Because the protocol used a weak hash (MD) that was easily broken

Because only one principal (Alice) was authenticated, but not the other (Bob)

Because the messages were not explicit enough about the identity of the principal in question

Because nonces were sent in plaintext rather than encrypted