CNet is reporting that PayPal is launching a service aimed at reducing phishing attacks. This sounded like good news until I started reading more.
They write:
"If a fraudulent party somehow got hold of a person's username and password, they still wouldn't be able to get into the account because they don't have the six-digit code," Sara Bettencourt, a PayPal spokeswoman, said by phone Thursday. "This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection."
And CNet further comments:
eBay and PayPal are common phishing targets. These prevalent scams typically use fraudulent Web sites made to look like legitimate sites and spam e-mail to trick people into giving up their personal information such as login names and passwords.
Today phishers can make a web site that looks exactly like the real web site, including the request for the user ID and password. Users who sign up for this device will then have a user ID, a password, and a new SecurID number that changes every 30 seconds.
Is the theory behind this "layer of protection" that phishers will not know how to add one more field for victims to enter this new rotating number?
Adding this type of device will protect the early adopters. But as soon as a large percentage of customers use this device, the phishers will take it into account, and PayPal will be back to square one.
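To make the argument above concrete, here is an added example (not from the original post or from PayPal) that models the two cases a defender cares about. The first half implements a rotating six-digit code in the style the post describes (an HMAC-based one-time code with a 30-second step, as in RFC 4226/6238) and shows that the server cannot tell whether a code is typed by the real customer or replayed by a lookalike site a few seconds later, because the code carries no information about where it was entered. The second half contrasts that with a challenge-response whose answer is bound to the site origin the browser reports, which is the property that phishing-resistant authenticators rely on; the `origin_bound_response` scheme here is a simplified illustration of that idea, not any vendor's protocol, and the key material, timestamps and hostnames are constructed values.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # the rotation period the post describes


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code per RFC 4226 (dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based code: the counter is just the current 30-second slot."""
    return hotp(key, at_time // step)


def verify_totp(key: bytes, code: str, at_time: int,
                step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server-side check; accepts the current slot plus `skew` slots either side."""
    slot = at_time // step
    return any(hmac.compare_digest(hotp(key, slot + d), code)
               for d in range(-skew, skew + 1))


def rotating_code_demo() -> dict:
    """Constructed scenario: one code, presented at three different moments."""
    key = secrets.token_bytes(20)          # constructed shared secret
    issued_at = 1_000_000_000              # constructed timestamp (seconds)
    code = totp(key, issued_at)            # what the token displays
    return {
        # Customer types the code into the genuine site right away.
        "typed_at_real_site": verify_totp(key, code, issued_at + 5),
        # The same code reaches the server 20 s later from somewhere else;
        # the server has no way to know it was not the customer.
        "same_code_seen_20s_later": verify_totp(key, code, issued_at + 20),
        # Outside the window the code is dead, which is the only protection it gives.
        "same_code_after_2_minutes": verify_totp(key, code, issued_at + 120),
    }


def origin_bound_response(device_key: bytes, challenge: bytes, origin: str) -> str:
    """Simplified origin-bound answer: the device mixes the site origin the
    browser reports into the MAC, so the answer is only meaningful for that origin."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).hexdigest()


def verify_origin_bound(device_key: bytes, challenge: bytes, response: str,
                        expected_origin: str) -> bool:
    """The real server always verifies against its own origin, never the caller's."""
    expected = origin_bound_response(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, response)


def origin_bound_demo() -> dict:
    """Constructed scenario: same device, same challenge, two different origins."""
    device_key = secrets.token_bytes(32)   # constructed per-device key
    challenge = secrets.token_bytes(32)    # constructed server challenge
    real_origin = "https://www.paypal.com"
    lookalike_origin = "https://login.lookalike.example"  # constructed placeholder
    return {
        "answer_made_at_real_site": verify_origin_bound(
            device_key, challenge,
            origin_bound_response(device_key, challenge, real_origin), real_origin),
        # The browser reports the lookalike origin, so the device's answer is
        # bound to it and is rejected by the genuine server.
        "answer_made_at_lookalike_site": verify_origin_bound(
            device_key, challenge,
            origin_bound_response(device_key, challenge, lookalike_origin), real_origin),
    }


if __name__ == "__main__":
    print(rotating_code_demo())
    print(origin_bound_demo())
```

The takeaway for a defender is the third and fifth results: the rotating code only bounds how long a captured credential stays usable, while the origin-bound answer fails the moment it is produced for the wrong site. Monitoring for a second use of an already-accepted code within its window is a cheap detection signal for the first scheme, but it does not change the underlying weakness.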
I'll be interested in reading their policies around people who lose their token, or who left their token at home while on vacation. Will PayPal provide a mechanism for customers to temporarily disable the token under these circumstances? How will they be sure it's really me asking for them to lower their security level and not a thief?