An Egyptian hacker demonstrated that, using a single exploit, it is possible to take control of any PayPal account due to the presence of a series of flaws. http://securityaffairs.co/wordpress/30755/hacking/hacking-paypal-account-poc.html
A perfect example that protecting only from malware is not enough. Besides strong account protection (including 2FA & best practice for reminder questions), I use Requestpolicy (for Fx), Kissprivacy (for Chrome), and CSFire (for both) to prevent CSRF. However, I admit those tools are not suitable for most users. I think a better heuristic against CSRF with a vast whitelist & blacklist (basically allowing only 'from good site to good site' cookie & HTTP auth requests) will be possible, and AV vendors should build it.
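
The "good site to good site" heuristic proposed above can be sketched as a filter that strips ambient credentials from cross-site requests. This is an added example, not part of the original post and not code from any of the extensions named in it. The site lists, the `siteOf` shortcut, and the request shape are assumptions made for illustration.

```javascript
// Hypothetical policy lists, constructed for this example.
const GOOD_SITES = new Set(["pay.test", "shop.test"]);
const BAD_SITES = new Set(["evil.test"]);
const CREDENTIAL_HEADERS = ["cookie", "authorization"];

// Simplified "site" key: the last two host labels. A real implementation
// would use the Public Suffix List (hosts such as *.co.uk and bare IP
// addresses are mishandled by this shortcut).
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split(".").slice(-2).join(".");
}

// Decide whether a request started by `initiator` may carry cookies or
// HTTP auth to `target`. A null initiator means typed URL or bookmark.
function decide(initiator, target) {
  const to = siteOf(target);
  if (BAD_SITES.has(to)) return "strip";
  if (initiator === null) return "allow"; // direct navigation by the user
  const from = siteOf(initiator);
  if (from === to) return "allow"; // same-site request
  if (BAD_SITES.has(from)) return "strip";
  // Cross-site: only "good site to good site" keeps credentials.
  return GOOD_SITES.has(from) && GOOD_SITES.has(to) ? "allow" : "strip";
}

// Return the verdict and a copy of the headers. On "strip" the request can
// still be sent, but without the session cookie or Authorization header
// that a CSRF attack depends on.
function filterRequest(req) {
  const verdict = decide(req.initiator, req.url);
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    const isCredential = CREDENTIAL_HEADERS.includes(name.toLowerCase());
    if (verdict === "strip" && isCredential) continue;
    headers[name] = value;
  }
  return { verdict, headers };
}

// Constructed sample: a page on an unlisted forum triggers a request to pay.test.
const SAMPLE_REQUEST = {
  initiator: "https://forum.unlisted.test/thread/42",
  url: "https://www.pay.test/transfer",
  headers: { Cookie: "sid=constructed", Accept: "*/*" },
};
console.log(filterRequest(SAMPLE_REQUEST)); // verdict "strip", Cookie removed
```

The default for unknown sites is "strip", so the lists only need to cover cross-site flows that legitimately require a logged-in session.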