In this letter, we analyze the security of an RFID authentication protocol proposed by Liu and Bailey [1], called privacy and authentication protocol (PAP). We present two traceability attacks and an impersonation attack.