Remote user authentication schemes are helpful to provide authenticity between users and a remote server in network-based services. In order to meet the security requirements, many related schemes have been proposed. Recently, Moon et al. proposed a smart card based three-factor authentication scheme and claimed that the scheme prevented various attacks. However, just in the same year, Li et al . suggested a new insider attack scenario and pointed out that Moon et al . ’s scheme suffers from a user anonymity violation attack, a user impersonation attack, and a server masquerade attack under this scenario. In this study, it is demonstrated that without the new attack scenario, Moon et al . ’s scheme is still insecure against a traceability attack, an offline identity-guessing attack, an impersonation attack, and a man-in-the-middle attack. Based on Moon et al . ’s scheme, a new three-factor authenticated key agreement scheme is proposed. The proposed scheme is validated by widely accepted BAN logic. In addition, the proposed scheme can satisfy various types of functional features and prevent various security attacks.