They're cracking open gym lockers, grabbing phone and bank cards, using knowledge of the bank name, person name and access to the SMS OTP visible on phone to relink a fresh cellphone banking app. That's the speculation anyway & there are some gaps in the theory.

But yeah basically they're gaining access to the entire bank a/c and doing thousands of damage instead of usual credit card stuff which is obv protected legally

It is the shite way the Paypal and I think Amazon does this : they put the code at the start of the SMS, other OTP providers sent it in the middle/end of the SMS, so even if someone set the display of text messages as 'enabled' on the locked screen , they are truncated and you can't see the code (but not in the case of Paypal)- you need to unlock the screen to read the full text YMMV as some SMS apps display it full.