This week in security news

The rise in online scams has companies spending hefty sums to educate customers about fraud prevention and to address phishing damage.

Steven Musil Night Editor / News
Phishing is one of the fastest-growing forms of personal fraud in the world. While consumers are the most obvious victims, the damage spreads far wider--hurting companies' finances and reputations and potentially undermining consumer confidence in the safety of e-commerce.

Phishing scammers typically send out an e-mail that appears to come from a trusted company, such as a bank or an e-commerce Web site. The phishing messages attempt to lure people to a bogus Web site, where they're asked to divulge sensitive personal information. The attackers can then use those details to steal money from the victims' accounts.

Companies are paying a hefty amount to fix phishing damage. In many cases, they make good on their customers' losses. Companies are also spending money to educate customers about fraud prevention, and the cost of polishing up a tarnished brand is hard to estimate.

As part of that effort, banks are looking to bring down the number of phishing attacks by adopting two-factor authentication, which would require people to produce two forms of identification, according to Microsoft. The company's chief security strategist, Scott Charney, said that companies had failed to adopt the technology as fast as he would have liked.

"We haven't had as much adoption as you would hope for," Charney said at the Microsoft IT Forum in Copenhagen. "A lot of solutions for two-factor authentication are for enterprise spaces. If you get two-factor authentication to the consumer level, you reduce the phishing threat."

Microsoft has been focusing a lot on security, as well as coming under a lot of security scrutiny. This week, three more vulnerabilities were found in version 6 of Internet Explorer. That brings the total number of IE vulnerabilities disclosed in the past two months to 19, including eight flaws fixed by Microsoft during its October patch cycle.

The latest flaws were found by two different researchers and could be used together to allow malicious content to bypass a mechanism in Microsoft Windows XP Service Pack 2 that alerts people about potentially harmful programs. The third vulnerability could be used to overwrite the cookies of a trusted site to hijack a Web session, if the site handles authentication in an insecure manner.