See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/343064340

Practice of Ethical Hacking in the Banking Sector

Conference Paper · July 2020

CITATIONS READS

0 4,345

2 authors:

Zoya Ahmad M S Minu Sanjudharan

SRM Institute of Science and Technology SRM Institute of Science and Technology
5 PUBLICATIONS   3 CITATIONS    45 PUBLICATIONS   36 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Used Car Value Predictor View project

All content following this page was uploaded by Zoya Ahmad on 20 July 2020.

The user has requested enhancement of the downloaded file.

 Practice of Ethical Hacking in the Banking Sector

Zoya Ahmad M S Minu

Deparment of Computer Science and Deparment of Computer Science and
Engineering Engineering
SRM Institute of Science and SRM Institute of Science and
Technology Technology
Chennai, India Chennai, India
ahmadzoya811@gmail.com msminu1990@gmail.com

Abstract—Despite all security measure taken, the systems
of banking firms fall prey to malicious attacks. This paper
talks about the practice of ethical hacking, its working, the
algorithms used, its advantages, disadvantages, needs and
current risks in the banking sector.
Keywords—ethical hacking, network security, cyber security,
threats, risks, dangers, vulnerabilities, security, algorithms,
SHA, DES, AES, MD5
I. INTRODUCTION
In recent years, with the rapid development in network
technology, the financial sector has started using computer
networks extensively. But they are constantly being
confronted with cyber-attacks. These financial sectors,
especially the banking sectors mainly take the assistance of
two types of security: computer security and network
security.
Computer Security is deemed to be an autonomous
system offered with the help of Operating Systems (OS) and
in-built hardware and software. Network Security is a
broad term covering a multitude of technologies, devices
and processes. In simple words, it is a set of rules and
configurations that are designed in order to protect the
integrity, confidentiality and accessibility of computer
networks and data. This is achieved using both software and
hardware technologies. Every company or organization,
regardless of its size, industry or infrastructure, requires
some amount of network security solutions in their systems
to protect it from the ever-increasing cyber threats prevalent
across the world today.
company or organization‟s reputation and credibility and
heavy monetary losses. These attacks also compromise
highly classified information of the companies as well as
their employees.
Despite all the security measures taken up by the banks,
individuals and often the bank themselves fall prey to cyber-
attacks. These cyber-attacks are ubiquitous in technology
companies and people. They are unavoidable and inevitable.
Nevertheless, if preventive measures are taken, the banks
can be saved from the risks present in technology. The most
prevalent risk in technology is the issue of security.
The banking sector is affected either by clients becoming
victims of social engineering or by professional „hackers‟.
Social engineering is a form of cyber-attack which is done
to harvest data and information from victims. It usually
comprises of playing with the minds of the people or
victims. Social engineers can be found everywhere. There is
no certification for social engineering, so there is no way to
detect a social engineer. There are many mediums to
implement social engineering. Some of the mediums are
email, web, phone, USB drives, etc. Few of the social
engineering techniques are: Phishing, Spear Phishing,
Vishing, Pretexting, Baiting, etc.

