Paypal introduces Verisign security token

Technology | Tuesday 20 February 2007 11:28 am

Paypal is one of the most frequently phished sites, since the risk-reward ratio is so high for attackers.  By harvesting only a few accounts, attackers can get access to real money. Compare this to phishing for email accounts, which hardly have any direct monetary value.

While these attacks are hardly untraceable, they have a definite, real impact on affected users, even if it turns out to be solely the inconvenience of recovering their account.  In the worst cases, users lose real dollars when funds are transferred out of their accounts, especially when payments are sent to international recipients.

In a not so surprising move, Paypal announced they are offering an option for their users to use a Verisign token that will improve the security of their sign-in process.  The security token will cost users a $5 one-time charge.  With the security token, users will still enter their username and password at sign-in, but in addition to that, they will also enter the 6-digit random numeric code that appears on their token.  The numeric code changes every 30 seconds.

This improves security because attackers will not be able to access your account simply by stealing your password. They will also need to steal your security token, which is a physical device and obviously much more difficult to steal on a large scale.
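The post does not say which algorithm the token runs. As an added illustration (not PayPal's or Verisign's code), the example below assumes RFC 6238 TOTP with HMAC-SHA1 and shows a server-side check in which a phished password alone, or a code replayed after use, fails sign-in. `Account`, `sign_in`, the password and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # 30-second window and 6-digit code, as in the post

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code (assumed algorithm) for the window containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:  # hypothetical server-side record
    def __init__(self, password: str, salt: bytes, token_secret: bytes):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.token_secret = token_secret
        self.last_window = -1  # newest window whose code was already accepted

def sign_in(acct: Account, password: str, code: str, now: int, drift: int = 1) -> bool:
    """Require password AND a fresh token code; each code is accepted once."""
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    current = now // STEP
    matched = None
    for window in range(max(0, current - drift), current + drift + 1):
        expected = totp(acct.token_secret, window * STEP)
        if window > acct.last_window and hmac.compare_digest(expected, code):
            matched = window
    if pw_ok and matched is not None:
        acct.last_window = matched  # block replay of a captured code
        return True
    return False

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real token seed
    acct = Account("correct horse", b"constructed-salt", secret)
    now = 59
    code = totp(secret, now)
    print("password + code:", sign_in(acct, "correct horse", code, now))
    print("replayed code:  ", sign_in(acct, "correct horse", code, now))
    print("password only:  ", sign_in(acct, "correct horse", "", now))
```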

I’m always in favor of increasing user security, and especially services that help their users through user education and offering tools to combat attacks.  It’s safe to say that not all of Paypal’s users will use the security token (by a long shot), but it’s definitely a useful tool for those users savvy enough to put up with the hassle of carrying the token around and safeguarding it appropriately.
