I have confirmed via HTTP recording they do send just a SHA256 hashed password over the network (with no salt). It would indeed be more secure to salt your pin code you entered in a way that would not be obvious to someone who was sniffing around.

None the less, hashing a password before it's sent in a POST is more secure most non-financial sites.

I can only hope they do some sort of unique salt when storing the password to their database.