Well done Paypal – customers apparently will get a dongle (for free if you are a business) that generates a password that you use along with your own each time you login to Paypal.
Paypal fraud is a huge problem, and the service is highly sensitive to phishing attacks. Phishers will still have one shot at a users account with the dongle system – a fake login screen wil capture the user name, password and only one one-time key. However when the key generates a new number, and that number is used to login by the real customer, then Paypal would (hopefully) prevent the previous key from ever being validly used.
looks like the fob password only lasts for 30 seconds, so this really does lock out all but the most saavy scammers.