Both methods can have their risks but overall online will be safer. The key reasons for this are that ...
over the phone you always have to provide your credit or debit card details. The merchant will always know this information which if they are not legitimate can immediately be used for fraud. In addition even on a legitimate merchant the card details maybe stored on a recording of the call and on their systems. Both of systems can be attacked or viewed by disgruntled or malicious insiders, disclosing your credit card details. In addition calls are not encrypted so anyone that is able to listen in can get your details, if you are in a busy area like a open plan office it is not difficult to record down all the information as you provide it to the merchant. There is also no such thing as two factor authentication for phone, if you are regular customer and have your card details stored with the merchant, it is probably only protected with a simple password, and/or simple security questions such as postcode and mothers maiden name. Finally unless you get an email confirmation of your order or an online tracking number you do not have written confirmation of what you ordered and what you paid, although nine times out of ten this will not be a problem, for that one time you may have some arguments.
Online can have these risks also where you provide your details directly to a merchant, however many merchants now use Integrated Payment Service Providers (IPSP) such as RBS Wordpay. In this case the card information is never seen by the merchant and processed securely by the IPSP. Similarly services such as Paypal, Google checkout and Amazon checkout allow you to store your card details securely and transact without the merchant ever needing to know those details. I have written here about how I expect these payment types to grow and services like Paypal already support two factor authentication with the use of an SMS one time password. In addition SSL / TLS (Transport Layer Security) is a defacto standard, virtually no site allowing online payment will operate without it - and if they do you should not use them. Modern browsers provide a friendly padlock and green address bar to verify that the transmission of information is secure and cannot be intercepted. Also as you are typing the information it cannot be overheard although it can be shoulder surfed. With online there is a clear documented trail of all your actions, your order and how much you paid.
Online does face one challenge that a telephone (non VOIP) does not have and that is malicious software such as viruses and trojans. These can capture your login or card details and/or divert payments. However as long as reasonable precautions are taken such as up-to-date anti-virus software, all operating system and software patches and a personal firewall these risks can be reduced to an acceptable level.
They both also face the vulnerability to social engineering attacks such as phishing. The defenses for both are the same, do not trust someone that calls you and asks for your credit card details, do not trust links on email, Facebook, Twitter etc for buying something. Always either dial or call back the number yourself and enter the website address directly (or at least Google)