Hotel reservation. How is this secure with only credit card number and expiry date?

Booking.com doesn't take a deposit or any payment from you; what you're filling in is a reservation form. The card details are used as a form of payment identity in case (a) you don't turn up and they need proof you intended to stay, or (b) you stay and run off without paying when checking out. The hotel still requires a present card for payment, or the CVV to do a card-not-present transaction, or cash if you choose to pay that way instead.

The bigger question of "is this secure" is more complicated. The simplest way to think about it is that there are a number of security controls in place to help prevent fraud, at various stages in the process (website, payment processor, bank), but even if these all fail the bank is insured against fraud, so you will get your money back if you use an appropriate card type. In general, credit cards offer superior and faster fraud protection in comparison to debit/bank cards.


Merchants can request a payment with only the credit card number and the expiry date, which are very visibly written on the front of the card. Most but not all merchants also require a number written on the back of the card, generically called CVV (the formal name depends on the credit card vendor). In principle, merchants have to apply certain rules known as PCI DSS to all credit card data, and aren't allowed to store the CVV (only to pass it to the bank), but PCI DSS compliance only requires that the merchant declares themselves as compliant, so violations of the requirements are common.

Yes, this does mean that once somebody has your card details, they can make an online payment in your stead. The burden is on you to verify your credit card statements and cancel any fraudulent payment. Depending on your bank, on the credit card type and your country, the details of how to cancel a fraudulent payment and what happens if this caused overspending or an overdraft vary.

To be clear, this is a risk whether you have ever used your card for online payments or not. The risk is inherent in having a card. There are fraudsters who make up card numbers and try to charge them; this isn't very easy to set up because most of their payments will end up being rejected because the made-up data is invalid and the bank will eventually block the source of evidently-fraudulent requests, but it's doable. Having a valid number and expiry date greatly increases the profitability/risk ratio.

To give an idea of the profitability of this kind of fraud, from what I remember of credit card spam, a credit card number with expiry date sells for around $1 and a valid CVV raises the price to something like $5. Note that I've never checked whether the advertised data was genuine.
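As an added illustration of the PCI DSS point in the answer above (this is example code, not from any of the answers or from Booking.com): a merchant backend that accepts a reservation form should keep only a masked card number and the expiry, forward the CVV once to the processor and never persist it, and reject numbers that fail the card-number check digit before they go anywhere. The form layout, field names and the sample card number are constructed for the example.

```python
import re

def luhn_valid(pan: str) -> bool:
    """Check the Luhn check digit that payment card numbers carry (ISO/IEC 7812).
    Catches typos and most made-up numbers before anything is sent to the processor."""
    digits = [int(c) for c in re.sub(r"\D", "", pan)]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits in clear; that is all a later lookup needs."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def sanitize_reservation(form: dict) -> dict:
    """Return the record that may be written to the reservation database or logs.
    The CVV key is deliberately absent: it may be passed to the bank, never stored."""
    pan = form["card_number"]
    if not luhn_valid(pan):
        raise ValueError("card number fails check digit")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", form["expiry"]):
        raise ValueError("expiry must be MM/YY")
    return {
        "guest": form["guest"],
        "card_masked": mask_pan(pan),
        "expiry": form["expiry"],
    }

# Constructed sample form; 4111 1111 1111 1111 is a common test number, not a real card.
SAMPLE_FORM = {
    "guest": "A. Guest",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
}

if __name__ == "__main__":
    print(sanitize_reservation(SAMPLE_FORM))
```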


The trick with credit cards is to remember the credit part of the system. You're not actually paying at the point of sale, you're creating two credit relationships where you owe the issuer money and they owe it to the merchant. Effectively two 'IOU' pieces of paper, and about as secure.

The next thing is that you don't necessarily have to pay if they can't establish that it was actually you that did the transaction. If you successfully repudiate it, the merchant doesn't get paid for the transaction. If a merchant gets defrauded too often, they can be banned from the system.

So, various forms of payment system come with different proofs to the merchant about the card. In cardholder-present transactions you have the opportunity to look at the card and the customer when making the decision. It's harder to automate the fraud or carry it out from a safe distance. So these can be done with just card+expiry. Everything on the front of the card can be copied with one of those card imprint machines that use carbon paper and submitted by the merchant by post. The pre-internet system.

Cardholder-NOT-present transactions are the opposite. Fraud is easy to automate. So most online transactions ask for at least the CVV (three digits on the back of the card, not copied by imprint and not on the magnetic track). Most online retailers insist on an address which must match the cardholder address before posting out goods. People selling "cashlike" things (gift cards, game time cards) sometimes do phone verification too because they're very high fraud targets.

The hotel reservation case is funny because there's almost no fraud case possible. There's no point in making a reservation with a stolen card and then not showing up, it gets you nothing. If you do show up, it turns into cardholder-present, and many hotels take a copy of your ID.

Tags:

Credit Card