I've done this type of testing before and it is extremely useful for scaring off truly bad applicants. It does not guarantee success, however.
I would recommend taking some of your existing code and deriving a test from that. For instance, if you have a database abstraction layer, send it to them (withOUT your passwords, of course!) and ask them to use it and make a database connection and perform a variety of queries. It all depends on what you want them to do.
If you want to take the interview approach, it could be skype or GoogleTalk or AIM or YIM or MSN that you use. Ultimately, if they hire someone else to do it for them, it should not matter much to you as long as they deliver results and don't present any security risk.
Speaking of security risk, I once got code from another developer that not only allowed a user to upload files to the server (it didn't check to make sure they were images) but also allowed a user to include any file they liked by specifying it in the query string. I would recommend that you consider hiring legitimate programmers in your legal jurisdiction so that you can sue them if you have to -- or go bang on their door and give them a good ass-kicking.