Whoever gets to use the PIN first is the winner.

For instance, suppose Alice is sharing a password with Bob by Crosspass, and she sends a Lookup ID and PIN to Bob. If Mallory gets a hold of the PIN after Bob had already used it to retrieve the shared password, then Mallory would not be able to access the password because the PIN is now expired.

However, if Mallory intercepts and uses the PIN before Bob, then he would retrieve the shared password. Will Bob find out about it? Well, that depends if Mallory can place himself as Man In The Middle (MITM) to intercept Bob’s retrieve request. If Mallory cannot do it, Bob would get an error that the PIN is invalid and would contact Alice. But to Alice it appears that the password was successfully delivered. The only explanation, Alice and Bob would realize, is that the password was intercepted. The prudent next step is then for Alice to generate a new password and share again with Bob (they can do it realtime, while on a phone call).