In the attacks done by professionals, hacking tops the

list. Hacking is a term used to describe professionals with a
definite skill set that gain unauthorized access into computer
systems. They achieve this by exploiting weaknesses or
using bugs. This act is motivated either by malice or by
mischief. It is very easy for a hacker skilled in programming
to create algorithms which help him/her in cracking
passwords, disrupting network services, or even penetrating
networks. Malicious hacking is becoming prevalent in the
banking sector with the increasing popularity of the internet,
These banking firms need to have these protective
E-Baking and E-Commerce. Here, the primary motive of
measures in place because, just a few minutes of downtime
can cause massive damage, widespread disruption to the
malicious or unethical hacking involves financial gain or
stealing valuable information.
Other ways of attacking the cyber-sphere are setting up
malicious software in the banking systems. These types of
software can cause harm to the customers or the firm by
stealing or corrupting their business information, causing
system failures, recording computer activity, causing huge
monetary losses, etc. They are called malware. A computer
usually gets infected by a malware when an employee
downloads infected files accidentally or it is following by a
phishing attack. A Ransomware is used to block access to
computers or files until a ransom is paid. A massive
ransomware attack in May 2017, affected more than 100,000
organizations in around 150 countries. This cost the
companies billions of dollars. A computer virus is a type of
a program which is designed to replicate the Internet. It
causes damage to programs, deletes files, ties up system
resources, etc.
To counteract and thwart these attacks, the help
professional hackers are taken. These hackers are called
ethical hackers. They are skilled in hacking and look into
vulnerabilities and weak points present in the computer
network systems of the banks. In addition, they help in
developing solutions to prevent and counter data security
breaches. Ethical Hacking is a method of bypassing system
security in order to identify potential data threats and
breaches in a network but in an authorized manner.
Cyber Security experts, called by the banking firms
allow these professionals to perform authorized activities in
order to test the defences of the system. Therefore, this is a
planned, approved and most importantly, a legal process,
unlike malicious hacking.
These main aim of these ethical hackers is to examine
and inspect the system or network for any weak points or
vulnerabilities that can get in hand of malicious hackers who
can then exploit it or destroy it. These experts gather and
analyse the information in order to evaluate and figure out
ways for strengthening the safety and security of the system,
network or applications. The security footprint is improved
by this method. The system, network or applications can
withstand attacks or even divert them.
II. IMPORTANCE OF ETHICAL HACKING IN BANKING
In today's digital era, one of the most prominent threat
looms around the cyber world. Until a few years back,
hackers were not taken seriously. But since recently more
and more companies have entered the e-commerce and e-
banking ecosystem and have adopted new technologies such
as card transactions, net-banking, UPI, cloud computing,
etc. The risks of imminent security breaches are clearly on
the high rise and are in utmost need of efficient information
security systems. The increasing threats from cyber-attacks
expose the severe shortage of talent in this sector.
Ethical hacking is a developing method which has been
adopted by most of the banking firms to test their network
security systems and tackle any cyber-attacks that come on
the way. The security risks, weak points, vulnerabilities, etc.
in a network can be identified efficiently with the help of
ethical hacking. These ethical hacking help in securing the
systems of the banking firms and making sure that their
important documents, finance details, classified and
sensitive information are safe.
These ethical hackers are hired by banking firms and
perform security measures on their behalf. They help in
suggesting proper security tools and techniques that the
banks can implement and practise in order to avoid attacks
on their networks.
III. TYPES OF HACKERS
There are many types of hackers. The bank needs to be
extremely careful while hiring them. There exist 3 main
hackers. They are are—
1. “White Hat” Hackers— the hackers practising
ethical hacking are called “White Hat” Hackers.
They work with the banking firms in order to
strengthen the security of a system. They have
permission to engage the targets and compromise
them within the prescribed rules of engagement.
They specialize in ethical hacking tools,
techniques, and methodologies to help in securing
the bank‟s information systems. They exploit
security networks and look for backdoors only
when they are legally permitted to do so. These
hackers inform the banking firms of every
vulnerability they find in their security system and
fix it before they can be exploited by malicious
attackers.
2. “Black Hat” Hackers— these hackers gain access
to classified information and finance details of the
bank using illegal techniques. The reason behind
doing so is to compromise the systems or destroy
important information. They commit security
violations and attempt to gain unauthorized entry
into the banking system or network to exploit it for
malicious reasons. These hackers are neither
permitted nor do they have the authority to
compromise their targets. They inflict damage to
security systems by compromising it, altering
functions of websites and networks, shutting down
systems, etc. This is usually done in order to steal
information or gain access to passwords, financial
 information, personal data, etc. These types of
hackers have pure negative motives such as The hackers can also intercept proxy when the victim
monetary gain or reputation when they break into a is using public Wi-Fi.
computer.
This method detects and identifies vulnerabilities in
3. “Grey Hat” Hacker— “Grey Hat” hackers don‟t the system eventually catches the attention of a malicious
ask for permission before getting into your system attacker who can then exploit it.
the way “White Hat” hackers do. But they are
different from “Black Hat” hackers as well since
they don‟t hack for any personal gain or third-
party benefit. They do not possess any wicked
intention but hack these systems for fun. They
usually inform the owner about any threats they
find without being hired to do so. Despite the
intention of a Grey Hat hacker, this kind of
hacking is still considered to be illegal as it
constitutes an unauthorized system breach.

