By watching how electrical charge – which shows up under an electron microscope as bright flashes – play out across the connections on top of the EMV chip, it's possible to work out the sequence of 0s and 1s being generated. That could help hackers reverse engineer the chip or work out how to extract the cryptographic keys. Or both. So the trick is to learn how an EMV chip's connecting tracks can be buried or rerouted, or logic gate positions shuffled, to head off such attacks. "So far it is working. Up until now, we have not seen a cloned chip card," says Mushing.

No one at the lab looks terribly convinced it won't ever happen, however: attack attempts are constant – indeed, two engineers leave our visit briefly to discuss a just-breaking attack – and the impression is that it's only a matter of time. "Criminals tend to work on an entrepreneurial scale where they look for weak spots and ways to get in. They are not nine-to-five workers," says Paul Trueman, senior vice-president of enterprise security solutions at MasterCard. One of those ways is power analysis: monitor how the power use of a chip changes during a cryptographic operation and you might get clues to the encryption tricks in the chip. That’s yet another thing to defend against.

Another criminal way in is to attack the PIN-entry devices (PEDs) used at points of sale – the devices the teller hands us to put our cards into. That means adding memory chips (like SD cards) and connectors inside the device that an attacker can access at some point to, for instance, download a few days’ worth of card numbers and associated PINs. That is where the lab's X-ray machines, much like those at airports, come in. By looking right through a device, the lab's engineers can look for tiny changes that suggest circuitry that has been added by attackers. It can sometimes be as little as a stray wire leading to an illicit USB connector. The trick, says Mushing, is to keep perfecting the tamper resistance functions in the PED, ensuring anyone trying to add something untoward wipes the device's cryptographic software and renders its unusable.