EETimes: Paypal talks about security on mobile devices
A good article on mobile phone security and authentication.
Just protecting the user’s login screen will not be protection enough as the stakes increase. There must be a way to bind the physical identity of the mobile device—some identifying hardware characteristic—to the PayPal account, while allowing only minimum exposure of the user’s password to the network. He suggested several alternatives, only to reject each of them. SIM cards could work, but would require the cooperation of the world’s service providers—an unlikely scenario at best. Micro SD cards similarly could work, but would add cost to the handset that neither the service providers nor the end users would likely accept.
I'd have thought the cooperation of the world's service providers would be something they would be pursuing.