[JoachimSchipper]

Yes, but if PayPal's security is good enough, that's everyone else's problem.

(Yes, that's pretty nasty - but is putting a poorly-secured "startup" online really any better?)

[homakov]

To log in paypal account password is enough, user-agent and IP/location can be faked. When you're in you get access to user's transaction history. Ouch.

[Gigablah]

I just spent 10 minutes navigating the Paypal website trying to activate 2-factor auth on my account. Apparently they don't even offer it, at least for Singapore accounts.