Replace by fee. Zero-confirmation transactions have always been insecure; replace-by-fee is essentially Firesheep for this vulnerability -- it puts a friendly UI on it and drops the technical acumen required from "substantial -- you probably have to write your own complicated C++ code" to "you have to be willing to lie; that's it."
(Replace by fee in a nutshell: All Bitcoin transactions are unstable for a period of time, generally believed to be "approximately 60 minutes." Exploiting this instability to retroactively invalidate a transaction was possible but beyond the ken of casual attackers. Replace by fee lets you reverse any transaction you made younger than N minutes by simply saying "I'm willing to outbid the fee I offered on that transaction. The new transaction does this new thing, for example replacing the $100 transaction 'pay from my left pocket to restaurant for dinner' into 'pay from my left pocket to my right pocket.'")
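A defender-side illustration of the point above, added here and not part of the original comment: a merchant watching its own view of the mempool can at least notice when a pending payment is replaced by a conflicting transaction, and can tell a plain fee bump apart from the "left pocket to right pocket" rewrite. The transactions, txids and amounts are constructed; `ConflictWatcher`, `payee_still_paid` and `zero_conf_decision` are names chosen for this example, and the only real detail is the BIP125 opt-in signal (an input `nSequence` below 0xFFFFFFFE marks a transaction as replaceable under default relay policy).

```python
# Added example, not code from the thread. A minimal mempool conflict watcher:
# index unconfirmed transactions by the outpoints they spend and flag any
# later transaction that spends one of them. Everything here is constructed
# for illustration; nothing talks to a real node.
from dataclasses import dataclass

# BIP125 opt-in replace-by-fee signal: any input with nSequence below
# 0xFFFFFFFE marks the transaction as replaceable under default relay policy.
MAX_SEQUENCE = 0xFFFFFFFF
BIP125_THRESHOLD = 0xFFFFFFFE


@dataclass(frozen=True)
class TxIn:
    prev_txid: str                 # output being spent
    prev_index: int
    sequence: int = MAX_SEQUENCE


@dataclass
class Tx:
    txid: str
    inputs: list                   # [TxIn, ...]
    outputs: dict                  # address -> satoshis (constructed)
    fee: int                       # satoshis

    def signals_rbf(self) -> bool:
        return any(i.sequence < BIP125_THRESHOLD for i in self.inputs)

    def outpoints(self) -> set:
        return {(i.prev_txid, i.prev_index) for i in self.inputs}


class ConflictWatcher:
    """Hypothetical watcher: remember which pending tx spends each outpoint."""

    def __init__(self):
        self.spent_by = {}         # outpoint -> txid first seen spending it
        self.txs = {}              # txid -> Tx

    def observe(self, tx: Tx) -> list:
        """Record an unconfirmed tx; return [(replaced_txid, new_txid, fee_delta)]."""
        conflicts = []
        flagged = set()
        for op in tx.outpoints():
            prior = self.spent_by.get(op)
            if prior is not None and prior != tx.txid:
                if prior not in flagged:
                    flagged.add(prior)
                    conflicts.append((prior, tx.txid, tx.fee - self.txs[prior].fee))
            else:
                self.spent_by[op] = tx.txid
        self.txs[tx.txid] = tx
        return conflicts


def payee_still_paid(orig: Tx, replacement: Tx, payee: str) -> bool:
    """True only if the replacement still pays `payee` at least the original
    amount: a pure fee bump keeps the output, a pocket-to-pocket rewrite drops it."""
    return replacement.outputs.get(payee, 0) >= orig.outputs.get(payee, 0)


def zero_conf_decision(tx: Tx, payee: str, expected: int) -> str:
    """Merchant policy for an unconfirmed payment. Nothing unconfirmed is final;
    a transaction that signals replaceability is simply the easiest to reverse."""
    if tx.outputs.get(payee, 0) < expected:
        return "reject: underpaid"
    if tx.signals_rbf():
        return "hold: signals replace-by-fee, wait for confirmations"
    return "accept-at-risk: unconfirmed and still reversible until mined"


def run_demo() -> dict:
    """Constructed scenario: a dinner payment replaced by a self-payment."""
    outpoint = ("aa" * 32, 0)                       # constructed txid:index
    dinner = Tx("tx-dinner", [TxIn(*outpoint, sequence=0xFFFFFFFD)],
                {"restaurant": 100_000, "my-change": 49_000}, fee=1_000)
    pocket = Tx("tx-pocket", [TxIn(*outpoint, sequence=0xFFFFFFFD)],
                {"my-right-pocket": 148_000}, fee=2_000)

    watcher = ConflictWatcher()
    first = watcher.observe(dinner)                 # nothing to flag yet
    second = watcher.observe(pocket)                # same outpoint, higher fee
    return {
        "decision": zero_conf_decision(dinner, "restaurant", 100_000),
        "first": first,
        "conflicts": second,
        "still_paid": payee_still_paid(dinner, pocket, "restaurant"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the decision for the dinner payment ("hold", because the input signals replaceability), no conflicts on the first observation, one conflict with a fee bump of 1000 satoshis when the replacement arrives, and `still_paid: False` because the restaurant output is gone. The watcher only sees what its own node relays, so it is a detection aid for a merchant's pending-payment queue, not a substitute for waiting for confirmations.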
Not really, it used to be that they would just pick the first non-conflicting transaction they saw, although iirc that wasn't a "rule of the protocol" so much as how-the-software-worked.