Bruce Schneier also has some stories of different but related credit card scams which also exploit the fact that authorisation codes are not checked at the time of the transaction: <a href="https://www.schneier.com/blog/archives/2014/07/debit_card_over.html" rel="nofollow">https://www.schneier.com/blog/archives/2014/07/debit_card_over.html</a> and <a href="https://www.schneier.com/blog/archives/2009/01/in-person_credi.html" rel="nofollow">https://www.schneier.com/blog/archives/2009/01/in-person_credi.html</a>