V. TOOLS AND TECHNIQUES INVOLVED IN HACKING

Some of the tools and techniques of hacking are—

1. Keyloggers—this tool is specially designed to log

IV. WORKING OF CYBER CRIME IN BANKS
There are countless ways in which a hacker or a social
engineer can hack the banks or an individual. The most
common ways to hack an individual is using social
engineering techniques such as phishing. The hackers trick
you into clicking a link that they have made to look
authentic. The link might take you to a fake banking
website which looks exactly like the original one.
and record each key pressed on a system. They
record every keystroke with the help of API
(Application Programming Interface) when it is
typed through a keyboard connected to the
computer. The recorded files which include data
like usernames, website visit details, screenshots,
opened applications, etc. are then saved onto the
system which can then be used by malicious
attackers.

They have keyloggers installed and this software

keeps on recording the details entered by the user in a
database. Clicking the link can also lead to unwanted files
containing viruses be downloaded into the system and
causing disruption. Since in most banking firms all the
computer network systems are connected by the same hub,
downloading a malicious file on one computer system can
cause problems in other systems as well.

Another possible way the hackers take up is by setting 2. Vulnerability Scanner—this tool helps
up a skimmer in an ATM booth. This device is similar to a in classifying and detecting numerous system
mini camera that records the hand movement and the weaknesses in networks, computers,
hacker can easily decipher the PIN despite you covering it communication systems, etc. This is used by
with hand since it logs in the input. ethical hackers in order to find potential
loopholes and to fix them on an immediate basis.

