Registrar-lock is the only real protection against bogus registrar transfers ... account passwords, etc are meaningless in that context - if the domain is unlocked (speaking of .com/.net domains) it will very likely transfer, simple as that.
And then there's the WDPRS ... a security hole still wide open - and registrar-lock doesn't even matter! The only decent protection for WDRPS
http://wdprs.internic.net/ exploits at the moment is to:
1. Consolidate all domains to one or two registrars - this allows one to better track changes.
AND
2. Ensure all domains have similar email contact information - WDPRS is done via email ... miss that email and your domain(s) can be gone in mere days!
AND
3. Related to #2, have access to a computer even on holiday; don't take a holiday to begin with LOL! Every registrar I've contacted so far will suspend/delete domains in little as 5 to 15 days if the registrant doesn't respond to a Whois Data Problem Report - even if it's is obviously bogus!
Lastly, exploiting the WDPRS isn't theoretical ... it's been going on for awhile, but is still under the radar so to speak ... but don't expect that to be the case much longer - while such posts as mine likely will encourage more folks to try using the WDPRS to get already registered domains they want, hopefully ICANN will get their act together and implement meaninful security that truly protects the registrant ...
Ron