Due to the well-developed technology and its variety of applications, the Radio Frequency Identifications (RFIDs) are widespread in a broad range of markets. In many applications, the RFID systems need security service such as authentication mechanism to identify tag and resist possible attacks. In 2008, Song et al. proposed a RFID authentication protocol for low-cost tags. Their protocol has the merits of privacy and security properties, and it can stand tag impersonation attack, replay attack, and backward/forward traceability. In this article, we show that their protocol cannot resist server impersonation attack as they declared. An adversary can successfully impersonate as a server to send fake message for verification. We also present countermeasures to fix the flaw. The performance of the improved mechanisms is the same as that of Song et al.’s protocol while the server impersonation attack is avoided.