site will usually pop up with a question, “<site> wants to show notifications”, with an Allow or Block option. This is what you get when you go to techradar.com:

A typical notification request

If you click “Allow” you’re giving that site permission to take control of your Windows 10 Notifications at all times, whether you’ve got a current browser window open or not. Here’s an example of a Tech Radar notification.

A techradar.com Windows 10 notification.

At least Tech Radar is transparent enough to show you how to unsubscribe. The good news is that it’s easy to rid yourself of all of those annoying notifications. Here’s how:

  1. If Chrome isn’t open, open it and select the 3 dots below the Close button in the top right corner of your browser window.
  2. Select Settings.
  3. Here’s a trick I recently learned. Instead of scrolling through the seemingly endless list of options looking for “Notifications”, go to the top search bar and start typing “notifications”. Chrome will highlight the relevant settings almost instantly.
  4. Click on the highlighted Site Settings, followed by the highlighted Notifications.
  5. Now you should see all of the sites you’ve blocked and the ones you’ve allowed. Click the 3 dots next to the offending site(s) in the Allow section and select “Block”.

Keep in mind that there are some notifications that are handy, especially if you use G-Suite or other CRM extensions. Hopefully this post gives you control over those annoying notifications once and for all.
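For anyone looking after more than one machine, the same Allow and Block lists the steps above walk through can be audited from the profile’s Preferences file instead of clicking through each browser. This is an added example, not code from the original post; it assumes the layout of Chrome’s Preferences JSON described in the comments, and the sample data is constructed.

```python
"""Audit which sites a Chrome profile has allowed to show desktop notifications.

Assumed layout of Chrome's per-profile "Preferences" JSON file (on Windows, under
%LOCALAPPDATA%\\Google\\Chrome\\User Data\\<profile>\\Preferences): the Allow/Block
lists shown under Site Settings > Notifications live at
profile.content_settings.exceptions.notifications, keyed by an origin pattern such
as "https://www.techradar.com:443,*", with "setting" 1 = Allow and 2 = Block.
"""
import json

ALLOW, BLOCK = 1, 2

# Constructed sample profile data, not a real user's file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://www.techradar.com:443,*": {"setting": ALLOW},
        "https://mail.google.com:443,*": {"setting": ALLOW},
        "https://example-news.invalid:443,*": {"setting": BLOCK},
    }}}}
})


def notification_permissions(preferences_json):
    """Return (allowed_origins, blocked_origins), both sorted, from a Preferences file."""
    prefs = json.loads(preferences_json)
    rules = (prefs.get("profile", {})
                  .get("content_settings", {})
                  .get("exceptions", {})
                  .get("notifications", {}))
    allowed, blocked = [], []
    for pattern, entry in rules.items():
        # "https://host:443,*" -> "https://host:443"; the part after the comma is the
        # secondary (embedding) pattern, which for notifications is normally "*".
        origin = pattern.split(",", 1)[0]
        setting = entry.get("setting")
        if setting == ALLOW:
            allowed.append(origin)
        elif setting == BLOCK:
            blocked.append(origin)
    return sorted(allowed), sorted(blocked)


def unexpected_allows(preferences_json, approved_prefixes):
    """Allowed origins that are not on the organisation's approved list, e.g. anything
    other than the G Suite sites the post says are worth keeping."""
    allowed, _ = notification_permissions(preferences_json)
    return [origin for origin in allowed
            if not any(origin.startswith(prefix) for prefix in approved_prefixes)]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="utf-8").read() if path else SAMPLE_PREFERENCES
    allowed, blocked = notification_permissions(data)
    print("allowed:", *allowed, sep="\n  ")
    print("blocked:", *blocked, sep="\n  ")
    print("not on approved list:", unexpected_allows(data, ["https://mail.google.com"]))
```

Run it with the path to a user’s Preferences file as the first argument; with no argument it reports on the constructed sample.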

It’s coming from inside the house!

Even if you’ve never seen (or heard of) the 1979 horror classic, When a Stranger Calls, you likely have heard the iconic line, “the call is coming from inside the house”. This line evokes instant fear in the recipient and is the same fear used in a classic email scam.

Fake emails have been around for at least three decades. Even today, it is easy to spoof someone’s email address for sending spam or phishing emails. The trouble stems from how trusting the whole Simple Mail Transfer Protocol (SMTP) is. You can essentially set your email address in your email client to be whatever you like and it will tell all your recipients that it came from that email address. Additionally, you can tell the recipient to reply to any other email address and the recipient’s client program will trust that, too.

Here are just a couple of the ways that this simple email spoofing can be used for fraud:

CEO Fraud

CEO fraud preys on an employee’s desire to feel important. It typically appears as an email from the CEO of your company. Often it is an innocent request at first, such as, “Are you still at the office?” to see if you’ll respond. The response always goes to the hacker’s email address, which may or may not look like the sender’s email. Often, no one notices that the reply is going to a different email address than the sender. Technically, this is accomplished by spoofing the “Mail from:” address and hiding the “Reply to:” address. If the Reply to: address appears similar to the Mail from: address, the fraud is less likely to be detected.

If you reply to the original innocent request, the hacker will then usually ask for a monetary favour with some sense of urgency to prompt a quick response. It could be as complicated and expensive as a wire transfer request, or as low budget as some iTunes gift cards. It can be embarrassing for the recipient and very costly for the company.

For more information on CEO Fraud, check out: https://www.knowbe4.com/ceo-fraud

Bitcoin Extortion Fraud

The bitcoin extortion fraud preys on its victim’s concern about being publicly exposed. This simple email scam involves sending a note to a recipient, using the recipient’s own address as the sender. The body of the email then goes on to say that you’ve been hacked and the hacker has complete access to your computer and all your contacts.

It continues that he has been recording you watching adult content on your PC. The only way to prevent the hacker from sending this recording to all of your contacts is for you to pay a certain amount of bitcoin to the hacker’s private wallet.

A variation of this scam is that the hacker includes a password of yours as “proof” that they’ve compromised your account. This password is invariably a real one that you recognize and is particularly dangerous if you happen to use the same password on many sites. The source of the password is almost always from a breach of a popular web service, such as LinkedIn or Yahoo. There have been dozens more over the last few years alone.
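Both scams above rely on headers the recipient’s client trusts blindly: the spoofed “Mail from:”, the hidden “Reply to:” pointing at the hacker, and, in the extortion variant, your own address used as the sender. The checks below, an added example rather than code from the original post, flag those patterns in a raw message using only Python’s standard library; the company domain, executive names and sample messages are all constructed assumptions.

```python
"""Flag the header tricks described above: a From: whose envelope sender
(Return-Path:) is somewhere else, a Reply-To: steering replies to the attacker,
an executive's display name on an outside address, and the extortion scam's
"sent from your own address" pattern.

Assumptions: COMPANY_DOMAIN is the organisation's own mail domain, EXECUTIVES
lists display names worth protecting, and the Return-Path: header reflects the
SMTP envelope "MAIL FROM" as recorded by the receiving mail server.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumed: the organisation's own domain
EXECUTIVES = {"jane doe"}        # assumed: lower-case display names to protect


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoof_indicators(raw_message):
    """Return a list of indicator names found in the message headers (empty = clean)."""
    msg = message_from_string(raw_message, policy=default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, envelope_addr = parseaddr(str(msg.get("Return-Path", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    findings = []
    # CEO fraud: the "Reply to:" address points somewhere other than the From: domain.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-domain-mismatch")
    # Spoofed "Mail from:": the envelope sender disagrees with the visible From: header.
    if envelope_addr and _domain(envelope_addr) != _domain(from_addr):
        findings.append("envelope-sender-mismatch")
    # Display-name impersonation: an executive's name on a non-company address.
    if from_name.strip().lower() in EXECUTIVES and _domain(from_addr) != COMPANY_DOMAIN:
        findings.append("executive-name-on-external-address")
    # Bitcoin extortion: the recipient's own address used as the sender.
    if from_addr and from_addr.lower() == to_addr.lower():
        findings.append("sender-is-recipient")
    return findings


# Constructed samples; the domains are reserved example.com / .invalid names.
CEO_FRAUD = """\
Return-Path: <relay-bounce@mail-relay.invalid>
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@webmail.invalid>
To: Bob Smith <bob.smith@example.com>
Subject: Are you still at the office?

Quick favour, are you at your desk?
"""

DISPLAY_NAME_SPOOF = """\
Return-Path: <jane.doe@webmail.invalid>
From: Jane Doe <jane.doe@webmail.invalid>
To: Bob Smith <bob.smith@example.com>
Subject: Urgent request

I need you to handle something for me today.
"""

EXTORTION = """\
Return-Path: <noreply@botnet-host.invalid>
From: <bob.smith@example.com>
To: <bob.smith@example.com>
Subject: Your account has been compromised

I have a recording of you. Pay the amount below to my wallet.
"""

LEGITIMATE = """\
Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: Bob Smith <bob.smith@example.com>
Subject: Quarterly numbers

See you at the 3pm review.
"""

if __name__ == "__main__":
    samples = (("ceo-fraud", CEO_FRAUD), ("display-name", DISPLAY_NAME_SPOOF),
               ("extortion", EXTORTION), ("legitimate", LEGITIMATE))
    for label, sample in samples:
        print(f"{label}: {spoof_indicators(sample) or 'no indicators'}")
```

These checks are a screening aid for a mail filter or a helpdesk triage script, not a substitute for the training the next section recommends.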

Protect Yourself

How can you protect yourself and your company from these attacks? The simple answer is training. While there are technical solutions that attempt to spot and prevent these types of emails from coming in, the reality is that the tactics are changing all the time and rely on unsuspecting users to fall victim. Proper training can harden you and your users against these attacks and help you spot future creative social engineering exploits. If something looks suspicious, it definitely warrants a closer inspection and a pause for thought.

Please call me if you’d like further information or would like to discuss training. It is much less expensive than you think.

Gone Phishing

Today I witnessed first-hand a new threat that has successfully caught a friend of mine: a DocuSign phishing email.

Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you in one of two ways:

  1. With an encrypted Word document attached (encrypted to bypass antivirus software) and an accompanying password to “unlock” it. This can unleash any sort of nasty surprise on its victims, including ransomware, which I wrote about last week;
  2. With a link to a phishing site that asks for email credentials to gain access to the DocuSign document. This provides the hacker complete access to your email account, including potential access to your OneDrive or Google Drive documents and also a base from which to launch a further attack to all of your contacts.

Neither of the above scenarios is pretty, and malware may end up installed on your workstation. So if you get emails that look like they come from DocuSign (or any other web service, for that matter) and have an attachment or a link requesting login credentials, be very careful. If there is any doubt, pick up the phone and verify before you act on any suspicious email. When I replied to the email I received today, the hacker actively responded and “assured” me that it was legitimate. This is a classic example of why you must use a separate medium to confirm the authenticity of any suspected email you receive!

How can you protect yourself from this type of threat? There are two things you can do:

  1. Pay attention to any email you receive and always be suspicious, particularly when an email is unexpected. If you or any of your staff need security awareness training, contact us!
  2. Implement two-factor authentication (this is a very old link – I’ll update it shortly) on your email system to prevent third parties from using stolen credentials. Again, contact us if you need assistance with implementing this for yourself and your users.

Remember: Think Before You Click.

Stay safe out there!

Dan


Ransomware Alert – What you should know

EXECUTIVE SUMMARY:

As-yet-unknown cyber criminals have taken an NSA zero-day exploit and weaponized a ransomware strain so that it replicates across networks without user intervention. There is a two-month-old Microsoft patch that urgently needs to be applied if you have not done so already. For older, obsolete systems such as Windows XP, the patch was only released this weekend.

I have written about ransomware in the past. For more information, see this link: Ransomware 101

Please contact us if you’d like more information or have any concerns.

WHAT YOU CAN DO ABOUT IT:
I have said this before: be very careful when you get an email with an attachment you did not ask for. If there is a .zip file in the attachment, do not click on it but delete the whole email. Remember: “When in doubt, throw it out!” If it was truly important, the sender will contact you by other means and can always resend the email.

Claritech has checked our list of supported devices and is actively patching the handful that were not up to date as they come online. If you are not under a current Claritech support plan, we urge you to either patch your systems yourself or contact us as soon as possible.

Whether or not you are a current Claritech customer, please contact us if you have any concerns or would like more information and a free vulnerability assessment.

BACKGROUND:
You may have seen the news this weekend. Criminal hackers have released a new strain of ransomware that spreads itself automatically across all workstations in a network, causing a global epidemic. If you or a co-worker are not paying attention and accidentally open one of these phishing email attachments, you might infect not only your own workstation, but it could automatically spread to those around you.

Hundreds of Thousands of Machines Infected Worldwide
Victims include FedEx Corp, Renault, Nissan, Russian banks, gas stations in China and the Spanish telecommunications firm Telefonica, which reported 85% of its systems being down as a result of the cyberattack earlier today; ironically, the Russian Interior Ministry had 1,000 machines encrypted. Even the German Railways were infected.

Dozens of hospitals in the UK were shut down. Cybersecurity experts have long used the phrase “where bits and bytes meet flesh and blood,” which signifies a cyberattack in which someone is physically harmed. This monster has infected hundreds of thousands of systems in more than 150 countries. Monday morning when people get back to work, these numbers will only go up.

Laptop Buyers Guide – April 2017


I often get asked, “What laptop should I buy?” In response, I wrote a quick and dirty buyers’ guide that I’ve emailed out to a few individuals.

For choosing a laptop, here’s my general criteria:


Models

My bias tends to be with Dell. Dell Latitudes and XPS models have worked well for me in the past. Lately, however, I’ve had bad experiences with the lower end Latitude models such that I can no longer recommend the 3000 series Latitude line. I’ve never been a fan of the Inspiron models either. Stick with the 5000 or 7000 series Latitude or XPS models. If you don’t like Dell, my second choice is ASUS laptops.

Screen Size / Weight


Pick your screen size first. That will dictate the portability. I recommend a 13″ or 14″ screen if you’re planning to carry it with you at all and want to hook it up to a monitor at home or the office. A 15″ would be okay if you don’t plan to hook it up to a monitor.

Processor

Once you’ve determined the size, the next thing I look at is processor. Depending on your budget, I’d get an Intel i5 processor as the minimum and an i7 if your budget allows. I don’t recommend AMD processors, but that’s just my personal bias.

Memory

Memory is next. I like to get a minimum of 8 GB and 16 GB is ideal these days. You can get away with 4 GB if it’s starting to get too expensive and the memory is upgradeable. It’s almost always cheaper to add memory later than it is to buy an upgrade from Dell. Before committing to a purchase, make sure the memory can be upgraded. Some smaller laptops only have room for one or two sticks. If you purchase a laptop and the slots are full, you’ll have to throw the existing sticks away to upgrade. Even worse, some models of laptops don’t even allow for memory or hard drive upgrades. If upgrades aren’t possible, make sure you get 16 GB if you want your laptop to last more than a couple of years.

Storage

Finally, the choice of storage is important. Since the cheaper laptops generally come with a 500 GB hard drive, the only decision you need to make is whether to go for the more expensive, but much faster solid state drive (SSD). Again, it’s about $300 to get a 250 GB SSD from Dell. If budget is a concern, I recommend going with the larger, but slower regular 500 GB drive and upgrading later. Swapping a hard drive for a solid state drive can dramatically speed up a slow laptop a year or two down the road. If you have it in your budget, you can always purchase an after-market 500 GB SSD for around $200 and throw out the drive that the laptop comes with. Doing it right away is going to be easier since you won’t already have a bunch of files on your new hard drive that you need to transfer. Again, make sure you check that your hard drive can be upgraded later if necessary. Some of the smaller portable units cannot be upgraded. If that’s the case, you are best going with a 500 GB SSD for longevity.

Touch or Non-touch

Does a touch screen matter? Personally, I don’t find touch screens to be worth it unless there happens to be a deal where you’re paying less than $100 more for touch. I tend to use touch on the smaller monitors when I’m not using them docked. In that mode they behave almost like a tablet. Most of the time, however, I’m docked to a larger monitor and to use touch on only one monitor out of two (or three) is kind of pointless.

It’s 2009, do you know where your data is?


In this post I want to talk a little about our data.  By our data I mean any information that is unique to us: files we’ve created that can contain personal or important information that we may want to keep private and/or that we want to have backed up.  Examples include your email files, your photos, tax files, resume, letters, school papers, even your MP3 files.

One of the challenges of managing all of this data is backing it up. If your hard drive dies for whatever reason, the data on that hard drive may be unrecoverable and all of that information (some of it priceless to us) may be forever lost. There are many options for backing up data and I highly recommend checking out this IT Business article for more information on some free online services as well as inexpensive external hard drive solutions. I personally use and recommend free Mozy for home and we resell Mozy Pro for business.

The Trouble with Untrusted Sites


It seems that rogue web sites will always be a part of our daily lives.  You run into them most often when searching for a particular topic and click on one of the listed sites from your search:  suddenly your browser takes on a life of its own, spawning additional browsers and taking you places you’d rather not go.  More often than not, these sites will start a fake antivirus scan and “alert” you that you’ve got multiple infections and then provide you with an easy “fix” that will not only ask you for a credit card number, but will also install all sorts of nasty spyware on your computer.

There are a number of ways to protect yourself from these rogue sites, but unfortunately none of them are foolproof.  A good antivirus product should always be your first and best line of defense.

In this article, I’m describing one of my favourite low-cost measures to protect your Internet Explorer browsing experience:  the use of Trusted sites.  Here’s how it works in a nutshell:

  1. Under Internet Options/Security, crank up the security of the Internet zone to the maximum (High).  This will disable (almost) all functionality on any untrusted site you stumble across.
  2. Whenever you find a site that has functional problems because it uses Flash or Javascript, and you trust that site, you can manually add that site to your Trusted Sites list under Security Options to enable (most) functionality.

The concept is simple, yet in practice it can be a bit of a pain to set up and use successfully. Here is a good how-to article I found when searching on Internet Explorer and Trusted Sites: http://surfthenetsafely.com/ieseczone7.htm. It explains exactly how to set this up and includes a link at the bottom for a Power Tweaks utility from Microsoft for IE that can be used to add an “Add to Trusted Sites” menu option to IE.

Once you’ve configured your IE browser to work with Trusted Sites, there are still times that things just don’t work. Some sites will give you a hint as to what the problem is (“this site requires you to have the latest version of Flash”, or to have ActiveX enabled, etc.), but many other sites just do nothing, even after they’ve been added to your Trusted Sites zone. The most common reason for this is that many sites use background services on affiliated or even third-party sites that also need to be part of your Trusted Sites zone for full functionality. An example of this is any site that uses CAPTCHA (a challenge-response mechanism to ensure a live person is subscribing), such as Ticketmaster.

If a particular site doesn’t work even after you’ve added the site to your Trusted Sites zone, here are some of the things you can try, in increasing order of complexity and/or decreasing order of security:

  1. I often add a wildcard to the trusted site, such as *.ticketmaster.com, to get all of the sub-domains of the main www site.  Sometimes you also need to add *.ticketmaster.ca, if the site has a Canadian presence.
  2. If item 1 fails, try going to menu Page/ (in IE 7) or Safety/ (in IE8) and Select Webpage Privacy Policy…  In the window list that comes up, you’ll see all of the web sites that make up the page that you are viewing.  Be very careful NOT to add all of the sites that you see in that list to your Trusted Sites zone.  Many of these are just advertisement links and other tracking processes that you really don’t want to trust.   You need to look for the one or two sites in the list that can likely be causing you problems.  In the case of Ticketmaster, the sites are *.ticketmaster.ca, *.ticketmaster.com and https://api-secure.recaptcha.net, the site that provides the CAPTCHA challenge/response code on behalf of Ticketmaster.
  3. If all else fails, or if item 2 above is too complicated, it’s always a good idea to have a second browser (such as Firefox) available to try on the uncooperative site.

Whichever method you choose to protect your Internet browsing experience, keep in mind that a good antivirus product is your first line of defense, that no browser and no solution is 100% secure, and that you’ve got to be constantly vigilant when it comes to online activities.

PayPal and two-factor authentication

I’ve been a huge proponent of two-factor (something you know and something you have/are) authentication for several years now.  I understand that nothing is 100% secure, but I haven’t seen anything better come along. 

I’d like to see more services provide this type of authentication option.  PayPal has a feature called Security Key that allows you to add two-factor authentication to your PayPal account.  LogMeIn has a similar implementation for even their free version of the service.  They allow one-time passwords as well as the use of SecurID cards.

I’ve used PayPal’s Security Key with some success.  I only have two concerns with it:

  1. It allows the user to bypass the security key for times when you don’t have your second factor available or the service isn’t working;
  2. The service isn’t 100% reliable (at least not the cell phone key).

I applaud PayPal for introducing additional security to their service. A system as important and valuable as PayPal needs to be a leader in online security. 

Unfortunately, when it allows the user to bypass the security key, it effectively voids the two-factor component and just asks the user for one or more things he already knows, thereby making the first factor a little more complicated and the second factor unnecessary.  The reason they do it is because the service isn’t 100% reliable. 

Even so, I’d like PayPal to allow the user to decide whether they want the system to allow an override of the second factor.  In this way, I can force all authentication to go through my security mechanism and, if it isn’t available or not working, I’ll just have to wait until it is.  I think that is a reasonable compromise.