Well done Paypal – customers apparently will get a dongle (for free if you are a business) that generates a password that you use along with your own each time you login to Paypal.
Paypal fraud is a huge problem, and the service is highly sensitive to phishing attacks. Phishers will still have one shot at a users account with the dongle system – a fake login screen wil capture the user name, password and only one one-time key. However when the key generates a new number, and that number is used to login by the real customer, then Paypal would (hopefully) prevent the previous key from ever being validly used.
<update>
looks like the fob password only lasts for 30 seconds, so this really does lock out all but the most saavy scammers.
Lance Wiggs 