3. NMAP—this stands for Network Mapper. It is

widely for network discovery and security
auditing. It uses raw IP packets to determine what
hosts are available on the network, what operating
systems they are running on, what type of firewalls
are in use, etc. this software can run on all major
computer operating systems like Windows, Mac
OS X, Linux, etc. They are mainly used by ethical
hackers to detect any unwanted activity on the
system.
.
 4. Metasploit—it is one of the most powerful exploit
tools. Metasploit helps in conducting basic
penetration tests on small networks, browsing
exploit modules and run individual exploits on
hosts running spot checks on the exploitability of
vulnerabilities, etc. banking firms use this tool to
detect discrepancies on their system.
5. Angry IP Scanner—this is a cross-platform that
scans IP addresses. Sometimes attackers might use
a replica of the original bank website and ask you
you fill in your details. In the background all the
details are being recorded and stored with the help
of keyloggers.
VI. PHASES OF ETHICAL HACKING
The process of ethical hacking also known as pen testing or
penetration testing involves 6 main phases. They are—
1. Reconnaissance—the initial phase of ethical
hacking is called reconnaissance. It is also known
as “foot-printing”. The ethical hackers gather
information in this phase. They collect as much
information as they can gather about the target.
Information is collected mainly about three
groups: network, host and the people involved.
Foot-printing is of 2 types: Active Foot-printing
where the ethical hackers directly interact with the
target in order to gather information about the
target. The most common tool used for scanning
the target is Nmap and Passive Foot-
printing where the information about the target is
collected without directly interacting with the
target. Information is collected from social media,
public websites, etc.
2. Scanning—this phase involves three types: Port
Scanning in which the target is scanned for the
information from sources such as open ports, live
systems, various services running on the host,
etc., Vulnerability Scanning in which the target is
checked for weak points or vulnerabilities which
can be exploited. This type of scanning is often
achieved with the help of automated tools
and Network Mapping where the topology of the
network, routers, firewalls, etc. are found and then
a network diagram is drawn with the available
information. This network diagram map is touted
to be very valuable throughout the process of
hacking.
3. Gaining Access—in this phase, the ethical hacker
breaks into the system/network using various
hacking tools and techniques. After entering the
system, he/she increases his privilege to the
administrator level in order to install the
applications he/she is going to require during the
process or modify/hide.
4. Maintaining Access—the main aim of this phase
is to maintain access to the target system until the
ethical hacker can finish the tasks he/she has
planned to accomplish. Along with this the hacker
also has to build a shield against malicious
attackers who might try to enter the system along
with the ethical hacker.
5. Clearing Tracks— the last and final phase of
penetration testing is to clear tracks. The ethical
hacker modifies/corrupts/deletes the log values;
they also modify the values of the registry and
uninstall all the software and applications they
used during the hacking process and delete every
folder they created.
VII. ALGORITHMS USED IN ETHICAL HACKING
There are few algorithms in practice to carry out ethical
hacking efficiently, especially in the banking sector. They
are—
1. SHA—Secure Hash Algorithms (SHA) is a
group of cryptographic functions that have been
designed for keeping the data secured. By using a
hash function, it transforms the data into an
algorithm consisting of bitwise operations,
modular additions, compression functions, etc. The
function then yields a string of fixed size which is
completely different from the original. These
algorithms have been designed to be one-way
functions, i.e. once the data has been transformed
into its respective hash value, it is practically
impossible to convert it back to its original form.
SHA is of 3 types: SHA-1, SHA-2 and SHA-3.
Each of them has progressively stronger
encryption to counteract any attack from the
hacker. SHA-0 is obsolete because of its
extensively exposed vulnerabilities. SHA is
commonly used for encrypting passwords since the
server-side keeps track of only a user‟s hash value
rather than the actual password.
This helps when an attacker hacks the database
only to find the hashed functions and not the actual
passwords. Additionally, if they try inputting those
hashed values as a password, the hash function
will convert it into another string and
consequently, access will be denied. Also, the
 modification of just a few letters that are being
encrypted can cause an immense change in the
output. This is known as the Avalanche Effect.
Contrariwise, different strings can produce similar
hash values. This causes the hash values to not
divulge any information regarding the input string
like the original length. SHAs also find their use in
the detection of data tampering by attackers.
2. DES—Data Encryption Standard (DES) is
a block cipher algorithm. It was published by the
National Institute of Standards and Technology
(NIST). It is an implementation of a Feistel
Cipher, i. e., it uses plain text in the form
of blocks, each of 64 bits and converts them into
ciphertext using keys of 48 bits. It uses the same
key for encryption and decryption of data. Thus it
practices the symmetric key algorithm.
4. MD5—MD5 or message-digest hashing
algorithm is a one-way cryptographic function.
They help in comparing and storing smaller hashes
than storing a large text of variable length. This
algorithm is used by the Unix Systems for storing
user passwords in a 128-bit encrypted format.
MD5 also helps in checking the integrity of the
files. It is very easy to generate message-digests of
the original messages by using MD5. Despite all
this, the MD5 algorithm is relatively slower than
the SHA algorithm. Moreover, MD5 is more prone
to collision attacks.

VIII. ADVANTAGES OF APPLYING ETHICAL HACKING IN BANKS

There is a sudden growth in the demand for an ethical
hacker, especially in the finance sector due to increasing
advancement in technologies. This has led to numerous
threats to the banking sectors
The advantages of hiring an ethical hacker in banks are—

