Credit cards are the first common 2 factor authentication.

You need physical possession of the card *as well as* the 4 digit PIN. A thief may get the card, but won’t have the PIN. If you follow security.

Yes, a 4 digit PIN seems unsecure by modern standards. But it is an old standard. The main security is physical possession of the card, or card details. Which is why it’s a huge deal when websites have a breach and leak thousands or 10s of thousands if card details.