mis_chiff,
I'm not following you.
Somebody couldn't transfer your domain or push your domain out of your registrar account unless they have access to your registrar account.
If they gain access to the email that you are using for your registrar account, then of course they will have access to your registrar account as well.
So there are two things that you need to protect:
1. The email account that you have used to open your registrar account.
2. Your registrar account login details.
#2 is very simple. Don't click on any links sent by email. Also don't use the same password anywhere else. See my password management strategy HERE.
#1 is also simple. Don't use that email for anything else. Create a special email that you use only for opening registrar accounts and never use or mention that email anywhere else. Don't use that email on your whois. Why would you want to expose your email address to scammers? For them to have something to work with? Don't do that. Never tell anybody your account email.
That said, there are some very careless registrars like GoDaddy and Dynadot who expose your account email to others. For instance, when you get a domain pushed to your GoDaddy account, you need to give the other user your GoDaddy account email. How stupid is that? This is like giving away your credit card number to a complete stranger.
GoDaddy doesn't fix their problem because when your email gets hacked they will argue it's not their fault. But they are the ones who force you to expose your account email in the first place to people you don't know.
I had the same issue recently with Dynadot. They are very annoying as well. When you buy a Dynadot domain from somebody and he needs to push it to your account, you need to give that person your account email. See #5 here:
How do I initiate a Change Ownership request? (domain push)
On 20th May I sent a long email to Dynadot suggesting they should change their system. They wrote back and told me:
Hello,
What do you think the risk is in giving out your account email address?
Best Regards,
Dynadot Staff
I wrote another long answer with examples and links and the person said they will pass it to management, which I'm sure will just ignore it.
I think account email and whois email should be clearly separated from one another at the very beginning when you create your account. They could simply ask me "enter your account email" and show me one box, then say "enter your whois email" and show me another box. I have yet to see one registrar who does that.
At Namecheap you can create profiles and make one of these your default profile. This way when you register a domain it uses your profile details for whois and not your account email. With domains pushed into your account their system incorrectly used your account details instead of the default profile. I contacted them about this about 2 years ago. I don't know if they have fixed it.
One thing I would like to hear from others is which registrars make it very easy to hide your account email from whois on all occasions.
I can tell you that Network Solutions is the worst. They don't let you edit your whois details at all. You actually need to create a completely new account and connect that second account with your first and then use its contact details. Their system is totally stupid and the worst I have ever seen.