This is an issue with osCommerce, one that I have run into two or three times. It is possible for two customers to somehow get the same session ID, and whichever customer checks out last will be greeted with the other customer's details at the checkout. This is a big security issue, but not one that could really be exploited on purpose.
Yesterday, I spent a long time hunting through the osCommerce forums trying to find a solution to the problem of two customers and one credit card. But even the developers there didn't quite know the cause. Some say it is because a session ID gets hard-coded into a link. Some say that if two people get a session ID at the same time, they will receive the same one. I didn't really care what caused it. I wanted it fixed.
The solution I found, after reading everything possible, is to use the new version of the session regeneration contribution.
osCommerce comes with a session regeneration function, but all it does is make sure that when someone signs up for an account, their guest shopping cart follows them to their new account. The updated version of the session regeneration function assigns a new session ID whenever the customer either logs in or signs up for an account. This gives one last chance to fix the customer details switcheroo.
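The behaviour described above, sketched in plain PHP as an added example; this is not the contribution's code or osCommerce's own. The function name `rotate_session_on_auth` and the session keys `cart`, `customer_id` and `billing_address` are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: call it once the customer has logged in or signed up.
 * It issues a fresh session ID, invalidates the old one, and carries over
 * only the guest cart, so details left in a shared session do not follow.
 */
function rotate_session_on_auth(int $customerId): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Keep the guest cart so it follows the customer into the account.
    $cart = $_SESSION['cart'] ?? [];

    // true = delete the old session's stored data, so an old ID that was
    // hard-coded into a link or handed to a second visitor stops resolving.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('Could not regenerate the session ID');
    }

    // Start the authenticated session from a clean slate: anything another
    // customer may have written under the old ID is dropped here.
    $_SESSION = [
        'cart'        => $cart,
        'customer_id' => $customerId,
    ];

    return session_id();
}

// Constructed demo, runs from the command line only.
if (PHP_SAPI === 'cli') {
    session_start();
    $_SESSION['cart'] = ['SKU-1001' => 2];                 // constructed guest cart
    $_SESSION['customer_id'] = 111;                        // constructed stale value
    $_SESSION['billing_address'] = 'constructed address';  // constructed stale value
    $oldId = session_id();

    $newId = rotate_session_on_auth(42);

    echo 'ID changed: ', var_export($oldId !== $newId, true), PHP_EOL;
    echo 'Session now holds: ', json_encode($_SESSION), PHP_EOL;
}
```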