Lessons From the Panix.com Domain Name Hijacking

23 Jan ’05

Internet Week has an excellent overview of the recent Panix.com domain name hijacking, including lessons on how to prevent it from happening to you. Notably, Panix.com was transferred even though a domain name lockdown was in place; the correct transfer procedures were simply not followed. Money quotes:

Companies should be sure to lock down domain records, to prevent them from being transferred or modified. Using lockdown, someone requesting a transfer needs to have an account with the registrar that currently holds the domain, and administrative privileges to make the change. The person making the change enters the account of the current registrar, switches off the lockdown, and then makes the change.

Normally, when making an account transfer, the new registrar checks with the current administrator of the domain name to verify that the request is legitimate. And the new registrar would also check to see if the domain is locked down. These steps were not taken in the panix.com transfer, according to published reports.

Lockdown is standard procedure for midsized and big Internet businesses, although very small businesses will often avoid using it, to give themselves the flexibility to quickly make changes or transfer domain names from registrar to registrar.

Businesses should also make the administrative contact for a domain private. While ICANN requires that contact information for a domain owner needs to be listed in the WHOIS database, some registrars offer an optional service that allows a company to make that contact information private. ICANN requires a public contact be listed in the database, but the registrar would know that the public contact is not the administrator. For example, for $9 per year per domain name, Network Solutions Inc. (NSI) will let a company make its contact information private.

If a domain owner makes the administrator contact private, then a registrar getting a domain name transfer request from the listed contact would know that the request is not legitimate.

Ideally, the administrative contact information should not be published anywhere. That way, a hacker couldn’t simply get, say, the CIO’s e-mail address off the company’s web site and try to use that to make a change.
