Re: online vs offline
There's no definitive data on it so feel free to take my comments with a grain of salt. 80% of the identity theft victims have no idea how it happened.
Existing stats are also misleading because most online fraud is not identity theft but rather ebay style fraud (over 50% of online fraud reports to the FTC are auction frauds and most of those are using Western union now because things like paypal are much more secure than credit cards offline and online).
Online
use of stolen cards is also common but the capturing of the data is easier offline. As anyone from a waitress to a trash collector often have access to your credit card info.
Cloning credit cards is happening more and more offline. It's easier to do offline than online and you can use it in many more places that way. There's a lot more appeal in a brick and mortar clone job.
The nature of offline transactions is much less secure, and almost always involved more human eyeballs than online (where the transaction is usually not ever reviewed by a human).
Using a credit card offline simply has many more means of foul play and the methods are a lot lot easier.
In addition, credit card companies almost always have more protection for online purchases than offline ones.
But don't expect any definitive data. Data on credit card fraud is guarded more tightly than the credit card info is.
It's "security through obsurity". Everyone I know who has suffered identity theft was not told by their credit card companies how it was done.
The last two people I know who had this AND know how it happend was:
1) a voided check sent to a mercedes dealer for automatic payments was discarded and a fraudster used it to clone checks and steal hundreds of thousands of dollars
2) credit card swipe at a gas station, the card was cloned