The app use TOTP+HOTP, its just in the background. When it asks you for a pin on transaction it sends the OTP to via HTTPS instead of letting you type it in on the ste. You can see this in action when you have no internet on your phone and have to generate the code.
What you guys seem to forget is that SIM swap fraud is only used for getting access to people's bank accounts. It can be much bigger than that.
If your SIM is swapped and then used to call in a bomb threat to parilment, to set off a cellphone bomb, or to download child pr0n, or any other illegal activities YOU will be guilty of it. The subscriber identity module is directly linked to you. This is identity theft.