A common way to grab CC info is at restaurants. While I can't be 100% sure, I'm pretty sure I've seen it done more than once. It's a perfect setting since usually the cashier/wait station is out of view of the customers, and it's a great place to hide what's known as a "skimmer", or a generic mag stripe reader you can get virtually anywhere. They take your card, run the actual bill, then swipe it again in the skimmer which just records all that cards info to a separate computer. Then all that info can be used to buy stuff online, or even make a dupe of your card. I've even heard of hackers making self-contained pocket versions that save data to a flash drive to be offloaded later, for the ultimate ease in stealing card numbers.
Newer cards have stuff to guard against this...only approved CC machines can read the stripes, and they're not as easy to get as a generic reader. Still, a savvy or determined person can get around them. The "24/7" fraud monitoring offered is a great service and catches a lot of bullshit, but it looks for "unusual" spending. Someone who's smart about it(if they were really smart they wouldn't be common theives) won't go on an instant buying spree, since that's sure to get the card cancelled ASAP. Couple things here and there that the fraud sniffers (and you) likely won't notice if you're not diligent about watching your statements.
In a "private" setting, an unscrupulous employee can even just write down the number, date, and CVV code manually and use it later for online purchases. The "skimmer" just does this faster, easier, and it's not as obvious as some jackoff scribbling down your CC info on a notepad.
Whenever possible I pay cash at restaurants or when I can't see my card being run.