Post
Topic
Board Archival
Re: The Bank of Bitcoin- The World's Most Secure Bitcoin Service- Unhackable!
by Explodicle on 31/05/2013, 14:12:29 UTC
Quote
One has to spend those 2-3 minutes EVERY TIME they log on. Since you know the IP and time of page loads, and when the next transaction is sent to you from that IP, you can tell who hasn't been checking hashes and how many coins those poor careless souls have in their wallets.

Actually, we have no way of knowing who is or is not checking hashes. And actually, it takes less than 30 seconds once you get the hang of it.
If I were malicious - I might do something exactly like what you've done... including making multiple mdm5 documents on how to 'verify' the authenticity of the paper wallet generation code. Then I'd set my server up to monitor GET requests from the same clients. Whenever my software felt someone wasn't being diligent checking - it would then deliver altered code that would deliver a copy of the private key back to my server. Assuming that you could kick the can down the road for a while with some less experienced users claiming your legitimacy... in a few years you'd have access to hundreds or thousands of cold storage wallets that you could then clean out for massive profit. Total time invested - six to eight hours it would take to put together your website and 2 years of hosting fees.

QFT. I'm sick of arguing about this, so in case anyone needs it spelled out for them:

BoB knows when Alice loads the page.
BoB knows when Alice broadcasts a transaction.
If the difference between these times is <30s, BoB knows Alice didn't check the hash.
If Alice hasn't checked a hash during the last 10 logons, she probably won't do it on the 11th logon.