Is your PayPal account your primary email address?

Are you primarily running Windows?

Have you looked through your email to see if there's any possible phishing mails pretending to be from PayPal? A nicely implemented phishing scam would take you to the real paypal site as soon as you entered your credentials, so that the fake URL would only be up on the browser for that moment in time as you typed.

Have you done a malware scan to make sure you don't have any keyloggers installed?

BTW, the key/SMS can be side-stepped by answering one or more "security" questions in addition to supplying the password. From a phishing perspective, this isn't any more secure than not having any external key device enabled at all.

A nice and easy addition to PayPal's site would be the ability to restrict login to an ID that is not the email address used for sending/receiving money. In other words, security through obscurity.