Only Registrar-Lock protects one from bogus Registrar Transfers. Account passwords, etc are meaningless in this context - they only protect one's account at their current domain registrar.
The new domain registrar is who makes the transfer request - this is the step, in which one would assume logically, the "losing" domain registrar would be required to confirm the request, etc ... but the system does NOT work like that ... if the domain transfer isn't explicitedly rejected, it happens AUTOMATICALLY!
To make matters worse, a recent ICANN policy change Nov-12-2004 strongly discourages "losing" registrars from requiring any email acknowledgement from the registrant ... so now, not only do domain transfers happen automatically unless explicitely canceled (this part has long been true), the registrant need not be notified at all!
Oh, and hang on tight for the best way to "hijack" domains still isn't widely used yet ... which way is that ... by using the Whois Data Problem Reports System ... now one can actually get grab many nice domains they want, often LEGALLY!
Fortunately, WDPRS still isn't widely known by domain hijackers, but be aware this is a security hole EVEN BIGGER ... because NOT even Registrar Lock protects one's domains from being deleted in as little as *15 days* and subsequently registered by someone else (ie. the hijacker, etc). Ie. A missing country-code in the phone number field is a legitimate reason to file a Whois Data Problem Report - everyone has their correct country code in their Whois, right? LOL! ... point is many domains are vulnerable to this type of attack.
For more information on WDPRS ... see
http://wdprs.internic.net/ and also do a search for WDPRS on Google / DNForum.com ...
Ron