The NatWest On-Line Service

Nat West have introduced a new online banking service. It looks quite useful.

However, rather than taking the sensible option of secure HTTP from a normal web browser over an Internet connection, they have done something very strange:

• You dial into their own Intranet directly, using a modem.
• You run a 'proxy' on your own computer, which encrypts the traffic between you and their server.
• You point your web browser at this proxy, on http://localhost:1794/ and use the service with a normal web browser.

This has a number of drawbacks. The first is that the 'proxy' software, IBM's "CBT Browser Crypto module", is a Win32 binary, so it's difficult to use the service from anything but a Windows machine.

Also, an increasing number of people do not use an old-fashioned modem to connect to the Internet any more. BT will be rolling out DSL shortly, and people are using ISDN, cable-modems and leased lines for connectivity. I also know a large number of students who have Ethernet all the way to their bedrooms, but no telephone provision except a payphone between 20 students. Infroducing an online system these days which requires a dedicated modem link is bordering on insane.

Using NatWest On-Line with Linux

Nonetheless, it's possible to use this service with Linux, using Wine to run the strange Crypto-proxy program.

You still have to install the software under Windows and generate your authentication keys, though. Although the key generation program appears to generate a key happily when run under Wine, the resulting key doesn't then actually work. After getting Nat West to unlock my account a couple of times after three consecutive failed logins, I gave up and used the key I had previously generated under Windows. If you have more luck or more patience with it, please let me know - I don't see why it shouldn't work.

Here's how you do it:

• Find a Windows box to use, and install the software on it. Go through the key generation procedure.
• Install a version of Wine on your Linux box. The only version I've tried it with is the latest which I happened to have in CVS, which I believe is 19990815 - that's the latest date in the ChangeLog anyway.
• Boot into Linux.
• Copy the \Program Files\NatWest On-Line directory to whatever directory has the same pathname in your Wine installation. If you use Wine with the same copy of Windows that you installed the software in, you shouldn't have to do anything, obviously.
• Set up your machine to use Nat West's dialup as an alternative ISP.
  Telephone number: 08457576176
  Authentication: PAP
  Username: userid@alivegoblin
  Password: nastyfellow
  The IP address that it will give you is in the 192.168.x.x subnet.
  
• Add the following line to your /etc/hosts file (or NIS map):
  62.172.187.144 www.nwol.co.uk
• Make sure that packets for 62.172.187.144 will be routed out the correct interface. If you're not trying to remain connected to the Internet while you're connected to Nat West, it's enough just to make the PPP connection the default route. Otherwise, you want to do something like:
  # route add 62.172.187.144 dev ppp0
  after the link is brought up each time.
• Having dialled up and added the route if necessary, run the bcmcmw32.exe program under Wine.
• Point your web browser at http://www.nwol.co.uk/ and play. After you hit the 'log in' button, the Crypto Proxy program should bring up a dialog box and ask for your password, just as it did under Windows.
• Contact NatWest On-Line on 0800 328 0211. Tell them that you're unhappy with this system, and that they should be running a system on the real Internet, using standard protocols such as Secure HTTP.
  Failing that, at least connecting their existing system to the real Internet would suffice for now. People with dedicated or ISDN connections would then be able to use the service without having to buy a modem and make extra phone calls for it. The IP address they're using for their server really does appear to belong to Nat West. But it's firewalled, or just not routed to, from the rest of the Internet. If they were to fix that, it'd be a lot more useful.