Recently, Pang et al. proposed a secure and efficient lightweight mutual authentication protocol [1]. Their scheme is EPC Class 1 Generation 2 compatible and is based on both cyclic redundancy codes (CRC) and a pseudorandom number generator (PRNG). Although the authors claimed that the proposed protocol is secure against all attacks, in this paper we use Vaudenay's privacy model to prove that the scheme supports only the lowest privacy level and is also traceable. Furthermore, we propose an improved scheme with higher privacy and prove the privacy of our proposed protocol in a formal model.