1. Ethical hacking helps in protecting and

3. AES—Advanced Encryption Standard (AES) is safeguarding the system and information of the
a symmetric block cipher used by the US banks from getting into the hands of malicious
Government for protecting classified information. actors and being misused.
It is implemented in the form of software as well 2. Immense value is added to the banking firm if they
as hardware all over the world for encrypting practice and exercise ethical hacking efficiently
sensitive data. It has proven to highly beneficial and correctly.
for government‟s computer security, e-data 3. It helps in counter-acting the cyber-attacks and
protection, etc. The development of AES began in data security breaches on the banks.
1997 by the National Institute of Standards and 4. It helps in building a secure system for the banks
Technology (NIST) after Data Encryption to prevent penetration by malicious hackers.
Standard (DES) started becoming vulnerable to 5. It helps in detecting and identifying loopholes in a
brute-force attacks. AES is free for use in public, network or computer system of the banking firms
private, commercial, non-commercial programs
that provide encryption services. AES is made up
of 3 block ciphers: AES-128, AES-192 and AES-
256. The ciphers use the same key for encryption
and decryption, therefore the sender and the
receiver both must know and use the same secret
key. The government has classified information
into 3 categories: Confidential, Secret or Top
Secret. AES is one of the most sought after
encryption method. It is fast and secure and helps
in keeping prying eyes away from the data.
 IX. DISAVANTAGES OF APPLYING ETHICAL HACKING IN
BANKS
There are disadvantages along with the advantages of
ethical hacking in the banking sector. They are—
1. The important files of the banks might get
corrupted if the hacker is not skilled enough.
2. The gained information can be used for malicious
use by ethical hacker.
3. It is quite expensive and cost a lot to the banks
when hiring professionals.
4. The baking firm‟s financial details are open for the
ethical hacker to pry on.
5. There is no guarantee that ethical hacker may/may
not place/send malicious code, malware, viruses,
etc. on bank‟s computer system or network
6. This method leads to a massive security breach
X. CONCLUSION
Cyber-attacks on banks continue finding a way despite
improved cybersecurity infrastructures. Thus ethical
hacking experts are gradually becoming useful for banking
firms for determining weak areas within their systems that
can be penetrated by cyber-criminals. Due to the increasing
number of computer hacking cases, renowned companies,
financial institutions, government agencies, etc. have been
compelled to recruit ethical hackers to look into the
vulnerabilities and possible security leaks of their computer
systems and also to protect and safeguard them from any
potential threat. Therefore, ethical hacking promises huge
prospects in the near future as a career. A fresher Ethical
hacker can draw a salary of up to 5 lakh per annum while
an advanced hacker is looking at a salary of nearly 30 lakh
per annum.
ACKNOWLEDGMENT
I am immensely grateful to my teacher Mrs M. S. Minu for
her guidance and constant support. Her indispensable help
and motivation encouraged me to work on this project.
Thank you.
REFERENCES
[1] https://www.greycampus.com/opencampus/ethical
-hacking/introduction-b0156166-4fa6-43ad-9b9f-
54c2cb83fbb6
[2] https://www.simplilearn.com/tutorials/cyber-
security-tutorial/what-is-ethical-hacking
[3] https://www.forcepoint.com/cyber-edu/network-
security
[4] https://securitygladiators.com/ethical-hacking-
current-trends-growth-opportunities/
[5] https://blog.eccouncil.org/cybersecurity-trends-in-
2020-the-threats-facing-the-industry/
[6] https://www.edureka.co/blog/importance-of-
ethical-hacking/
[7] https://www.indiatoday.in/education-today/jobs-
and-careers/story/ethical-hacking-1047211-2017-
09-18
[8] https://www.ukessays.com/essays/information-
systems/importance-of-ethical-hacking.php
[9] https://www.helpnetsecurity.com/2012/04/20/the-
importance-of-ethical-hacking/
