The recient can still wait for two pieces to arrive, snap them together, then claim neither piece arrived. To be trusted, physical coins should always be checked against the block-chain. In fact, to be truly trusted, they would be single-use.
The second piece won't be sent until the recipient has confirmed receipt of the first one, so that can't happen.
That makes in unprofitable to cheat, not impossible.
Edit: If the recipient does not check that the serial number on the bar matches the expected number, it is possible to for a postal worker to profitably assemble an empty bar:
- Postal worker C intercepts bar sent to recipient A. Recipient A receives a new bar with a new number.
- Optionally, postal worker C sells intercepted bar on black market to postal worker D.
- Postal worker D intercepts bar sent to recipient B; replaces it with bar intended for recipient A.
- Recipient B, without checking the number, confirms receipt of bar.
- Postal worker D intercepts the key intended for recipient B, and now has a complete, unloaded bar.
- Recipient B requests a new key. Meanwhile, Postal worker D sells unloaded bar on black market.
- When new key arrives, recipient B complains the serial numbers don't match.
Edit2: seems unlikely when I lay it out like that....
The likelihood of a printer manufacturer stealing bitcoins by manufacturing rogue firmware that steals people's print jobs is astronomically low. Having your HP printer send a "mystery file" to HP's servers every time you print (and the mystery file just magically matching the size of each print job) is something that would be noticed by sysadmins in minutes. It would be all over the press the same day. They would probably have an easier time just guessing private keys. Besides, I print these on an inkjet printer via USB and no internet connection, so this issue is moot.
The dumber the printer, the better in this case. Yes, was refering to the printers I heard about that can automatically print from e-mail. Remember, your two-token scheme is being used for high value bars. If the printer is running a full-blown OS, it can simply send the private keys (in a nightly batch with the update check) without sending the whole print job. With PCL or Postscript, OCR is not even needed
I think ulimately, physical bitcoins are going to end up working more like checks. We just need a relatively simple, tamper evident way of hiding the secret key (The 'Bitbills' design
is almost ideal for this)
Yeah, or maybe someone can make coins with embedded tamper evident holograms.
I was thinking something less coarse: the user would print off 2.379 BTC if that was how much they wanted to send, for example (this point is probably off-topic any way).