In 2009, Liao and Wang proposed a secure dynamic ID based remote user authentication scheme for multi-server environments. They achieved user anonymity by using secure dynamic IDs instead of static IDs. Recently, Hsiang and Shih proposed an improved scheme to fix the security flaws found in Liao-Wang's scheme. Hsiang and Shih claimed that their scheme maintains the benefits and increases the security of Liao-Wang's scheme, while providing mutual authentication that Liao-Wang's scheme lacks. In this paper, however, it is shown that Hsiang-Shih's scheme cannot withstand user and server impersonation attacks. Their scheme is thus vulnerable to malicious users and insecure for practical applications.