[10] https://wowdigital.com/blog/importance-of-
network-security/
[11] https://info.nutmegtech.com/it-insider-blog/the-
importance-of-network-security
[12] https://www.ecpi.edu/blog/importance-of-network-
security-safety-in-the-digital-world
[13] https://blog.eccouncil.org/types-of-hackers-and-
what-they-do-white-black-and-grey/
[14] https://www.techfunnel.com/information-
technology/different-types-of-hackers/
[15] https://www.solarwindsmsp.com/blog/types-of-
network-security
[16] https://blog.eccouncil.org/what-is-network-
security-types-of-network-security/
[17] https://enterprise.comodo.com/blog/what-is-
network-security/
[18] https://www.synopsys.com/glossary/what-is-
ethical-hacking.html
[19] https://enterprise.comodo.com/blog/network-
security/
[20] https://www.ecpi.edu/blog/how-does-network-
security-work-is-this-something-i-could-learn
[21] https://study.com/academy/lesson/how-does-
network-security-
work.html#:~:text=Network%20security%20can%
20be%20made,if%20they%20make%20it%20insi
de.
[22] https://www.bankinfosecurity.com/interviews/we-
need-ethical-hacking-i-1145
[23] https://www.cybrary.it/blog/2018/03/ethical-
hacking-necessary/
[24] https://www.simplilearn.com/ethical-hackers-for-
businesses-
article#:~:text=To%20stop%20a%20hacker%2C%
20one,and%20networks%20of%20an%20organiza
tion.&text=Ethical%20hackers%20help%20in%20
improving%20the%20security%20of%20systems
%20in%20organizations.
[25] https://www.ecpi.edu/blog/why-do-we-need-
network-
security#:~:text=What%20is%20Network%20Sec
urity%3F,safe%20for%20all%20legitimate%20use
rs.
[26] https://www.tutorialspoint.com/ethical_hacking/et
hical_hacking_tools.htm
[27] https://blog.gigamon.com/2019/06/13/what-is-
network-security-14-tools-and-techniques-to-
know/https://blog.eccouncil.org/certified-ethical-
hacker-ceh-certification-requirements/
[28] https://www.guru99.com/skills-required-become-
ethical-hacker.html
[29] https://www.edureka.co/blog/advantages-and-
disadvantages-of-ethical-hacking/
[30] https://www.edureka.co/blog/benefits-of-ethical-
hacking/
[31] https://www.rfwireless-
world.com/Terminology/Advantages-and-
Disadvantages-of-Ethical-Hacking.html
[32] https://www.lucidchart.com/blog/network-
security-basics-and-benefits
[33] https://www.solarwindsmsp.com/content/advantag
es-of-network-security
 [34] https://www.avalan.com/blog/bid/334529/Advanta
ges-Of-Network-Security
[35] https://qualitycrush.wordpress.com/2014/06/24/eth
ical-hacking-advantages-and-
disadvantages/#:~:text=Disadvantages%20of%20E
thical%20Hacking&text=Allowing%20the%20co
mpany's%20financial%20and,Massive%20security
%20breach
[36] https://www.studymode.com/subjects/advantages-
and-disadvantages-of-network-security-
approaches-page1.html
[37] https://www.fromdev.com/2019/04/is-there-a-
future-for-ethical-hacking.html
[38] https://admissionguide.in/ethical-hacking-scope-
and-future-ahead/
[39] https://thinkitsolutions.com/future-of-network-
security/
[40] https://www.quora.com/What-is-the-current-trend-
in-network-security
[41] https://www.quora.com/How-do-hackers-hack-
banks
[42] https://www.investopedia.com/articles/personal-
finance/012117/cyber-attacks-and-bank-failures-
risks-you-should-know.asp
[43] https://www.ptsecurity.com/ww-
en/analytics/banks-attacks-2018/
View publication stats
[44] https://www.indiatoday.in/education-today/jobs-
and-careers/story/ethical-hacking-1047211-2017-
09-
18#:~:text=The%20job%20of%20an%20ethical,to
%20fix%20these%20weak%20points.&text=Ethic
al%20or%20white%20hat%20hackers,firms%20to
%20prevent%20cyber%20crime.
[45] https://brilliant.org/wiki/secure-hashing-
algorithms/
[46] https://www.thesslstore.com/blog/difference-sha-
1-sha-2-sha-256-hash-algorithms/
[47] https://www.educative.io/edpresso/what-is-the-
des-algorithm
[48] https://www.tutorialspoint.com/cryptography/data
_encryption_standard.htm
[49] https://searchsecurity.techtarget.com/definition/Ad
vanced-Encryption-Standard
[50] https://www.comparitech.com/blog/information-
security/what-is-aes-encryption/
[51] https://www.educba.com/md5-
alogrithm/#:~:text=The%20MD5%20algorithm%2
0is%20a,the%20integrity%20of%20the%20files.
[52] https://searchsecurity.techtarget.com/definition/M
D5