When exchanging funds or services face-to-face, is there a risk of a double-spending attack? If there is, how could it be technically done?
I proffer that it would depend on the tools used to make the transaction and broadcast it.
Assuming use of something like Bitcoin Wallet for Android or even a laptop running Bitcoin-Qt, the chances are very unlikely.
A malicious user would have to connect to the network with two devices simultaneously and broadcast the real transaction (the one being “sent” to the vendor) milliseconds after the malicious transaction. The vendor’s client would have to see the real transaction before the malicious transaction, give the item to the malicious buyer, and part company before realizing he’s been had.
Simply put, a malicious user would have to be connected to more nodes in the network than the vendor and NOT be connected to any of the nodes to which the vendor is connected when broadcasting the malicious transaction, probably out at least one or two degrees of separation. This would ensure enough latency to ensure the vendor sees the real transaction first and surrenders the goods before the vendor’s client says that other nodes think another transaction is of higher priority.
All of this can be avoided by waiting for a confirmation, but in real commerce, that may not be feasible.
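The vendor-side check implied by the answer above, as an added example that is not part of the original post: before handing over goods, the vendor's client looks for any other transaction spending the same inputs as the payment. The `SeenTx` record, the 10-second watch window and all transaction ids are assumptions constructed for illustration, not part of any wallet's API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SeenTx:
    txid: str             # constructed placeholder id, not a real transaction
    inputs: frozenset     # outpoints spent, as "prev_txid:vout" strings
    seen_at: float        # seconds after the vendor started watching
    confirmations: int = 0

def find_conflicts(payment, observed):
    """Transactions other than `payment` that spend any of the same outpoints."""
    return [t for t in observed
            if t.txid != payment.txid and t.inputs & payment.inputs]

def vendor_decision(payment, observed, now, watch_seconds=10.0):
    """What the vendor should do at time `now`, given what the client has seen.

    watch_seconds is an assumed policy value: how long to wait for a
    conflicting spend to propagate before accepting an unconfirmed payment.
    """
    if payment.confirmations >= 1:
        return "accept-confirmed"      # the mitigation named in the answer
    if find_conflicts(payment, observed):
        return "reject"                # same inputs spent twice: keep the goods
    if now - payment.seen_at < watch_seconds:
        return "wait"                  # a delayed conflict may still arrive
    return "accept-unconfirmed"        # residual risk remains until confirmed

# Constructed sample: the payment arrives first, the conflicting spend later.
PAYMENT = SeenTx("tx-to-vendor", frozenset({"coin-A:0"}), seen_at=0.0)
CONFLICT = SeenTx("tx-back-to-buyer", frozenset({"coin-A:0"}), seen_at=3.2)
UNRELATED = SeenTx("tx-other", frozenset({"coin-B:1"}), seen_at=1.0)

if __name__ == "__main__":
    early = [PAYMENT, UNRELATED]
    late = [PAYMENT, UNRELATED, CONFLICT]
    print(vendor_decision(PAYMENT, early, now=1.0))
    print(vendor_decision(PAYMENT, late, now=4.0))
    print(vendor_decision(PAYMENT, early, now=12.0))
```

The watch window only narrows the gap the answer describes; a conflict that reaches the vendor after the window closes is still caught only by a confirmation.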