Please see my answers below.
1. How secure is the above call?
By default, the credentials are not encrypted, so if there isn't any encryption in place, like SSL, to protect communication, the data will not be secure. More details from here
2. Is the above code secure enough for a commercial application, and if not, how can the code be improved?
Like the other has suggested, you'd better use token-based security and enable SSL communication. This link is really useful.
3. Do I need to implement any sort of AntiForgeryToken?
Yes, you will have to prevent cross-site request forgery attacks.
Hope this helps.