PayPal probably has good enough fraud detection that easier-but-riskier integration is still a net win for PayPal. (Not so much for the rest of the internet, though...)
Similarly, Google's "No CAPTCHA" (https://news.ycombinator.com/item?id=8693767) lets Google offer a better experience than a traditional CAPTHCA. I'm somewhat surprised that better fraud detection leads to better UX, but it's pretty neat.
It's not just PayPal fraud per se. Leaking user's PayPal email address and password has a lot of other consequences. (Yeah yeah in theory you should use distinct passwords for different sites etc etc)
To log in paypal account password is enough, user-agent and IP/location can be faked. When you're in you get access to user's transaction history. Ouch.
I just spent 10 minutes navigating the Paypal website trying to activate 2-factor auth on my account. Apparently they don't even offer it, at least for Singapore accounts.
Similarly, Google's "No CAPTCHA" (https://news.ycombinator.com/item?id=8693767) lets Google offer a better experience than a traditional CAPTHCA. I'm somewhat surprised that better fraud detection leads to better UX, but it's pretty neat.