[javajosh]

I think a big reason is that the alternatives are worse across some dimensions. Credit cards are especially bad, since they are trivial to steal (and its at best painful to address fraud, and at worst you can lose a lot of money). So, basically paypal hides your credit card. But, as the OP noted, other things now count as your credit card! In his case, his Facebook account connected to Paypal connected to his bank was, effectively, a credit card that got stolen.

And sadly there are people (on this thread) who still blame the OP. Of course the payment wasn't authorized, and the OP is very articulate about what happened. At the end of the day, money middle-men are very effective at pointing fingers at one-another, the effect being that the user will throw up their hands and give up. (This happened to me once and cost me about $15k, and I was unable to recover any of it). But what makes it even worse is how conditioned we all are to accepting blame for what is, ultimately, an authentication mistake made by the financial institution(s).