My question is, the hacker can do this only if he knows how the hash function (used by the bank) works. He obviously cant generate the hashes of common passwords if he doesn't know how the hash function used by the bank works. So then why is hashing without salts a security hazard? Does this mean that all hash functions work the same?
Your premise is wrong as you assume that banks are secure against hacking and keeping the password hashes from the attackers. If ever banks use password hashing without salts then their risk management is very bad, they need to fire the risk analyzers.
So, when the bank uses password hashes without salt it is a matter of time that they are attacked and almost all passwords are easily revealed.
Hopefully, the banking systems are not only relying only on passwords since their risk is higher. They usually require two-factor authentication, One-Time-passwords, etc.
And remember that, we don't use cryptographic hashes as password hashes since they are designed to be fast and secure. Modern Password hashes, on the other hand, require, unique salt and;
- controllable iteration to reduce the attacker's massive parallelization,
- high memory to reduce the massive usage of ASIC/GPU-like environment, and
- adjustable threads to reduce parallelization.
Some good password hashing algorithms that you may want to look at are Argon2, Scrypt, and Balloon hashing. In the end, password hashing without a unique salt is not recommended. If used then Rainbow Tables are the monsters lurking on the next street...